From aab254a9894c8d04679e7aeffcab22f35eeadf7d Mon Sep 17 00:00:00 2001
From: Markus Krogh <markus@nordu.net>
Date: Mon, 2 Oct 2017 14:20:48 +0200
Subject: Rearange template files. Start on templating

---
 idp/templates/config/README.md                  |   5 +
 idp/templates/config/attribute-filter.xml       | 283 ++++++++++++++++++++++
 idp/templates/config/attribute-resolver.xml     | 223 +++++++++++++++++
 idp/templates/config/edupersontargetdid.xml.add |  16 ++
 idp/templates/config/logback.xml                | 199 ++++++++++++++++
 idp/templates/config/metadata-providers.xml     |  57 +++++
 idp/templates/edit-webapp/css/NORDUnet.css      | 302 ++++++++++++++++++++++++
 idp/templates/edit-webapp/images/nordunet.png   | Bin 0 -> 20823 bytes
 idp/templates/views/layout.vm                   |  32 +++
 idp/templates/views/login.vm                    | 116 +++++++++
 10 files changed, 1233 insertions(+)
 create mode 100644 idp/templates/config/README.md
 create mode 100644 idp/templates/config/attribute-filter.xml
 create mode 100644 idp/templates/config/attribute-resolver.xml
 create mode 100644 idp/templates/config/edupersontargetdid.xml.add
 create mode 100644 idp/templates/config/logback.xml
 create mode 100644 idp/templates/config/metadata-providers.xml
 create mode 100644 idp/templates/edit-webapp/css/NORDUnet.css
 create mode 100644 idp/templates/edit-webapp/images/nordunet.png
 create mode 100644 idp/templates/views/layout.vm
 create mode 100644 idp/templates/views/login.vm

(limited to 'idp/templates')

diff --git a/idp/templates/config/README.md b/idp/templates/config/README.md
new file mode 100644
index 0000000..6002238
--- /dev/null
+++ b/idp/templates/config/README.md
@@ -0,0 +1,5 @@
+# IDP config templates
+
+This directory contains the files which are being replaced after running install.
+
+Dockerfile should install these after running install.
diff --git a/idp/templates/config/attribute-filter.xml b/idp/templates/config/attribute-filter.xml
new file mode 100644
index 0000000..3514282
--- /dev/null
+++ b/idp/templates/config/attribute-filter.xml
@@ -0,0 +1,283 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    This file is an EXAMPLE policy file.  While the policy presented in this
+    example file is illustrative of some simple cases, it relies on the names of
+    non-existent example services and the example attributes demonstrated in the
+    default attribute-resolver.xml file.
+
+    Deployers should refer to the documentation for a complete list of components
+    and their options.
+-->
+<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
+  xmlns="urn:mace:shibboleth:2.0:afp"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
+
+  <AttributeFilterPolicy id="releaseTransientIdToAnyone">
+    <PolicyRequirementRule xsi:type="ANY" />
+
+    <AttributeRule attributeID="transientId">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="persistentId">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+  </AttributeFilterPolicy>
+
+
+  <!-- GEANT Data protection Code of Conduct -->
+  <AttributeFilterPolicy id="releaseToCoCo">
+    <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
+      attributeName="http://macedir.org/entity-category"
+      attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" />
+    <AttributeRule attributeID="displayName">
+      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+    </AttributeRule>
+    <AttributeRule attributeID="cn">
+      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+    </AttributeRule>
+    <AttributeRule attributeID="email">
+      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonPrincipalName">
+      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonScopedAffiliation">
+      <PermitValueRule xsi:type="AND">
+        <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+        <Rule xsi:type="OR">
+          <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+          <Rule xsi:type="Value" value="student" ignoreCase="true" />
+          <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+          <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+          <Rule xsi:type="Value" value="member" ignoreCase="true" />
+          <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+          <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+          <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+        </Rule>
+      </PermitValueRule>
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonAffiliation">
+      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+    </AttributeRule>
+    <AttributeRule attributeID="schacHomeOrganization">
+      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+    </AttributeRule>
+    <AttributeRule attributeID="schacHomeOrganizationType">
+      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+    </AttributeRule>
+  </AttributeFilterPolicy>
+
+  <!-- REFEDS Research and Schoolarship -->
+  <AttributeFilterPolicy id="releaseToRandS">
+    <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
+      attributeName="http://macedir.org/entity-category"
+      attributeValue="http://refeds.org/category/research-and-scholarship" />
+
+    <AttributeRule attributeID="displayName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="givenName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="surname">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="email">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonPrincipalName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonScopedAffiliation">
+      <PermitValueRule xsi:type="OR">
+        <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+        <Rule xsi:type="Value" value="student" ignoreCase="true" />
+        <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+        <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+        <Rule xsi:type="Value" value="member" ignoreCase="true" />
+        <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+        <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+        <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+      </PermitValueRule>
+    </AttributeRule>
+  </AttributeFilterPolicy>
+
+  <!-- entity-category-swamid-research-and-education -->
+  <AttributeFilterPolicy id="entity-category-research-and-education">
+    <PolicyRequirementRule xsi:type="AND">
+      <Rule xsi:type="OR">
+        <Rule xsi:type="EntityAttributeExactMatch"
+          attributeName="http://macedir.org/entity-category"
+          attributeValue="http://www.swamid.se/category/eu-adequate-protection" />
+        <Rule xsi:type="EntityAttributeExactMatch"
+          attributeName="http://macedir.org/entity-category"
+          attributeValue="http://www.swamid.se/category/nren-service" />
+        <Rule xsi:type="EntityAttributeExactMatch"
+          attributeName="http://macedir.org/entity-category"
+          attributeValue="http://www.swamid.se/category/hei-service" />
+      </Rule>
+      <Rule xsi:type="EntityAttributeExactMatch"
+        attributeName="http://macedir.org/entity-category"
+        attributeValue="http://www.swamid.se/category/research-and-education" />
+    </PolicyRequirementRule>
+
