diff --git a/application/configs/application.ini b/application/configs/application.ini
index 29aa5c2497..0780bb3105 100644
--- a/application/configs/application.ini
+++ b/application/configs/application.ini
@@ -1,20 +1,14 @@
 ;;;
-; Ini configuration for EngineBlock for all known environments.
+; Default ini configuration for OpenConext EngineBlock.
 ;
-; Divided in sections per environment like so:
-; [acceptance : base]
-;
-; Meaning 'these are the settings for the acceptance environment,
-; based on the base env (inherits from base)'
+; You can override this in /etc/openconext/engineblock.ini.
 ;
 ; Editting Rules:
 ; 1. The first rule of INI files is, you do not talk about INI files.
 ; 2. The second rule of INI files is is, you DO NOT talk about INI files.
 ; 3. Names in camelCase (note first character is lowerCase)
-; 4. Every configuration item should be present and documented for [base]
-; 5. All environments extend from base
-; 7. Section inheritance only works one level deep
-; 8. If this is your first time editing an INI file, have fun!
+; 4. Every configuration item should be present and documented for in application/configs/application.ini
+; 5. If this is your first time editing an INI file, have fun!
 ;;;
 [base]
 
@@ -90,7 +84,7 @@ auth.simplesamlphp.idp.certificate= "/etc/openconext/engineblock.crt"
 ; Note "123" means no access
 auth.simplesamlphp.adminPassword  = "123"
 
-auth.simplesamlphp.baseurlpath = "simplesamlphp/"
+auth.simplesamlphp.baseurlpath = "simplesaml/"
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;; LOGGING / ERROR HANDLING ;;;;;;;;;;
@@ -252,10 +246,34 @@ api.vovalidate.baseUrl = "https://api.demo.openconext.org"
 api.vovalidate.key = "oauth_key"
 api.vovalidate.secret = "oauth_secret"
 
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;;;;;;;;;;;;;; CRONJOB SETTINGS ;;;;;;;;;;;;;;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; The time after which a user is deprovisioned
+cron.deprovision.idleTime = "6 months"
+
+; Warning time settings
+cron.deprovision.firstWarningTime = "4 weeks" ; Period before the idleTime
+cron.deprovision.secondWarningTime = "2 weeks" ; Period before the idleTime
+
+cron.deprovision.sendGroupMemberWarning = true ; do we send mails to teammembers who are about to loose their only admin
+cron.deprovision.sendDeprovisionWarning = true ; do we send mails as warnings
+
+
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;; MISCELLANEOUS SETTINGS ;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 
+; the value for guest qualifier. Can be overridden for specific non-surfnet environments
+addgueststatus.guestqualifier = "urn:collab:org:surf.nl"
+
+; Language Cookie settings
+cookie.lang.domain = ".surfconext.nl"
+; Cookie expiry time, specify the time in seconds, set empty to let the cookie get expired after the session
+cookie.lang.expiry = 5184000 ; 60 days in seconds
+
 ; Skip the asset compiling and use the source .js files.
 dynamicAssets = false
 
@@ -264,20 +282,18 @@ defaults.header     = "SURFconext"
 defaults.subheader  = ""
 defaults.layout     = "1-column-blue-grey"
 
-; Profile URI settings
-profile.protocol    = "https"
-profile.host        = "profile.surfconext.nl"
-
-; Language Cookie settings
-cookie.lang.domain = ".surfconext.nl"
-; Cookie expiry time, specify the time in seconds, set empty to let the cookie get expired after the session
-cookie.lang.expiry = 5184000 ; 60 days in seconds
-
 ; EngineBlock default Group Provider ID
 ; This identifier is used when fetching the group provider configuration for deprovisioning
 ; In our case this identifier should point to the Grouper group provider
 defaultGroupProvider = "grouper"
 
+; edugain metadata
+edugain.publication.publisher = "https://engine.surfconext.nl/authentication/proxy/edugain-metadata"
+edugain.publication.policy = "http://www.edugain.org/policy/metadata-tou_1_0.txt"
+edugain.registration.authority = "http://www.surfconext.nl/"
+edugain.registration.policy = "https://wiki.surfnetlabs.nl/display/eduGAIN/EduGAIN"
+edugain.termsOfUse = "Use of this metadata is subject to the Terms of Use at http://www.edugain.org/policy/metadata-tou_1_0.txt"
+
 ; Do we send welcome emails
 email.sendWelcomeMail = false
 
@@ -295,31 +311,9 @@ email.idpDebugging.subject    = "IdP debug info van %1$s"
 ; terms of use surfconext
 openconext.termsOfUse = "https://wiki.surfnetlabs.nl/display/conextsupport/Terms+of+Service+%28EN%29"
 
-; edugain metadata
-edugain.registration.authority = "http://www.surfconext.nl/"
-edugain.registration.policy = "https://wiki.surfnetlabs.nl/display/eduGAIN/EduGAIN"
-
-edugain.publication.publisher = "https://engine.surfconext.nl/authentication/proxy/edugain-metadata"
-edugain.publication.policy = "http://www.edugain.org/policy/metadata-tou_1_0.txt"
-
-edugain.termsOfUse = "Use of this metadata is subject to the Terms of Use at http://www.edugain.org/policy/metadata-tou_1_0.txt"
-
-; the value for guest qualifier. Can be overridden for specific non-surfnet environments
-addgueststatus.guestqualifier = "urn:collab:org:surf.nl"
-
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;;;;;;;;;;;;;;; CRONJOB SETTINGS ;;;;;;;;;;;;;;;
-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-
-; The time after which a user is deprovisioned
-cron.deprovision.idleTime = "6 months"
-
-; Warning time settings
-cron.deprovision.firstWarningTime = "4 weeks" ; Period before the idleTime
-cron.deprovision.secondWarningTime = "2 weeks" ; Period before the idleTime
-
-cron.deprovision.sendGroupMemberWarning = true ; do we send mails to teammembers who are about to loose their only admin
-cron.deprovision.sendDeprovisionWarning = true ; do we send mails as warnings
+; Profile URI settings
+profile.protocol    = "https"
+profile.host        = "profile.surfconext.nl"
 
 ; Configure trusted proxies to use their X-Forwarded-For header.
 ; trustedProxyIps[] = 192.168.1.1
\ No newline at end of file
diff --git a/application/layouts/scripts/1-column-blue-grey-narrow.phtml b/application/layouts/scripts/1-column-blue-grey-narrow.phtml
index 9c6e1fc325..43026d2ad8 100644
--- a/application/layouts/scripts/1-column-blue-grey-narrow.phtml
+++ b/application/layouts/scripts/1-column-blue-grey-narrow.phtml
@@ -10,7 +10,7 @@ require PARTIAL_DIR . 'header-start.php';
     </head>
     <body class="index">
         <div id="wrapper">
-            <div id="header"><b><font size="4"><?php echo htmlentities($this->layout()->header, 0, "UTF-8"); ?></font></b></div>
+            <div id="header"><h4><?php echo htmlentities($this->layout()->header, 0, "UTF-8"); ?></h4></div>
             <div id="main">
 
                 <?php require PARTIAL_DIR . 'nav.php'; ?>
@@ -20,8 +20,8 @@ require PARTIAL_DIR . 'header-start.php';
                 <?php echo $this->layout()->content; ?>
 
