From 4f85857c506729174013742149d69eca736fe2de Mon Sep 17 00:00:00 2001
From: Henrik Lund Kramshoej <hlk@kramse.org>
Date: Mon, 10 Jul 2017 12:27:27 +0200
Subject: Messing up the thing

---
 conf-from-container/conf/README.md                 |   5 +
 conf-from-container/conf/access-control.xml        |  68 +++++
 conf-from-container/conf/admin/general-admin.xml   |  53 ++++
 conf-from-container/conf/admin/metrics.xml         | 129 +++++++++
 conf-from-container/conf/attribute-filter.xml      |  45 ++++
 .../conf/attribute-resolver-full.xml               | 292 +++++++++++++++++++++
 .../conf/attribute-resolver-ldap.xml               |  94 +++++++
 conf-from-container/conf/attribute-resolver.xml    | 108 ++++++++
 conf-from-container/conf/audit.xml                 |  32 +++
 .../conf/authn/authn-comparison.xml                |  77 ++++++
 .../conf/authn/authn-events-flow.xml               |  18 ++
 .../conf/authn/duo-authn-config.xml                |  25 ++
 conf-from-container/conf/authn/duo.properties      |   9 +
 .../conf/authn/external-authn-config.xml           |  70 +++++
 conf-from-container/conf/authn/general-authn.xml   | 156 +++++++++++
 .../conf/authn/ipaddress-authn-config.xml          |  37 +++
 .../conf/authn/jaas-authn-config.xml               |  27 ++
 conf-from-container/conf/authn/jaas.config         |  11 +
 .../conf/authn/krb5-authn-config.xml               |  31 +++
 .../conf/authn/ldap-authn-config.xml               | 135 ++++++++++
 .../conf/authn/mfa-authn-config.xml                |  94 +++++++
 .../conf/authn/password-authn-config.xml           | 121 +++++++++
 .../conf/authn/remoteuser-authn-config.xml         |  75 ++++++
 .../authn/remoteuser-internal-authn-config.xml     |  63 +++++
 .../conf/authn/spnego-authn-config.xml             |  74 ++++++
 .../conf/authn/x509-authn-config.xml               |  44 ++++
 .../conf/authn/x509-internal-authn-config.xml      |  21 ++
 .../c14n/attribute-sourced-subject-c14n-config.xml |  44 ++++
 .../conf/c14n/simple-subject-c14n-config.xml       |  27 ++
 .../conf/c14n/subject-c14n-events-flow.xml         |  18 ++
 conf-from-container/conf/c14n/subject-c14n.xml     | 109 ++++++++
 .../conf/c14n/x500-subject-c14n-config.xml         |  37 +++
 conf-from-container/conf/cas-protocol.xml          |  84 ++++++
 conf-from-container/conf/credentials.xml           |  65 +++++
 conf-from-container/conf/errors.xml                | 120 +++++++++
 conf-from-container/conf/global.xml                |  53 ++++
 conf-from-container/conf/idp.properties            | 195 ++++++++++++++
 .../conf/intercept/consent-intercept-config.xml    | 136 ++++++++++
 .../intercept/context-check-intercept-config.xml   |  42 +++
 .../expiring-password-intercept-config.xml         |  37 +++
 .../conf/intercept/intercept-events-flow.xml       |  18 ++
 .../conf/intercept/profile-intercept.xml           |  38 +++
 conf-from-container/conf/ldap.properties           |  74 ++++++
 conf-from-container/conf/logback.xml               | 186 +++++++++++++
 conf-from-container/conf/metadata-providers.xml    |  67 +++++
 conf-from-container/conf/mvc-beans.xml             |  23 ++
 conf-from-container/conf/relying-party.xml         |  70 +++++
 conf-from-container/conf/saml-nameid.properties    |  35 +++
 conf-from-container/conf/saml-nameid.xml           |  62 +++++
 conf-from-container/conf/services.properties       |  65 +++++
 conf-from-container/conf/services.xml              | 144 ++++++++++
 conf-from-container/conf/session-manager.xml       |  45 ++++
 conf-from-container/run.sh                         |   1 +
 conf-from-container/shell.sh                       |   1 +
 54 files changed, 3710 insertions(+)
 create mode 100644 conf-from-container/conf/README.md
 create mode 100644 conf-from-container/conf/access-control.xml
 create mode 100644 conf-from-container/conf/admin/general-admin.xml
 create mode 100644 conf-from-container/conf/admin/metrics.xml
 create mode 100644 conf-from-container/conf/attribute-filter.xml
 create mode 100644 conf-from-container/conf/attribute-resolver-full.xml
 create mode 100644 conf-from-container/conf/attribute-resolver-ldap.xml
 create mode 100644 conf-from-container/conf/attribute-resolver.xml
 create mode 100644 conf-from-container/conf/audit.xml
 create mode 100644 conf-from-container/conf/authn/authn-comparison.xml
 create mode 100644 conf-from-container/conf/authn/authn-events-flow.xml
 create mode 100644 conf-from-container/conf/authn/duo-authn-config.xml
 create mode 100644 conf-from-container/conf/authn/duo.properties
 create mode 100644 conf-from-container/conf/authn/external-authn-config.xml
 create mode 100644 conf-from-container/conf/authn/general-authn.xml
 create mode 100644 conf-from-container/conf/authn/ipaddress-authn-config.xml
 create mode 100644 conf-from-container/conf/authn/jaas-authn-config.xml
 create mode 100644 conf-from-container/conf/authn/jaas.config
 create mode 100644 conf-from-container/conf/authn/krb5-authn-config.xml
 create mode 100644 conf-from-container/conf/authn/ldap-authn-config.xml
 create mode 100644 conf-from-container/conf/authn/mfa-authn-config.xml
 create mode 100644 conf-from-container/conf/authn/password-authn-config.xml
 create mode 100644 conf-from-container/conf/authn/remoteuser-authn-config.xml
 create mode 100644 conf-from-container/conf/authn/remoteuser-internal-authn-config.xml
 create mode 100644 conf-from-container/conf/authn/spnego-authn-config.xml
 create mode 100644 conf-from-container/conf/authn/x509-authn-config.xml
 create mode 100644 conf-from-container/conf/authn/x509-internal-authn-config.xml
 create mode 100644 conf-from-container/conf/c14n/attribute-sourced-subject-c14n-config.xml
 create mode 100644 conf-from-container/conf/c14n/simple-subject-c14n-config.xml
 create mode 100644 conf-from-container/conf/c14n/subject-c14n-events-flow.xml
 create mode 100644 conf-from-container/conf/c14n/subject-c14n.xml
 create mode 100644 conf-from-container/conf/c14n/x500-subject-c14n-config.xml
 create mode 100644 conf-from-container/conf/cas-protocol.xml
 create mode 100644 conf-from-container/conf/credentials.xml
 create mode 100644 conf-from-container/conf/errors.xml
 create mode 100644 conf-from-container/conf/global.xml
 create mode 100644 conf-from-container/conf/idp.properties
 create mode 100644 conf-from-container/conf/intercept/consent-intercept-config.xml
 create mode 100644 conf-from-container/conf/intercept/context-check-intercept-config.xml
 create mode 100644 conf-from-container/conf/intercept/expiring-password-intercept-config.xml
 create mode 100644 conf-from-container/conf/intercept/intercept-events-flow.xml
 create mode 100644 conf-from-container/conf/intercept/profile-intercept.xml
 create mode 100644 conf-from-container/conf/ldap.properties
 create mode 100644 conf-from-container/conf/logback.xml
 create mode 100644 conf-from-container/conf/metadata-providers.xml
 create mode 100644 conf-from-container/conf/mvc-beans.xml
 create mode 100644 conf-from-container/conf/relying-party.xml
 create mode 100644 conf-from-container/conf/saml-nameid.properties
 create mode 100644 conf-from-container/conf/saml-nameid.xml
 create mode 100644 conf-from-container/conf/services.properties
 create mode 100644 conf-from-container/conf/services.xml
 create mode 100644 conf-from-container/conf/session-manager.xml
 create mode 100644 conf-from-container/run.sh
 create mode 100644 conf-from-container/shell.sh

(limited to 'conf-from-container')

diff --git a/conf-from-container/conf/README.md b/conf-from-container/conf/README.md
new file mode 100644
index 0000000..6002238
--- /dev/null
+++ b/conf-from-container/conf/README.md
@@ -0,0 +1,5 @@
+# IDP config templates
+
+This directory contains the files which are being replaced after running install.
+
+Dockerfile should install these after running install.
diff --git a/conf-from-container/conf/access-control.xml b/conf-from-container/conf/access-control.xml
new file mode 100644
index 0000000..a9184e6
--- /dev/null
+++ b/conf-from-container/conf/access-control.xml
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!--
+    Map of access control policies used to limit access to administrative functions.
+    The purpose of the map is to label policies with a key/name so they can be reused.
+    -->
+
+    <!--
+    Use the "shibboleth.IPRangeAccessControl" parent bean for IP-based access control.
+    The ranges provided MUST be CIDR network expressions. To specify a single address,
+    add "/32" or "/128" for IPv4 or IPv6 respectively.
+
+    The additional examples below demonstrate how to control access by username
+    and by attribute(s), in the case of authenticated access to admin functions.
+    -->
+
+    <util:map id="shibboleth.AccessControlPolicies">
+    
+        <entry key="AccessByIPAddress">
+            <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
+                p:allowedRanges="#{ {'127.0.0.1/32', '::1/128'} }" />
+        </entry>
+        
+        <!--
+        <entry key="AccessByUser">
+            <bean parent="shibboleth.PredicateAccessControl">
+                <constructor-arg>
+                    <bean parent="shibboleth.Conditions.SubjectName" c:collection="#{'jdoe'}" />
+                </constructor-arg>
+            </bean>
+        </entry>
+        -->
+        
+        <!--
+        <entry key="AccessByAttribute">
+            <bean parent="shibboleth.PredicateAccessControl">
+                <constructor-arg>
+                    <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
+                        <property name="attributeValueMap">
+                            <map>
+                                <entry key="eduPersonEntitlement">
+                                    <list>
+                                        <value>https://example.org/entitlement/idpadmin</value>
+                                    </list>
+                                </entry>
+                            </map>
+                        </property>
+                    </bean>
+                </constructor-arg>
+            </bean>
+        </entry>
+        -->
+    
+    </util:map>
+
+</beans>
diff --git a/conf-from-container/conf/admin/general-admin.xml b/conf-from-container/conf/admin/general-admin.xml
new file mode 100644
index 0000000..6e9fc19
--- /dev/null
+++ b/conf-from-container/conf/admin/general-admin.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
+    xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+    default-init-method="initialize"
+    default-destroy-method="destroy">
+
+    <util:list id="shibboleth.AvailableAdminFlows">
+    
+        <!-- Status Page -->
+        <bean parent="shibboleth.AdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/status"
+            p:loggingId="%{idp.service.logging.status:Status}"
+            p:policyName="%{idp.status.accessPolicy:AccessByIPAddress}" />
+
+        <!-- Service Reload -->
+        <bean parent="shibboleth.AdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/reload-service-configuration"
+            p:loggingId="%{idp.service.logging.serviceReload:Reload}"
+            p:policyName="%{idp.reload.accessPolicy:AccessByIPAddress}" />
+
+        <!-- MetadataResolver Reload -->
+        <bean parent="shibboleth.AdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/reload-metadata"
+            p:loggingId="%{idp.service.logging.serviceReload:Reload}"
+            p:policyName="%{idp.reload.accessPolicy:AccessByIPAddress}" />
+
+        <!-- AttributeResolver Debugging -->
+        <bean parent="shibboleth.AdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/resolvertest"
+            p:loggingId="%{idp.service.logging.resolvertest:ResolverTest}"
+            p:policyName="%{idp.resolvertest.accessPolicy:AccessByIPAddress}" />
+
+        <!-- REST StorageService Access -->
+        <bean parent="shibboleth.AdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/storage"
+            p:loggingId="Storage"
+            p:policyName="AccessByIPAddress" />
+    
+        <!-- REST Interface to Metrics -->
+        <bean parent="shibboleth.AdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/metrics"
+            p:loggingId="Metrics"
+            p:policyNameLookupStrategy-ref="shibboleth.metrics.AccessPolicyStrategy" />
+    
+    </util:list>
+
+</beans>
diff --git a/conf-from-container/conf/admin/metrics.xml b/conf-from-container/conf/admin/metrics.xml
new file mode 100644
index 0000000..f9b5c16
--- /dev/null
+++ b/conf-from-container/conf/admin/metrics.xml
@@ -0,0 +1,129 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
+    xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+    default-init-method="initialize"
+    default-destroy-method="destroy">
+    
+    <!-- Metrics enablement / activation. -->
+
+    <!--
+    Register one or more of the built-in system metric sets available.
+    -->
+
+    <bean parent="shibboleth.metrics.RegisterMetricSets">
+        <property name="arguments">
+            <list>
+                <ref bean="shibboleth.metrics.CoreGaugeSet" />
+                <ref bean="shibboleth.metrics.IdPGaugeSet" />
+                <ref bean="shibboleth.metrics.LoggingGaugeSet" />
+                <ref bean="shibboleth.metrics.AccessControlGaugeSet" />
+                <ref bean="shibboleth.metrics.MetadataGaugeSet" />
+                <ref bean="shibboleth.metrics.NameIdentifierGaugeSet" />
+                <ref bean="shibboleth.metrics.RelyingPartyGaugeSet" />
+                <ref bean="shibboleth.metrics.AttributeResolverGaugeSet" />
+                <ref bean="shibboleth.metrics.AttributeFilterGaugeSet" />
+
+                <!--
+                <bean class="com.codahale.metrics.jvm.CachedThreadStatesGaugeSet"
+                    c:_0="1" c:_1="#{T(java.util.concurrent.TimeUnit).MINUTES}" />
+                <bean class="com.codahale.metrics.jvm.ClassLoadingGaugeSet" />
+                <bean class="com.codahale.metrics.jvm.GarbageCollectorMetricSet" />
+                <bean class="com.codahale.metrics.jvm.MemoryUsageGaugeSet" />
+                -->
+            </list>
+        </property>
+    </bean>
+
+    <!-- Metrics REST API Configuration -->
+
+    <!--
+    The global metric set is available by default at /idp/profile/admin/metrics
+    
+    Any pathinfo after that is assumed to identify specific named metrics. You can
+    create mappings here between a logical "group" name and an implementation of the
+    com.codahale.metrics.MetricFilter interface to specify which metrics to include.
+    -->
+    <util:map id="shibboleth.metrics.MetricGroups">
+        <entry key="core" value-ref="shibboleth.metrics.CoreGaugeSet" />
+        <entry key="idp" value-ref="shibboleth.metrics.IdPGaugeSet" />
+        <entry key="logging" value-ref="shibboleth.metrics.LoggingGaugeSet" />
+        <entry key="access" value-ref="shibboleth.metrics.AccessControlGaugeSet" />
+        <entry key="metadata" value-ref="shibboleth.metrics.MetadataGaugeSet" />
+        <entry key="nameid" value-ref="shibboleth.metrics.NameIdentifierGaugeSet" />
+        <entry key="relyingparty" value-ref="shibboleth.metrics.RelyingPartyGaugeSet" />
+        <entry key="resolver" value-ref="shibboleth.metrics.AttributeResolverGaugeSet" />
+        <entry key="filter" value-ref="shibboleth.metrics.AttributeFilterGaugeSet" />
+    </util:map>
+        
+    <!-- If you don't specify an alternate access policy, this named policy will be enforced. -->
+    <bean id="shibboleth.metrics.DefaultAccessPolicy" class="java.lang.String" c:_0="AccessByIPAddress" />
+    
+    <!--
+    To override the default access policy, map a metric name or
+    mapped group above to an alternative policy name.
+    -->
+    <util:map id="shibboleth.metrics.AccessPolicyMap">
+    
+    </util:map>
+        
+    <!--
+    In addition to the "pull" REST API for accessing metrics, a "push" reporter is also
+    available to upload a JSON feed to a URL. The example shown relies on standard JVM
+    trust configuration for TLS server verification.
+    
+    The "start" method triggers the timer thread; the example pushes every 30 minutes.
+    -->
+    <!--
+    <bean id="PushReporter" parent="shibboleth.metrics.HTTPReporter" c:name="MyCollector"
+        p:collectorURL="https://log.example.org/cgi-bin/collector.cgi" />
+                
+    <bean class="org.springframework.beans.factory.config.MethodInvokingBean"
+            p:targetObject-ref="PushReporter"
+            p:targetMethod="start">
+        <property name="arguments">
+            <list>
+                <value>30</value>
+                <util:constant static-field="java.util.concurrent.TimeUnit.MINUTES" />
+            </list>
+        </property>
+    </bean>
+    -->
+
+    <!-- IdP Metrics Configuration -->
+    
+    <!--
+    A bean named shibboleth.metrics.MetricStrategy of type Function<ProfileRequestContext,Boolean>
+    can be defined to add timers and counters to a large range of objects in the system. Each timer is
+    defined by a triple (timer name, start object, stop object). Counters are just object/counter pairs.
+    
+    The most common example is to start a timer when a particular flow action bean starts and
+    stop it when the same or different action bean stops, to measure how long the execution takes.
+    
+    If you want to leave a timer in place but disabled to prevent overhead, you can turn off a
+    logging category named "metrics.<timername>" in your logging configuration.
+    -->
+    <!--
+    <bean id="shibboleth.metrics.MetricStrategy" parent="shibboleth.ContextFunctions.Scripted"
+            factory-method="inlineScript">
+        <constructor-arg>
+            <value>
+            <![CDATA[
+                metricCtx = input.getSubcontext("org.opensaml.profile.context.MetricContext");
+                metricCtx.addTimer("idp.attribute.resolution",
+                    "ResolveAttributes",
+                    "FilterAttributes"
+                    );                                
+                true; // Signals success.
+            ]]>
+            </value>
+        </constructor-arg>
+    </bean>
+    -->
+    
+</beans>
diff --git a/conf-from-container/conf/attribute-filter.xml b/conf-from-container/conf/attribute-filter.xml
new file mode 100644
index 0000000..f8c41ba
--- /dev/null
+++ b/conf-from-container/conf/attribute-filter.xml
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- 
+    This file is an EXAMPLE policy file.  While the policy presented in this 
+    example file is illustrative of some simple cases, it relies on the names of
+    non-existent example services and the example attributes demonstrated in the
+    default attribute-resolver.xml file.
+    
+    Deployers should refer to the documentation for a complete list of components
+    and their options.
+-->
+<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
+        xmlns="urn:mace:shibboleth:2.0:afp"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
+
+    <!-- Release some attributes to an SP. -->
+    <AttributeFilterPolicy id="example1">
+        <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />
+
+        <AttributeRule attributeID="eduPersonPrincipalName">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="uid">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="mail">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+    </AttributeFilterPolicy>
+
+    <!-- Release eduPersonAffiliation to two specific SPs. -->
+    <AttributeFilterPolicy id="example2">
+        <PolicyRequirementRule xsi:type="OR">
+            <Rule xsi:type="Requester" value="https://sp.example.org" />
+            <Rule xsi:type="Requester" value="https://another.example.org/shibboleth" />
+        </PolicyRequirementRule>
+
+        <AttributeRule attributeID="eduPersonScopedAffiliation">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+    </AttributeFilterPolicy>
+
+</AttributeFilterPolicyGroup>
diff --git a/conf-from-container/conf/attribute-resolver-full.xml b/conf-from-container/conf/attribute-resolver-full.xml
new file mode 100644
index 0000000..4681b64
--- /dev/null
+++ b/conf-from-container/conf/attribute-resolver-full.xml
@@ -0,0 +1,292 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    This file is an EXAMPLE configuration file containing lots of commented
+    example attributes, encoders, and a couple of example data connectors.