+    <AttributeRule attributeID="givenName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="surname">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="displayName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonPrincipalName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonAssurance">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="email">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonScopedAffiliation">
+      <PermitValueRule xsi:type="OR">
+        <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+        <Rule xsi:type="Value" value="student" ignoreCase="true" />
+        <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+        <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+        <Rule xsi:type="Value" value="member" ignoreCase="true" />
+        <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+        <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+        <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+      </PermitValueRule>
+    </AttributeRule>
+    <AttributeRule attributeID="organizationName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="norEduOrgAcronym">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="countryName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="friendlyCountryName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="schacHomeOrganization">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+  </AttributeFilterPolicy>
+
+  <!-- Release some attributes to an SP. -->
+  <!-- Note: requester seems to need the path /shibboleth to be included to match this! -->
+  <AttributeFilterPolicy id="sp.nordu.dev">
+    <PolicyRequirementRule xsi:type="Requester" value="https://sp.nordu.dev/shibboleth" />
+    <!-- <PolicyRequirementRule xsi:type="ANY" /> -->
+    <AttributeRule attributeID="eduPersonPrincipalName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="uid">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="mail">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="givenName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="surname">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="displayName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="commonName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="employeeType">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="email">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonEntitlement">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="mailLocalAddress">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonScopedAffiliation">
+      <PermitValueRule xsi:type="OR">
+        <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+        <Rule xsi:type="Value" value="student" ignoreCase="true" />
+        <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+        <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+        <Rule xsi:type="Value" value="member" ignoreCase="true" />
+        <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+        <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+        <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+      </PermitValueRule>
+    </AttributeRule>
+    <AttributeRule attributeID="organizationName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+  </AttributeFilterPolicy>
+
+  <!-- ukfederation + incommon -->
+  <AttributeFilterPolicy id="everyoneInSwamidFeed">
+    <PolicyRequirementRule xsi:type="InEntityGroup" groupID="http://mds.swamid.se/md/swamid-2.0.xml" />
+    <AttributeRule attributeID="givenName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="surname">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="displayName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="commonName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonPrincipalName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="email">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonEntitlement">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonTargetedID">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonScopedAffiliation">
+      <PermitValueRule xsi:type="OR">
+        <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+        <Rule xsi:type="Value" value="student" ignoreCase="true" />
+        <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+        <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+        <Rule xsi:type="Value" value="member" ignoreCase="true" />
+        <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+        <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+        <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+      </PermitValueRule>
+    </AttributeRule>
+    <AttributeRule attributeID="organizationName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="norEduOrgAcronym">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="countryName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="friendlyCountryName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="schacHomeOrganization">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+  </AttributeFilterPolicy>
+
+</AttributeFilterPolicyGroup>
diff --git a/idp/templates/config/attribute-resolver.xml b/idp/templates/config/attribute-resolver.xml
new file mode 100644
index 0000000..92fb1bb
--- /dev/null
+++ b/idp/templates/config/attribute-resolver.xml
@@ -0,0 +1,223 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    This file is an EXAMPLE configuration file. While the configuration
+    presented in this example file is semi-functional, it isn't very
+    interesting. It is here only as a starting point for your deployment
+    process.
+
+    Very few attribute definitions and data connectors are demonstrated,
+    and the data is derived statically from the logged-in username and a
+    static example connector.
+
+    Attribute-resolver-full.xml contains more examples of attributes,
+    encoders, and data connectors. Deployers should refer to the Shibboleth
+    documentation for a complete list of components and their options.
+
+    NOTE: This file is from the Nordunet template-config
+
+-->
+<AttributeResolver
+  xmlns="urn:mace:shibboleth:2.0:resolver"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
+
+
+  <!-- ========================================== -->
+  <!--      Attribute Definitions                 -->
+  <!-- ========================================== -->
+
+  <!--
+    The EPPN is the "standard" federated username in higher ed.
+    For guidelines on the implementation of this attribute, refer
+    to the Shibboleth and eduPerson documentation. Above all, do
+    not expose a value for this attribute without considering the
+    long term implications.
+    -->
+    <!--
+    The uid is the closest thing to a "standard" LDAP attribute
+    representing a local username, but you should generally *never*
+    expose uid to federated services, as it is rarely globally unique.
+    -->
+    <AttributeDefinition id="uid" xsi:type="Simple" sourceAttributeID="uid">
+      <Dependency ref="myLDAP" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:uid" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" />
+    </AttributeDefinition>
+
+    <!--
+    In the rest of the world, the email address is the standard identifier,
+    despite the problems with that practice. Consider making the EPPN value
+    the same as your official email addresses whenever possible.