                 <div class="bottom">
+                    <hr />
                     <p>
-                        <hr />
                         <?php echo $this->layout()->footerText; ?>
                     </p>
                 </div>
diff --git a/application/layouts/scripts/1-column-blue-grey.phtml b/application/layouts/scripts/1-column-blue-grey.phtml
index 83984f49ca..0cc46587b6 100644
--- a/application/layouts/scripts/1-column-blue-grey.phtml
+++ b/application/layouts/scripts/1-column-blue-grey.phtml
@@ -1,4 +1,5 @@
 <?php
+/** @var Zend_View $this */
 define('PARTIAL_DIR', __DIR__ . '/partials/');
 require PARTIAL_DIR . 'header-start.php';
 ?>
@@ -26,10 +27,10 @@ require PARTIAL_DIR . 'header-start.php';
                 <!-- Language selection -->
                 <ul class="nav">
                     <li class="<?php if ($lang==='en'): ?>active<?php endif; ?>">
-                        <a href="<?php echo EngineBlock_View::setLanguage('en'); ?>">EN</a>
+                        <a href="<?php echo EngineBlock_View::htmlSpecialCharsText(EngineBlock_View::setLanguage('en')); ?>">EN</a>
                     </li>
                     <li class="<?php if ($lang==='nl'): ?>active<?php endif; ?>">
-                        <a href="<?php echo EngineBlock_View::setLanguage('nl'); ?>">NL</a>
+                        <a href="<?php echo EngineBlock_View::htmlSpecialCharsText(EngineBlock_View::setLanguage('nl')); ?>">NL</a>
                     </li>
                 </ul>
 
diff --git a/application/layouts/scripts/partials/header-start.php b/application/layouts/scripts/partials/header-start.php
index efa9677ddf..199b176d93 100644
--- a/application/layouts/scripts/partials/header-start.php
+++ b/application/layouts/scripts/partials/header-start.php
@@ -1,6 +1,6 @@
 <?php require __DIR__ . '/lang.php'; ?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
+<!DOCTYPE html>
+<html>
 <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
     <meta name="robots" content="noindex, nofollow"/>
diff --git a/application/layouts/scripts/partials/nav.php b/application/layouts/scripts/partials/nav.php
index 3b14e95ae9..ee24f0ea2b 100644
--- a/application/layouts/scripts/partials/nav.php
+++ b/application/layouts/scripts/partials/nav.php
@@ -1,10 +1,10 @@
 <!-- Language selection -->
 <ul class="nav">
     <li class="<?php if ($lang==='en'): ?>active<?php endif; ?>">
-        <a href="<?php echo EngineBlock_View::setLanguage('en'); ?>">EN</a>
+        <a href="<?php echo EngineBlock_View::htmlSpecialCharsText(EngineBlock_View::setLanguage('en')); ?>">EN</a>
     </li>
     <li class="<?php if ($lang==='nl'): ?>active<?php endif; ?>">
-        <a href="<?php echo EngineBlock_View::setLanguage('nl'); ?>">NL</a>
+        <a href="<?php echo EngineBlock_View::htmlSpecialCharsText(EngineBlock_View::setLanguage('nl')); ?>">NL</a>
     </li>
     <?php if (EngineBlock_View::moduleName() == 'profile'): ?>
         <li data-external-link="true">
diff --git a/application/modules/Authentication/Controller/Feedback.php b/application/modules/Authentication/Controller/Feedback.php
index 323a6c93ad..21d079c773 100644
--- a/application/modules/Authentication/Controller/Feedback.php
+++ b/application/modules/Authentication/Controller/Feedback.php
@@ -66,6 +66,11 @@ public function receivedInvalidResponseAction()
         // @todo Send 4xx or 5xx header?
     }
 
+    public function receivedInvalidSignedResponseAction()
+    {
+        // @todo Send 4xx or 5xx header?
+    }
+
     public function noIdpsAction()
     {
         // @todo Send 4xx or 5xx header?
diff --git a/application/modules/Authentication/Controller/Proxy.php b/application/modules/Authentication/Controller/Proxy.php
index 34d44572b9..4a506bcde4 100644
--- a/application/modules/Authentication/Controller/Proxy.php
+++ b/application/modules/Authentication/Controller/Proxy.php
@@ -2,12 +2,6 @@
 
 class Authentication_Controller_Proxy extends EngineBlock_Controller_Abstract
 {
-    /**
-     *
-     *
-     * @param string $encodedIdPEntityId
-     * @return void
-     */
     public function idPsMetaDataAction()
     {
         $this->setNoRender();
@@ -22,13 +16,14 @@ public function idPsMetaDataAction()
                 } else if (substr($argument, 0, 4) === 'key:') {
                     $proxyServer->setKeyId(substr($argument, 4));
                 } else {
-                    EngineBlock_ApplicationSingleton::getInstance()->getLogInstance()->notice(
+                    $application->getLogInstance()->notice(
                         "Ignoring unknown argument '$argument'."
                     );
                 }
             }
             $proxyServer->idPsMetadata();
-        } catch(EngineBlock_Corto_ProxyServer_UnknownRemoteEntityException $e) {
+        }
+        catch(EngineBlock_Corto_ProxyServer_UnknownRemoteEntityException $e) {
             $application->getLogInstance()->log(
                 "Unknown remote entity: " . $e->getEntityId(),
                 EngineBlock_Log::NOTICE,
@@ -36,13 +31,14 @@ public function idPsMetaDataAction()
             );
             $application->handleExceptionWithFeedback($e,
                 '/authentication/feedback/unknown-service-provider?entity-id=' . urlencode($e->getEntityId()));
-        } catch(Janus_Client_CacheProxy_Exception $e) {
+        }
+        catch(Janus_Client_CacheProxy_Exception $e) {
             $application->getLogInstance()->log(
                 "Unknown Service Provider?",
                 EngineBlock_Log::NOTICE,
                 EngineBlock_Log_Message_AdditionalInfo::createFromException($e)
             );
-            $spEntityId = EngineBlock_ApplicationSingleton::getInstance()->getHttpRequest()->getQueryParameter('sp-entity-id');
+            $spEntityId = $application->getHttpRequest()->getQueryParameter('sp-entity-id');
             $application->handleExceptionWithFeedback($e,
                 '/authentication/feedback/unknown-service-provider?entity-id=' . urlencode($spEntityId));
         }
@@ -54,14 +50,14 @@ public function edugainMetaDataAction()
 
         $application = EngineBlock_ApplicationSingleton::getInstance();
 
-        $queryString = EngineBlock_ApplicationSingleton::getInstance()->getHttpRequest()->getQueryString();
+        $queryString = $application->getHttpRequest()->getQueryString();
         $proxyServer = new EngineBlock_Corto_Adapter();
 
         foreach (func_get_args() as $argument) {
             if (substr($argument, 0, 4) === 'key:') {
                 $proxyServer->setKeyId(substr($argument, 4));
             } else {
-                EngineBlock_ApplicationSingleton::getInstance()->getLogInstance()->notice(
+                $application->getLogInstance()->notice(
                     "Ignoring unknown argument '$argument'."
                 );
             }
@@ -69,23 +65,27 @@ public function edugainMetaDataAction()
 