+     
+    Not all attribute definitions or data connectors are demonstrated, but
+    a variety of LDAP attributes, some common to Shibboleth deployments and
+    many not, are included.
+    
+    Deployers should refer to the Identity Provider 3 documentation
+    
+    https://wiki.shibboleth.net/confluence/display/IDP30/AttributeResolverConfiguration
+     
+    for a complete list of components and their options.
+-->
+<AttributeResolver
+        xmlns="urn:mace:shibboleth:2.0:resolver"
+        xmlns:sec="urn:mace:shibboleth:2.0:security"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
+                            urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd">
+
+    <!-- ========================================== -->
+    <!--      Attribute Definitions                 -->
+    <!-- ========================================== -->
+
+    <!-- Schema: Core schema attributes-->
+<!--
+    <AttributeDefinition xsi:type="Simple" id="uid" sourceAttributeID="uid">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Simple" id="mail" sourceAttributeID="mail">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Simple" id="homePhone" sourceAttributeID="homePhone">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:homePhone" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.20" friendlyName="homePhone" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Simple" id="homePostalAddress" sourceAttributeID="homePostalAddress">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:homePostalAddress" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.39" friendlyName="homePostalAddress" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Simple" id="mobileNumber" sourceAttributeID="mobile">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mobile" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.41" friendlyName="mobile" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Simple" id="pagerNumber" sourceAttributeID="pager">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:pager" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.42" friendlyName="pager" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Simple" id="surname" sourceAttributeID="sn">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Simple" id="locality" sourceAttributeID="l">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:l" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.7" friendlyName="l" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Simple" id="stateProvince" sourceAttributeID="st">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:st" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.8" friendlyName="st" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Simple" id="street" sourceAttributeID="street">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:street" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.9" friendlyName="street" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Simple" id="organizationName" sourceAttributeID="o">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:o" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Simple" id="organizationalUnit" sourceAttributeID="ou">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:ou" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.11" friendlyName="ou" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Simple" id="title" sourceAttributeID="title">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:title" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.12" friendlyName="title" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Simple" id="postalAddress" sourceAttributeID="postalAddress">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postalAddress" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.16" friendlyName="postalAddress" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Simple" id="postalCode" sourceAttributeID="postalCode">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postalCode" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.17" friendlyName="postalCode" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Simple" id="postOfficeBox" sourceAttributeID="postOfficeBox">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:postOfficeBox" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.18" friendlyName="postOfficeBox" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Simple" id="telephoneNumber" sourceAttributeID="telephoneNumber">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:telephoneNumber" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.20" friendlyName="telephoneNumber" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Simple" id="givenName" sourceAttributeID="givenName">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Simple" id="initials" sourceAttributeID="initials">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:initials" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.43" friendlyName="initials" encodeType="false" />
+    </AttributeDefinition>
+-->
+
+    <!-- Schema: inetOrgPerson attributes-->
+<!--
+    <AttributeDefinition xsi:type="Simple" id="departmentNumber" sourceAttributeID="departmentNumber">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:departmentNumber" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.2" friendlyName="departmentNumber" encodeType="false" />
+    </AttributeDefinition>
+    
+    <AttributeDefinition xsi:type="Simple" id="displayName" sourceAttributeID="displayName">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
+    </AttributeDefinition> 
+
+    <AttributeDefinition xsi:type="Simple" id="employeeNumber" sourceAttributeID="employeeNumber">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeNumber" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.3" friendlyName="employeeNumber" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Simple" id="employeeType" sourceAttributeID="employeeType">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeType" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Simple" id="jpegPhoto" sourceAttributeID="jpegPhoto">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:jpegPhoto" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.60" friendlyName="jpegPhoto" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Simple" id="preferredLanguage" sourceAttributeID="preferredLanguage">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:preferredLanguage" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.39" friendlyName="preferredLanguage" encodeType="false" />
+    </AttributeDefinition>
+-->
+
+    <!-- Schema: eduPerson attributes -->
+<!--
+    <AttributeDefinition xsi:type="Simple" id="eduPersonAffiliation" sourceAttributeID="eduPersonAffiliation">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonAffiliation" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Simple" id="eduPersonEntitlement" sourceAttributeID="eduPersonEntitlement">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonEntitlement" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Simple" id="eduPersonNickname" sourceAttributeID="eduPersonNickname">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonNickname" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" friendlyName="eduPersonNickname" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Simple" id="eduPersonPrimaryAffiliation" sourceAttributeID="eduPersonPrimaryAffiliation">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Scoped" id="eduPersonUniqueId" scope="%{idp.scope}" sourceAttributeID="localUniqueId">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" friendlyName="eduPersonUniqueId" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Prescoped" id="eduPersonPrincipalName" sourceAttributeID="eduPersonPrincipalName">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Prescoped" id="eduPersonPrincipalNamePrior" sourceAttributeID="eduPersonPrincipalNamePrior">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.12" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.12" friendlyName="eduPersonPrincipalNamePrior" encodeType="false" />
+    </AttributeDefinition>
+
+    <AttributeDefinition xsi:type="Scoped" id="eduPersonScopedAffiliation" scope="%{idp.scope}" sourceAttributeID="eduPersonAffiliation">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
+    </AttributeDefinition>
+    
+    <AttributeDefinition xsi:type="Simple" id="eduPersonAssurance" sourceAttributeID="eduPersonAssurance">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonAssurance" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" friendlyName="eduPersonAssurance" encodeType="false" />
+    </AttributeDefinition>
+-->
+
+    <!-- ========================================== -->
+    <!--      Data Connectors                       -->
+    <!-- ========================================== -->
+
+    <!-- Example Static Connector -->
+<!--
+    <DataConnector id="staticAttributes" xsi:type="Static">
+        <Attribute id="eduPersonAffiliation">
+            <Value>member</Value>
+        </Attribute>
+    </DataConnector>
+-->
+
+    <!-- Example Relational Database Connector -->
+<!--
+    <DataConnector id="mySIS" xsi:type="RelationalDatabase">
+        <ApplicationManagedConnection jdbcDriver="oracle.jdbc.driver.OracleDriver"
+                                         jdbcURL="jdbc:oracle:thin:@db.example.org:1521:SomeDB" 
+                                         jdbcUserName="myid" 
+                                         jdbcPassword="mypassword" />
+        <QueryTemplate>
+            <![CDATA[
+                SELECT * FROM student WHERE gzbtpid = '$resolutionContext.principal'
+            ]]>
+        </QueryTemplate>
+
+        <Column columnName="gzbtpid" attributeID="uid" />
+        <Column columnName="fqlft" attributeID="gpa" />
+    </DataConnector>
+-->
+
+    <!-- Example LDAP Connector -->
+<!--
+    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
+        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
+        baseDN="%{idp.attribute.resolver.LDAP.baseDN}" 
+        principal="%{idp.attribute.resolver.LDAP.bindDN}"
+        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
+        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
+        connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
+        responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
+        <FilterTemplate>
+            <![CDATA[
+                %{idp.attribute.resolver.LDAP.searchFilter}
+            ]]>
+        </FilterTemplate>
+        <StartTLSTrustCredential id="LDAPtoIdPCredential" xsi:type="sec:X509ResourceBacked">
+            <sec:Certificate>%{idp.attribute.resolver.LDAP.trustCertificates}</sec:Certificate>
+        </StartTLSTrustCredential>
+    </DataConnector>
+-->
+
+</AttributeResolver>
diff --git a/conf-from-container/conf/attribute-resolver-ldap.xml b/conf-from-container/conf/attribute-resolver-ldap.xml
new file mode 100644
index 0000000..ec79de9
--- /dev/null
+++ b/conf-from-container/conf/attribute-resolver-ldap.xml
@@ -0,0 +1,94 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- 
+    This file is an EXAMPLE configuration file. While the configuration
+    presented in this example file is semi-functional, it isn't very
+    interesting. It is here only as a starting point for your deployment
+    process.
+    
+    Very few attribute definitions and data connectors are demonstrated,
+    and use of LDAP is assumed, with the LDAP configuration primarily
+    supplied from the ldap.properties file.
+
+    Attribute-resolver-full.xml contains more examples of attributes,
+    encoders, and data connectors. Deployers should refer to the Shibboleth
+    documentation for a complete list of components and their options.
+-->
+<AttributeResolver
+        xmlns="urn:mace:shibboleth:2.0:resolver"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
+
+    <!-- ========================================== -->
+    <!--      Attribute Definitions                 -->
+    <!-- ========================================== -->
+
+    <!--
+    The EPPN is the "standard" federated username in higher ed.
+    For guidelines on the implementation of this attribute, refer
+    to the Shibboleth and eduPerson documentation. Above all, do
+    not expose a value for this attribute without considering the
+    long term implications. 
+    -->
+    <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Prescoped" sourceAttributeID="eduPersonPrincipalName">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
+    </AttributeDefinition>
+
+    <!--
+    The uid is the closest thing to a "standard" LDAP attribute
+    representing a local username, but you should generally *never*
+    expose uid to federated services, as it is rarely globally unique.
+    -->
+    <AttributeDefinition id="uid" xsi:type="Simple" sourceAttributeID="uid">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
+    </AttributeDefinition>
+
+    <!--
+    In the rest of the world, the email address is the standard identifier,
+    despite the problems with that practice. Consider making the EPPN value
+    the same as your official email addresses whenever possible.
+    -->
+    <AttributeDefinition id="mail" xsi:type="Simple" sourceAttributeID="mail">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
+    </AttributeDefinition>
+        
+    <!-- ========================================== -->
+    <!--      Data Connectors                       -->
+    <!-- ========================================== -->
+    
+    <!--
+    Example LDAP Connector
+    
+    The connectivity details can be specified in ldap.properties to
+    share them with your authentication settings if desired.
+    -->
+    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
+        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
+        baseDN="%{idp.attribute.resolver.LDAP.baseDN}" 
+        principal="%{idp.attribute.resolver.LDAP.bindDN}"
+        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
+        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
+        connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
+        trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
+        responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
+        <FilterTemplate>
+            <![CDATA[
+                %{idp.attribute.resolver.LDAP.searchFilter}
+            ]]>
+        </FilterTemplate>
+	<ConnectionPool
+            minPoolSize="%{idp.pool.LDAP.minSize:3}"
+            maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
+            blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
+            validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
+            validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
+            expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
+            failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
+    </DataConnector>
+
+</AttributeResolver>
diff --git a/conf-from-container/conf/attribute-resolver.xml b/conf-from-container/conf/attribute-resolver.xml
new file mode 100644
index 0000000..35f3b35
--- /dev/null
+++ b/conf-from-container/conf/attribute-resolver.xml
@@ -0,0 +1,108 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    This file is an EXAMPLE configuration file. While the configuration
+    presented in this example file is semi-functional, it isn't very
+    interesting. It is here only as a starting point for your deployment
+    process.
+
+    Very few attribute definitions and data connectors are demonstrated,
+    and the data is derived statically from the logged-in username and a
+    static example connector.
+
+    Attribute-resolver-full.xml contains more examples of attributes,
+    encoders, and data connectors. Deployers should refer to the Shibboleth
+    documentation for a complete list of components and their options.
+
+    NOTE: This file is from the Nordunet template-config
+
+-->
+<AttributeResolver
+        xmlns="urn:mace:shibboleth:2.0:resolver"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
+
+
+    <!-- ========================================== -->
+    <!--      Attribute Definitions                 -->
+    <!-- ========================================== -->
+
+    <!--
+    The EPPN is the "standard" federated username in higher ed.
+    For guidelines on the implementation of this attribute, refer
+    to the Shibboleth and eduPerson documentation. Above all, do
+    not expose a value for this attribute without considering the
+    long term implications.
+    -->
+    <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="uid">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
+    </AttributeDefinition>
+
+    <!--
+    The uid is the closest thing to a "standard" LDAP attribute
+    representing a local username, but you should generally *never*
+    expose uid to federated services, as it is rarely globally unique.
+    -->
+    <AttributeDefinition id="uid" xsi:type="Simple" sourceAttributeID="uid">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
+    </AttributeDefinition>
+
+    <!--
+    In the rest of the world, the email address is the standard identifier,
+    despite the problems with that practice. Consider making the EPPN value
+    the same as your official email addresses whenever possible.
+    -->
+    <AttributeDefinition id="mail" xsi:type="Simple" sourceAttributeID="mail">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
+    </AttributeDefinition>
+
+    <!-- ========================================== -->
+    <!--      Data Connectors                       -->
+    <!-- ========================================== -->
+
+    <!--
+    Example LDAP Connector
+
+    The connectivity details can be specified in ldap.properties to
+    share them with your authentication settings if desired.
+    -->
+    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
+        ldapURL="ldaps://ldap.nordu.net"
+        baseDN="dc=nordu,dc=net">
+        <FilterTemplate>
+            <![CDATA[
+                (uid=$requestContext.principalName)
+            ]]>
+        </FilterTemplate>
+    </DataConnector>
+<!--    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
+        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
+        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
+        principal="%{idp.attribute.resolver.LDAP.bindDN}"
+        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
+        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
+        connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
+        trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
+        responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
+        <FilterTemplate>
+            <![CDATA[
+                %{idp.attribute.resolver.LDAP.searchFilter}
+            ]]>
+        </FilterTemplate>
+  <ConnectionPool
+            minPoolSize="%{idp.pool.LDAP.minSize:3}"
+            maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
+            blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
+            validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
+            validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
+            expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
+            failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
+    </DataConnector>
+  -->
+
+</AttributeResolver>
diff --git a/conf-from-container/conf/audit.xml b/conf-from-container/conf/audit.xml
new file mode 100644
index 0000000..22949fd
--- /dev/null
+++ b/conf-from-container/conf/audit.xml
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
+    xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+    default-init-method="initialize"
+    default-destroy-method="destroy">
+
+    <!--
+    This bean defines a mapping between audit log categories and formatting strings. The default entry is
+    for compatibility with V2 audit logging.
+    -->
+    <util:map id="shibboleth.AuditFormattingMap">
+        <entry key="Shibboleth-Audit" value="%T|%b|%I|%SP|%P|%IDP|%bb|%III|%u|%ac|%attr|%n|%i|" />
+    </util:map>
+
+    <!-- Override the format of date/time fields in the log and/or convert to default time zone. -->
+    <!--
+    <bean id="shibboleth.AuditDateTimeFormat" class="java.lang.String" c:_0="YYYY-MM-dd'T'HH:mm:ss.SSSZZ" />
+    <util:constant id="shibboleth.AuditDefaultTimeZone" static-field="java.lang.Boolean.TRUE" />
+    -->
+
+    <!-- Allows auditing to be disabled selectively for particular profiles/flows. -->
+    <util:list id="shibboleth.AuditSuppressedProfiles">
+        <value>http://shibboleth.net/ns/profiles/status</value>
+    </util:list>
+
+</beans>
diff --git a/conf-from-container/conf/authn/authn-comparison.xml b/conf-from-container/conf/authn/authn-comparison.xml
new file mode 100644
index 0000000..f167b7a
--- /dev/null
+++ b/conf-from-container/conf/authn/authn-comparison.xml
@@ -0,0 +1,77 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!--
+    These beans can be used in the AuthnComparisonRules map below instead of the defaults to
+    support more advanced matching rules. The top example shows how to configure a matching rule,
+    in this case a rule that the two listed classes are "better" than the password class.
+    
+    To use these beans, configure the matchingRules map as desired, and then reference the bean id in the
+    desired value-ref slot in the AuthnComparisonRules map.
+    -->
+    
+    <bean id="shibboleth.BetterClassRefMatchFactory" parent="shibboleth.InexactMatchFactory">
+        <!--
+        <property name="matchingRules">
+            <map>
+                <entry key="urn:oasis:names:tc:SAML:2.0:ac:classes:Password">
+                    <list>
+                        <value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</value>
+                        <value>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</value>
+                    </list>
+                </entry>
+            </map>
+        </property>
+        -->
+    </bean>
+
+    <bean id="shibboleth.MinimumClassRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
+
+    <bean id="shibboleth.MaximumClassRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
+
+    <!-- DeclRefs are rarely used in SAML, so you likely won't bother with these. -->
+    <bean id="shibboleth.BetterDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
+    <bean id="shibboleth.MinimumDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
+    <bean id="shibboleth.MaximumDeclRefMatchFactory" parent="shibboleth.InexactMatchFactory" />
+    
+    
+    <!-- Registry of matching rules. -->
+    
+    <util:map id="shibboleth.AuthnComparisonRules">
+    
+        <!-- Exact matching, should be left alone to avoid tricking the IdP into behaving incorrectly. -->
+        <entry key-ref="shibboleth.SAMLAuthnMethodExact" value-ref="shibboleth.ExactMatchFactory"/>
+        <entry key-ref="shibboleth.SAMLACClassRefExact" value-ref="shibboleth.ExactMatchFactory"/>
+        <entry key-ref="shibboleth.SAMLACDeclRefExact" value-ref="shibboleth.ExactMatchFactory"/>
+
+        <!-- Minimum matching, leave to allow degeneration into exact, or replace with custom rules. -->
+        <entry key-ref="shibboleth.SAMLACClassRefMinimum" value-ref="shibboleth.ExactMatchFactory"/>
+        <entry key-ref="shibboleth.SAMLACDeclRefMinimum" value-ref="shibboleth.ExactMatchFactory"/>
+
+        <!-- Maximum matching, leave to allow degeneration into exact, or replace with custom rules. -->
+        <entry key-ref="shibboleth.SAMLACClassRefMaximum" value-ref="shibboleth.ExactMatchFactory"/>
+        <entry key-ref="shibboleth.SAMLACDeclRefMaximum" value-ref="shibboleth.ExactMatchFactory"/>
+
+        <!-- Better matching, refers to empty ruleset that has to be populated to work. -->
+        <entry key-ref="shibboleth.SAMLACClassRefBetter" value-ref="shibboleth.BetterClassRefMatchFactory"/>
+        <entry key-ref="shibboleth.SAMLACDeclRefBetter" value-ref="shibboleth.BetterDeclRefMatchFactory"/>
+        
+    </util:map>
+    
+    <!-- List of context classes or declarations to ignore if an SP requests them. -->
+
+    <util:list id="shibboleth.IgnoredContexts">
+        <value>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</value>
+    </util:list>
+    
+</beans>
diff --git a/conf-from-container/conf/authn/authn-events-flow.xml b/conf-from-container/conf/authn/authn-events-flow.xml
new file mode 100644
index 0000000..244e1db
--- /dev/null
+++ b/conf-from-container/conf/authn/authn-events-flow.xml
@@ -0,0 +1,18 @@
+<flow xmlns="http://www.springframework.org/schema/webflow"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd"
+      abstract="true">
+
+    <!-- ADVANCED USE ONLY -->
+    
+    <!--
+    You can ignore this file unless you are creating your own custom login subflows that want to
+    report custom events in response to unusual error or warning conditions.