+    -->
+    <AttributeDefinition id="mail" xsi:type="Simple" sourceAttributeID="mail">
+      <Dependency ref="myLDAP" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
+    </AttributeDefinition>
+
+    <AttributeDefinition id="email" xsi:type="Simple" sourceAttributeID="mail">
+      <Dependency ref="myLDAP" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
+    </AttributeDefinition>
+
+    <AttributeDefinition id="commonName" xsi:type="Simple" sourceAttributeID="cn">
+      <Dependency ref="myLDAP" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:cn" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.3" friendlyName="cn" />
+    </AttributeDefinition>
+
+    <AttributeDefinition id="displayName" xsi:type="Simple" sourceAttributeID="cn"><!-- yes for ndn ldap this is correct -->
+      <Dependency ref="myLDAP" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:displayName" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" />
+    </AttributeDefinition>
+
+    <AttributeDefinition id="surname" xsi:type="Simple" sourceAttributeID="sn">
+      <Dependency ref="myLDAP" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:sn" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" />
+    </AttributeDefinition>
+
+    <AttributeDefinition id="organizationName" xsi:type="Simple" sourceAttributeID="o">
+      <Dependency ref="staticAttributes" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:o" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" />
+    </AttributeDefinition>
+
+    <AttributeDefinition id="givenName" xsi:type="Simple" sourceAttributeID="givenName">
+      <Dependency ref="myLDAP" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" />
+    </AttributeDefinition>
+
+    <!-- Schema: inetOrgPerson attributes-->
+    <AttributeDefinition id="employeeType" xsi:type="Simple" sourceAttributeID="employeeType">
+      <Dependency ref="myLDAP" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:employeeType" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" />
+    </AttributeDefinition>
+
+    <!-- Schema: eduPerson attributes -->
+
+    <AttributeDefinition id="mappedEduPersonEntitlement" xsi:type="Mapped" sourceAttributeID="memberOf" dependencyOnly="true">
+      <Dependency ref="myLDAPGROUPS" />
+      <ValueMap>
+        <ReturnValue>urn:x-ldapgroup:ndn-sysadmin</ReturnValue>
+        <SourceValue>cn=ndn-sysadmin,ou=groups,dc=nordu,dc=net</SourceValue>
+      </ValueMap>
+      <ValueMap>
+        <ReturnValue>urn:x-ldapgroup:ndn-netadmin</ReturnValue>
+        <SourceValue>cn=ndn-netadmin,ou=groups,dc=nordu,dc=net</SourceValue>
+      </ValueMap>
+      <ValueMap>
+        <ReturnValue>urn:x-ldapgroup:ndn-secadmin</ReturnValue>
+        <SourceValue>cn=ndn-secadmin,ou=groups,dc=nordu,dc=net</SourceValue>
+      </ValueMap>
+    </AttributeDefinition>
+
+    <AttributeDefinition id="eduPersonEntitlement" xsi:type="Simple" sourceAttributeID="staticeduPersonEntitlement">
+      <Dependency ref="mappedEduPersonEntitlement" />
+      <Dependency ref="staticAttributes" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" />
+    </AttributeDefinition>
+
+    <AttributeDefinition id="eduPersonPrimaryAffiliation" xsi:type="Simple" sourceAttributeID="eduPersonPrimaryAffiliation">
+      <Dependency ref="myLDAP" />
+      <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" />
+      <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" />
+    </AttributeDefinition>
+
+    <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="uid"><!-- In ndn it is uid+scope -->
+      <Dependency ref="myLDAP" />
+      <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" />
+      <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" />
+    </AttributeDefinition>
+
+    <AttributeDefinition id="eduPersonScopedAffiliation" xsi:type="Scoped" scope="%{idp.scope}" sourceAttributeID="employeeType">
+      <Dependency ref="myLDAP" />
+      <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" />
+      <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" />
+    </AttributeDefinition>
+
+<!-- from swamid installer -->
+  <AttributeDefinition id="norEduOrgAcronym" xsi:type="Simple" sourceAttributeID="norEduOrgAcronym">
+    <Dependency ref="staticAttributes" />
+    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:norEduOrgAcronym" />
+    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.2428.90.1.6" friendlyName="norEduOrgAcronym" />
+  </AttributeDefinition>
+
+  <AttributeDefinition id="schacHomeOrganization" xsi:type="Simple" sourceAttributeID="schacHomeOrganization">
+    <Dependency ref="staticAttributes" />
+    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" />
+    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" />
+  </AttributeDefinition>
+
+  <AttributeDefinition id="schacHomeOrganizationType" xsi:type="Simple" sourceAttributeID="schacHomeOrganizationType">
+    <Dependency ref="staticAttributes" />
+    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:schacHomeOrganization" />
+    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.25178.1.2.9" friendlyName="schacHomeOrganization" />
+  </AttributeDefinition>
+
+  <!-- If we want to use google apps at some point we need: friendlyCountryName, countryName and principal -->
+
+
+
+  <!-- ========================================== -->
+  <!--      Data Connectors                       -->
+  <!-- ========================================== -->
+
+  <!--
+    Example LDAP Connector
+
+    The connectivity details can be specified in ldap.properties to
+    share them with your authentication settings if desired.