         try {
             $proxyServer->edugainMetadata($queryString);
-        } catch(EngineBlock_Corto_ProxyServer_UnknownRemoteEntityException $e) {
+        }
+        catch(EngineBlock_Corto_ProxyServer_UnknownRemoteEntityException $e) {
             $application->getLogInstance()->log(
                 "Unknown Service Provider?",
                 EngineBlock_Log::NOTICE,
                 EngineBlock_Log_Message_AdditionalInfo::createFromException($e)
             );
-            $application->handleExceptionWithFeedback($e,
+            $application->handleExceptionWithFeedback(
+                $e,
                 '/authentication/feedback/unknown-service-provider?entity-id=' . urlencode($e->getEntityId())
             );
-        } catch(Janus_Client_CacheProxy_Exception $e) {
-            $spEntityId = EngineBlock_ApplicationSingleton::getInstance()->getHttpRequest()->getQueryParameter('sp-entity-id');
+        }
+        catch(Janus_Client_CacheProxy_Exception $e) {
+            $spEntityId = $application->getHttpRequest()->getQueryParameter('sp-entity-id');
             $application->getLogInstance()->log(
                 "Unknown Service Provider '$spEntityId'?",
                 EngineBlock_Log::NOTICE,
                 EngineBlock_Log_Message_AdditionalInfo::createFromException($e)
             );
-            $application->handleExceptionWithFeedback($e,
+            $application->handleExceptionWithFeedback(
+                $e,
                 '/authentication/feedback/unknown-service-provider?entity-id=' . urlencode($spEntityId)
             );
         }
@@ -105,8 +105,10 @@ public function processedAssertionAction()
                 EngineBlock_Log::NOTICE,
                 EngineBlock_Log_Message_AdditionalInfo::createFromException($e)
             );
-            $application->handleExceptionWithFeedback($e,
-                '/authentication/feedback/vomembershiprequired');
+            $application->handleExceptionWithFeedback(
+                $e,
+                '/authentication/feedback/vomembershiprequired'
+            );
         }
         catch (EngineBlock_Attributes_Manipulator_CustomException $e) {
             $application->getLogInstance()->log(
@@ -115,8 +117,10 @@ public function processedAssertionAction()
                 EngineBlock_Log_Message_AdditionalInfo::createFromException($e)
             );
             $_SESSION['feedback_custom'] = $e->getFeedback();
-            $application->handleExceptionWithFeedback($e,
-                '/authentication/feedback/custom');
+            $application->handleExceptionWithFeedback(
+                $e,
+                '/authentication/feedback/custom'
+            );
         }
     }
 }
diff --git a/application/modules/Authentication/Controller/ServiceProvider.php b/application/modules/Authentication/Controller/ServiceProvider.php
index ce24e4d0aa..e45ec73af2 100644
--- a/application/modules/Authentication/Controller/ServiceProvider.php
+++ b/application/modules/Authentication/Controller/ServiceProvider.php
@@ -18,8 +18,10 @@ public function consumeAssertionAction()
                 EngineBlock_Log::NOTICE,
                 EngineBlock_Log_Message_AdditionalInfo::createFromException($e)
             );
-            $application->handleExceptionWithFeedback($e,
-                '/authentication/feedback/vomembershiprequired');
+            $application->handleExceptionWithFeedback(
+                $e,
+                '/authentication/feedback/vomembershiprequired'
+            );
         }
         catch (EngineBlock_Corto_Module_Services_SessionLostException $e) {
             $application->getLogInstance()->log(
@@ -27,8 +29,10 @@ public function consumeAssertionAction()
                 EngineBlock_Log::NOTICE,
                 EngineBlock_Log_Message_AdditionalInfo::createFromException($e)
             );
-            $application->handleExceptionWithFeedback($e,
-                '/authentication/feedback/session-lost');
+            $application->handleExceptionWithFeedback(
+                $e,
+                '/authentication/feedback/session-lost'
+            );
         }
         catch (EngineBlock_Corto_Module_Bindings_UnableToReceiveMessageException $e) {
             $application->getLogInstance()->log(
@@ -36,8 +40,10 @@ public function consumeAssertionAction()
                 EngineBlock_Log::NOTICE,
                 EngineBlock_Log_Message_AdditionalInfo::createFromException($e)
             );
-            $application->handleExceptionWithFeedback($e,
-                '/authentication/feedback/unable-to-receive-message');
+            $application->handleExceptionWithFeedback(
+                $e,
+                '/authentication/feedback/unable-to-receive-message'
+            );
         }
         catch (EngineBlock_Corto_Exception_UnknownIssuer $e) {
             $application->getLogInstance()->log(
@@ -46,7 +52,9 @@ public function consumeAssertionAction()
                 EngineBlock_Log_Message_AdditionalInfo::createFromException($e)
             );
             $application->handleExceptionWithFeedback($e,
-                '/authentication/feedback/unknown-issuer?entity-id='.urlencode($e->getEntityId()).'&destination='.urlencode($e->getDestination()));
+                '/authentication/feedback/unknown-issuer?entity-id=' . urlencode($e->getEntityId()) .
+                    '&destination=' . urlencode($e->getDestination())
+            );
         }
         catch (EngineBlock_Corto_Exception_MissingRequiredFields $e) {
             $application->getLogInstance()->log(
@@ -54,40 +62,62 @@ public function consumeAssertionAction()
                 EngineBlock_Log::NOTICE,
                 EngineBlock_Log_Message_AdditionalInfo::createFromException($e)
             );
-            $application->handleExceptionWithFeedback($e,
-                '/authentication/feedback/missing-required-fields');
+            $application->handleExceptionWithFeedback(
+                $e,
+                '/authentication/feedback/missing-required-fields'
+            );
         }
-
         catch (EngineBlock_Attributes_Manipulator_CustomException $e) {
             $_SESSION['feedback_custom'] = $e->getFeedback();
-            $application->handleExceptionWithFeedback($e,
-                '/authentication/feedback/custom');
-        } catch (EngineBlock_Corto_Module_Bindings_UnsupportedBindingException $e) {
+            $application->handleExceptionWithFeedback(
+                $e,
+                '/authentication/feedback/custom'
+            );
+        }
+        catch (EngineBlock_Corto_Module_Bindings_UnsupportedBindingException $e) {
             $application->getLogInstance()->log(
                 "Unsupported Binding",
                 EngineBlock_Log::NOTICE,
                 EngineBlock_Log_Message_AdditionalInfo::createFromException($e)
             );
-            $application->handleExceptionWithFeedback($e,
+            $application->handleExceptionWithFeedback(
+                $e,
                 '/authentication/feedback/invalid-acs-binding');
-        } catch (EngineBlock_Corto_Exception_ReceivedErrorStatusCode $e) {
+        }
+        catch (EngineBlock_Corto_Exception_ReceivedErrorStatusCode $e) {
             // Add extra feedback info
             $application->getLogInstance()->log(
                 "Received Error Status Code",
                 EngineBlock_Log::NOTICE,
                 EngineBlock_Log_Message_AdditionalInfo::createFromException($e)
             );
-            $application->handleExceptionWithFeedback($e,
+            $application->handleExceptionWithFeedback(
+                $e,
                 '/authentication/feedback/received-error-status-code',
-                $e->getFeedbackInfo());
-        } catch (EngineBlock_Corto_Module_Bindings_VerificationException $e) {
+                $e->getFeedbackInfo()
+            );
+        }
+        catch (EngineBlock_Corto_Module_Bindings_SignatureVerificationException $e) {
+            $application->getLogInstance()->log(
+                "Unable to verify signature, cert wrong?",
+                EngineBlock_Log::WARN,
+                EngineBlock_Log_Message_AdditionalInfo::createFromException($e)
+            );
+            $application->handleExceptionWithFeedback(
+                $e,
+                '/authentication/feedback/received-invalid-signed-response'
+            );
+        }
+        catch (EngineBlock_Corto_Module_Bindings_VerificationException $e) {
             $application->getLogInstance()->log(
                 "Unable to verify message",
                 EngineBlock_Log::NOTICE,
                 EngineBlock_Log_Message_AdditionalInfo::createFromException($e)
             );
-            $application->handleExceptionWithFeedback($e,
-                '/authentication/feedback/received-invalid-response');
+            $application->handleExceptionWithFeedback(
+                $e,
+                '/authentication/feedback/received-invalid-response'
+            );
         }
     }
 