+    -->
+
+    <!-- Custom error events to reflect back from user-supplied login subflows. -->
+    <!--
+    <end-state id="MyCustomEvent" />
+    -->
+
+</flow>
diff --git a/conf-from-container/conf/authn/duo-authn-config.xml b/conf-from-container/conf/authn/duo-authn-config.xml
new file mode 100644
index 0000000..0a48152
--- /dev/null
+++ b/conf-from-container/conf/authn/duo-authn-config.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context"
+    xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+    default-init-method="initialize" default-destroy-method="destroy">
+
+    <!--
+    By default, the Duo flow will use a statically-defined integration defined with the
+    duo.properties file. If you need more flexibility, you can define a function bean
+    called "shibboleth.authn.Duo.DuoIntegrationStrategy" to return an instance of
+    net.shibboleth.idp.authn.duo.DuoIntegration based on the state of the request.
+
+    The Duo flow is designed to operate in conjunction with some other login flow,
+    usually orchestrated by the MFA login flow. It obtains the username to send to
+    Duo based on the output of the other login flow or a previous session with the
+    user. You can override that approach using a function bean called
+    "shibboleth.authn.Duo.UsernameLookupStrategy" to supply the username from a
+    different source.
+    -->
+
+</beans>
diff --git a/conf-from-container/conf/authn/duo.properties b/conf-from-container/conf/authn/duo.properties
new file mode 100644
index 0000000..2ca71ee
--- /dev/null
+++ b/conf-from-container/conf/authn/duo.properties
@@ -0,0 +1,9 @@
+# Duo integration settings
+
+# Note: If upgrading from pre-3.3 IdP versions, you will need to manually add a pointer
+# to this property file to idp.properties.
+
+idp.duo.apiHost = hostname
+idp.duo.applicationKey = key
+idp.duo.integrationKey = key
+idp.duo.secretKey = key
diff --git a/conf-from-container/conf/authn/external-authn-config.xml b/conf-from-container/conf/authn/external-authn-config.xml
new file mode 100644
index 0000000..8b3a159
--- /dev/null
+++ b/conf-from-container/conf/authn/external-authn-config.xml
@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!-- Servlet context-relative path to wherever your implementation lives. -->
+    <bean id="shibboleth.authn.External.externalAuthnPath" class="java.lang.String"
+        c:_0="contextRelative:Authn/External" />
+
+    <!--
+    Default is to always use the path in the bean above. If you want to determine it
+    dynamically, define a bean called "shibboleth.authn.External.externalAuthnPathStrategy"
+    of type Function<ProfileRequestContext,String> that returns the path to use.
+    -->
+
+    <!--
+    Add authentication flow descriptor's supportedPrincipals collection to the resulting Subject?
+    You would normally only unset this if you plan to return a fully decorated Java Subject from your
+    external authentication source.
+    -->
+    <util:constant id="shibboleth.authn.External.addDefaultPrincipals" static-field="java.lang.Boolean.TRUE" />
+
+    <!--
+    <bean id="shibboleth.authn.External.matchExpression" class="java.util.regex.Pattern" factory-method="compile"
+        c:_0="^(.+)@example\.edu]$" />
+    -->
+
+    <!--
+    Define entries here to map error messages returned by external modules and classify them as particular
+    kinds of errors for use in your templates and as events in flows.
+
+    Keys are events to signal, values are error codes.
+
+    The examples here just allow external signaling of the exact type of condition to record.
+    
+    If you want to "fall-through" to other login flows, include a mapping to "ReselectFlow".
+    -->
+    <util:map id="shibboleth.authn.External.ClassifiedMessageMap">
+        <entry key="UnknownUsername">
+            <list>
+                <value>UnknownUsername</value>
+            </list>
+        </entry>
+        <entry key="InvalidPassword">
+            <list>
+                <value>InvalidPassword</value>
+            </list>
+        </entry>
+        <entry key="ExpiredPassword">
+            <list>
+                <value>ExpiredPassword</value>
+            </list>
+        </entry>
+        <entry key="ExpiringPassword">
+            <list>
+                <value>ExpiringPassword</value>
+            </list>
+        </entry>
+    </util:map>
+    
+</beans>
diff --git a/conf-from-container/conf/authn/general-authn.xml b/conf-from-container/conf/authn/general-authn.xml
new file mode 100644
index 0000000..ac55bbb
--- /dev/null
+++ b/conf-from-container/conf/authn/general-authn.xml
@@ -0,0 +1,156 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!--
+    This file provisions the IdP with information about the configured login mechanisms available for use.
+    The actual beans and subflows that make up those mechanisms are in their own files, but this pulls them
+    together with deployer-supplied metadata to describe them to the system.
+    
+    You can turn on and off individual mechanisms by adding and remove them here. Nothing left out will
+    be used, regardless any other files loaded by the Spring container.
+    
+    Flow defaults include: no support for IsPassive/ForceAuthn, support for non-browser clients enabled,
+    and default timeout and lifetime values set via properties. We also default to supporting the SAML 1/2
+    expressions for password-based authentication over a secure channel, so anything more exotic requires
+    customization, as the examples below for IP address and SPNEGO authentication illustrate.
+    -->
+
+    <util:list id="shibboleth.AvailableAuthenticationFlows">
+        
+        <bean id="authn/IPAddress" parent="shibboleth.AuthenticationFlow"
+                p:passiveAuthenticationSupported="true"
+                p:lifetime="PT60S" p:inactivityTimeout="PT60S">
+            <property name="supportedPrincipals">
+                <list>
+                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
+                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
+                </list>
+            </property>
+        </bean>
+
+        <bean id="authn/SPNEGO" parent="shibboleth.AuthenticationFlow"
+                p:nonBrowserSupported="false">
+            <property name="supportedPrincipals">
+                <list>
+                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
+                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos" />
+                    <bean parent="shibboleth.SAML1AuthenticationMethod"
+                        c:method="urn:ietf:rfc:1510" />
+                </list>
+            </property>
+        </bean>
+        
+        <bean id="authn/External" parent="shibboleth.AuthenticationFlow"
+            p:nonBrowserSupported="false" />
+
+        <bean id="authn/RemoteUser" parent="shibboleth.AuthenticationFlow"
+            p:nonBrowserSupported="false" />
+
+        <bean id="authn/RemoteUserInternal" parent="shibboleth.AuthenticationFlow" />
+
+        <bean id="authn/X509" parent="shibboleth.AuthenticationFlow"
+                p:nonBrowserSupported="false">
+            <property name="supportedPrincipals">
+                <list>
+                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
+                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" />
+                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
+                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" />
+                    <bean parent="shibboleth.SAML1AuthenticationMethod"
+                        c:method="urn:ietf:rfc:2246" />
+                </list>
+            </property>
+        </bean>
+
+        <bean id="authn/X509Internal" parent="shibboleth.AuthenticationFlow">
+            <property name="supportedPrincipals">
+                <list>
+                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
+                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:X509" />
+                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
+                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" />
+                    <bean parent="shibboleth.SAML1AuthenticationMethod"
+                        c:method="urn:ietf:rfc:2246" />
+                </list>
+            </property>
+        </bean>
+
+        <bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
+                p:passiveAuthenticationSupported="true"
+                p:forcedAuthenticationSupported="true" />
+
+        <bean id="authn/Duo" parent="shibboleth.AuthenticationFlow"
+                p:forcedAuthenticationSupported="true"
+                p:nonBrowserSupported="false">
+            <!--
+            The list below should be changed to reflect whatever locally- or
+            community-defined values are appropriate to represent MFA. It is
+            strongly advised that the value not be specific to Duo or any
+            particular technology.
+            -->
+            <property name="supportedPrincipals">
+                <list>
+                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
+                        c:classRef="http://example.org/ac/classes/mfa" />
+                    <bean parent="shibboleth.SAML1AuthenticationMethod"
+                        c:method="http://example.org/ac/classes/mfa" />
+                </list>
+            </property>
+        </bean>
+
+        <bean id="authn/MFA" parent="shibboleth.AuthenticationFlow"
+                p:passiveAuthenticationSupported="true"
+                p:forcedAuthenticationSupported="true">
+            <!--
+            The list below almost certainly requires changes, and should generally be the
+            union of any of the separate factors you combine in your particular MFA flow
+            rules. The example corresponds to the example in mfa-authn-config.xml that
+            combines IPAddress with Password.
+            -->
+            <property name="supportedPrincipals">
+                <list>
+                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
+                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" />
+                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
+                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
+                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
+                        c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
+                    <bean parent="shibboleth.SAML1AuthenticationMethod"
+                        c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
+                </list>
+            </property>
+        </bean>
+
+    </util:list>
+
+    <!--
+    This is a map used to "weight" particular methods above others if the IdP has to randomly select one
+    to insert into a SAML authentication statement. The typical use shown below is to bias the IdP in favor
+    of expressing the SAML 2 PasswordProtectedTransport class over the more vanilla Password class on the
+    assumption that the IdP doesn't accept passwords via an insecure channel. This map never causes the IdP
+    to violate its matching rules if an RP requests a particular value; it only matters when nothing specific
+    is chosen. Anything not in the map has a weight of zero.
+    -->
+    
+    <util:map id="shibboleth.AuthenticationPrincipalWeightMap">
+        <entry>
+            <key>
+                <bean parent="shibboleth.SAML2AuthnContextClassRef"
+                    c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
+            </key>
+            <value>1</value>
+        </entry>
+    </util:map>
+
+</beans>
diff --git a/conf-from-container/conf/authn/ipaddress-authn-config.xml b/conf-from-container/conf/authn/ipaddress-authn-config.xml
new file mode 100644
index 0000000..a3ee096
--- /dev/null
+++ b/conf-from-container/conf/authn/ipaddress-authn-config.xml
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+
+    <!-- Apply any regular expression replacement pairs to address before validation. -->
+    <util:list id="shibboleth.authn.IPAddress.Transforms" />
+
+    <!--
+    Configure the address range(s) and principal name(s) for IP-based login here.
+    The ranges provided MUST be CIDR network expressions. To specify a single address,
+    add "/32" or "/128" for IPv4 or IPv6 respectively.
+    -->
+
+
+    <util:map id="shibboleth.authn.IPAddress.Mappings">
+        <!--
+        <entry key="jdoe">
+            <list>
+                <value>127.0.0.1/32</value>
+                <value>::1/128</value>
+            </list>
+        </entry>
+        -->
+    </util:map>
+
+</beans>
diff --git a/conf-from-container/conf/authn/jaas-authn-config.xml b/conf-from-container/conf/authn/jaas-authn-config.xml
new file mode 100644
index 0000000..daef4d2
--- /dev/null
+++ b/conf-from-container/conf/authn/jaas-authn-config.xml
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+    
+    <!-- Specify your JAAS config. -->
+    <bean id="JAASConfig" class="org.springframework.core.io.FileSystemResource" c:path="%{idp.home}/conf/authn/jaas.config" />
+    
+    <util:property-path id="shibboleth.authn.JAAS.JAASConfigURI" path="JAASConfig.URI" />
+    
+    <!-- Specify the application name(s) in the JAAS config. -->
+    <util:list id="shibboleth.authn.JAAS.LoginConfigNames">
+        <value>ShibUserPassAuth</value>
+    </util:list>
+
+    <alias name="ValidateUsernamePasswordAgainstJAAS" alias="ValidateUsernamePassword"/>
+
+</beans>
diff --git a/conf-from-container/conf/authn/jaas.config b/conf-from-container/conf/authn/jaas.config
new file mode 100644
index 0000000..232e93d
--- /dev/null
+++ b/conf-from-container/conf/authn/jaas.config
@@ -0,0 +1,11 @@
+ShibUserPassAuth {
+    /*
+	com.sun.security.auth.module.Krb5LoginModule required;
+	*/
+
+    org.ldaptive.jaas.LdapLoginModule required
+      ldapUrl="ldap://localhost:10389"
+      baseDn="ou=people,dc=example,dc=org"
+      userFilter="uid={user}";
+
+};
\ No newline at end of file
diff --git a/conf-from-container/conf/authn/krb5-authn-config.xml b/conf-from-container/conf/authn/krb5-authn-config.xml
new file mode 100644
index 0000000..d3590a2
--- /dev/null
+++ b/conf-from-container/conf/authn/krb5-authn-config.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+    
+    <util:constant id="shibboleth.authn.Krb5.RefreshConfig" static-field="java.lang.Boolean.FALSE" />
+
+    <util:constant id="shibboleth.authn.Krb5.PreserveTicket" static-field="java.lang.Boolean.FALSE" />
+
+    <!--
+    Uncomment these beans to perform KDC verification using a service principal and keytab.
+    The keytab bean must be an absolute file pathname and not a reference to a classpath resource,
+    so if idp.home is not a path, don't use it in the value.
+    -->
+    <!--
+    <bean id="shibboleth.authn.Krb5.ServicePrincipal" class="java.lang.String" c:_0="SERVICE/principal" />
+    <bean id="shibboleth.authn.Krb5.Keytab" class="java.lang.String" c:_0="%{idp.home}/credentials/keytab" />
+    -->
+    
+    <alias name="ValidateUsernamePasswordAgainstKerberos" alias="ValidateUsernamePassword"/>
+
+</beans>
diff --git a/conf-from-container/conf/authn/ldap-authn-config.xml b/conf-from-container/conf/authn/ldap-authn-config.xml
new file mode 100644
index 0000000..56d1bc7
--- /dev/null
+++ b/conf-from-container/conf/authn/ldap-authn-config.xml
@@ -0,0 +1,135 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+       default-init-method="initialize"
+       default-destroy-method="destroy"
+       default-lazy-init="true">
+
+    <alias name="%{idp.authn.LDAP.authenticator:anonSearchAuthenticator}" alias="shibboleth.authn.LDAP.authenticator" />
+    <bean id="shibboleth.authn.LDAP.returnAttributes" parent="shibboleth.CommaDelimStringArray">
+        <constructor-arg type="java.lang.String" value="%{idp.authn.LDAP.returnAttributes:1.1}" />
+    </bean>
+
+    <alias name="ValidateUsernamePasswordAgainstLDAP" alias="ValidateUsernamePassword" />
+
+    <!-- Connection Configuration -->
+    <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig" abstract="true" p:ldapUrl="%{idp.authn.LDAP.ldapURL}"
+        p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
+        p:useSSL="%{idp.authn.LDAP.useSSL:false}"
+        p:connectTimeoutDuration="%{idp.authn.LDAP.connectTimeout:PT3S}"
+        p:responseTimeoutDuration="%{idp.authn.LDAP.responseTimeout:PT3S}"
+        p:sslConfig-ref="sslConfig" />
+
+    <alias name="%{idp.authn.LDAP.sslConfig:certificateTrust}" alias="sslConfig" />
+
+    <bean id="jvmTrust" class="org.ldaptive.ssl.SslConfig" />
+    <bean id="certificateTrust" class="org.ldaptive.ssl.SslConfig">
+        <property name="credentialConfig">
+            <bean parent="shibboleth.X509ResourceCredentialConfig" p:trustCertificates="%{idp.authn.LDAP.trustCertificates:undefined}" /> 
+        </property>
+    </bean>
+    <bean id="keyStoreTrust" class="org.ldaptive.ssl.SslConfig">
+        <property name="credentialConfig">
+            <bean parent="shibboleth.KeystoreResourceCredentialConfig" p:truststore="%{idp.authn.LDAP.trustStore:undefined}" /> 
+        </property>
+    </bean>
+
+    <!-- Authentication handler -->
+    <bean id="authHandler" class="org.ldaptive.auth.PooledBindAuthenticationHandler" p:connectionFactory-ref="bindPooledConnectionFactory" />
+    <bean id="bindPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory" p:connectionPool-ref="bindConnectionPool" />
+    <bean id="bindConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool"
+        p:connectionFactory-ref="bindConnectionFactory" p:name="bind-pool" />
+    <bean id="bindConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="bindConnectionConfig" />
+    <bean id="bindConnectionConfig" parent="connectionConfig" />
+
+    <!-- Format DN resolution -->
+    <bean id="formatDnResolver" class="org.ldaptive.auth.FormatDnResolver" p:format="%{idp.authn.LDAP.dnFormat:undefined}" />
+
+    <!-- Pool Configuration -->
+    <bean id="connectionPool" class="org.ldaptive.pool.BlockingConnectionPool" abstract="true"
+        p:blockWaitTimeDuration="%{idp.pool.LDAP.blockWaitTime:PT3S}"
+        p:poolConfig-ref="poolConfig"
+        p:pruneStrategy-ref="pruneStrategy"
+        p:validator-ref="searchValidator"
+        p:failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
+    <bean id="poolConfig" class="org.ldaptive.pool.PoolConfig"
+        p:minPoolSize="%{idp.pool.LDAP.minSize:3}"
+        p:maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
+        p:validateOnCheckOut="%{idp.pool.LDAP.validateOnCheckout:false}"
+        p:validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
+        p:validatePeriodDuration="%{idp.pool.LDAP.validatePeriod:PT5M}" />
+    <bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"
+        p:prunePeriodDuration="%{idp.pool.LDAP.prunePeriod:PT5M}"
+        p:idleTimeDuration="%{idp.pool.LDAP.idleTime:PT10M}" />
+    <bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" />
+
+    <!-- Anonymous Search Configuration -->
+    <bean name="anonSearchAuthenticator" class="org.ldaptive.auth.Authenticator" p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}">
+        <constructor-arg index="0" ref="anonSearchDnResolver" />
+        <constructor-arg index="1" ref="authHandler" />
+    </bean>
+    <bean id="anonSearchDnResolver" class="net.shibboleth.idp.authn.PooledTemplateSearchDnResolver"
+        p:baseDn="#{'%{idp.authn.LDAP.baseDN:undefined}'.trim()}"
+        p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}"
+        p:connectionFactory-ref="anonSearchPooledConnectionFactory" >
+        <constructor-arg index="0" ref="shibboleth.VelocityEngine" />
+        <constructor-arg index="1" value="#{'%{idp.authn.LDAP.userFilter:undefined}'.trim()}" />
+    </bean>
+    <bean id="anonSearchPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory"
+        p:connectionPool-ref="anonSearchConnectionPool" />
+    <bean id="anonSearchConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool"
+        p:connectionFactory-ref="anonSearchConnectionFactory" p:name="search-pool" />
+    <bean id="anonSearchConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="anonSearchConnectionConfig" />
+    <bean id="anonSearchConnectionConfig" parent="connectionConfig" />
+
+    <!-- Bind Search Configuration -->
+    <bean name="bindSearchAuthenticator" class="org.ldaptive.auth.Authenticator" p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}">
+        <constructor-arg index="0" ref="bindSearchDnResolver" />
+        <constructor-arg index="1" ref="authHandler" />
+    </bean>
+    <bean id="bindSearchDnResolver" class="net.shibboleth.idp.authn.PooledTemplateSearchDnResolver"
+        p:baseDn="#{'%{idp.authn.LDAP.baseDN:undefined}'.trim()}"
+        p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}"
+        p:connectionFactory-ref="bindSearchPooledConnectionFactory" >
+        <constructor-arg index="0" ref="shibboleth.VelocityEngine" />
+        <constructor-arg index="1" value="#{'%{idp.authn.LDAP.userFilter:undefined}'.trim()}" />
+    </bean>
+    <bean id="bindSearchPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory"
+        p:connectionPool-ref="bindSearchConnectionPool" />
+    <bean id="bindSearchConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool"
+        p:connectionFactory-ref="bindSearchConnectionFactory" p:name="search-pool" />
+    <bean id="bindSearchConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="bindSearchConnectionConfig" />
+    <bean id="bindSearchConnectionConfig" parent="connectionConfig" p:connectionInitializer-ref="bindConnectionInitializer" />
+    <bean id="bindConnectionInitializer" class="org.ldaptive.BindConnectionInitializer"
+            p:bindDn="#{'%{idp.authn.LDAP.bindDN:undefined}'.trim()}">
+        <property name="bindCredential">
+            <bean class="org.ldaptive.Credential">
+                <constructor-arg value="%{idp.authn.LDAP.bindDNCredential:undefined}" />
+            </bean>
+        </property>
+    </bean>
+
+    <!-- Direct Search Configuration -->
+    <bean name="directAuthenticator" class="org.ldaptive.auth.Authenticator" p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}">
+        <constructor-arg index="0" ref="formatDnResolver" />
+        <constructor-arg index="1" ref="authHandler" />
+    </bean>
+
+    <!-- Want to use ppolicy? Configure support by adding <bean id="authenticationResponseHandler" class="org.ldaptive.auth.ext.PasswordPolicyAuthenticationResponseHandler" 
+        /> add p:authenticationResponseHandlers-ref="authenticationResponseHandler" to the authenticator <bean id="authenticationControl" 
+        class="org.ldaptive.control.PasswordPolicyControl" /> add p:authenticationControls-ref="authenticationControl" to the authHandler -->
+
+    <!-- Active Directory Configuration -->
+    <bean id="adAuthenticator" class="org.ldaptive.auth.Authenticator" p:authenticationResponseHandlers-ref="authenticationResponseHandler"
+        p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}">
+        <constructor-arg index="0" ref="formatDnResolver" />
+        <constructor-arg index="1" ref="authHandler" />
+    </bean>
+    <bean id="authenticationResponseHandler" class="org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandler" />
+
+</beans>
diff --git a/conf-from-container/conf/authn/mfa-authn-config.xml b/conf-from-container/conf/authn/mfa-authn-config.xml
new file mode 100644
index 0000000..c47c901
--- /dev/null
+++ b/conf-from-container/conf/authn/mfa-authn-config.xml
@@ -0,0 +1,94 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!--
+    This is a map of transition rules that guide the behavior of the MFA flow
+    and controls how factors are sequenced, skipped, etc. The key of each entry
+    is the name of the step/flow out of which control is passing. The starting
+    rule has an empty key.