+    -->
+    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
+      ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
+      baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
+      <FilterTemplate>
+        <![CDATA[
+        %{idp.attribute.resolver.LDAP.searchFilter}
+        ]]>
+      </FilterTemplate>
+    </DataConnector>
+    <DataConnector id="myLDAPGROUPS" xsi:type="LDAPDirectory"
+      ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
+      baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
+      <FilterTemplate>
+        <![CDATA[
+        %{idp.attribute.resolver.LDAP.searchFilter}
+        ]]>
+      </FilterTemplate>
+      <ReturnAttributes>memberOf</ReturnAttributes>
+    </DataConnector>
+
+    <DataConnector id="staticAttributes" xsi:type="Static">
+      <Attribute id="o">
+        <Value>NORDUnet A/S</Value>
+      </Attribute>
+      <Attribute id="schacHomeOrganization">
+        <Value>nordu.net</Value>
+      </Attribute>
+      <Attribute id="schacHomeOrganizationType">
+        <Value>urn:schac:homeOrganizationType:int:NREN</Value>
+      </Attribute>
+      <Attribute id="norEduOrgAcronym">
+        <Value>NORDUNet</Value>
+      </Attribute>
+      <Attribute id="staticeduPersonEntitlement">
+        <Value>urn:mace:dir:entitlement:common-lib-terms</Value>
+        <Value>urn:mace:terena.org:tcs:escience-user</Value>
+        <Value>urn:mace:terena.org:tcs:personal-user</Value>
+        <Value>urn:mace:rediris.es:entitlement:wiki:tfemc2</Value>
+        <Value>urn:mace:swami.se:gmai:sunet-baas:admin</Value>
+        <Value>urn:mace:swami.se:gmai:sunet-iaas:admin</Value>
+        <Value>urn:mace:swami.se:gmai:sunet-iaas:user</Value>
+      </Attribute>
+    </DataConnector>
+
+  <!-- eduPersonTargetdID placeholder -->
+
+</AttributeResolver>
diff --git a/idp/templates/config/edupersontargetdid.xml.add b/idp/templates/config/edupersontargetdid.xml.add
new file mode 100644
index 0000000..8601da6
--- /dev/null
+++ b/idp/templates/config/edupersontargetdid.xml.add
@@ -0,0 +1,16 @@
+    <AttributeDefinition xsi:type="SAML2NameID" id="eduPersonTargetedID"
+                         nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
+                         sourceAttributeID="computedId">
+        <Dependency ref="ComputedId" />
+        <AttributeEncoder xsi:type="SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />
+        <AttributeEncoder xsi:type="SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
+    </AttributeDefinition>
+
+
+    <!--  The V3 IdP uses a new dedicated service for configuring NameID generation. The legacy V2 approach of encoding attributes into identifiers using attribute-resolver.xml and special attribute encoders that generate NameIdentifiers or NameIDs instead of Attributes is supported for compatibility purposes, but is deprecated and may be removed from a future version.-->
+  <DataConnector id="ComputedId" xsi:type="ComputedId"
+      generatedAttributeID="computedId"
+      sourceAttributeID="%{idp.persistentId.sourceAttribute}"
+      salt="%{idp.persistentId.salt}">
+      <Dependency ref="myLDAP" />
+  </DataConnector>
diff --git a/idp/templates/config/logback.xml b/idp/templates/config/logback.xml
new file mode 100644
index 0000000..6afa4ef
--- /dev/null
+++ b/idp/templates/config/logback.xml
@@ -0,0 +1,199 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+
+    <!--
+    Variables for simplifying logging configuration.
+    http://logback.qos.ch/manual/configuration.html#variableSubstitution
+    -->
+    
+    <variable name="idp.logfiles" value="${idp.home}/logs" />
+    <variable name="idp.loghistory" value="180" />
+    
+    <!-- Much higher performance if you operate on DEBUG. -->
+    <!-- <variable name="idp.process.appender" value="ASYNC_PROCESS" /> -->
+    
+    <!-- Logging level shortcuts. -->
+    <variable name="idp.loglevel.idp" value="INFO" />
+    <variable name="idp.loglevel.ldap" value="WARN" />
+    <variable name="idp.loglevel.messages" value="INFO" />
+    <variable name="idp.loglevel.encryption" value="INFO" />
+    <variable name="idp.loglevel.opensaml" value="INFO" />
+    <variable name="idp.loglevel.props" value="INFO" />
+    
+    <!-- Don't turn these up unless you want a *lot* of noise. -->
+    <variable name="idp.loglevel.spring" value="ERROR" />
+    <variable name="idp.loglevel.container" value="ERROR" />
+    <variable name="idp.loglevel.xmlsec" value="INFO" />
+
+    <!--
+    If you want to use custom properties in this config file,
+    we load the main property file for you.