diff --git a/application/modules/Authentication/View/Feedback/ReceivedInvalidSignedResponse.phtml b/application/modules/Authentication/View/Feedback/ReceivedInvalidSignedResponse.phtml
new file mode 100644
index 0000000000..499de9a109
--- /dev/null
+++ b/application/modules/Authentication/View/Feedback/ReceivedInvalidSignedResponse.phtml
@@ -0,0 +1,19 @@
+<?php
+
+/**
+ * @var Zend_Layout $layout
+ */
+$layout = $this->layout();
+$layout->setLayout('1-column-blue-grey-narrow');
+
+// Set Layout properties
+$layout->title = $layout->title. ' - ' .$this->t('error_received_invalid_signed_response');
+$layout->header = $layout->title;
+$layout->subheader = $this->t('error_received_invalid_signed_response');
+$layout->footerText = $this->t('footer');
+?>
+<div class="error-wrapper">
+    <div class="error-icon"></div>
+    <div class="error-text">
+
+    <?php require_once realpath(__DIR__ . '/../../../Default/View/Error/include/footer.php');
\ No newline at end of file
diff --git a/application/modules/Authentication/View/IdentityProvider/RequestAccess.phtml b/application/modules/Authentication/View/IdentityProvider/RequestAccess.phtml
index fda70fbdb5..ebb6f5dbf0 100644
--- a/application/modules/Authentication/View/IdentityProvider/RequestAccess.phtml
+++ b/application/modules/Authentication/View/IdentityProvider/RequestAccess.phtml
@@ -4,7 +4,7 @@ $layout = $this->layout();
 $layout->setLayout('empty');
 ?>
 <p class="back"><a id="back_request_access" href="#"><?= $this->t('back'); ?></a></p>
-<h2><?= $this->t('sorry'); ?>&nbsp<i><?= $queryParameters['idpName']; ?></i> <?= $this->t('form_description'); ?>
+<h2><?= $this->t('sorry'); ?>&nbsp;<i><?= $queryParameters['idpName']; ?></i> <?= $this->t('form_description'); ?>
 
 <form id="request_access_form" action="#" method="post" class="apply clearfix">
     <input name="idpName" type="hidden" value="<?= $queryParameters['idpName']; ?>">
diff --git a/application/modules/Authentication/View/Index/Index.phtml b/application/modules/Authentication/View/Index/Index.phtml
index b4a39733f8..2705297f50 100644
--- a/application/modules/Authentication/View/Index/Index.phtml
+++ b/application/modules/Authentication/View/Index/Index.phtml
@@ -4,7 +4,7 @@ $layout = $this->layout();
 $layout->setLayout('1-column-blue-grey');
 
 // Set Layout properties
-$layout->title = $layout->title. ' - Metadata & Cerfiticates';
+$layout->title = $layout->title. ' - Metadata & Certificates';
 $layout->header = $layout->title;
 $layout->subheader = 'IdP Certificate and Metadata';
 $layout->footerText = $this->t('footer');
diff --git a/application/modules/Authentication/View/Proxy/consent.phtml b/application/modules/Authentication/View/Proxy/consent.phtml
index bfb5063b40..79955c0c76 100644
--- a/application/modules/Authentication/View/Proxy/consent.phtml
+++ b/application/modules/Authentication/View/Proxy/consent.phtml
@@ -37,7 +37,7 @@ $layout->setLayout('consent');
 
 // Set Layout variables
 $layout->use_header = false;
-$layout->title      = $layout->title . ' - '. $this->t('consent_header', $this->htmlSpecialCharsText($spName));
+$layout->title      = $layout->title . ' - '. $this->t('consent_header', EngineBlock_View::htmlSpecialCharsText($spName));
 $layout->subheader  = $this->t('consent_subheader', $spName);
 $layout->footerText = $this->t('footer');
 
@@ -75,15 +75,15 @@ $inlineScriptHelper->appendScript('
         <?php if ($attributeName) : ?>
             <tr>
                 <td>
-                    <?=$this->htmlSpecialCharsText($attributeName) ?>
+                    <?=EngineBlock_View::htmlSpecialCharsText($attributeName) ?>
                 </td>
                 <td>
                     <?php /** Single attribute value */ if (count($attributeValues)==1) : ?>
-                        <?=$this->htmlSpecialCharsText($attributeValues[0]);?>
+                        <?=EngineBlock_View::htmlSpecialCharsText($attributeValues[0]);?>
                     <?php /** Multiple attribute values */ else: ?>
                         <ul>
                             <?php foreach ($attributeValues as $value) : ?>
-                                <li><?=$this->htmlSpecialCharsText($value); ?></li>
+                                <li><?=EngineBlock_View::htmlSpecialCharsText($value); ?></li>
                             <?php endforeach ?>
                         </ul>
                     <?php endif ?>
@@ -102,8 +102,8 @@ $inlineScriptHelper->appendScript('
 
 <div id="approve">
 <!-- YES -->
-<form id="accept" method="post" action="<?= $this->htmlSpecialCharsAttributeValue($action); ?>">
-        <input type="hidden" name="ID"      value="<?= $this->htmlSpecialCharsAttributeValue($ID); ?>">
+<form id="accept" method="post" action="<?= EngineBlock_View::htmlSpecialCharsAttributeValue($action); ?>">
+        <input type="hidden" name="ID"      value="<?= EngineBlock_View::htmlSpecialCharsAttributeValue($ID); ?>">
         <input type="hidden" name="consent" value="yes" />
 
         <input id="accept_terms_button"
@@ -114,8 +114,8 @@ $inlineScriptHelper->appendScript('
 </form>
 
 <!-- NO -->
-<form id="reject" method="post" action="<?= $this->htmlSpecialCharsAttributeValue($action); ?>">
-        <input type="hidden" name="ID"      value="<?=$this->htmlSpecialCharsAttributeValue($ID); ?>">
+<form id="reject" method="post" action="<?= EngineBlock_View::htmlSpecialCharsAttributeValue($action); ?>">
+        <input type="hidden" name="ID"      value="<?=EngineBlock_View::htmlSpecialCharsAttributeValue($ID); ?>">
         <input type="hidden" name="consent" value="no" />
 
         <a id="decline_terms_button" style="line-height: 40px;" href="javascript:;" onclick="document.getElementById('reject').submit();">
diff --git a/application/modules/Authentication/View/Proxy/debugidpresponse.phtml b/application/modules/Authentication/View/Proxy/debugidpresponse.phtml
index 0c95248049..cd7367e924 100644
--- a/application/modules/Authentication/View/Proxy/debugidpresponse.phtml
+++ b/application/modules/Authentication/View/Proxy/debugidpresponse.phtml
@@ -56,7 +56,7 @@ $attributesValidated = $validator->validate();
             <?= $this->t('name'); ?>
         </th>
         <td>
-            <?= $this->htmlSpecialCharsText($idp['Name']['en'], ENT_COMPAT, 'UTF-8') ?>
+            <?= EngineBlock_View::htmlSpecialCharsText($idp['Name']['en'], ENT_COMPAT, 'UTF-8') ?>
         </td>
     </tr>
     <tr>
@@ -64,7 +64,7 @@ $attributesValidated = $validator->validate();
             Entity ID
         </th>
         <td>
-            <?= $this->htmlSpecialCharsText($idp['EntityID']) ?>
+            <?= EngineBlock_View::htmlSpecialCharsText($idp['EntityID']) ?>
         </td>
     </tr>
     <tr>
@@ -72,7 +72,7 @@ $attributesValidated = $validator->validate();
             Workflow Status
         </th>
         <td <?php if ($idp['WorkflowState']==='production') { echo 'style="color: green"';} ?>>
-            <?= $this->htmlSpecialCharsText($idp['WorkflowState']) ?>
+            <?= EngineBlock_View::htmlSpecialCharsText($idp['WorkflowState']) ?>
         </td>
     </tr>
 </table>
@@ -83,7 +83,7 @@ $attributesValidated = $validator->validate();
         <th>NameID</th>
 