+    
+    Each entry is a bean inherited from "shibboleth.authn.MFA.Transition". Per
+    the Javadoc for net.shibboleth.idp.authn.MultiFactorAuthenticationTransition:
+            
+        p:nextFlow (String)
+            - A flow to run if the previous step signaled a "proceed" event, for simple
+                transitions.
+                
+        p:nextFlowStrategy (Function<ProfileRequestContext,String>)
+            - A function to run if the previous step signaled a "proceed" event, for dynamic
+                transitions. Returning null ends the MFA process.
+            
+        p:nextFlowStrategyMap (Map<String,Object> where Object is String or Function<ProfileRequestContext,String>)
+            - Fully dynamic way of expressing control paths. Map is keyed by a previously
+                signaled event and the value is a flow to run or a function to
+                return the flow to run. Returning null ends the MFA process.
+                
+    When no rule is provided, there's an implicit "null" that ends the MFA flow
+    with whatever event was last signaled. If the "proceed" event from a step is
+    the final event, then the MFA process attempts to complete itself successfully.
+    -->
+    <util:map id="shibboleth.authn.MFA.TransitionMap">
+        <!-- First rule runs the IPAddress login flow. -->
+        <entry key="">
+            <bean parent="shibboleth.authn.MFA.Transition" p:nextFlow="authn/IPAddress" />
+        </entry>
+        
+        <!--
+        Second rule runs a function if IPAddress succeeds, to determine whether an additional
+        factor is required.
+        -->
+        <entry key="authn/IPAddress">
+            <bean parent="shibboleth.authn.MFA.Transition" p:nextFlowStrategy-ref="checkSecondFactor" />
+        </entry>
+        
+        <!-- An implicit final rule will return whatever the final flow returns. -->
+    </util:map>
+
+    <!-- Example script to see if second factor is required. -->
+    <bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
+        p:customObject-ref="shibboleth.AttributeResolverService">
+        <constructor-arg>
+            <value>
+            <![CDATA[
+                nextFlow = "authn/Password";
+
+                // Go straight to second factor if we have to, or set up for an attribute lookup first.
+                authCtx = input.getSubcontext("net.shibboleth.idp.authn.context.AuthenticationContext");
+                mfaCtx = authCtx.getSubcontext("net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext");
+                if (mfaCtx.isAcceptable()) {
+                    // Attribute check is required to decide if first factor alone is enough.
+                    resCtx = input.getSubcontext(
+                        "net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext", true);
+                    resCtx.setPrincipal(input.getSubcontext(
+                        "net.shibboleth.idp.authn.context.SubjectCanonicalizationContext").getPrincipalName());
+                    resCtx.getRequestedIdPAttributeNames().add("allowedLoginMethods");
+                    resCtx.resolveAttributes(custom);
+                    
+                    // Check for an attribute that authorizes use of first factor.
+                    attribute = resCtx.getResolvedIdPAttributes().get("allowedLoginMethods");
+                    valueType =  Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
+                    if (attribute != null && attribute.getValues().contains(new valueType("IPAddress"))) {
+                        nextFlow = null;
+                    }
+                    
+                    input.removeSubcontext(resCtx);   // cleanup
+                }
+                
+                nextFlow;   // pass control to second factor or end with the first
+            ]]>
+            </value>
+        </constructor-arg>
+    </bean>
+    
+</beans>
diff --git a/conf-from-container/conf/authn/password-authn-config.xml b/conf-from-container/conf/authn/password-authn-config.xml
new file mode 100644
index 0000000..f27051b
--- /dev/null
+++ b/conf-from-container/conf/authn/password-authn-config.xml
@@ -0,0 +1,121 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+    
+    <!-- Choose an import based on the back-end you want to use. -->
+    <!-- <import resource="jaas-authn-config.xml" /> -->
+    <!-- <import resource="krb5-authn-config.xml" /> -->
+    <import resource="ldap-authn-config.xml" />
+    
+    
+    <!-- Names of form fields to pull username and password from. -->
+    <bean id="shibboleth.authn.Password.UsernameFieldName" class="java.lang.String" c:_0="j_username" />
+    <bean id="shibboleth.authn.Password.PasswordFieldName" class="java.lang.String" c:_0="j_password" />
+    <bean id="shibboleth.authn.Password.SSOBypassFieldName" class="java.lang.String" c:_0="donotcache" />
+
+    <!-- Simple transforms to apply to username before validation. -->
+    <util:constant id="shibboleth.authn.Password.Lowercase" static-field="java.lang.Boolean.FALSE"/>
+    <util:constant id="shibboleth.authn.Password.Uppercase" static-field="java.lang.Boolean.FALSE"/>
+    <util:constant id="shibboleth.authn.Password.Trim" static-field="java.lang.Boolean.TRUE"/>
+
+    <!-- Set to TRUE if you want the password kept in the resulting Subject as a private credential. -->
+    <util:constant id="shibboleth.authn.Password.RetainAsPrivateCredential" static-field="java.lang.Boolean.FALSE"/>
+
+    <!-- Apply any regular expression replacement pairs to username before validation. -->
+    <util:list id="shibboleth.authn.Password.Transforms">
+        <!--
+        <bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" />
+        -->
+    </util:list>
+    
+    <!-- Uncomment to configure account lockout backed by in-memory storage. -->
+    <!--
+    <bean id="shibboleth.authn.Password.AccountLockoutManager"
+        parent="shibboleth.StorageBackedAccountLockoutManager"
+        p:maxAttempts="5"
+        p:counterInterval="PT5M"
+        p:lockoutDuration="PT5M"
+        p:extendLockoutDuration="false" />
+    -->
+
+    <!--
+    Define entries here to map error messages detected by validation actions and classify them as particular
+    kinds of errors for use in your templates and as events in flows.
+
+    Keys are events to signal, values are error codes.
+    -->
+    <util:map id="shibboleth.authn.Password.ClassifiedMessageMap">
+        <entry key="UnknownUsername">
+            <list>
+                <value>NoCredentials</value>
+                <value>CLIENT_NOT_FOUND</value>
+                <value>Client not found</value>
+                <value>DN_RESOLUTION_FAILURE</value>
+            </list>
+        </entry>
+        <entry key="InvalidPassword">
+            <list>
+                <value>InvalidCredentials</value>
+                <value>PREAUTH_FAILED</value>
+                <value>INVALID_CREDENTIALS</value>
+                <value>Checksum failed</value>
+            </list>
+        </entry>
+        <entry key="AccountLocked">
+            <list>
+                <value>AccountLocked</value>
+                <value>Clients credentials have been revoked</value>
+            </list>
+        </entry>
+        <entry key="ExpiredPassword">
+            <list>
+                <value>PASSWORD_EXPIRED</value>
+            </list>
+        </entry>
+        <entry key="ExpiringPassword">
+            <list>
+                <value>ACCOUNT_WARNING</value>
+            </list>
+        </entry>
+    </util:map>
+
+    <!--
+    Configuration of "extended" login methods to offer in the password login form.
+    
+    The String bean is a regular expression identifying the flows to offer. These flows
+    must also be enabled at the "top" level to be available for use.
+    
+    The ExtendedFlowParameters bean can be used to transfer custom parameters from the
+    login form into the context tree for use later by other flows.
+    
+    The last bean provides the set of custom Principals to use for results produced by the
+    Password flow itself. You would use this if you need the Password flow to run as a shell
+    to run the "extended" login methods, but want to limit its own results more narrowly.
+    -->
+    <!--
+    <bean id="shibboleth.authn.Password.ExtendedFlows" class="java.lang.String" c:_0="" />
+
+    <util:list id="shibboleth.authn.Password.ExtendedFlowParameters">
+    </util:list>
+
+    <util:list id="shibboleth.authn.Password.PrincipalOverride">
+        <bean parent="shibboleth.SAML2AuthnContextClassRef"
+            c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
+        <bean parent="shibboleth.SAML2AuthnContextClassRef"
+            c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:Password" />
+        <bean parent="shibboleth.SAML1AuthenticationMethod"
+            c:method="urn:oasis:names:tc:SAML:1.0:am:password" />
+    </util:list>
+    -->
+    
+</beans>
diff --git a/conf-from-container/conf/authn/remoteuser-authn-config.xml b/conf-from-container/conf/authn/remoteuser-authn-config.xml
new file mode 100644
index 0000000..4b7e722
--- /dev/null
+++ b/conf-from-container/conf/authn/remoteuser-authn-config.xml
@@ -0,0 +1,75 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!-- Servlet context-relative path to wherever your implementation lives. -->
+    <bean id="shibboleth.authn.RemoteUser.externalAuthnPath" class="java.lang.String"
+        c:_0="contextRelative:Authn/RemoteUser" />
+    
+    <!--
+    Default is to always use the path in the bean above. If you want to determine it
+    dynamically, define a bean called "shibboleth.authn.RemoteUser.externalAuthnPathStrategy"
+    of type Function<ProfileRequestContext,String> that returns the path to use.
+    -->
+
+    <!--
+    Add authentication flow descriptor's supportedPrincipals collection to the resulting Subject?
+    You would normally only unset this if you plan to use the authnMethodHeader servlet parameter to
+    supply authentication method string(s) from the external authentication system.
+    -->
+    <util:constant id="shibboleth.authn.RemoteUser.addDefaultPrincipals" static-field="java.lang.Boolean.TRUE" />
+
+    <!--
+    <bean id="shibboleth.authn.RemoteUser.matchExpression" class="java.util.regex.Pattern" factory-method="compile"
+        c:_0="^(.+)@example\.edu]$" />
+    -->
+
+    <!--
+    Define entries here to map error messages returned by external modules and classify them as particular
+    kinds of errors for use in your templates and as events in flows.
+
+    Keys are events to signal, values are error codes.
+
+    The examples here just allow external signaling of an exact condition.
+    
+    If you want to "fall-through" to other login flows, include a mapping to "ReselectFlow".
+    -->
+    <util:map id="shibboleth.authn.RemoteUser.ClassifiedMessageMap">
+        <entry key="ReselectFlow">
+            <list>
+                <value>NoCredentials</value>
+            </list>
+        </entry>
+        <entry key="UnknownUsername">
+            <list>
+                <value>UnknownUsername</value>
+            </list>
+        </entry>
+        <entry key="InvalidPassword">
+            <list>
+                <value>InvalidPassword</value>
+            </list>
+        </entry>
+        <entry key="ExpiredPassword">
+            <list>
+                <value>ExpiredPassword</value>
+            </list>
+        </entry>
+        <entry key="ExpiringPassword">
+            <list>
+                <value>ExpiringPassword</value>
+            </list>
+        </entry>
+    </util:map>
+    
+</beans>
diff --git a/conf-from-container/conf/authn/remoteuser-internal-authn-config.xml b/conf-from-container/conf/authn/remoteuser-internal-authn-config.xml
new file mode 100644
index 0000000..9e68c85
--- /dev/null
+++ b/conf-from-container/conf/authn/remoteuser-internal-authn-config.xml
@@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!-- Check getRemoteUser() for identity (the typical case). -->
+    <util:constant id="shibboleth.authn.RemoteUser.checkRemoteUser" static-field="java.lang.Boolean.TRUE"/>
+
+    <!-- Populate one or both of the lists below to define HTTP headers or Servlet Attributes to check. -->
+    
+    <util:list id="shibboleth.authn.RemoteUser.checkHeaders">
+        <!--
+        <value>User-Identity</value>
+        -->
+    </util:list>
+
+    <util:list id="shibboleth.authn.RemoteUser.checkAttributes">
+        <!--
+        <value>User-Identity</value>
+        -->
+    </util:list>
+    
+    <!-- Simple transforms to apply to username before validation. -->
+    <util:constant id="shibboleth.authn.RemoteUser.Lowercase" static-field="java.lang.Boolean.FALSE"/>
+    <util:constant id="shibboleth.authn.RemoteUser.Uppercase" static-field="java.lang.Boolean.FALSE"/>
+    <util:constant id="shibboleth.authn.RemoteUser.Trim" static-field="java.lang.Boolean.TRUE"/>
+
+    <!-- Apply any regular expression replacement pairs before validation. -->
+    <util:list id="shibboleth.authn.RemoteUser.Transforms">
+        <!--
+        <bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" />
+        -->
+    </util:list>
+    
+    <!-- Uncomment/configure to install username whitelist, blacklist, and/or match expressions. -->
+    
+    <util:list id="shibboleth.authn.RemoteUser.whitelistedUsernames">
+        <!--
+        <value>goodguy</value>
+        -->
+    </util:list>
+
+    <util:list id="shibboleth.authn.RemoteUser.blacklistedUsernames">
+        <!--
+        <value>badguy</value>
+        -->
+    </util:list>
+    
+    <!--
+    <bean id="shibboleth.authn.RemoteUser.matchExpression" class="java.util.regex.Pattern" factory-method="compile"
+        c:_0="^(.+)@example\.edu]$" />
+    -->
+    
+</beans>
diff --git a/conf-from-container/conf/authn/spnego-authn-config.xml b/conf-from-container/conf/authn/spnego-authn-config.xml
new file mode 100644
index 0000000..07563b9
--- /dev/null
+++ b/conf-from-container/conf/authn/spnego-authn-config.xml
@@ -0,0 +1,74 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!--  General Configuration -->
+
+    <!--
+    Enforce running SPNEGO for all users, independent of user's autologin state.
+    TRUE means that SPNEGO login is always tried (if available).
+    FALSE means that SPNEGO login is run only if the user has enabled autologin.
+    -->
+    <util:constant id="shibboleth.authn.SPNEGO.EnforceRun" static-field="java.lang.Boolean.FALSE" />
+   
+    <!-- Kerberos Configuration-->
+
+    <!-- General Kerberos Settings -->
+    
+    <util:constant id="shibboleth.authn.SPNEGO.Krb5.RefreshConfig" static-field="java.lang.Boolean.FALSE" />
+
+    <!--  Kerberos Service Principal(s) -->
+    
+    <!--
+    For each service principal/realm, a "RealmSettings" bean must be created.
+    For each "RealmSettings" bean, the following settings are supported:
+      p:servicePrincipal: - kerberos service principal (required)
+      p:keytab:           - path to the keytab file containing the kerberos service principal's credentials
+                            (optional; either "p:keytab" or "p:password" is required)
+      p:password:         - kerberos service principal's password
+                            (optional; either "p:keytab" or "p:password" is required)
+    -->
+    <util:list id="shibboleth.authn.SPNEGO.Krb5.Realms">
+
+        <bean parent="shibboleth.KerberosRealmSettings"
+            p:servicePrincipal="HTTP/aai-logon.domain_a.com@DOMAIN_A.COM"
+            p:keytab="%{idp.home}/credentials/http_domainA.keytab" />
+
+    </util:list>
+
+    <!--
+    <bean id="shibboleth.authn.SPNEGO.matchExpression" class="java.util.regex.Pattern" factory-method="compile"
+        c:_0="^(.+)@example\.edu]$" />
+    -->
+
+    <!--
+    Define entries here to map events or error messages returned by the SPNEGO module
+    and classify them as particular kinds of errors for use in your templates and as
+    events in flows.
+
+    Keys are events to signal, values are error codes.
+    -->
+    <util:map id="shibboleth.authn.SPNEGO.ClassifiedMessageMap">
+        <entry key="SPNEGONotAvailable">
+            <list>
+                <value>SPNEGONotAvailable</value>
+            </list>
+        </entry>
+        <entry key="NTLMUnsupported">
+            <list>
+                <value>NTLMUnsupported</value>
+            </list>
+        </entry>
+    </util:map>
+ 
+</beans>
diff --git a/conf-from-container/conf/authn/x509-authn-config.xml b/conf-from-container/conf/authn/x509-authn-config.xml
new file mode 100644
index 0000000..18b015a
--- /dev/null
+++ b/conf-from-container/conf/authn/x509-authn-config.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!-- Servlet context-relative path to wherever your implementation lives. -->
+    <bean id="shibboleth.authn.X509.externalAuthnPath" class="java.lang.String"
+        c:_0="contextRelative:x509-prompt.jsp" />
+
+    <!--
+    Default is to always use the path in the bean above. If you want to determine it
+    dynamically, define a bean called "shibboleth.authn.X509.externalAuthnPathStrategy"
+    of type Function<ProfileRequestContext,String> that returns the path to use.
+    -->
+
+    <!--
+    Define entries here to map error messages returned by external modules and classify them as particular
+    kinds of errors for use in your templates and as events in flows.
+
+    Keys are events to signal, values are error codes.
+    
+    The examples here just allow external signaling of an exact condition.
+    
+    If you want to "fall-through" to other login flows, include a mapping to "ReselectFlow".