+    -->
+    <variable file="${idp.home}/conf/idp.properties" />
+    
+    <!-- =========================================================== -->
+    <!-- ============== Logging Categories and Levels ============== -->
+    <!-- =========================================================== -->
+
+    <!-- Logs IdP, but not OpenSAML, messages -->
+    <logger name="net.shibboleth.idp" level="${idp.loglevel.idp:-INFO}"/>
+
+    <!-- Logs OpenSAML, but not IdP, messages -->
+    <logger name="org.opensaml.saml" level="${idp.loglevel.opensaml:-INFO}"/>
+    
+    <!-- Logs LDAP related messages -->
+    <logger name="org.ldaptive" level="${idp.loglevel.ldap:-WARN}"/>
+    
+    <!-- Logs inbound and outbound protocols messages at DEBUG level -->
+    <logger name="PROTOCOL_MESSAGE" level="${idp.loglevel.messages:-INFO}" />
+
+    <!-- Logs unencrypted SAML at DEBUG level -->
+    <logger name="org.opensaml.saml.saml2.encryption.Encrypter" level="${idp.loglevel.encryption:-INFO}" />
+
+    <!-- Logs system properties during startup at DEBUG level -->
+    <logger name="net.shibboleth.idp.log.LogbackLoggingService" level="${idp.loglevel.props:-INFO}" />
+
+    <!-- Especially chatty. -->
+    <logger name="net.shibboleth.idp.saml.attribute.mapping" level="INFO" />
+    <logger name="org.apache.xml.security" level="${idp.loglevel.xmlsec:-INFO}" />
+    <logger name="org.springframework" level="${idp.loglevel.spring:-ERROR}"/>
+    <logger name="org.apache.catalina" level="${idp.loglevel.container:-ERROR}"/>
+    <logger name="org.eclipse.jetty" level="${idp.loglevel.container:-ERROR}"/>
+
+
+    <!-- =========================================================== -->
+    <!-- ============== Low Level Details or Changes =============== -->
+    <!-- =========================================================== -->
+    
+    <!-- Process log. -->
+    <appender name="IDP_PROCESS" class="ch.qos.logback.core.rolling.RollingFileAppender">
+        <File>${idp.logfiles}/idp-process.log</File>
+        
+        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+            <fileNamePattern>${idp.logfiles}/idp-process-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+            <maxHistory>${idp.loghistory:-180}</maxHistory>
+        </rollingPolicy>
+
+        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+            <charset>UTF-8</charset>
+            <Pattern>%date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short}</Pattern>
+        </encoder>
+
+        <!-- Ignore Velocity status page error. -->
+        <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
+            <evaluator>
+                <matcher>
+                    <Name>VelocityStatusMatcher</Name>
+                    <regex>ResourceManager : unable to find resource 'status.vm' in any resource loader.</regex>
+                </matcher>
+                <expression>VelocityStatusMatcher.matches(formattedMessage)</expression>
+            </evaluator>
+            <OnMatch>DENY</OnMatch>
+        </filter>
+    </appender>
+
+    <appender name="ASYNC_PROCESS" class="ch.qos.logback.classic.AsyncAppender">
+        <appender-ref ref="IDP_PROCESS" />
+        <discardingThreshold>0</discardingThreshold>
+    </appender>
+
+    <appender name="IDP_WARN" class="ch.qos.logback.core.rolling.RollingFileAppender">
+        <!-- Suppress anything below WARN. -->
+        <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
+            <level>WARN</level>
+        </filter>
+        
+        <File>${idp.logfiles}/idp-warn.log</File>
+        
+        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+            <fileNamePattern>${idp.logfiles}/idp-warn-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+            <maxHistory>${idp.loghistory:-180}</maxHistory>
+        </rollingPolicy>
+        
+        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+            <charset>UTF-8</charset>
+            <Pattern>%date{ISO8601} - %level [%logger:%line] - %msg%n%ex{short}</Pattern>
+        </encoder>
+        
+        <!-- Ignore Velocity status page error. -->
+        <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
+            <evaluator>
+                <matcher>
+                    <Name>VelocityStatusMatcher</Name>
+                    <regex>ResourceManager : unable to find resource 'status.vm' in any resource loader.</regex>
+                </matcher>
+                <expression>VelocityStatusMatcher.matches(formattedMessage)</expression>
+            </evaluator>
+            <OnMatch>DENY</OnMatch>
+        </filter>
+    </appender>
+    
+    <!-- Audit log. -->
+    <appender name="IDP_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
+        <File>${idp.logfiles}/idp-audit.log</File>
+
+        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+            <fileNamePattern>${idp.logfiles}/idp-audit-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+            <maxHistory>${idp.loghistory:-180}</maxHistory>
+        </rollingPolicy>
+
+        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+            <charset>UTF-8</charset>
+            <Pattern>%msg%n</Pattern>
+        </encoder>
+    </appender>
+    
+    <!-- Consent audit log. -->
+    <appender name="IDP_CONSENT_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
+        <File>${idp.logfiles}/idp-consent-audit.log</File>
+
+        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+            <fileNamePattern>${idp.logfiles}/idp-consent-audit-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+            <maxHistory>${idp.loghistory:-180}</maxHistory>
+        </rollingPolicy>
+
+        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+            <charset>UTF-8</charset>