         <td>
-            <?php $nameId = $response->getAssertion()->getNameId(); echo $this->htmlSpecialCharsText($nameId['Value']); ?>
+            <?php $nameId = $response->getAssertion()->getNameId(); echo EngineBlock_View::htmlSpecialCharsText($nameId['Value']); ?>
         </td>
     </tr>
 </table>
@@ -92,13 +92,13 @@ $attributesValidated = $validator->validate();
 <?php foreach ($validator->getErrorsForMissingAttributes() as $error): ?>
     <p class="error">
         <img src="/media/famfamfam_silk_icons_v013/icons/exclamation.png" alt="[error]" style="vertical-align: bottom" /> <?php
-    echo $this->htmlSpecialCharsText(call_user_func_array(array($this, 'translate'), $error));
+    echo EngineBlock_View::htmlSpecialCharsText(call_user_func_array(array($this, 'translate'), $error));
     ?></p>
 <?php endforeach; ?>
 <?php foreach ($validator->getWarningsForMissingAttributes() as $warning): ?>
     <p class="warning">
         <img src="/media/famfamfam_silk_icons_v013/icons/error.png" alt="[error]" style="vertical-align: bottom" /> <?php
-    echo $this->htmlSpecialCharsText(call_user_func_array(array($this, 'translate'), $warning));
+    echo EngineBlock_View::htmlSpecialCharsText(call_user_func_array(array($this, 'translate'), $warning));
     ?></p>
 <?php endforeach; ?>
 <table>
@@ -125,15 +125,15 @@ $attributesValidated = $validator->validate();
                 <?= $this->getAttributeName($attributeName, 'en', false) ?>
             </td>
             <td>
-                <?= $this->htmlSpecialCharsText($attributeName); ?>
+                <?= EngineBlock_View::htmlSpecialCharsText($attributeName); ?>
             </td>
             <td>
                 <?php /** Single attribute value */ if (count($attributeValues)==1) { ?>
-                <?= $this->htmlSpecialCharsText($attributeValues[0]);?>
+                <?= EngineBlock_View::htmlSpecialCharsText($attributeValues[0]);?>
                 <?php } /** Multiple attribute values */ else { ?>
                 <ul>
                     <?php foreach ($attributeValues as $value) { ?>
-                    <li><?= $this->htmlSpecialCharsText($value); ?></li>
+                    <li><?= EngineBlock_View::htmlSpecialCharsText($value); ?></li>
                     <?php } ?>
                 </ul>
                 <?php } ?>
@@ -145,13 +145,13 @@ $attributesValidated = $validator->validate();
                     foreach ($validator->getErrors($attributeName) as $error) {
                         echo '<p class="error">' .
                                 '<img src="/media/famfamfam_silk_icons_v013/icons/exclamation.png" alt="[error]" style="vertical-align: bottom" /> ' .
-                                $this->htmlSpecialCharsText(call_user_func_array(array($this, 'translate'), $error)) .
+                                EngineBlock_View::htmlSpecialCharsText(call_user_func_array(array($this, 'translate'), $error)) .
                             '</p>';
                     }
                     foreach ($validator->getWarnings($attributeName) as $warning) {
                         echo '<p class="warning">'.
                                 '<img src="/media/famfamfam_silk_icons_v013/icons/error.png" alt="[error]" style="vertical-align: bottom" /> ' .
-                                $this->htmlSpecialCharsText(call_user_func_array(array($this, 'translate'), $warning)) .
+                                EngineBlock_View::htmlSpecialCharsText(call_user_func_array(array($this, 'translate'), $warning)) .
                             '</p>';
                     }
                 endif; ?>
@@ -162,9 +162,9 @@ $attributesValidated = $validator->validate();
 </table>
 <hr />
 <p>
-    <?= $this->htmlSpecialCharsText($this->t('idp_debugging_mail_explain')); ?>
+    <?= EngineBlock_View::htmlSpecialCharsText($this->t('idp_debugging_mail_explain')); ?>
 </p>
 <form method="post">
     <input type="hidden" name="mail" value="true" />
-    <input type="submit" value="<?= $this->htmlSpecialCharsAttributeValue($this->t('idp_debugging_mail_button')); ?>" />
+    <input type="submit" value="<?= EngineBlock_View::htmlSpecialCharsAttributeValue($this->t('idp_debugging_mail_button')); ?>" />
 </form>
diff --git a/application/modules/Authentication/View/Proxy/discover.phtml b/application/modules/Authentication/View/Proxy/discover.phtml
index 658966e57c..27cd251b18 100644
--- a/application/modules/Authentication/View/Proxy/discover.phtml
+++ b/application/modules/Authentication/View/Proxy/discover.phtml
@@ -62,7 +62,7 @@ if ($preselectedIdp) {
 }
 
 ?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<!DOCTYPE html>
 <html xmlns="http://www.w3.org/1999/xhtml">
     <head>
         <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
@@ -80,10 +80,10 @@ if ($preselectedIdp) {
                 <ul class="nav">
                     <li id="help_nav"><a href="#" data-help-type="discover">HELP</a></li>
                     <li class="lang <?php if ($lang==='en'): ?>active<?php endif; ?>">
-                        <a href="<?= EngineBlock_View::setLanguage('en'); ?>">EN</a>
+                        <a href="<?= EngineBlock_View::htmlSpecialCharsText(EngineBlock_View::setLanguage('en')); ?>">EN</a>
                     </li>
                     <li class="lang <?php if ($lang==='nl'): ?>active<?php endif; ?>">
-                        <a href="<?= EngineBlock_View::setLanguage('nl'); ?>">NL</a>
+                        <a href="<?= EngineBlock_View::htmlSpecialCharsText(EngineBlock_View::setLanguage('nl')); ?>">NL</a>
                     </li>
                 </ul>
 
@@ -91,9 +91,9 @@ if ($preselectedIdp) {
 
                 <!-- Main content -->
                 <div id="content">
-                    <form id="IdpListForm" method="post" action="<?= $this->htmlSpecialCharsAttributeValue($action); ?>">
+                    <form id="IdpListForm" method="post" action="<?= EngineBlock_View::htmlSpecialCharsAttributeValue($action); ?>">
                         <p>
-                            <input id="ID" type="hidden" name="ID" value="<?= $this->htmlSpecialCharsAttributeValue($ID); ?>" />
+                            <input id="ID" type="hidden" name="ID" value="<?= EngineBlock_View::htmlSpecialCharsAttributeValue($ID); ?>" />
                             <input id="Idp" type="hidden" name="idp" value="" />
                         </p>
                     </form>
@@ -104,12 +104,12 @@ if ($preselectedIdp) {
                     <!-- Preselected IdP -->
                     <div id="IdpSuggestion" class="suggestion">
                         <noscript>
-                            <form method="post" action="<?= $this->htmlSpecialCharsAttributeValue($action); ?>">
+                            <form method="post" action="<?= EngineBlock_View::htmlSpecialCharsAttributeValue($action); ?>">
                                 <p>
-                                    <input type="hidden" name="ID" value="<?= $this->htmlSpecialCharsAttributeValue($ID); ?>" />
-                                    <input type="hidden" name="idp" value="<?= $this->htmlSpecialCharsAttributeValue($preselectedIdp); ?>" />
+                                    <input type="hidden" name="ID" value="<?= EngineBlock_View::htmlSpecialCharsAttributeValue($ID); ?>" />
+                                    <input type="hidden" name="idp" value="<?= EngineBlock_View::htmlSpecialCharsAttributeValue($preselectedIdp); ?>" />
 