+    -->
+    <util:map id="shibboleth.authn.X509.ClassifiedMessageMap">
+        <entry key="ReselectFlow">
+            <list>
+                <value>NoCredentials</value>
+                <value>InvalidCredentials</value>
+            </list>
+        </entry>
+    </util:map>
+    
+</beans>
diff --git a/conf-from-container/conf/authn/x509-internal-authn-config.xml b/conf-from-container/conf/authn/x509-internal-authn-config.xml
new file mode 100644
index 0000000..bad3029
--- /dev/null
+++ b/conf-from-container/conf/authn/x509-internal-authn-config.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!--
+    You can define a TrustEngine to apply to any candidate certificates by defining a bean named
+    "shibboleth.authn.X509.TrustEngine". You could also define that in conf/global.xml if you need
+    to share one between the internal and external versions of this flow.
+    -->
+    
+</beans>
diff --git a/conf-from-container/conf/c14n/attribute-sourced-subject-c14n-config.xml b/conf-from-container/conf/c14n/attribute-sourced-subject-c14n-config.xml
new file mode 100644
index 0000000..938b30f
--- /dev/null
+++ b/conf-from-container/conf/c14n/attribute-sourced-subject-c14n-config.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!--
+    A list of attributes to resolve for normalizing the subject. For example, you might
+    intend to lookup a uid in a directory based on what the user entered. You can make this
+    an empty list if you just want to resolve everything you normally would.
+    -->
+    <util:list id="shibboleth.c14n.attribute.AttributesToResolve">
+        <value>altuid</value>
+    </util:list>
+    
+    <!--
+    A list of attributes to search for a value to produce as the normalized subject name.
+    This will normally be something you resolve above.
+    -->
+    <util:list id="shibboleth.c14n.attribute.AttributeSourceIds">
+        <value>altuid</value>
+    </util:list>
+
+    <!-- Simple transforms to apply to attribute value used for canonicalization result. -->
+    <util:constant id="shibboleth.c14n.attribute.Lowercase" static-field="java.lang.Boolean.FALSE"/>
+    <util:constant id="shibboleth.c14n.attribute.Uppercase" static-field="java.lang.Boolean.FALSE"/>
+    <util:constant id="shibboleth.c14n.attribute.Trim" static-field="java.lang.Boolean.TRUE"/>
+
+    <!-- Apply any regular expression replacement pairs. -->
+    <util:list id="shibboleth.c14n.attribute.Transforms">
+        <!--
+        <bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" />
+        -->
+    </util:list>
+        
+</beans>
diff --git a/conf-from-container/conf/c14n/simple-subject-c14n-config.xml b/conf-from-container/conf/c14n/simple-subject-c14n-config.xml
new file mode 100644
index 0000000..3cddfa6
--- /dev/null
+++ b/conf-from-container/conf/c14n/simple-subject-c14n-config.xml
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!-- Simple transforms to apply to username after authentication. -->
+    <util:constant id="shibboleth.c14n.simple.Lowercase" static-field="java.lang.Boolean.FALSE"/>
+    <util:constant id="shibboleth.c14n.simple.Uppercase" static-field="java.lang.Boolean.FALSE"/>
+    <util:constant id="shibboleth.c14n.simple.Trim" static-field="java.lang.Boolean.TRUE"/>
+
+    <!-- Apply any regular expression replacement pairs after authentication. -->
+    <util:list id="shibboleth.c14n.simple.Transforms">
+        <!--
+        <bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" />
+        -->
+    </util:list>
+        
+</beans>
diff --git a/conf-from-container/conf/c14n/subject-c14n-events-flow.xml b/conf-from-container/conf/c14n/subject-c14n-events-flow.xml
new file mode 100644
index 0000000..d7458cd
--- /dev/null
+++ b/conf-from-container/conf/c14n/subject-c14n-events-flow.xml
@@ -0,0 +1,18 @@
+<flow xmlns="http://www.springframework.org/schema/webflow"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd"
+      abstract="true">
+
+    <!-- ADVANCED USE ONLY -->
+    
+    <!--
+    You can ignore this file unless you are creating your own custom c14n subflows that want to
+    report custom events in response to unusual error or warning conditions.
+    -->
+
+    <!-- Custom error events to reflect back from user-supplied c14n subflows. -->
+    <!--
+    <end-state id="MyCustomEvent" />
+    -->
+
+</flow>
diff --git a/conf-from-container/conf/c14n/subject-c14n.xml b/conf-from-container/conf/c14n/subject-c14n.xml
new file mode 100644
index 0000000..16fc6f1
--- /dev/null
+++ b/conf-from-container/conf/c14n/subject-c14n.xml
@@ -0,0 +1,109 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+    
+    <!-- ========================= Java Subject -> Principal Mapping ========================= -->
+
+    <!--
+    These are lists of Subject Canonicalization flows that turn complex Subject data into a string-based
+    principal name that the rest of the IdP can operate on. They're used both after authentication and
+    during operations like SAML attribute queries, to map the SAML Subject into a principal name. 
+    Flows are identified with an ID that corresponds to a Spring Web Flow subflow name.
+    -->
+
+    <!-- Flows used after authentication to produce canonical principal name. -->
+    <util:list id="shibboleth.PostLoginSubjectCanonicalizationFlows">
+        <!--
+        This is an advanced post-login step that performs attribute resolution and then produces a username
+        from an attribute value. Most of this configuration is handled by attribute-sourced-c14n-config.xml.
+        To enable universally, just uncomment, but if you want it to run under more specific conditions,
+        set an activationCondition property to a condition function to use to control when it should run. 
+        -->
+        <!-- <bean id="c14n/attribute" parent="shibboleth.PostLoginSubjectCanonicalizationFlow" /> -->
+
+        <!--
+        This is an alternative that handles Subjects containing an X500Principal object and
+        allows extraction from the DN.
+        -->
+        <ref bean="c14n/x500" />
+
+        <!--
+        This is the standard post-login step that returns a username derived from the login process. If you
+        have more complex needs such as mapping a certificate DN into a principal name, an alternative may
+        be required such as that above, but you can configure simple transforms in simple-subject-c14n-config.xml
+        -->
+        <ref bean="c14n/simple" />
+    </util:list>
+    
+    <!--
+    Flows used during SAML requests to reverse-map NameIdentifiers/NameIDs. The actual beans defining these
+    flows are in a system file. Below the list are some settings that might be useful to adjust.
+    -->
+    <util:list id="shibboleth.SAMLSubjectCanonicalizationFlows">
+
+        <!--
+        This is installed to support the old mechanism of using PrincipalConnectors in the attribute resolver
+        to map SAML Subjects back into principals. If you don't use those (or this is a new install) you can
+        remove this.
+        -->
+        <ref bean="c14n/LegacyPrincipalConnector" />
+        
+        <!-- The next four are for handling transient IDs (in-storage and stateless variants). -->
+        <ref bean="c14n/SAML2Transient" />
+        <ref bean="c14n/SAML2CryptoTransient" />
+        <ref bean="c14n/SAML1Transient" /> 
+        <ref bean="c14n/SAML1CryptoTransient" /> 
+        
+        <!-- Handle a SAML 2 persistent ID, provided a stored strategy is in use. -->
+        <!-- <ref bean="c14n/SAML2Persistent" /> -->
+        
+        <!--
+        Finally we have beans for decoding arbitrary SAML formats directly. By default, these are turned off,
+        having *no* circumstances for which they apply (see shibboleth.TransformNamePredicate below).
+        -->
+        <ref bean="c14n/SAML2Transform" />
+        <ref bean="c14n/SAML1Transform" />
+    </util:list>
+    
+    <!-- What SAML NameID formats do you want to support direct transformations for? -->
+    <util:list id="shibboleth.NameTransformFormats">
+        <value>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</value>
+        <value>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</value>
+        <value>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</value>
+        <value>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</value>
+        <value>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</value>
+    </util:list>
+
+    <!--
+    Under what conditions should direct NameID mapping be allowed? By default, never.
+    Any condition can be used here; the example is suitable for enumerating a number of SPs to allow.
+    -->
+    <bean id="shibboleth.NameTransformPredicate" parent="shibboleth.Conditions.RelyingPartyId">
+        <constructor-arg>
+            <list>
+                <!-- <value>https://sp.example.org</value> -->
+            </list>
+        </constructor-arg>
+    </bean>
+    
+    <!--
+    Regular expression transforms to apply to incoming subject names. The default empty list just
+    echoes the name through unmodified.
+    -->
+    <util:list id="shibboleth.NameTransforms">
+        <!--
+        <bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" />
+        -->
+    </util:list>
+    
+</beans>
diff --git a/conf-from-container/conf/c14n/x500-subject-c14n-config.xml b/conf-from-container/conf/c14n/x500-subject-c14n-config.xml
new file mode 100644
index 0000000..1ae25e4
--- /dev/null
+++ b/conf-from-container/conf/c14n/x500-subject-c14n-config.xml
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!-- First priority is given to any subjectAltNames specified (emailAddress is 1) -->
+    <util:list id="shibboleth.c14n.x500.SubjectAltNameTypes">
+        <!-- <value>1</value> -->
+    </util:list>
+
+    <!-- Second priority is a list of Certificate Subject RDN OIDs to look for. -->
+    <util:list id="shibboleth.c14n.x500.ObjectIDs">
+        <value>2.5.4.3</value>
+    </util:list>
+
+    <!-- Simple transforms to apply to username after authentication. -->
+    <util:constant id="shibboleth.c14n.x500.Lowercase" static-field="java.lang.Boolean.FALSE"/>
+    <util:constant id="shibboleth.c14n.x500.Uppercase" static-field="java.lang.Boolean.FALSE"/>
+    <util:constant id="shibboleth.c14n.x500.Trim" static-field="java.lang.Boolean.TRUE"/>
+
+    <!-- Apply any regular expression replacement pairs after authentication. -->
+    <util:list id="shibboleth.c14n.x500.Transforms">
+        <!--
+        <bean parent="shibboleth.Pair" p:first="^(.+)@example\.edu$" p:second="$1" />
+        -->
+    </util:list>
+        
+</beans>
diff --git a/conf-from-container/conf/cas-protocol.xml b/conf-from-container/conf/cas-protocol.xml
new file mode 100644
index 0000000..d0b3d55
--- /dev/null
+++ b/conf-from-container/conf/cas-protocol.xml
@@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!--
+       | The CAS service registry defines verified relying parties by endpoint URI.
+       | The default implementation treats the ID of each entry as a regular expression defining a logical group of
+       | services whose URIs match the expression.
+       |
+       | This bean is reloaded periodically according to %{idp.home}/conf/services.properties.
+       -->
+    <bean id="reloadableServiceRegistry"
+          class="%{idp.cas.serviceRegistryClass:net.shibboleth.idp.cas.service.PatternServiceRegistry}">
+        <property name="definitions">
+            <list>
+                <!--
+                <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
+                      c:regex="https://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*"
+                      p:group="proxying-services"
+                      p:authorizedToProxy="true"
+                      p:singleLogoutParticipant="true" />
+                <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
+                      c:regex="http://([A-Za-z0-9_-]+\.)*example\.org(:\d+)?/.*"
+                      p:group="non-proxying-services"
+                      p:authorizedToProxy="false" /
+                -->
+            </list>
+        </property>
+    </bean>
+
+    <!--
+       | The default ticket service as of 3.3.0 serializes ticket data into the opaque section of the ticket ID
+       | for service tickets and proxy tickets. Proxy-granting tickets still require server-side storage, and
+       | a StorageService defined by the idp.cas.StorageService is used. Thus for deployers that do not require
+       | CAS proxy capabilities, no stateful storage mechanism is required; that means no memcached or database
+       | is required for HA deployments that want CAS (without proxy) support. A notable limitation of the new
+       | component is that the one-time use feature of service and proxy tickets is not available due to the lack
+       | of a ticket-tracking mechanism. Instead, tickets expire when their expiration period is exceeded.
+       | If this limitation is of concern, one may consider decreasing ticketValidityPeriod on the profile
+       | configuration from the default 15000ms.
+       -->
+    <alias name="encodingTicketService" alias="shibboleth.CASTicketService" />
+
+    <!--
+       | Uncomment the following element and comment out the above to enable the previous default ticket service
+       | that uses a StorageService for ticket persistence. Use this if the one-time use limitation of
+       | EncodingTicketService is problematic and can't be mitigated by decreasing ticketValidityPeriod.
+       -->
+    <!--<alias name="simpleTicketService" alias="shibboleth.CASTicketService" /> -->
+
+    <!--
+       | The predicate used to determine whether IdP session validation is performed during the process of granting
+       | a proxy ticket. When the predicate evaluates to true, an IdP session is resolved and validated prior to
+       | granting a proxy ticket. This feature prevents issuing proxy tickets when an IdP session is expired, but comes
+       | at the cost of requiring server-side storage of IdP session data. If this is configured to a predicate that
+       | evaluates to true under any condition, a server-side storage service must be enabled for IdP session
+       | storage. The most common non-default value is "alwaysTrue."
+       -->
+    <bean id="shibboleth.CASProxyValidateIdPSessionPredicate"
+          class="com.google.common.base.Predicates"
+          factory-method="alwaysFalse" />
+
+
+    <!-- ============== Advanced CAS Configuration ============== -->
+
+    <!-- Configure a third-party ticket service. -->
+    <!--
+    <bean id="shibboleth.CASTicketService"
+          class="org.example.idp.cas.CustomTicketService" />
+    -->
+
+    <!-- Configure a third-party proxy authenticator. -->
+    <!--
+    <bean id="shibboleth.CASProxyAuthenticator"
+          class="org.example.idp.cas.CustomProxyAuthenticator" />
+    -->
+</beans>
\ No newline at end of file
diff --git a/conf-from-container/conf/credentials.xml b/conf-from-container/conf/credentials.xml
new file mode 100644
index 0000000..7462879
--- /dev/null
+++ b/conf-from-container/conf/credentials.xml
@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!--
+    NOTE: if you're using a legacy relying-party.xml file from a V2 configuration, this file is ignored.
+
+    This defines the signing and encryption key and certificate pairs referenced by your relying-party.xml
+    configuration. You don't normally need to touch this, unless you have advanced requirements such as
+    supporting multiple sets of keys for different relying parties, in which case you may want to define
+    all your credentials here for convenience.
+    -->
+
+    <!--
+    The list of ALL of your IdP's signing credentials. If you define additional signing credentials,
+    for example for specific relying parties or different key types, make sure to include them within this list.
+    -->
+    <util:list id="shibboleth.SigningCredentials">
+        <ref bean="shibboleth.DefaultSigningCredential" />
+    </util:list>
+    
+    <!-- Your IdP's default signing key, set via property file. -->
+    <bean id="shibboleth.DefaultSigningCredential"
+        class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
+        p:privateKeyResource="%{idp.signing.key}"
+        p:certificateResource="%{idp.signing.cert}"
+        p:entityId-ref="entityID" />
+        
+    <!--
+    The list of ALL of your IdP's encryption credentials. By default this is just an alias
+    for 'shibboleth.DefaultEncryptionCredentials'. It could be re-defined as
+    a list with additional credentials if needed.
+    -->
+    <alias alias="shibboleth.EncryptionCredentials" name="shibboleth.DefaultEncryptionCredentials" />
+        
+    <!-- Your IdP's default encryption (really decryption) keys, set via property file. -->
+    <util:list id="shibboleth.DefaultEncryptionCredentials">
+        <bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
+            p:privateKeyResource="%{idp.encryption.key}"
+            p:certificateResource="%{idp.encryption.cert}"
+            p:entityId-ref="entityID" />
+
+        <!--
+        For key rollover, uncomment and point to your original keypair, and use the one above
+        to point to your new keypair. Once metadata has propagated, comment this one out again.
+        -->
+        <!--
+        <bean class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
+            p:privateKeyResource="%{idp.encryption.key.2}"
+            p:certificateResource="%{idp.encryption.cert.2}"
+            p:entityId-ref="entityID" />
+        -->
+    </util:list>
+
+</beans>
diff --git a/conf-from-container/conf/errors.xml b/conf-from-container/conf/errors.xml
new file mode 100644
index 0000000..5de522f
--- /dev/null
+++ b/conf-from-container/conf/errors.xml
@@ -0,0 +1,120 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
+    xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+    default-init-method="initialize"
+    default-destroy-method="destroy">
+
+    <bean id="shibboleth.DefaultErrorView" class="java.lang.String" c:_0="%{idp.errors.defaultView:error}" />
+
+    <!-- Map local events to alternate view templates. -->
+    <util:map id="shibboleth.EventViewMap">
+        <!-- <entry key="EventToChange" value="viewname" /> -->
+    </util:map>
+
+    <!--
+    Map of events to trap and handle with local views, without returning to SPs.
+    The map values are flags indicating whether to write an audit log record.