+            <Pattern>%msg%n</Pattern>
+        </encoder>
+    </appender>
+
+    <!-- F-TICKS syslog destination. -->
+    <appender name="IDP_AUDIT_FTICKS" class="ch.qos.logback.core.rolling.RollingFileAppender">
+    <File>${idp.home}/logs/idp-audit-fticks.log</File>
+    <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+        <fileNamePattern>${idp.home}/logs/idp-audit-fticks%d{yyyy-MM-dd}.log.gz</fileNamePattern>
+        <maxHistory>180</maxHistory>
+    </rollingPolicy>
+    <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+        <charset>UTF-8</charset>
+        <Pattern>%msg%n</Pattern>
+    </encoder>
+    </appender>
+
+    <appender name="IDP_FTICKS" class="ch.qos.logback.classic.net.SyslogAppender">
+        <syslogHost>${idp.fticks.loghost:-localhost}</syslogHost>
+        <port>${idp.fticks.logport:-514}</port>
+        <facility>AUTH</facility>
+        <suffixPattern>[%thread] %logger %msg</suffixPattern>
+    </appender>
+
+    <logger name="Shibboleth-Audit" level="ALL">
+        <appender-ref ref="${idp.audit.appender:-IDP_AUDIT}"/>
+    </logger>
+
+    <logger name="Shibboleth-FTICKS" level="ALL" additivity="false">
+        <appender-ref ref="${idp.fticks.appender:-IDP_FTICKS}"/>
+        <appender-ref ref="IDP_AUDIT_FTICKS"/>
+    </logger>
+
+    <logger name="Shibboleth-Consent-Audit" level="ALL">
+        <appender-ref ref="${idp.consent.appender:-IDP_CONSENT_AUDIT}"/>
+    </logger>
+    
+    <root level="${idp.loglevel.root:-INFO}">
+        <appender-ref ref="${idp.process.appender:-IDP_PROCESS}"/>
+        <appender-ref ref="${idp.warn.appender:-IDP_WARN}" />
+    </root>
+
+</configuration>
diff --git a/idp/templates/config/metadata-providers.xml b/idp/templates/config/metadata-providers.xml
new file mode 100644
index 0000000..d813c06
--- /dev/null
+++ b/idp/templates/config/metadata-providers.xml
@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- This file is an EXAMPLE metadata configuration file. -->
+<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
+    xmlns="urn:mace:shibboleth:2.0:metadata"
+    xmlns:resource="urn:mace:shibboleth:2.0:resource"
+    xmlns:security="urn:mace:shibboleth:2.0:security"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
+                        urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd
+                        urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd
+                        urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd">
+
+    <!-- ========================================================================================== -->
+    <!--                             Metadata Configuration                                         -->
+    <!--                                                                                            -->
+    <!--  Below you place the mechanisms which define how to load the metadata for SP(s) you will   -->
+    <!--  provide service to.                                                                       -->
+    <!--                                                                                            -->
+    <!--  Two examples are provided.  The Shibboleth Documentation at                               -->
+    <!--  https://wiki.shibboleth.net/confluence/display/IDP30/MetadataConfiguration                -->
+    <!--  provides more details.                                                                    -->
+    <!--                                                                                            -->
+    <!--  NOTE.  This file SHOULD NOT contain the metadata for this IdP.                            -->
+    <!-- ========================================================================================== -->
+
+    <!--
+    <MetadataProvider id="HTTPMetadata"
+                      xsi:type="FileBackedHTTPMetadataProvider"
+                      backingFile="%{idp.home}/metadata/localCopyFromXYZHTTP.xml"
+                      metadataURL="http://WHATEVER">
+
+        <MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/metaroot.pem" />
+        <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P30D"/>
+        <MetadataFilter xsi:type="EntityRoleWhiteList">
+            <RetainedRole>md:SPSSODescriptor</RetainedRole>
+        </MetadataFilter>
+    </MetadataProvider>
+    -->
+
+    <MetadataProvider id="SWAMID2"
+                      xsi:type="FileBackedHTTPMetadataProvider"
+                      metadataURL="https://mds.swamid.se/md/swamid-2.0.xml"
+                      backingFile="%{idp.home}/metadata/swamid-2.0.xml">
+
+      <MetadataFilter xsi:type="SignatureValidation"
+                      requireSignedRoot="true"
+                      certificateFile="%{idp.home}/credentials/md-signer2.crt" />
+      <MetadataFilter xsi:type="EntityRoleWhiteList">
+        <RetainedRole>md:SPSSODescriptor</RetainedRole>
+      </MetadataFilter>
+    </MetadataProvider>
+
+
+    <!--<MetadataProvider id="sp.nordu.dev" xsi:type="FilesystemMetadataProvider" metadataFile="/metadata/sp-metadata.xml" /> -->
+
+</MetadataProvider>
diff --git a/idp/templates/edit-webapp/css/NORDUnet.css b/idp/templates/edit-webapp/css/NORDUnet.css
new file mode 100644
index 0000000..f7c3ef2
--- /dev/null
+++ b/idp/templates/edit-webapp/css/NORDUnet.css
@@ -0,0 +1,302 @@
+#wrapper {
+	width: 100%;
+	font-family: Arial, Helvetica, sans-serif;
+	font-size: 12px;
+	color: #000; 
+	// background: #fff url('images/pipes_back.jpg') repeat-y top left;
+}
+
+#top {
+	display: block;
+	width: 100%;
+	background: #00B2E4 url('images/top_back.gif') repeat-x bottom left;
+	overflow: hidden;
+	
+}
+#top_table {
+	margin:0;
+	padding:0;
+	margin-top: 33px;
+	width: 900px;
+	border-collapse: collapse;
+	margin-bottom: -1px;
+
+	
+}
+