-                                    <input type="submit" value="<?= $this->htmlSpecialCharsAttributeValue($preselectedIdpName); ?>" />
+                                    <input type="submit" value="<?= EngineBlock_View::htmlSpecialCharsAttributeValue($preselectedIdpName); ?>" />
                                 </p>
                             </form>
                         </noscript>
@@ -130,9 +130,9 @@ if ($preselectedIdp) {
                                 <?php foreach ($idpList as $idp) : ?>
                                 <form method="post" action="<?= $action ?>">
                                     <p>
-                                        <input type="hidden" name="ID" value="<?= $this->htmlSpecialCharsAttributeValue($ID); ?>" />
-                                        <input type="hidden" name="idp" value="<?= $this->htmlSpecialCharsAttributeValue($idp['EntityID']); ?>" />
-                                        <input type="submit" value="<?= $this->htmlSpecialCharsAttributeValue($idp['Name_en']); ?>" />
+                                        <input type="hidden" name="ID" value="<?= EngineBlock_View::htmlSpecialCharsAttributeValue($ID); ?>" />
+                                        <input type="hidden" name="idp" value="<?= EngineBlock_View::htmlSpecialCharsAttributeValue($idp['EntityID']); ?>" />
+                                        <input type="submit" value="<?= EngineBlock_View::htmlSpecialCharsAttributeValue($idp['Name_en']); ?>" />
                                     </p>
                                 </form>
                                 <?php endforeach; ?>
diff --git a/application/modules/Authentication/View/Proxy/form.phtml b/application/modules/Authentication/View/Proxy/form.phtml
index ca837469eb..09e9c99c40 100644
--- a/application/modules/Authentication/View/Proxy/form.phtml
+++ b/application/modules/Authentication/View/Proxy/form.phtml
@@ -19,7 +19,7 @@ $layout->setLayout('empty');
 // Set Layout properties
 $layout->title = $layout->title. ' - '. $this->t('post_data');
 ?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<!DOCTYPE html>
 <html xmlns="http://www.w3.org/1999/xhtml">
     <head>
         <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
diff --git a/application/modules/Authentication/View/Proxy/redirect.phtml b/application/modules/Authentication/View/Proxy/redirect.phtml
index 23133d7c28..06369eab39 100644
--- a/application/modules/Authentication/View/Proxy/redirect.phtml
+++ b/application/modules/Authentication/View/Proxy/redirect.phtml
@@ -3,15 +3,14 @@
 $layout = $this->layout();
 $layout->setLayout('empty');
 ?>
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
-        "http://www.w3.org/TR/html4/loose.dtd">
+<!DOCTYPE html>
 <html>
     <head>
         <title>EngineBLock Debugging - Redirecting to...</title>
     </head>
     <body>
         <p>
-           <a href="<?= $this->htmlSpecialCharsAttributeValue($location); ?>">GO</a>
+           <a href="<?= EngineBlock_View::htmlSpecialCharsAttributeValue($location); ?>">GO</a>
         <p>
         <pre>
             <?php print_r($message, 1) ?>
diff --git a/application/modules/Default/View/Error/include/footer.php b/application/modules/Default/View/Error/include/footer.php
index 9b217dfe06..ed1ded8668 100644
--- a/application/modules/Default/View/Error/include/footer.php
+++ b/application/modules/Default/View/Error/include/footer.php
@@ -15,8 +15,8 @@
             }
         ?>
             <tr>
-                <td><strong><?= $this->htmlSpecialCharsText($this->t($name))?>:</strong></td>
-                <td><?= $this->htmlSpecialCharsText($value);?></td>
+                <td><strong><?= EngineBlock_View::htmlSpecialCharsText($this->t($name))?>:</strong></td>
+                <td><?= EngineBlock_View::htmlSpecialCharsText($value);?></td>
             </tr>
         <?php
         }
diff --git a/application/modules/Default/View/Index/Index.phtml b/application/modules/Default/View/Index/Index.phtml
index ebc11078ae..9b516c8e94 100644
--- a/application/modules/Default/View/Index/Index.phtml
+++ b/application/modules/Default/View/Index/Index.phtml
@@ -4,9 +4,8 @@ $layout = $this->layout();
 $layout->setLayout('empty');
 
 ?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
-"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
+<!DOCTYPE html>
+<html>
     <head>
         <title>SURFnet Collaboration Infrastructure EngineBlock - Default Homepage</title>
     </head>
diff --git a/application/modules/Profile/Controller/AttributeSupport.php b/application/modules/Profile/Controller/AttributeSupport.php
index 3aac7575f4..dca5aa02a2 100644
--- a/application/modules/Profile/Controller/AttributeSupport.php
+++ b/application/modules/Profile/Controller/AttributeSupport.php
@@ -32,6 +32,4 @@ protected function _sendAttributeSupportMail() {
         $mailer->setBodyHtml($body);
         $mailer->send();
     }
-
-
 }
diff --git a/application/modules/Profile/Controller/DeleteOauthConsent.php b/application/modules/Profile/Controller/DeleteOauthConsent.php
deleted file mode 100644
index f13d11d81b..0000000000
--- a/application/modules/Profile/Controller/DeleteOauthConsent.php
+++ /dev/null
@@ -1,14 +0,0 @@
-<?php
-
-class Profile_Controller_DeleteOauthConsent extends Default_Controller_LoggedIn
-{
-    public function indexAction()
-    {
-        $consumerKey = $this->_getRequest()->getQueryParameter('consumer_key');
-        $this->user->deleteOauthConsent(urldecode($consumerKey));
-
-        $this->setNoRender(true);
-        $this->_redirectToUrl('/profile/#MyApps');
-    }
-
-}
diff --git a/application/modules/Profile/Controller/GroupOauth.php b/application/modules/Profile/Controller/GroupOauth.php
deleted file mode 100644
index 2abff59cfd..0000000000
--- a/application/modules/Profile/Controller/GroupOauth.php
+++ /dev/null
@@ -1,114 +0,0 @@
-<?php
-
-class Profile_Controller_GroupOauth extends Default_Controller_LoggedIn
-{
-    /**
-     * @example /profile/group-oauth/authenticate/provider2
-     *
-     * @param string $providerId
-     * @return void
-     */
-    public function authenticateAction($providerId)
-    {
-        $this->setNoRender();
-
-        $_SESSION['return_url'] = $this->_getRequest()->getQueryParameter('return_url');
-
-        $providerConfig = $this->_getProviderConfiguration($providerId);
-        $consumer = new Zend_Oauth_Consumer($providerConfig->auth);
-
-        // Do an HTTP request to the provider to fetch a request token
-        $requestToken = $consumer->getRequestToken();
-
-        // persist the token to session as we redirect the user to the provider
-        if (!isset($_SESSION['request_token'])) {
-            $_SESSION['request_token'] = array();
-        }
-        $_SESSION['request_token'][$providerId] = serialize($requestToken);
-
-        // redirect the user to the provider
-        $consumer->redirect();
-    }
-
-    /**
-     *
-     * @example /profile/group-oauth/consume/provider2?oauth_token=request-token
-     *
-     * @param string $providerId
-     * @throws EngineBlock_Exception
-     */
-    public function consumeAction($providerId)
-    {
-        $this->setNoRender();
-
-        $providerConfig = $this->_getProviderConfiguration($providerId);
-        $consumer = new Zend_Oauth_Consumer($providerConfig->auth);
-
-        $queryParameters = $this->_getRequest()->getQueryParameters();
-
-        if (empty($queryParameters)) {
-            throw new EngineBlock_Exception(
-                'Unable to consume access token, no query parameters given',
-                EngineBlock_Exception::CODE_NOTICE
-            );
-        }
-
-        if (!isset($_SESSION['request_token'][$providerId])) {
-            throw new EngineBlock_Exception(
-                "Unable to consume access token, no request token (session lost?)",
-                EngineBlock_Exception::CODE_NOTICE
-            );
-        }
-
-        $requestToken = unserialize($_SESSION['request_token'][$providerId]);
-
-        $token = $consumer->getAccessToken(
-            $queryParameters,
-            $requestToken
-        );
-        $userId = $this->attributes['nameid'][0];
-        $provider = EngineBlock_Group_Provider_OpenSocial_Oauth_ThreeLegged::createFromConfigs(
-            $providerConfig,
-            $userId
-        );
-        $provider->setAccessToken($token);
-
-        if (!$provider->validatePreconditions()) {
-
-            EngineBlock_ApplicationSingleton::getLog()->notice(
-                "Unable to test OpenSocial 3-legged Oauth provider because not all preconditions have been matched?",
-                EngineBlock_Log_Message_AdditionalInfo::create()->setUserId($userId)
-            );
-            $this->providerId = $providerId;
-            $this->renderAction("Error"); 
-        } else {
-            // Now that we have an Access Token, we can discard the Request Token
-            $_SESSION['request_token'][$providerId] = null;
-
-            $this->_redirectToUrl($_SESSION['return_url']);
-        }
-    }
-
-    /**
-     *
-     * @example /profile/group-oauth/revoke?provider=providerId
-     *
-     * @return void
-     */
-    public function revokeAction()
-    {
-        $this->setNoRender();
-
-        $providerId = $this->_getRequest()->getQueryParameter('provider');
-
-        $this->user->deleteOauthGroupConsent($providerId);
-
-        $this->_redirectToUrl('/#MyGroups');
-    }
-
-    protected function _getProviderConfiguration($providerId)
-    {
-        $configReader = new EngineBlock_Group_Provider_ProviderConfig();
-        return $configReader->createFromDatabaseFor($providerId)->current();
-    }
-}
\ No newline at end of file
diff --git a/application/modules/Profile/Controller/Index.php b/application/modules/Profile/Controller/Index.php
index b5fe9feeb8..ab68d41ee9 100644
--- a/application/modules/Profile/Controller/Index.php
+++ b/application/modules/Profile/Controller/Index.php
@@ -7,9 +7,6 @@ public function indexAction()
         $this->userAttributes = $this->_normalizeAttributes();
 