+    -->
+    <util:map id="shibboleth.LocalEventMap">
+        <entry key="ContextCheckDenied" value="true" />
+        <entry key="AttributeReleaseRejected" value="true" />
+        <entry key="TermsRejected" value="true" />
+        <entry key="RuntimeException" value="false" />
+        <!--
+        <entry key="IdentitySwitch" value="false" />
+        <entry key="NoPotentialFlow" value="false" />
+        -->
+    </util:map>
+    
+    <!-- Mappings of error events during requests to SAML status codes and SOAP fault codes. -->
+
+    <util:map id="shibboleth.SAML1StatusMappings">
+        <entry key="InvalidMessageVersion" value-ref="shibboleth.SAML1Status.VersionMismatch" />
+        
+        <entry key="UnableToDecode" value-ref="shibboleth.SAML1Status.Requester" />
+        
+        <entry key="UnableToEncode" value-ref="shibboleth.SAML1Status.Requester" />
+
+        <entry key="MessageReplay" value-ref="shibboleth.SAML1Status.Requester" />
+        <entry key="MessageExpired" value-ref="shibboleth.SAML1Status.Requester" />
+        <entry key="MessageAuthenticationError" value-ref="shibboleth.SAML1Status.Requester" />
+
+        <entry key="RequestUnsupported" value-ref="shibboleth.SAML1Status.Requester" />
+        
+        <entry key="NoPassive" value-ref="shibboleth.SAML1Status.Requester" />
+        <entry key="NoPotentialFlow" value-ref="shibboleth.SAML1Status.Requester" />
+        <entry key="NoCredentials" value-ref="shibboleth.SAML1Status.Requester" />
+        <entry key="InvalidCredentials" value-ref="shibboleth.SAML1Status.Requester" />
+        <entry key="AccountError" value-ref="shibboleth.SAML1Status.Requester" />
+        <entry key="IdentitySwitch" value-ref="shibboleth.SAML1Status.Requester" />
+        <entry key="AuthenticationException" value-ref="shibboleth.SAML1Status.Requester" />
+        
+        <entry key="InvalidSubject" value-ref="shibboleth.SAML1Status.Requester" />
+        <entry key="SubjectCanonicalizationError" value-ref="shibboleth.SAML1Status.Requester" />
+    </util:map>
+    
+    <util:map id="shibboleth.SAML2StatusMappings">
+        <entry key="InvalidMessageVersion" value-ref="shibboleth.SAML2Status.VersionMismatch" />
+        
+        <entry key="UnableToDecode" value-ref="shibboleth.SAML2Status.RequestUnsupported" />
+        
+        <entry key="UnableToEncode" value-ref="shibboleth.SAML2Status.UnsupportedBinding" />
+
+        <entry key="MessageReplay" value-ref="shibboleth.SAML2Status.RequestDenied" />
+        <entry key="MessageExpired" value-ref="shibboleth.SAML2Status.RequestDenied" />
+        <entry key="MessageAuthenticationError" value-ref="shibboleth.SAML2Status.RequestDenied" />
+        
+        <entry key="RequestUnsupported" value-ref="shibboleth.SAML2Status.NoAuthnContext" />
+        
+        <entry key="NoPassive" value-ref="shibboleth.SAML2Status.NoPassive" />
+        
+        <entry key="NoPotentialFlow" value-ref="shibboleth.SAML2Status.AuthnFailed" />
+        <entry key="NoCredentials" value-ref="shibboleth.SAML2Status.AuthnFailed" />
+        <entry key="InvalidCredentials" value-ref="shibboleth.SAML2Status.AuthnFailed" />
+        <entry key="AccountError" value-ref="shibboleth.SAML2Status.AuthnFailed" />
+        <entry key="IdentitySwitch" value-ref="shibboleth.SAML2Status.AuthnFailed" />
+        <entry key="AuthenticationException" value-ref="shibboleth.SAML2Status.AuthnFailed" />
+        
+        <entry key="InvalidSubject" value-ref="shibboleth.SAML2Status.UnknownPrincipal" />
+        <entry key="SubjectCanonicalizationError" value-ref="shibboleth.SAML2Status.UnknownPrincipal" />
+        <entry key="SessionNotFound" value-ref="shibboleth.SAML2Status.UnknownPrincipal" />
+        
+        <entry key="InvalidNameIDPolicy" value-ref="shibboleth.SAML2Status.InvalidNameIDPolicy" />
+        
+        <entry key="ChannelBindingsError" value-ref="shibboleth.SAML2Status.ChannelBindingsError" />
+    </util:map>
+
+    <util:map id="shibboleth.SOAPFaultCodeMappings">
+        <entry key="InvalidMessageVersion" value-ref="shibboleth.SOAP.VersionMismatch" />
+        
+        <entry key="UnableToDecode" value-ref="shibboleth.SOAP.Client" />
+
+        <entry key="MessageReplay" value-ref="shibboleth.SOAP.Client" />
+        <entry key="MessageExpired" value-ref="shibboleth.SOAP.Client" />
+        <entry key="MessageAuthenticationError" value-ref="shibboleth.SOAP.Client" />
+        
+        <entry key="RequestUnsupported" value-ref="shibboleth.SOAP.Client" />
+    
+        <entry key="NoPassive" value-ref="shibboleth.SOAP.Client" />
+        
+        <entry key="NoPotentialFlow" value-ref="shibboleth.SOAP.Client" />
+        <entry key="NoCredentials" value-ref="shibboleth.SOAP.Client" />
+        <entry key="InvalidCredentials" value-ref="shibboleth.SOAP.Client" />
+        <entry key="AccountError" value-ref="shibboleth.SOAP.Client" />
+        <entry key="AuthenticationException" value-ref="shibboleth.SOAP.Client" />
+
+        <entry key="InvalidSubject" value-ref="shibboleth.SOAP.Client" />
+        <entry key="SubjectCanonicalizationError" value-ref="shibboleth.SOAP.Client" />
+        
+        <entry key="InvalidNameIDPolicy" value-ref="shibboleth.SOAP.Client" />
+        
+        <entry key="ChannelBindingsError" value-ref="shibboleth.SOAP.Client" />
+    </util:map>
+    
+</beans>
diff --git a/conf-from-container/conf/global.xml b/conf-from-container/conf/global.xml
new file mode 100644
index 0000000..60562e3
--- /dev/null
+++ b/conf-from-container/conf/global.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!-- Use this file to define any custom beans needed globally. -->
+
+    <!--
+    Algorithm whitelists and blacklists that override or merge with library defaults. Normally you can leave
+    these empty or commented and use the system defaults, but you can override those defaults using these lists.
+    Each <value> element is an algorithm URI, or you can use <util:constant> elements in place of literal values.
+    -->
+    
+    <!--
+    <util:list id="shibboleth.SignatureWhitelist">
+    </util:list>
+
+    <util:list id="shibboleth.SignatureBlacklist">
+    </util:list>
+
+    <util:list id="shibboleth.EncryptionWhitelist">
+    </util:list>
+
+    <util:list id="shibboleth.EncryptionBlacklist">
+    </util:list>
+    -->
+
+    <!--
+    If you need to define and inject custom Java object(s) into the various views used throughout the
+    system (errors, login, logout, etc.), you can uncomment and define the bean below to be of any
+    type required. It will appear in the view scope as a variable named "custom".
+    
+    The example below defines the bean as a map, which allows you to inject multiple objects under
+    named keys to expand the feature to support multiple injected objects.
+    -->
+    
+    <!--
+    <util:map id="shibboleth.CustomViewContext">
+        <entry key="foo" value="bar"/>
+    </util:map>
+    -->
+    
+    
+</beans>
diff --git a/conf-from-container/conf/idp.properties b/conf-from-container/conf/idp.properties
new file mode 100644
index 0000000..80f23b8
--- /dev/null
+++ b/conf-from-container/conf/idp.properties
@@ -0,0 +1,195 @@
+# Load any additional property resources from a comma-delimited list
+idp.additionalProperties= /conf/ldap.properties, /conf/saml-nameid.properties, /conf/services.properties, /conf/authn/duo.properties
+
+# Set the entityID of the IdP
+idp.entityID= https://idp.nordu.dev/idp/shibboleth
+
+# Set the scope used in the attribute resolver for scoped attributes
+idp.scope= nordu.dev
+
+# General cookie properties (maxAge only applies to persistent cookies)
+#idp.cookie.secure = false
+#idp.cookie.httpOnly = true
+#idp.cookie.domain =
+#idp.cookie.path =
+#idp.cookie.maxAge = 31536000
+
+# Set the location of user-supplied web flow definitions
+#idp.webflows = %{idp.home}/flows
+
+# Set the location of Velocity view templates
+#idp.views = %{idp.home}/views
+
+# Settings for internal AES encryption key
+#idp.sealer.storeType = JCEKS
+#idp.sealer.updateInterval = PT15M
+#idp.sealer.aliasBase = secret
+idp.sealer.storeResource= %{idp.home}/credentials/sealer.jks
+idp.sealer.versionResource= %{idp.home}/credentials/sealer.kver
+idp.sealer.storePassword= password
+idp.sealer.keyPassword= password
+
+# Settings for public/private signing and encryption key(s)
+# During decryption key rollover, point the ".2" properties at a second
+# keypair, uncomment in credentials.xml, then publish it in your metadata.
+idp.signing.key= %{idp.home}/credentials/idp-signing.key
+idp.signing.cert= %{idp.home}/credentials/idp-signing.crt
+idp.encryption.key= %{idp.home}/credentials/idp-encryption.key
+idp.encryption.cert= %{idp.home}/credentials/idp-encryption.crt
+#idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key
+#idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt
+
+# Sets the bean ID to use as a default security configuration set
+#idp.security.config = shibboleth.DefaultSecurityConfiguration
+
+# To default to SHA-1, set to shibboleth.SigningConfiguration.SHA1
+#idp.signing.config = shibboleth.SigningConfiguration.SHA256
+
+# Configures trust evaluation of keys used by services at runtime
+# Defaults to supporting both explicit key and PKIX using SAML metadata.
+#idp.trust.signatures = shibboleth.ChainingSignatureTrustEngine
+# To pick only one set to one of:
+#   shibboleth.ExplicitKeySignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine
+#idp.trust.certificates = shibboleth.ChainingX509TrustEngine
+# To pick only one set to one of:
+#   shibboleth.ExplicitKeyX509TrustEngine, shibboleth.PKIXX509TrustEngine
+
+# If true, encryption will happen whenever a key to use can be located, but
+# failure to encrypt won't result in request failure.
+#idp.encryption.optional = false
+
+# Configuration of client- and server-side storage plugins
+#idp.storage.cleanupInterval = PT10M
+#idp.storage.htmlLocalStorage = false
+
+# Set to true to expose more detailed errors in responses to SPs
+#idp.errors.detailed = false
+# Set to false to skip signing of SAML response messages that signal errors
+#idp.errors.signed = true
+# Name of bean containing a list of Java exception classes to ignore
+#idp.errors.excludedExceptions = ExceptionClassListBean
+# Name of bean containing a property set mapping exception names to views
+#idp.errors.exceptionMappings = ExceptionToViewPropertyBean
+# Set if a different default view name for events and exceptions is needed
+#idp.errors.defaultView = error
+
+# Set to false to disable the IdP session layer
+#idp.session.enabled = true
+
+# Set to "shibboleth.StorageService" for server-side storage of user sessions
+#idp.session.StorageService = shibboleth.ClientSessionStorageService
+
+# Size of session IDs
+#idp.session.idSize = 32
+# Bind sessions to IP addresses
+#idp.session.consistentAddress = true
+# Inactivity timeout
+#idp.session.timeout = PT60M
+# Extra time to store sessions for logout
+#idp.session.slop = PT0S
+# Tolerate storage-related errors
+#idp.session.maskStorageFailure = false
+# Track information about SPs logged into
+#idp.session.trackSPSessions = false
+# Support lookup by SP for SAML logout
+#idp.session.secondaryServiceIndex = false
+# Length of time to track SP sessions
+#idp.session.defaultSPlifetime = PT2H
+
+# Regular expression matching login flows to enable, e.g. IPAddress|Password
+idp.authn.flows= Password
+
+# Regular expression of forced "initial" methods when no session exists,
+# usually in conjunction with the idp.authn.resolveAttribute property below.
+#idp.authn.flows.initial = Password
+
+# Set to an attribute ID to resolve prior to selecting authentication flows;
+# its values are used to filter the flows to allow.
+#idp.authn.resolveAttribute = eduPersonAssurance
+
+# Default lifetime and timeout of various authentication methods
+#idp.authn.defaultLifetime = PT60M
+#idp.authn.defaultTimeout = PT30M
+
+# Whether to populate relying party user interface information for display
+# during authentication, consent, terms-of-use.
+#idp.authn.rpui = true
+
+# Whether to prioritize "active" results when an SP requests more than
+# one possible matching login method (V2 behavior was to favor them)
+#idp.authn.favorSSO = false
+
+# Whether to fail requests when a user identity after authentication
+# doesn't match the identity in a pre-existing session.
+#idp.authn.identitySwitchIsError = false
+
+# Set to "shibboleth.StorageService" or custom bean for alternate storage of consent
+#idp.consent.StorageService = shibboleth.ClientPersistentStorageService
+
+# Set to "shibboleth.consent.AttributeConsentStorageKey" to use an attribute
+# to key user consent storage records (and set the attribute name)
+#idp.consent.userStorageKey = shibboleth.consent.PrincipalConsentStorageKey
+#idp.consent.userStorageKeyAttribute = uid
+
+# Flags controlling how built-in attribute consent feature operates
+#idp.consent.allowDoNotRemember = true
+#idp.consent.allowGlobal = true
+#idp.consent.allowPerAttribute = false
+
+# Whether attribute values and terms of use text are compared
+#idp.consent.compareValues = false
+# Maximum number of consent records for space-limited storage (e.g. cookies)
+#idp.consent.maxStoredRecords = 10
+# Maximum number of consent records for larger/server-side storage (0 = no limit)
+#idp.consent.expandedMaxStoredRecords = 0
+
+# Time in milliseconds to expire consent storage records.
+#idp.consent.storageRecordLifetime = P1Y
+
+# Whether to lookup metadata, etc. for every SP involved in a logout
+# for use by user interface logic; adds overhead so off by default.
+#idp.logout.elaboration = false
+
+# Whether to require logout requests/responses be signed/authenticated.
+#idp.logout.authenticated = true
+
+# Message freshness and replay cache tuning
+#idp.policy.messageLifetime = PT3M
+#idp.policy.clockSkew = PT3M
+
+# Set to custom bean for alternate storage of replay cache
+#idp.replayCache.StorageService = shibboleth.StorageService
+
+# Toggles whether to allow outbound messages via SAML artifact
+#idp.artifact.enabled = true
+# Suppresses typical signing/encryption when artifact binding used
+#idp.artifact.secureChannel = true
+# May differ to direct SAML 2 artifact lookups to specific server nodes
+#idp.artifact.endpointIndex = 2
+# Set to custom bean for alternate storage of artifact map state
+#idp.artifact.StorageService = shibboleth.StorageService
+
+# Comma-delimited languages to use if not match can be found with the
+# browser-supported languages, defaults to an empty list.
+idp.ui.fallbackLanguages= en,fr,de
+
+# Storage service used by CAS protocol
+# Defaults to shibboleth.StorageService (in-memory)
+# MUST be server-side storage (e.g. in-memory, memcached, database)
+# NOTE that idp.session.StorageService requires server-side storage
+# when CAS protocol is enabled
+#idp.cas.StorageService=shibboleth.StorageService
+
+# CAS service registry implementation class
+#idp.cas.serviceRegistryClass=net.shibboleth.idp.cas.service.PatternServiceRegistry
+
+# Profile flows in which the ProfileRequestContext should be exposed
+# in servlet request under the key "opensamlProfileRequestContext"
+#idp.profile.exposeProfileRequestContextInServletRequest = SAML2/POST/SSO,SAML2/Redirect/SSO
+
+# F-TICKS auditing - set a salt to include hashed username
+#idp.fticks.federation=MyFederation
+#idp.fticks.algorithm=SHA-256
+#idp.fticks.salt=somethingsecret
+#idp.fticks.loghost=localhost
+#idp.fticks.logport=514
diff --git a/conf-from-container/conf/intercept/consent-intercept-config.xml b/conf-from-container/conf/intercept/consent-intercept-config.xml
new file mode 100644
index 0000000..ca183a7
--- /dev/null
+++ b/conf-from-container/conf/intercept/consent-intercept-config.xml
@@ -0,0 +1,136 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!-- Terms of Use configuration -->
+    
+    <!--
+    Terms of use is driven by a lookup function returning a key into messages/consent-messages.properties
+    
+    The default mapping returns the relying party / SP name as the key. The second example below
+    demonstrates use of a custom mapping table from the relying party name to the key to use. 
+    -->
+    
+    <alias alias="shibboleth.consent.terms-of-use.Key" name="shibboleth.RelyingPartyIdLookup.Simple" />
+    
+    <!--
+    <bean id="shibboleth.consent.terms-of-use.Key"
+            class="com.google.common.base.Functions" factory-method="compose">
+        <constructor-arg name="g">
+            <bean class="com.google.common.base.Functions" factory-method="forMap" c:defaultValue="terms-of-use">
+                <constructor-arg name="map">
+                    <map>
+                        <entry key="https://sp.example.org/shibboleth" value="example-terms" />
+                    </map>
+                </constructor-arg>
+            </bean>
+        </constructor-arg>
+        <constructor-arg name="f">
+            <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
+        </constructor-arg>
+    </bean>
+    -->
+
+    <!-- Attribute Release configuration -->
+
+    <!--
+    Attribute release whitelist, blacklist, and match expressions to determine 
+    whether consent should be obtained for an attribute based on the attribute ID.
+    -->
+    
+    <util:list id="shibboleth.consent.attribute-release.WhitelistedAttributeIDs">
+        <!--
+        <value>mail</value>
+        -->
+    </util:list>
+
+    <util:list id="shibboleth.consent.attribute-release.BlacklistedAttributeIDs">
+        <value>transientId</value>
+        <value>persistentId</value>
+        <value>eduPersonTargetedID</value>
+    </util:list>
+
+    <!-- 
+    <bean id="shibboleth.consent.attribute-release.MatchExpression" class="java.util.regex.Pattern" factory-method="compile" 
+        c:_0="^exampleAttribute.*$" />
+    -->
+
+    <!--
+    Customize the order in which attributes are displayed.
+    Attribute IDs not present in this list will be sorted according to their
+    natural order and displayed subsequent to any attribute IDs specified here.
+    -->
+    <!--
+    <util:list id="shibboleth.consent.attribute-release.AttributeDisplayOrder">
+        <value>mail</value>
+    </util:list>
+    -->
+
+    <!--
+    These beans define mappings between audit log categories and formatting strings.
+    -->
+
+    <!--
+    For terms-of-use acceptance, the default entry is :
+     'YYYYMMDDTHHMMSSZ|TermsAccepted|jdoe|example-tou-1|rHo...rrw=|true'
+
+    For terms-of-use refusal, the default entry is :
+     'YYYYMMDDTHHMMSSZ|TermsRejected|jdoe|example-tou-1|rHo...rrw=|false'
+    -->
+    <util:map id="shibboleth.consent.terms-of-use.AuditFormattingMap">
+        <entry key="Shibboleth-Consent-Audit" value="%T|%SP|%e|%u|%CCI|%CCV|%CCA" />
+    </util:map>
+
+    <!--
+    For attribute-release consent, the default entry is :
+     'YYYYMMDDTHHMMSSZ|https://sp.example.org|AttributeReleaseConsent|jdoe|email,eduPersonAffiliation|rHo...rrw=,rHo...rrw=|false,false'
+    -->
+    <util:map id="shibboleth.consent.attribute-release.AuditFormattingMap">
+        <entry key="Shibboleth-Consent-Audit" value="%T|%SP|%e|%u|%CCI|%CCV|%CCA" />
+    </util:map>
+
+    <!--
+    The beans below need to be defined, even if left empty. They can be ignored in most cases.
+    
+    If you write your own function to extract a new piece of data for auditing, you can install it into one or more
+    of the maps below to add it to the auditing framework, keyed by an audit field label to be used in formatting.
+    -->
+    <bean id="shibboleth.consent.PreConsentAuditExtractors" parent="shibboleth.consent.DefaultPreConsentAuditExtractors" lazy-init="true">
+        <property name="sourceMap">
+            <map merge="true">
+            </map>
+        </property>
+    </bean>
+
+    <bean id="shibboleth.consent.ConsentAuditExtractors" parent="shibboleth.consent.DefaultConsentAuditExtractors" lazy-init="true">
+        <property name="sourceMap">
+            <map merge="true">
+            </map>
+        </property>
+    </bean>
+
+    <!--
+    Specify custom symbolic replacements for attribute names to shrink the size of results saved to client-side storage 
+    such as cookies.
+    -->
+    <bean id="shibboleth.consent.AttributeSymbolics" parent="shibboleth.consent.DefaultAttributeSymbolics" lazy-init="true">
+        <property name="sourceMap">
+            <map merge="true">
+                <!--
+                <entry key="myAttribute" value="900" />
+                -->
+            </map>
+        </property>
+    </bean>
+
+</beans>
\ No newline at end of file
diff --git a/conf-from-container/conf/intercept/context-check-intercept-config.xml b/conf-from-container/conf/intercept/context-check-intercept-config.xml
new file mode 100644
index 0000000..809f1d4
--- /dev/null
+++ b/conf-from-container/conf/intercept/context-check-intercept-config.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!--
+    Condition to evaluate to interrupt SSO flows to check the state of the transaction before allowing.
+    
+    Typically the flow itself will be activated based on configuration in relying-party.xml, and this controls
+    whether to proceed if the flow is activated. The most common use for this flow is to check the set of
+    resolved/filtered attributes and values to see if the user is authorized or provisioned into a service.