+#top_table td {
+	vertical-align:bottom;
+}
+
+#top_table td img {
+	margin-bottom: 20px;
+	display: block;
+	padding-right:10px;
+	
+}
+
+#main_nav {
+	margin:0;
+	padding:0;
+	list-style:none;
+	color: #fff;
+	height: 40px;
+	display: block;
+	
+}
+
+#main_nav li {
+	display: block;
+	float: left;
+	background: url('images/main_nav_left.gif') no-repeat bottom left; 
+	padding: 0 0 0 11px;
+	
+}
+#main_nav li#selectedPage {
+	background: url('images/main_nav_left_selected.gif') no-repeat bottom left; 
+} 
+#main_nav li a {
+	display: block;
+	float: left;
+	padding: 0 11px 0 0;
+	height: 40px;
+	color: #fff;
+	text-decoration: none;
+	outline: 0;
+	background: url('images/main_nav_back.gif') no-repeat bottom right; 
+}
+
+#main_nav li#selectedPage a {
+	background: url('images/main_nav_back_selected.jpg') no-repeat bottom right; 
+	color: #000;
+
+}
+#main_nav li a span {
+	 vertical-align: middle;
+     display: block;
+	 padding-top: 10px;
+	
+}
+
+#left {
+	clear: both;
+	background: #fff url('images/left_back.gif') repeat-y top left;
+	width: 200px;
+	float: left;
+}
+
+#search_form  {
+	padding-left: 8px;
+	width: 200px;
+	margin: 10px 0 20px 0;
+}
+
+#search_form .input_image {
+	
+	vertical-align: middle;
+}
+
+#nav {
+	
+    width: 200px;
+    font-size: 12px;
+	clear: both;
+}
+
+#nav #intro {
+	width: 179px;
+	background: #fff url('images/intro_top.jpg') no-repeat top left;
+    padding: 15px 10px 1px 10px;
+}
+
+#nav #intro_footer {
+	width: 199px;
+	height:27px;
+	background: #fff url('images/intro_bottom.jpg') no-repeat top left;
+}
+
+
+#nav ul.site_tree,
+#nav ul.site_tree ul,
+#nav ul.site_tree li {
+    margin: 0;
+    padding: 0;
+    list-style: none;
+
+}
+#nav ul.site_tree {
+	background: transparent url(images/subnavback.gif) no-repeat bottom left;
+	padding-bottom:2px;
+}
+
+#nav ul.site_tree a {
+    color: #4F4E4E;
+    text-decoration: none;
+    display: block;
+}
+
+#nav ul.site_tree a:hover {
+    text-decoration: none;
+}
+
+#nav ul.site_tree strong.level1 {
+    color: #000;
+    display: block;
+	background-color: #59BAE7;
+}
+
+#nav ul.site_tree li.level2 {
+	background: transparent url(images/subnavback.gif) no-repeat top left;
+}
+
+
+#nav ul.site_tree a.level1, 
+#nav ul.site_tree strong.level1  {
+	padding:5px 0 5px 10px;
+    
+}
+
+#nav ul.site_tree li.level2 {
+	display:block;
+	padding: 5px 0 2px 15px;	
+}
+
+#nav ul.site_tree a.level2 {
+		
+}
+
+#nav #nav_pic {
+	display: block;
+	margin: 0;
+	padding: 0;
+}
+
+
+h1 {
+	font-size: 20px;
+	color: #004788;
+}
+
+h2 {
+	font-size: 18px;
+	color: #004788;
+}
+
+h3 {
+	font-size: 16px;
+	color: #004788;
+}
+
+h4 {
+	font-size: 14px;
+	color: #004788;
+}
+
+h5  {
+	font-size: 12px;
+	color: #004788;
+}
+
+p   {
+        font-size: 12px;
+        color: #004788;
+
+}
+
+ul  {
+        font-size: 12px;
+        color: #004788;
+
+}
+
+#content {
+	margin-left: 200px;
+	padding: 20px;
+	width: auto;
+	line-height: 1.5em;		
+}
+
+#content table {
+	border-collapse: collapse;
+}
+
+#content th {
+	background-color: #f0f0f0;
+	padding: 5px;
+	color: #036;
+}
+
+#content td {
+	vertical-align: middle;
+	padding: 5px;
+}
+
+*html #content table { width:99%; } 
+
+#footer {
+	clear: both;
+	width: 100%;
+	height: 35px;
+	background-color: #D8D8D8;
+	border-top: 1px solid #989898;
+	border-bottom: 1px solid #989898;
+}
+
+#footer p {
+	vertical-align: middle;
+	margin: 12px 10px 10px 200px;
+	font-size: 10px;
+	color: #848484;
+}
+
+#footer img {
+    float: left; 
+    margin: 0px 0px 0px 2px; 
+}
+
+hr {
+  border: 0;
+  color: #696969;
+  background-color:#696969;
+  height: 1px;
+}
+
+
+#intro  img{
+	padding-top: 5px;
+	border: none;
+}
+
+/* Open trouble tickets */
+#opentickets {
+	margin-left: 200px;
+	padding: 0 20px 20px 20px;
+	width: auto;
+}
+
+.blue {
+background:#004788 none repeat scroll 0 0;
+}
+
+.text {
+  font-size: 12px;
+  color: #004788;
+}
+
+.group_heading {
+color:#004788;
+font-size:12px;
+font-weight:bolder;
+}
+
+.list_info {
+background-color:#D9EFFA;
+color:#004788;
+padding:0.6em;
+}
+
+.whitebold {
+color:#FFFFFF;
+font-size:12px;
+font-weight:bold;
+}
diff --git a/idp/templates/edit-webapp/images/nordunet.png b/idp/templates/edit-webapp/images/nordunet.png
new file mode 100644
index 0000000..9948f66
Binary files /dev/null and b/idp/templates/edit-webapp/images/nordunet.png differ
diff --git a/idp/templates/views/layout.vm b/idp/templates/views/layout.vm
new file mode 100644
index 0000000..7dca3b5
--- /dev/null
+++ b/idp/templates/views/layout.vm
@@ -0,0 +1,32 @@
+#macro(layout)
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width,initial-scale=1.0">
+    <title>$title - $titleSuffix</title>
+    <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css">
+  </head>
+
+  <body>
+    <div class="wrapper">
+      <div class="container">
+        <header>
+          <img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")">
+          #if ($titleSuffix)
+            <h3>#springMessageText("idp.title", "Web Login Service") - $titleSuffix</h3>
+          #end
+        </header>
+        <div class="content">
+          $!bodyContent
+        </div>
+      </div>
+      <footer>
+        <div class="contatiner container-footer">
+          <p class="footer-text">#springMessageText("idp.footer", "Your footer here.")</p>
+        </div>
+      </footer>
+    </div>
+  </body>
+</html>
+#end
diff --git a/idp/templates/views/login.vm b/idp/templates/views/login.vm
new file mode 100644
index 0000000..b4f02d0
--- /dev/null
+++ b/idp/templates/views/login.vm
@@ -0,0 +1,116 @@
+##
+## Velocity Template for DisplayUsernamePasswordPage view-state
+##
+## Velocity context will contain the following properties
+## flowExecutionUrl - the form action location