         $this->metadata = new EngineBlock_Attributes_Metadata();
-        $this->aggregator = EngineBlock_Group_Provider_Aggregator_MemoryCacheProxy::createFromDatabaseFor(
-            $this->attributes['nameid'][0]
-        );
 
         $serviceRegistryClient = $this->_getServiceRegistryClient();
         $this->spList = $serviceRegistryClient->getSpList();
diff --git a/application/modules/Profile/View/AttributeSupport/ProfileMail.phtml b/application/modules/Profile/View/AttributeSupport/ProfileMail.phtml
index a91ce9e6e9..4930bf44d5 100644
--- a/application/modules/Profile/View/AttributeSupport/ProfileMail.phtml
+++ b/application/modules/Profile/View/AttributeSupport/ProfileMail.phtml
@@ -11,18 +11,18 @@
     <?php foreach ($userAttributes as $attributeId => $attributeValues) { ?>
         <tr>
             <td>
-                <?=$this->htmlSpecialCharsText($attributeId)?>
+                <?=EngineBlock_View::htmlSpecialCharsText($attributeId)?>
             </td>
             <td>
-                <?=$this->htmlSpecialCharsText($metadata->getName($attributeId, $lang))?>
+                <?=EngineBlock_View::htmlSpecialCharsText($metadata->getName($attributeId, $lang))?>
             </td>
             <td>
                 <?php if (count($attributeValues)==1) { ?>
-                    <?=$this->htmlSpecialCharsText($attributeValues[0]);?>
+                    <?=EngineBlock_View::htmlSpecialCharsText($attributeValues[0]);?>
                 <?php } else { ?>
                     <ul>
                         <?php foreach ($attributeValues as $value) { ?>
-                            <li><?=$this->htmlSpecialCharsText($value)?></li>
+                            <li><?=EngineBlock_View::htmlSpecialCharsText($value)?></li>
                         <?php } ?>
                     </ul>
                 <?php } ?>
diff --git a/application/modules/Profile/View/GroupOauth/Error.phtml b/application/modules/Profile/View/GroupOauth/Error.phtml
deleted file mode 100644
index 313d2f48dc..0000000000
--- a/application/modules/Profile/View/GroupOauth/Error.phtml
+++ /dev/null
@@ -1,32 +0,0 @@
-<?php
-/** @var Zend_Layout $layout */
-$layout = $this->layout();
-$layout->setLayout('1-column-blue-grey-narrow');
-
-// Set Layout properties
-$layout->title = $layout->title. ' - ' .$this->t('error_group_oauth');
-$layout->header = $layout->title;
-$layout->subheader = $this->t('error_group_oauth');
-$layout->footerText = $this->t('footer');
-
-?>
-<div class="error-wrapper">
-    <div class="error-icon"></div>
-    <div class="error-text">
-        <?= $this->t('error_group_oauth_desc',$providerId); ?>
-        <div class="button-row">
-            <a href="/profile#MyGroups">
-            <?= $this->t('go_back'); ?>
-            <span class="btn-wrap-right">&nbsp;</span>
-            </a>
-        </div>
-    </div>
-</div>
-
-<?php if ($exception) { ?>
-<pre>
-    <?php var_dump($exception); ?>
-</pre>
-
-<?php if ($exception->xdebug_message) { echo $exception->xdebug_message; } ?>
-<?php } ?>
diff --git a/application/modules/Profile/View/Index/Index.phtml b/application/modules/Profile/View/Index/Index.phtml
index dac925185e..556cf92973 100644
--- a/application/modules/Profile/View/Index/Index.phtml
+++ b/application/modules/Profile/View/Index/Index.phtml
@@ -6,13 +6,6 @@ if (!isset($userAttributes)) {
     throw new EngineBlock_View_Exception("Missing required parameter for view /profile/index: userAttributes");
 }
 
-/**
- * @var EngineBlock_Group_Provider_Aggregator $aggregator
- */
-if (!isset($aggregator)) {
-    throw new EngineBlock_View_Exception("Missing required parameter for view /profile/index: aggregator");
-}
-
 /**
  * @var EngineBlock_Attributes_Metadata $metadata
  */
@@ -95,15 +88,15 @@ foreach ($spList as $spId => $sp) {
     <?php foreach ($userAttributes as $attributeId => $attributeValues) { ?>
         <tr>
             <td style="font-weight: bold;" title="<?= $attributeId?>">
-                <?=$this->htmlSpecialCharsText($metadata->getName($attributeId, $lang))?>
+                <?=EngineBlock_View::htmlSpecialCharsText($metadata->getName($attributeId, $lang))?>
             </td>
             <td>
                 <?php /** Single attribute value */ if (count($attributeValues)==1) { ?>
-                <?=$this->htmlSpecialCharsText($attributeValues[0])?>
+                <?=EngineBlock_View::htmlSpecialCharsText($attributeValues[0])?>
                 <?php } /** Multiple attribute values */ else { ?>
                 <ul>
                 <?php foreach ($attributeValues as $value) { ?>
-                    <li><?=$this->htmlSpecialCharsText($value)?></li>
+                    <li><?=EngineBlock_View::htmlSpecialCharsText($value)?></li>
                 <?php } ?>
                 </ul>
                 <?php } ?>
@@ -148,23 +141,23 @@ foreach ($spList as $spId => $sp) {
                     <td>
                         <a href="#" class="show-details">
                             <span class="ui-icon ui-icon-triangle-1-e left"></span>
-                            <?= $this->htmlSpecialCharsText($this->getDisplayName($sp)); ?>
+                            <?= EngineBlock_View::htmlSpecialCharsText($this->getDisplayName($sp)); ?>
                         </a>
                     </td>
                     <td>
                         <?php if ($sp['coin:eula']) : ?>
-                            <a href="<?= $this->htmlSpecialCharsAttributeValue($sp['coin:eula']); ?>"><?php
+                            <a href="<?= EngineBlock_View::htmlSpecialCharsAttributeValue($sp['coin:eula']); ?>"><?php
 	                            echo $this->t('profile_eula_link');
 	                        ?></a>
                         <?php endif; ?>
                     </td>
                     <td>
                         <?php if (isset($sp['url:en']) && $sp['url:en'] != ''): ?>
-                            <a href="<?= $this->htmlSpecialCharsAttributeValue($sp['url:en']); ?>"><?php
+                            <a href="<?= EngineBlock_View::htmlSpecialCharsAttributeValue($sp['url:en']); ?>"><?php
 	                            echo $this->t('profile_support_link');
 	                        ?></a>
                         <?php elseif (isset($sp['url:nl']) && $sp['url:nl'] != ''): ?>
-                            <a href="<?= $this->htmlSpecialCharsAttributeValue($sp['url:nl']); ?>"><?php
+                            <a href="<?= EngineBlock_View::htmlSpecialCharsAttributeValue($sp['url:nl']); ?>"><?php
 	                            echo $this->t('profile_support_link');
 	                        ?></a>
                         <?php else: ?>
@@ -172,8 +165,8 @@ foreach ($spList as $spId => $sp) {
                     </td>
                     <td>
                         <?php if (isset($sp['supportContact'])) : ?>
-                            <a href="mailto:<?= $this->htmlSpecialCharsAttributeValue($sp['supportContact']['emailAddress']); ?>"><?php
-                                echo $this->htmlSpecialCharsText($sp['supportContact']['emailAddress']); ?>
+                            <a href="mailto:<?= EngineBlock_View::htmlSpecialCharsAttributeValue($sp['supportContact']['emailAddress']); ?>"><?php
+                                echo EngineBlock_View::htmlSpecialCharsText($sp['supportContact']['emailAddress']); ?>
                             </a>
                         <?php endif; ?>
                     </td>
@@ -193,15 +186,15 @@ foreach ($spList as $spId => $sp) {
                                 <?php foreach ($spAttributesList[$spId] as $attributeId => $attributeValues) { ?>
                                     <tr>
                                         <td style="font-weight: bold;">
-                                            <?=$this->htmlSpecialCharsText($metadata->getName($attributeId, $lang))?>
+                                            <?=EngineBlock_View::htmlSpecialCharsText($metadata->getName($attributeId, $lang))?>
                                         </td>
                                         <td>
                                             <?php /** Single attribute value */ if (count($attributeValues)==1) { ?>
-                                            <?=$this->htmlSpecialCharsText($attributeValues[0]);?>
+                                            <?=EngineBlock_View::htmlSpecialCharsText($attributeValues[0]);?>
                                             <?php } /** Multiple attribute values */ else { ?>
                                             <ul>
                                             <?php foreach ($attributeValues as $value) { ?>
-                                                <li><?=$this->htmlSpecialCharsText($value)?></li>
+                                                <li><?=EngineBlock_View::htmlSpecialCharsText($value)?></li>
                                             <?php } ?>
                                             </ul>
                                             <?php } ?>
diff --git a/bin/assets_pipelines.php b/bin/assets_pipelines.php
index 5a5cef0c97..7da78e9300 100644
--- a/bin/assets_pipelines.php
+++ b/bin/assets_pipelines.php
@@ -1,28 +1,5 @@
 #!/usr/bin/env php
 <?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
 