+    -->
+    <bean id="shibboleth.context-check.Condition" parent="shibboleth.Conditions.AND">
+        <constructor-arg>
+            <list>
+                <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidates="#{ 'https://sp.example.org' }" />
+                <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate"
+                        p:useUnfilteredAttributes="true">
+                    <property name="attributeValueMap">
+                        <map>
+                            <entry key="eppn">
+                                <list>
+                                    <value>*</value>
+                                </list>
+                            </entry>
+                        </map>
+                    </property>
+                </bean>
+            </list>
+        </constructor-arg>
+    </bean>
+
+</beans>
\ No newline at end of file
diff --git a/conf-from-container/conf/intercept/expiring-password-intercept-config.xml b/conf-from-container/conf/intercept/expiring-password-intercept-config.xml
new file mode 100644
index 0000000..5447b16
--- /dev/null
+++ b/conf-from-container/conf/intercept/expiring-password-intercept-config.xml
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!--
+    Condition to evaluate to determine if expiring password view should be displayed, false means to notify.
+    
+    The example uses a built-in class to evaluate an attribute containing a date/time of password expiration.
+    The format pattern parses the value and the negative offset determines how soon to warn the user beforehand.
+    -->
+    <bean id="shibboleth.expiring-password.Condition" class="net.shibboleth.idp.profile.logic.DateAttributePredicate"
+            c:attribute="passwordExpiration" p:resultIfMissing="true">
+        <constructor-arg name="formatter">
+            <bean class="org.joda.time.format.DateTimeFormat" factory-method="forPattern" c:_0="yyyyMMddHHmmss'T'" />
+        </constructor-arg>
+        <property name="systemTimeOffset">
+            <bean class="org.joda.time.Duration" factory-method="standardDays" c:_0="-14" />
+        </property>
+    </bean>
+    
+    <!-- Name of cookie to track when user was last notified. -->
+    <bean id="shibboleth.expiring-password.NotifyCookieName" class="java.lang.String" c:_0="shib_idp_exp_pwd" />
+
+    <!-- Interval (milliseconds) between notifications, default is 8 hours. -->
+    <bean id="shibboleth.expiring-password.NotifyInterval" class="java.lang.Long" c:_0="28800000" />
+    
+</beans>
diff --git a/conf-from-container/conf/intercept/intercept-events-flow.xml b/conf-from-container/conf/intercept/intercept-events-flow.xml
new file mode 100644
index 0000000..5cb30d5
--- /dev/null
+++ b/conf-from-container/conf/intercept/intercept-events-flow.xml
@@ -0,0 +1,18 @@
+<flow xmlns="http://www.springframework.org/schema/webflow"
+      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd"
+      abstract="true">
+
+    <!-- ADVANCED USE ONLY -->
+    
+    <!--
+    You can ignore this file unless you are creating your own custom intercept subflows that want to
+    report custom events in response to unusual conditions.
+    -->
+
+    <!-- Custom error events to reflect back from user-supplied intercept subflows. -->
+    <!--
+    <end-state id="MyCustomEvent" />
+    -->
+
+</flow>
diff --git a/conf-from-container/conf/intercept/profile-intercept.xml b/conf-from-container/conf/intercept/profile-intercept.xml
new file mode 100644
index 0000000..4040a10
--- /dev/null
+++ b/conf-from-container/conf/intercept/profile-intercept.xml
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!--
+    Intercept flows are used at various injection points to modify processing. This is the master list
+    of flows available that provide interesting features to deployers, but flows are actually enabled by
+    specifying them in various profile configuration beans via relying-party.xml 
+    
+    This list of flows is merged with a built-in set defined in a system configuration file, and may be
+    empty, but should not be removed. You must add your own custom flows to this list if you create any.
+    -->
+    
+    <bean id="shibboleth.AvailableInterceptFlows" parent="shibboleth.DefaultInterceptFlows" lazy-init="true">
+        <property name="sourceList">
+            <list merge="true">
+                <bean id="intercept/context-check" parent="shibboleth.InterceptFlow" />
+                
+                <bean id="intercept/expiring-password" parent="shibboleth.InterceptFlow" />
+        
+                <bean id="intercept/terms-of-use" parent="shibboleth.consent.TermsOfUseFlow" />
+        
+                <bean id="intercept/attribute-release" parent="shibboleth.consent.AttributeReleaseFlow" />
+            </list>
+        </property>
+    </bean>
+
+</beans>
diff --git a/conf-from-container/conf/ldap.properties b/conf-from-container/conf/ldap.properties
new file mode 100644
index 0000000..e9d9ffb
--- /dev/null
+++ b/conf-from-container/conf/ldap.properties
@@ -0,0 +1,74 @@
+# LDAP authentication configuration, see authn/ldap-authn-config.xml
+# Note, this doesn't apply to the use of JAAS
+
+## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator
+idp.authn.LDAP.authenticator= bindSearchAuthenticator
+
+## Connection properties ##
+idp.authn.LDAP.ldapURL= ldaps://ldap.nordu.net
+idp.authn.LDAP.useStartTLS= false
+idp.authn.LDAP.useSSL= false
+# Time in milliseconds that connects will block
+#idp.authn.LDAP.connectTimeout                  = PT3S
+# Time in milliseconds to wait for responses
+#idp.authn.LDAP.responseTimeout                 = PT3S
+
+## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
+idp.authn.LDAP.sslConfig= certificateTrust
+## If using certificateTrust above, set to the trusted certificate's path
+idp.authn.LDAP.trustCertificates= %{idp.home}/credentials/ldap-server.crt
+## If using keyStoreTrust above, set to the truststore path
+idp.authn.LDAP.trustStore= %{idp.home}/credentials/ldap-server.truststore
+
+## Return attributes during authentication
+idp.authn.LDAP.returnAttributes= passwordExpirationTime,loginGraceRemaining
+
+## DN resolution properties ##
+
+# Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
+# for AD: CN=Users,DC=example,DC=org
+idp.authn.LDAP.baseDN= dc=nordu,dc=net
+#idp.authn.LDAP.subtreeSearch                   = false
+idp.authn.LDAP.userFilter= (uid={user})
+# bind search configuration
+# for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
+idp.authn.LDAP.bindDN= dc=nordu,dc=net
+idp.authn.LDAP.bindDNCredential= blahblah
+
+# Format DN resolution, used by directAuthenticator, adAuthenticator
+# for AD use idp.authn.LDAP.dnFormat=%s@domain.com
+idp.authn.LDAP.dnFormat= uid=%s,ou=people,dc=example,dc=org
+
+# LDAP attribute configuration, see attribute-resolver.xml
+# Note, this likely won't apply to the use of legacy V2 resolver configurations
+idp.attribute.resolver.LDAP.ldapURL= %{idp.authn.LDAP.ldapURL}
+idp.attribute.resolver.LDAP.connectTimeout= %{idp.authn.LDAP.connectTimeout:PT3S}
+idp.attribute.resolver.LDAP.responseTimeout= %{idp.authn.LDAP.responseTimeout:PT3S}
+idp.attribute.resolver.LDAP.baseDN= %{idp.authn.LDAP.baseDN:undefined}
+idp.attribute.resolver.LDAP.bindDN= %{idp.authn.LDAP.bindDN:undefined}
+idp.attribute.resolver.LDAP.bindDNCredential= %{idp.authn.LDAP.bindDNCredential:undefined}
+idp.attribute.resolver.LDAP.useStartTLS= %{idp.authn.LDAP.useStartTLS:true}
+idp.attribute.resolver.LDAP.trustCertificates= %{idp.authn.LDAP.trustCertificates:undefined}
+idp.attribute.resolver.LDAP.searchFilter= (uid=$resolutionContext.principal)
+
+# LDAP pool configuration, used for both authn and DN resolution
+#idp.pool.LDAP.minSize                          = 3
+#idp.pool.LDAP.maxSize                          = 10
+#idp.pool.LDAP.validateOnCheckout               = false
+#idp.pool.LDAP.validatePeriodically             = true
+#idp.pool.LDAP.validatePeriod                   = PT5M
+#idp.pool.LDAP.prunePeriod                      = PT5M
+#idp.pool.LDAP.idleTime                         = PT10M
+#idp.pool.LDAP.blockWaitTime                    = PT3S
+#idp.pool.LDAP.failFastInitialize               = false
+%{idp.attribute.resolver.LDAP.searchFilter}= 
+principalCredential= "%{idp.attribute.resolver.LDAP.bindDNCredential}"
+baseDN= "%{idp.attribute.resolver.LDAP.baseDN}"
+useStartTLS= "%{idp.attribute.resolver.LDAP.useStartTLS:true}"
+trustFile= "%{idp.attribute.resolver.LDAP.trustCertificates}"
+responseTimeout= "%{idp.attribute.resolver.LDAP.responseTimeout}">
+ldapURL= "%{idp.attribute.resolver.LDAP.ldapURL}"
+connectTimeout= "%{idp.attribute.resolver.LDAP.connectTimeout}"
+<![CDATA[= 
+principal= "%{idp.attribute.resolver.LDAP.bindDN}"
+<FilterTemplate>= 
diff --git a/conf-from-container/conf/logback.xml b/conf-from-container/conf/logback.xml
new file mode 100644
index 0000000..104ec4c
--- /dev/null
+++ b/conf-from-container/conf/logback.xml
@@ -0,0 +1,186 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+
+    <!--
+    Variables for simplifying logging configuration.
+    http://logback.qos.ch/manual/configuration.html#variableSubstitution
+    -->
+    
+    <variable name="idp.logfiles" value="${idp.home}/logs" />
+    <variable name="idp.loghistory" value="180" />
+    
+    <!-- Much higher performance if you operate on DEBUG. -->
+    <!-- <variable name="idp.process.appender" value="ASYNC_PROCESS" /> -->
+    
+    <!-- Logging level shortcuts. -->
+    <variable name="idp.loglevel.idp" value="INFO" />
+    <variable name="idp.loglevel.ldap" value="WARN" />
+    <variable name="idp.loglevel.messages" value="INFO" />
+    <variable name="idp.loglevel.encryption" value="INFO" />
+    <variable name="idp.loglevel.opensaml" value="INFO" />
+    <variable name="idp.loglevel.props" value="INFO" />
+    
+    <!-- Don't turn these up unless you want a *lot* of noise. -->
+    <variable name="idp.loglevel.spring" value="ERROR" />
+    <variable name="idp.loglevel.container" value="ERROR" />
+    <variable name="idp.loglevel.xmlsec" value="INFO" />
+
+    <!--
+    If you want to use custom properties in this config file,
+    we load the main property file for you.
+    -->
+    <variable file="${idp.home}/conf/idp.properties" />
+    
+    <!-- =========================================================== -->
+    <!-- ============== Logging Categories and Levels ============== -->
+    <!-- =========================================================== -->
+
+    <!-- Logs IdP, but not OpenSAML, messages -->
+    <logger name="net.shibboleth.idp" level="${idp.loglevel.idp:-INFO}"/>
+
+    <!-- Logs OpenSAML, but not IdP, messages -->
+    <logger name="org.opensaml.saml" level="${idp.loglevel.opensaml:-INFO}"/>
+    
+    <!-- Logs LDAP related messages -->
+    <logger name="org.ldaptive" level="${idp.loglevel.ldap:-WARN}"/>
+    
+    <!-- Logs inbound and outbound protocols messages at DEBUG level -->
+    <logger name="PROTOCOL_MESSAGE" level="${idp.loglevel.messages:-INFO}" />
+
+    <!-- Logs unencrypted SAML at DEBUG level -->
+    <logger name="org.opensaml.saml.saml2.encryption.Encrypter" level="${idp.loglevel.encryption:-INFO}" />
+
+    <!-- Logs system properties during startup at DEBUG level -->
+    <logger name="net.shibboleth.idp.log.LogbackLoggingService" level="${idp.loglevel.props:-INFO}" />
+
+    <!-- Especially chatty. -->
+    <logger name="net.shibboleth.idp.saml.attribute.mapping" level="INFO" />
+    <logger name="org.apache.xml.security" level="${idp.loglevel.xmlsec:-INFO}" />
+    <logger name="org.springframework" level="${idp.loglevel.spring:-ERROR}"/>
+    <logger name="org.apache.catalina" level="${idp.loglevel.container:-ERROR}"/>
+    <logger name="org.eclipse.jetty" level="${idp.loglevel.container:-ERROR}"/>
+
+
+    <!-- =========================================================== -->
+    <!-- ============== Low Level Details or Changes =============== -->
+    <!-- =========================================================== -->
+    
+    <!-- Process log. -->
+    <appender name="IDP_PROCESS" class="ch.qos.logback.core.rolling.RollingFileAppender">
+        <File>${idp.logfiles}/idp-process.log</File>
+        
+        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+            <fileNamePattern>${idp.logfiles}/idp-process-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+            <maxHistory>${idp.loghistory:-180}</maxHistory>
+        </rollingPolicy>
+
+        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+            <charset>UTF-8</charset>
+            <Pattern>%date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short}</Pattern>
+        </encoder>
+
+        <!-- Ignore Velocity status page error. -->
+        <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
+            <evaluator>
+                <matcher>
+                    <Name>VelocityStatusMatcher</Name>
+                    <regex>ResourceManager : unable to find resource 'status.vm' in any resource loader.</regex>
+                </matcher>
+                <expression>VelocityStatusMatcher.matches(formattedMessage)</expression>
+            </evaluator>
+            <OnMatch>DENY</OnMatch>
+        </filter>
+    </appender>
+
+    <appender name="ASYNC_PROCESS" class="ch.qos.logback.classic.AsyncAppender">
+        <appender-ref ref="IDP_PROCESS" />
+        <discardingThreshold>0</discardingThreshold>
+    </appender>
+
+    <appender name="IDP_WARN" class="ch.qos.logback.core.rolling.RollingFileAppender">
+        <!-- Suppress anything below WARN. -->
+        <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
+            <level>WARN</level>
+        </filter>
+        
+        <File>${idp.logfiles}/idp-warn.log</File>
+        
+        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+            <fileNamePattern>${idp.logfiles}/idp-warn-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+            <maxHistory>${idp.loghistory:-180}</maxHistory>
+        </rollingPolicy>
+        
+        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+            <charset>UTF-8</charset>
+            <Pattern>%date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short}</Pattern>
+        </encoder>
+        
+        <!-- Ignore Velocity status page error. -->
+        <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
+            <evaluator>
+                <matcher>
+                    <Name>VelocityStatusMatcher</Name>
+                    <regex>ResourceManager : unable to find resource 'status.vm' in any resource loader.</regex>
+                </matcher>
+                <expression>VelocityStatusMatcher.matches(formattedMessage)</expression>
+            </evaluator>
+            <OnMatch>DENY</OnMatch>
+        </filter>
+    </appender>
+    
+    <!-- Audit log. -->
+    <appender name="IDP_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
+        <File>${idp.logfiles}/idp-audit.log</File>
+
+        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+            <fileNamePattern>${idp.logfiles}/idp-audit-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+            <maxHistory>${idp.loghistory:-180}</maxHistory>
+        </rollingPolicy>
+
+        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+            <charset>UTF-8</charset>
+            <Pattern>%msg%n</Pattern>
+        </encoder>
+    </appender>
+    
+    <!-- Consent audit log. -->
+    <appender name="IDP_CONSENT_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
+        <File>${idp.logfiles}/idp-consent-audit.log</File>
+
+        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+            <fileNamePattern>${idp.logfiles}/idp-consent-audit-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+            <maxHistory>${idp.loghistory:-180}</maxHistory>
+        </rollingPolicy>
+
+        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+            <charset>UTF-8</charset>
+            <Pattern>%msg%n</Pattern>
+        </encoder>
+    </appender>
+
+    <!-- F-TICKS syslog destination. -->
+    <appender name="IDP_FTICKS" class="ch.qos.logback.classic.net.SyslogAppender">
+        <syslogHost>${idp.fticks.loghost:-localhost}</syslogHost>
+        <port>${idp.fticks.logport:-514}</port>
+        <facility>AUTH</facility>
+        <suffixPattern>[%thread] %logger %msg</suffixPattern>
+    </appender>
+
+    <logger name="Shibboleth-Audit" level="ALL">
+        <appender-ref ref="${idp.audit.appender:-IDP_AUDIT}"/>
+    </logger>
+
+    <logger name="Shibboleth-FTICKS" level="ALL" additivity="false">
+        <appender-ref ref="${idp.fticks.appender:-IDP_FTICKS}"/>
+    </logger>
+
+    <logger name="Shibboleth-Consent-Audit" level="ALL">
+        <appender-ref ref="${idp.consent.appender:-IDP_CONSENT_AUDIT}"/>
+    </logger>
+    
+    <root level="${idp.loglevel.root:-INFO}">
+        <appender-ref ref="${idp.process.appender:-IDP_PROCESS}"/>
+        <appender-ref ref="${idp.warn.appender:-IDP_WARN}" />
+    </root>
+
+</configuration>
\ No newline at end of file
diff --git a/conf-from-container/conf/metadata-providers.xml b/conf-from-container/conf/metadata-providers.xml
new file mode 100644
index 0000000..facc296
--- /dev/null
+++ b/conf-from-container/conf/metadata-providers.xml
@@ -0,0 +1,67 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- This file is an EXAMPLE metadata configuration file. -->
+<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
+    xmlns="urn:mace:shibboleth:2.0:metadata"
+    xmlns:resource="urn:mace:shibboleth:2.0:resource"
+    xmlns:security="urn:mace:shibboleth:2.0:security"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
+                        urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd 
+                        urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd
+                        urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd">
+                        
+    <!-- ========================================================================================== -->
+    <!--                             Metadata Configuration                                         -->
+    <!--                                                                                            -->
+    <!--  Below you place the mechanisms which define how to load the metadata for SP(s) you will   -->
+    <!--  provide service to.                                                                       -->
+    <!--                                                                                            -->
+    <!--  Two examples are provided.  The Shibboleth Documentation at                               -->
+    <!--  https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration                -->
+    <!--  provides more details.                                                                    --> 
+    <!--                                                                                            -->
+    <!--  NOTE.  This file SHOULD NOT contain the metadata for this IdP.                            -->
+    <!-- ========================================================================================== -->
+
+    <!--
+    Example HTTP metadata provider.  Use this if you want to download the metadata
+    from a remote source.
+
+    You *MUST* provide the SignatureValidationFilter in order to function securely.
+    Get the public key certificate from the party publishing the metadata, and validate
+    it with them via some out of band mechanism (e.g., a fingerprint on a secure page).
+
+    The EntityRoleWhiteList saves memory by only loading metadata from SAML roles
+    that the IdP needs to interoperate with. 
+    -->
+    
+    <!--
+    <MetadataProvider id="HTTPMetadata"
+                      xsi:type="FileBackedHTTPMetadataProvider"
+                      backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml"
+                      metadataURL="http://WHATEVER"> 
+        
+        <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" />
+        <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
+        <MetadataFilter xsi:type="EntityRoleWhiteList">
+            <RetainedRole>md:SPSSODescriptor</RetainedRole>
+        </MetadataFilter>
+    </MetadataProvider>
+    -->   
+
+    <!--
+    Example file metadata provider.  Use this if you want to load metadata
+    from a local file.  You might use this if you have some local SPs
+    which are not "federated" but you wish to offer a service to.
+    
+    If you do not provide a SignatureValidation filter, then you have the
+    responsibility to ensure that the contents on disk are trustworthy.