+## flowRequestContext - the Spring Web Flow RequestContext
+## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl)
+## profileRequestContext - root of context tree
+## authenticationContext - context with authentication request information
+## authenticationErrorContext - context with login error state
+## authenticationWarningContext - context with login warning state
+## ldapResponseContext - context with LDAP state (if using native LDAP)
+## rpUIContext - the context with SP UI information from the metadata
+## extendedAuthenticationFlows - collection of "extended" AuthenticationFlowDescriptor objects
+## passwordPrincipals - contents of the shibboleth.authn.Password.PrincipalOverride bean
+## encoder - HTMLEncoder class
+## request - HttpServletRequest
+## response - HttpServletResponse
+## environment - Spring Environment object for property resolution
+## custom - arbitrary object injected by deployer
+##
+#set ($rpContext = $profileRequestContext.getSubcontext('net.shibboleth.idp.profile.context.RelyingPartyContext'))
+#set ($username = $authenticationContext.getSubcontext('net.shibboleth.idp.authn.context.UsernamePasswordContext', true).getUsername())
+#set ($passwordEnabled = false)
+#if (!$passwordPrincipals or $passwordPrincipals.isEmpty() or $authenticationContext.isAcceptable($passwordPrincipals))
+  #set ($passwordEnabled = true)
+#end
+##
+#parse("layout.vm")
+
+#@layout()
+        <div class="column one">
+          #parse("login-error.vm")
+        
+          <form action="$flowExecutionUrl" method="post">
+        
+          #set ($serviceName = $rpUIContext.serviceName)
+          #if ($serviceName && !$rpContext.getRelyingPartyId().contains($serviceName))
+            <legend>
+              #springMessageText("idp.login.loginTo", "Login to") $encoder.encodeForHTML($serviceName)
+            </legend>
+          #end
+                      
+          #if ($passwordEnabled)
+            <div class="form-element-wrapper">
+              <label for="username">#springMessageText("idp.login.username", "Username")</label>
+              <input class="form-element form-field" id="username" name="j_username" type="text"
+              	value="#if($username)$encoder.encodeForHTML($username)#end">
+            </div>
+        
+            <div class="form-element-wrapper">
+              <label for="password">#springMessageText("idp.login.password", "Password")</label>
+              <input class="form-element form-field" id="password" name="j_password" type="password" value="">
+            </div>
+        
+            <div class="form-element-wrapper">
+              <input type="checkbox" name="donotcache" value="1" id="donotcache">
+              <label for="donotcache">#springMessageText("idp.login.donotcache", "Don't Remember Login")</label>
+             </div>
+          #end
+        
+            <div class="form-element-wrapper">
+              <input id="_shib_idp_revokeConsent" type="checkbox" name="_shib_idp_revokeConsent" value="true">
+              <label for="_shib_idp_revokeConsent">#springMessageText("idp.attribute-release.revoke", "Clear prior granting of permission for release of your information to this service.")</label>
+            </div>
+        
+          #if ($passwordEnabled)
+            <div class="form-element-wrapper">
+              <button class="form-element form-button" type="submit" name="_eventId_proceed"
+                  onClick="this.childNodes[0].nodeValue='#springMessageText("idp.login.pleasewait", "Logging in, please wait...")'"
+                  >#springMessageText("idp.login.login", "Login")</button>
+            </div>
+          #end
+        
+          #foreach ($extFlow in $extendedAuthenticationFlows)
+            #if ($authenticationContext.isAcceptable($extFlow) and $extFlow.apply(profileRequestContext))
+              <div class="form-element-wrapper">
+                <button class="form-element form-button" type="submit" name="_eventId_$extFlow.getId()">
+                  #springMessageText("idp.login.$extFlow.getId().replace('authn/','')", $extFlow.getId().replace('authn/',''))
+                </button>
+              </div>
+            #end
+          #end
+          </form>
+        
+          #*        
+            //
+            //    SP Description & Logo (optional)
+            //    These idpui lines will display added information (if available
+            //    in the metadata) about the Service Provider (SP) that requested
+            //    authentication. These idpui lines are "active" in this example
+            //    (not commented out) - this extra SP info will be displayed.
+            //    Remove or comment out these lines to stop the display of the
+            //    added SP information.
+            //
+          *#
+          #set ($logo = $rpUIContext.getLogo())
+          #if ($logo)
+            <img src= "$encoder.encodeForHTMLAttribute($logo)"
+                alt="$encoder.encodeForHTMLAttribute($serviceName)">
+          #end
+          #set ($desc = $rpUIContext.getServiceDescription())
+          #if ($desc)
+            $encoder.encodeForHTML($desc)
+          #end
+          
+        </div>
+        <div class="column two">
+          <ul class="list list-help">
+            #if ($passwordEnabled)
+              <li class="list-help-item"><a href="#springMessageText("idp.url.password.reset", "#")"><span class="item-marker">&rsaquo;</span> #springMessageText("idp.login.forgotPassword", "Forgot your password?")</a></li>
+            #end
+            <li class="list-help-item"><a href="#springMessageText("idp.url.helpdesk", "#")"><span class="item-marker">&rsaquo;</span> #springMessageText("idp.login.needHelp", "Need Help?")</a></li>
+          </ul>
+        </div>
+#end
-- 
cgit v1.1