+    -->
+    
+    <!--
+    <MetadataProvider id="LocalMetadata"  xsi:type="FilesystemMetadataProvider" metadataFile="PATH_TO_YOUR_METADATA"/>
+    -->
+          
+    
+</MetadataProvider>
diff --git a/conf-from-container/conf/mvc-beans.xml b/conf-from-container/conf/mvc-beans.xml
new file mode 100644
index 0000000..98d9bcd
--- /dev/null
+++ b/conf-from-container/conf/mvc-beans.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:mvc="http://www.springframework.org/schema/mvc"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!--
+    Use this file to define any custom MVC beans needed. Its contents are imported
+    by system/conf/mvc-beans.xml, which configures a lot of the low-level Spring Web
+    behavior of the IdP. You can ignore this file otherwise.
+    -->
+    
+</beans>
diff --git a/conf-from-container/conf/relying-party.xml b/conf-from-container/conf/relying-party.xml
new file mode 100644
index 0000000..28c9193
--- /dev/null
+++ b/conf-from-container/conf/relying-party.xml
@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!--
+    Unverified RP configuration, defaults to no support for any profiles. Add <ref> elements to the list
+    to enable specific default profile settings (as below), or create new beans inline to override defaults.
+    
+    "Unverified" typically means the IdP has no metadata, or equivalent way of assuring the identity and
+    legitimacy of a requesting system. To run an "open" IdP, you can enable profiles here.
+    -->
+    <bean id="shibboleth.UnverifiedRelyingParty" parent="RelyingParty">
+        <property name="profileConfigurations">
+            <list>
+            <!-- <bean parent="SAML2.SSO" p:encryptAssertions="false" /> -->
+            </list>
+        </property>
+    </bean>
+
+    <!--
+    Default configuration, with default settings applied for all profiles, and enables
+    the attribute-release consent flow.
+    -->
+    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
+        <property name="profileConfigurations">
+            <list>
+                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
+                <ref bean="SAML1.AttributeQuery" />
+                <ref bean="SAML1.ArtifactResolution" />
+                <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
+                <ref bean="SAML2.ECP" />
+                <ref bean="SAML2.Logout" />
+                <ref bean="SAML2.AttributeQuery" />
+                <ref bean="SAML2.ArtifactResolution" />
+                <ref bean="Liberty.SSOS" />
+            </list>
+        </property>
+    </bean>
+
+    <!-- Container for any overrides you want to add. -->
+
+    <util:list id="shibboleth.RelyingPartyOverrides">
+    
+        <!--
+        Override example that identifies a single RP by name and configures it
+        for SAML 2 SSO without encryption. This is a common "vendor" scenario.
+        -->
+        <!--
+        <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org">
+            <property name="profileConfigurations">
+                <list>
+                    <bean parent="SAML2.SSO" p:encryptAssertions="false" />
+                </list>
+            </property>
+        </bean>
+        -->
+        
+    </util:list>
+
+</beans>
diff --git a/conf-from-container/conf/saml-nameid.properties b/conf-from-container/conf/saml-nameid.properties
new file mode 100644
index 0000000..8530c4f
--- /dev/null
+++ b/conf-from-container/conf/saml-nameid.properties
@@ -0,0 +1,35 @@
+# Properties involving SAML NameIdentifier/NameID generation/consumption
+
+# For the most part these settings only deal with "transient" and "persistent"
+# identifiers. See saml-nameid.xml and c14n/subject-c14n.xml for advanced
+# settings
+
+# Comment out to disable legacy NameID generation via Attribute Resolver
+#idp.nameid.saml2.legacyGenerator = shibboleth.LegacySAML2NameIDGenerator
+#idp.nameid.saml1.legacyGenerator = shibboleth.LegacySAML1NameIdentifierGenerator
+
+# Default NameID Formats to use when nothing else is called for.
+# Don't change these just to change the Format used for a single SP!
+#idp.nameid.saml2.default = urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+#idp.nameid.saml1.default = urn:mace:shibboleth:1.0:nameIdentifier
+
+# Set to shibboleth.StoredTransientIdGenerator for server-side transient ID storage
+#idp.transientId.generator = shibboleth.CryptoTransientIdGenerator
+
+# Persistent IDs can be computed on the fly with a hash, or managed in a database
+
+# For computed IDs, set a source attribute and a secret salt:
+#idp.persistentId.sourceAttribute = changethistosomethingreal
+#idp.persistentId.useUnfilteredAttributes = true
+# Do *NOT* share the salt with other people, it's like divulging your private key.
+#idp.persistentId.algorithm = SHA
+#idp.persistentId.salt = changethistosomethingrandom
+
+# To use a database, use shibboleth.StoredPersistentIdGenerator
+#idp.persistentId.generator = shibboleth.ComputedPersistentIdGenerator
+# For basic use, set this to a JDBC DataSource bean name:
+#idp.persistentId.dataSource = PersistentIdDataSource
+# For advanced use, set to a bean inherited from shibboleth.JDBCPersistentIdStore
+#idp.persistentId.store = MyPersistentIdStore
+# Set to an empty property to skip hash-based generation of first stored ID
+#idp.persistentId.computed = shibboleth.ComputedPersistentIdGenerator
diff --git a/conf-from-container/conf/saml-nameid.xml b/conf-from-container/conf/saml-nameid.xml
new file mode 100644
index 0000000..ea97448
--- /dev/null
+++ b/conf-from-container/conf/saml-nameid.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+                           
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!-- ========================= SAML NameID Generation ========================= -->
+
+    <!--
+    These generator lists handle NameID/Nameidentifier generation going forward. By default,
+    transient IDs for both SAML versions are enabled. The commented examples are for persistent IDs
+    and generating more one-off formats based on resolved attributes. The suggested approach is to
+    control their use via release of the underlying source attribute in the filter policy rather
+    than here, but you can set a property on any generator called "activationCondition" to limit
+    use in the most generic way.
+    
+    Most of the relevant configuration settings are controlled using properties; an exception is
+    the generation of arbitrary/custom formats based on attribute information, examples of which
+    are shown below.
+    
+    -->
+    
+    <!-- SAML 2 NameID Generation -->
+    <util:list id="shibboleth.SAML2NameIDGenerators">
+    
+        <ref bean="shibboleth.SAML2TransientGenerator" />
+        
+        <!-- Uncommenting this bean requires configuration in saml-nameid.properties. -->
+        <!--
+        <ref bean="shibboleth.SAML2PersistentGenerator" />
+        -->
+
+        <!--
+        <bean parent="shibboleth.SAML2AttributeSourcedGenerator"
+            p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+            p:attributeSourceIds="#{ {'mail'} }" />
+        -->
+                
+    </util:list>
+
+    <!-- SAML 1 NameIdentifier Generation -->
+    <util:list id="shibboleth.SAML1NameIdentifierGenerators">
+
+        <ref bean="shibboleth.SAML1TransientGenerator" />
+
+        <!--
+        <bean parent="shibboleth.SAML1AttributeSourcedGenerator"
+            p:format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+            p:attributeSourceIds="#{ {'mail'} }" />
+        -->
+                
+    </util:list>
+    
+</beans>
diff --git a/conf-from-container/conf/services.properties b/conf-from-container/conf/services.properties
new file mode 100644
index 0000000..eee86ee
--- /dev/null
+++ b/conf-from-container/conf/services.properties
@@ -0,0 +1,65 @@
+# Configure the resources to load for various services,
+# and the settings for failure handling and auto-reload.
+
+# failFast=true prevents IdP startup if a configuration is bad
+# checkInterval = PT0S means never reload (this is the default)
+
+# Global default for fail-fast behavior of most subsystems
+# with individual override possible below.
+#idp.service.failFast = false
+
+#idp.service.logging.resource = %{idp.home}/conf/logback.xml
+#idp.service.logging.failFast = true
+idp.service.logging.checkInterval = PT5M
+
+# Set to shibboleth.LegacyRelyingPartyResolverResources with legacy V2 relying-party.xml
+#idp.service.relyingparty.resources = shibboleth.RelyingPartyResolverResources
+#idp.service.relyingparty.failFast = false
+idp.service.relyingparty.checkInterval = PT15M
+
+#idp.service.metadata.resources = shibboleth.MetadataResolverResources
+#idp.service.metadata.failFast = false
+#idp.service.metadata.checkInterval = PT0S
+
+#idp.service.attribute.resolver.resources = shibboleth.AttributeResolverResources
+#idp.service.attribute.resolver.failFast = false
+idp.service.attribute.resolver.checkInterval = PT15M
+#idp.service.attribute.resolver.maskFailures = true
+
+#idp.service.attribute.filter.resources = shibboleth.AttributeFilterResources
+# NOTE: Failing the filter fast leaves no filters enabled.
+#idp.service.attribute.filter.failFast = false
+idp.service.attribute.filter.checkInterval = PT15M
+#idp.service.attribute.filter.maskFailures = true
+
+#idp.service.nameidGeneration.resources = shibboleth.NameIdentifierGenerationResources
+#idp.service.nameidGeneration.failFast = false
+idp.service.nameidGeneration.checkInterval = PT15M
+
+#idp.service.access.resources = shibboleth.AccessControlResources
+#idp.service.access.failFast = true
+idp.service.access.checkInterval = PT5M
+
+#idp.service.cas.registry.resources = shibboleth.CASServiceRegistryResources
+#idp.service.cas.registry.failFast = false
+idp.service.cas.registry.checkInterval = PT15M
+
+#idp.message.resources = shibboleth.MessageSourceResources
+#idp.message.cacheSeconds = 300
+
+# Parameters for pre-defined HttpClient instances which perform in-memory and filesystem caching.
+# These are used with components such as remote configuration resources that are explicitly wired
+# with these client instances, *not* by default with HTTP metadata resolvers.
+#idp.httpclient.useTrustEngineTLSSocketFactory = false
+#idp.httpclient.useSecurityEnhancedTLSSocketFactory = false
+#idp.httpclient.connectionDisregardTLSCertificate = false
+#idp.httpclient.connectionRequestTimeout = 60000
+#idp.httpclient.connectionTimeout = 60000
+#idp.httpclient.socketTimeout = 60000
+#idp.httpclient.maxConnectionsTotal = 100
+#idp.httpclient.maxConnectionsPerRoute = 100
+#idp.httpclient.memorycaching.maxCacheEntries = 50
+#idp.httpclient.memorycaching.maxCacheEntrySize = 1048576
+#idp.httpclient.filecaching.maxCacheEntries = 100
+#idp.httpclient.filecaching.maxCacheEntrySize = 10485760
+idp.httpclient.filecaching.cacheDirectory = %{idp.home}/tmp/httpClientCache
\ No newline at end of file
diff --git a/conf-from-container/conf/services.xml b/conf-from-container/conf/services.xml
new file mode 100644
index 0000000..313b636
--- /dev/null
+++ b/conf-from-container/conf/services.xml
@@ -0,0 +1,144 @@
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
+    xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
+                           
+    <!-- Advanced configuration of services from SVN.
+       
+       To use an SVN resource you need to construct it and then inject it into 
+       The appropriate bean. To use property replacement you will need a separate 
+       resource pointing to the replacement phrase. 
+        
+       For example: 
+        
+    <bean id="AuthnMgr" class="org.tmatesoft.svn.core.auth.BasicAuthenticationManager">
+        <constructor-arg>
+            <null />
+        </constructor-arg>
+    </bean>
+    <bean id="ClientMgr" factory-method="newInstance"
+        class="org.tmatesoft.svn.core.wc.SVNClientManager"
+        p:authenticationManager-ref="AuthnMgr" />
+    <bean id="TheSVNURL" factory-method="create"
+        class="org.tmatesoft.svn.core.SVNURL">
+        <constructor-arg value="https" />
+        <constructor-arg>
+            <null />
+        </constructor-arg>
+        <constructor-arg value="svn.shibboleth.net" />
+        <constructor-arg value="-1" />
+        <constructor-arg
+            value="/utilities/spring-extensions/trunk/src/test/resources/data/" />
+        <constructor-arg value="false" />
+    </bean>
+    <bean id="TheSVNResource" class="net.shibboleth.ext.spring.resource.SVNResource">
+        <constructor-arg ref="ClientMgr" />
+        <constructor-arg ref="TheSVNURL" />
+        <constructor-arg value="D:/testdir/dir" />
+        <constructor-arg value="-1" />
+        <constructor-arg value="TestResource.txt" />
+    </bean>
+    
+    <util:list id="shibboleth.AttributeResolverResources">
+       <ref bean="TheSVNResource"/>
+       <value>path_to_properties_specifyingBean_file</value>
+    </util:list>
+    
+     see also https://wiki.shibboleth.net/confluence/display/IDP30/SVNResource
+              http://svnkit.com/javadoc/org/tmatesoft/svn/core/auth/BasicAuthenticationManager.html#constructor_detail 
+              http://svnkit.com/javadoc/org/tmatesoft/svn/core/SVNURL.html
+              
+    -->
+    
+    <!-- Advanced configuration of services from HTTP.
+    
+      To use an HTTP resource you first need to configure the Apache HttpClient which will be used
+      to communicate with the web server.  Any HttpClient can be used, but two Factory Beans allow simple
+      configuration of in-memory or file-based caching clients.
+      
+      Examples are:
+      
+        A resource which will be supplied from an in-memory cache for as long as the file on the webserver does not change.  
+        If the webserver becomes unavailable the resource will be unavailable.
+         
+        <bean id="inMemoryResource" class="net.shibboleth.ext.spring.resource.HTTPResource"
+              c:client-ref="shibboleth.MemoryCachingHttpClient" 
+              c:url="http://example.org/path/to/file.xml" />
+              
+        Two resources which will be supplied from an on disk cache (suitable for multiple or large files) for as long 
+        as the file on the webserver does not change.  If the webserver becomes unavailable the last used contents
+        of the file will be returned (even if that was in a previous IdP lifetime).
+        
+        <bean id="fileResource" class="net.shibboleth.ext.spring.resource.FileBackedHTTPResource"
+              c:client-ref="shibboleth.FileCachingHttpClient" 
+              c:url="http://example.org/path/to/file.xml"
+              c:backingFile="/var/shibboleth/caches/resourcecache/file.xml"/>
+       
+        <bean id="otherFileResource" class="net.shibboleth.ext.spring.resource.FileBackedHTTPResource"
+              c:client-ref="shibboleth.FileCachingHttpClient" 
+              c:url="http://another.server.example.org/path/to/different/file.xml"
+              c:backingFile="/var/shibboleth/caches/resourcecache/differentFile.xml"/>
+              
+        In all cases you should review the "idp.httpclient.*" properties defined in services.properties
+    -->
+    
+    <!--
+    Otherwise by default we look at resources whose names are derived from %{idp.home}. Services not configured
+    using native Spring syntax also need to load the property-placeholder file in order to pull settings from
+    property sources.
+    -->
+
+    <!-- This set of resources supports a native Spring relying-party.xml file. -->
+    <util:list id="shibboleth.RelyingPartyResolverResources">
+        <value>%{idp.home}/conf/relying-party.xml</value>
+        <value>%{idp.home}/conf/credentials.xml</value>
+        <value>%{idp.home}/system/conf/relying-party-system.xml</value>
+    </util:list>
+
+    <!-- This set of resources supports a legacy 2.x relying-party.xml file. -->
+    <util:list id="shibboleth.LegacyRelyingPartyResolverResources">
+        <value>%{idp.home}/conf/relying-party.xml</value>
+        <value>%{idp.home}/system/conf/legacy-relying-party-defaults.xml</value>
+    </util:list>
+
+    <util:list id="shibboleth.MetadataResolverResources">
+        <value>%{idp.home}/conf/metadata-providers.xml</value>
+        <value>%{idp.home}/system/conf/metadata-providers-system.xml</value>
+    </util:list>
+
+    <util:list id ="shibboleth.AttributeResolverResources">
+        <value>%{idp.home}/conf/attribute-resolver.xml</value>
+    </util:list>
+
+    <util:list id ="shibboleth.AttributeFilterResources">
+        <value>%{idp.home}/conf/attribute-filter.xml</value>
+    </util:list>
+
+    <util:list id ="shibboleth.NameIdentifierGenerationResources">
+        <value>%{idp.home}/conf/saml-nameid.xml</value>
+        <value>%{idp.home}/system/conf/saml-nameid-system.xml</value>
+    </util:list>
+    
+    <util:list id="shibboleth.AccessControlResources">
+        <value>%{idp.home}/conf/access-control.xml</value>
+        <value>%{idp.home}/system/conf/access-control-system.xml</value>
+    </util:list>
+
+    <util:list id="shibboleth.CASServiceRegistryResources">
+        <value>%{idp.home}/conf/cas-protocol.xml</value>
+    </util:list>
+
+    <!--
+    This collection of resources differs slightly in that it should not include the file extension.
+    Message sources are internationalized, and Spring will search for a compatible language extension
+    and fall back to one with only a .properties extension.
+    -->
+    <util:list id="shibboleth.MessageSourceResources">
+        <value>%{idp.home}/messages/messages</value>
+        <value>%{idp.home}/system/messages/messages</value>
+    </util:list>
+    
+</beans>
diff --git a/conf-from-container/conf/session-manager.xml b/conf-from-container/conf/session-manager.xml
new file mode 100644
index 0000000..f195014
--- /dev/null
+++ b/conf-from-container/conf/session-manager.xml
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
+    xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+    default-init-method="initialize"
+    default-destroy-method="destroy">
+
+    <!-- Flows that propagate logout to additional services using supported protocols. -->
+    <util:list id="shibboleth.LogoutPropagationFlows">
+        <ref bean="logoutprop/cas" />
+        <ref bean="logoutprop/saml2" />
+    </util:list>
+
+    <!-- Modify only to add extension types associated with non-built-in SSO protocols. -->
+    <bean id="shibboleth.SPSessionSerializerRegistry" parent="shibboleth.DefaultSPSessionSerializerRegistry">
+        <property name="mappings">
+            <map merge="true">
+            </map>
+        </property>
+    </bean>
+    
+    <!-- Modify only to add extension types associated with non-built-in SSO protocols. -->
+    <bean id="shibboleth.SessionTypeProtocolMap" parent="shibboleth.DefaultSessionTypeProtocolMap">
+        <property name="sourceMap">
+            <map merge="true">
+            </map>
+        </property>
+    </bean>
+        
+    <!--
+    List of client-side storage service plugins. If you use server-side storage and don't need these
+    services, you can remove or comment out the <ref> elements, but don't remove the list bean or
+    a default list will be substituted for backward compatibility.
+    -->
+    <util:list id="shibboleth.ClientStorageServices">
+        <ref bean="shibboleth.ClientSessionStorageService" />
+        <ref bean="shibboleth.ClientPersistentStorageService" />
+    </util:list>
+    
+</beans>
diff --git a/conf-from-container/run.sh b/conf-from-container/run.sh
new file mode 100644
index 0000000..ce896e5
--- /dev/null
+++ b/conf-from-container/run.sh
@@ -0,0 +1 @@
+docker cp `docker ps | cut -f 1 -d ' ' | grep -v "CONTAINER"`:/opt/shibboleth-idp/conf /Users/hlk/projects/shibboleth-docker/conf-from-container
diff --git a/conf-from-container/shell.sh b/conf-from-container/shell.sh
new file mode 100644
index 0000000..182d4c1
--- /dev/null
+++ b/conf-from-container/shell.sh
@@ -0,0 +1 @@
+docker exec -ti  `docker ps | cut -f 1 -d ' ' | grep -v "CONTAINER"` bash
-- 
cgit v1.1