 require realpath(__DIR__ . '/../vendor') . '/autoload.php';
 
diff --git a/bin/composer.phar b/bin/composer.phar
index 02d9021d5b..19fa5c7f27 100755
Binary files a/bin/composer.phar and b/bin/composer.phar differ
diff --git a/bin/dbpatch.php b/bin/dbpatch.php
index a9549d035f..4afe7de8f4 100755
--- a/bin/dbpatch.php
+++ b/bin/dbpatch.php
@@ -1,28 +1,5 @@
 #!/usr/bin/env php
 <?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
 
 require realpath(__DIR__ . '/../vendor') . '/autoload.php';
 
diff --git a/composer.json b/composer.json
index cdaa4d0c98..fc6d1bd3d4 100644
--- a/composer.json
+++ b/composer.json
@@ -1,30 +1,30 @@
 {
-    "name": "surfnet/openconextengineblock",
-    "description": "Surfnet OpenConext SAML proxy",
+    "name": "openconext/engineblock",
+    "description": "OpenConext SAML proxy",
     "type": "project",
-    "keywords": ["saml", "proxy", "openconext", "SURFnet"],
+    "keywords": ["saml", "proxy", "openconext"],
     "homepage": "http://www.openconext.org",
     "license": "Apache-2.0",
     "support": {
-        "email": "openconext-users@list.surfnet.nl",
+        "email": "info@openconext.org",
         "issues": "https://github.com/OpenConext/OpenConext-engineblock/issues",
         "source": "https://github.com/OpenConext/OpenConext-engineblock"
     },
     "require": {
         "cssmin/cssmin": "3.0.1",
         "dbpatch/dbpatch": "~1.2",
-        "kriswallsmith/assetic": "1.2.*@dev",
-        "mrclay/minify": "~2.1",
-        "openconext/engineblock-fixtures": "*",
+        "kriswallsmith/assetic": "~1.2.0",
+        "mrclay/minify": "~2.2",
+        "openconext/engineblock-fixtures": "~0.4",
         "openid/php-openid": "dev-master#a287b2d85e753c84b3b883ed8ee3ffe8692c8477 as 2.2.2",
-        "pimple/pimple": "~2.0",
-        "simplesamlphp/saml2": "~0.4",
-        "simplesamlphp/simplesamlphp": "~1.12",
+        "pimple/pimple": "~2.1",
+        "simplesamlphp/saml2": "~0.5",
+        "simplesamlphp/simplesamlphp": "~1.13",
         "zendframework/zendframework1":"~1.12"
     },
     "require-dev": {
-        "phake/phake": "2.0.0-alpha2",
-        "phpunit/phpunit": "3.7.19"
+        "phake/phake": "2.0.0-beta2",
+        "phpunit/phpunit": "~4.3"
     },
     "scripts": {
         "pre-autoload-dump": [
@@ -49,14 +49,11 @@
             "DbPatch_": "vendor/dbpatch/dbpatch/src/",
             "EngineBlock_": "library/",
             "EngineBlock_Test": "tests/library/",
-            "Grouper_": "library/",
             "Janus_": "library/",
-            "OpenSocial_": "library/",
             "SurfConext_": "library/",
             "Surfnet_": "library/",
             "Authentication_":"application/modules/",
             "Default_":"application/modules/",
-            "Dummy_":"application/modules/",
             "Logout_":"application/modules/",
             "Profile_":"application/modules/"
         }
diff --git a/composer.lock b/composer.lock
index 8afa017944..4c66e50d30 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
         "Read more about it at http://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
         "This file is @generated automatically"
     ],
-    "hash": "05d561827bbe1f88e90628a9212f0416",
+    "hash": "48a2f86311f2e02f9fe4cb55c8e30d29",
     "packages": [
         {
             "name": "cssmin/cssmin",
@@ -66,16 +66,16 @@
         },
         {
             "name": "kriswallsmith/assetic",
-            "version": "dev-master",
+            "version": "v1.2.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/kriswallsmith/assetic.git",
-                "reference": "de93760710c59b4fd598ab136642d8737e04665c"
+                "reference": "df991c124a2212371443b586a1be767500036dee"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/kriswallsmith/assetic/zipball/de93760710c59b4fd598ab136642d8737e04665c",
-                "reference": "de93760710c59b4fd598ab136642d8737e04665c",
+                "url": "https://api.github.com/repos/kriswallsmith/assetic/zipball/df991c124a2212371443b586a1be767500036dee",
+                "reference": "df991c124a2212371443b586a1be767500036dee",
                 "shasum": ""
             },
             "require": {
@@ -90,8 +90,8 @@
                 "leafo/scssphp": "*",
                 "leafo/scssphp-compass": "*",
                 "mrclay/minify": "*",
-                "patchwork/jsqueeze": "*",
-                "phpunit/phpunit": "~3.7",
+                "patchwork/jsqueeze": "~1.0",
+                "phpunit/phpunit": "~4",
                 "psr/log": "~1.0",
                 "ptachoire/cssembed": "*",
                 "twig/twig": "~1.6"
@@ -136,7 +136,7 @@
                 "compression",
                 "minification"
             ],
-            "time": "2014-09-22 17:24:20"
+            "time": "2014-10-14 14:45:32"
         },
         {
             "name": "mrclay/minify",
@@ -180,16 +180,16 @@
         },
         {
             "name": "openconext/engineblock-fixtures",
-            "version": "0.3.0",
+            "version": "0.4.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/OpenConext/OpenConext-engineblock-fixtures.git",
-                "reference": "c0cdd2db1d2e46d841273b97602d535d5cb9ed14"
+                "reference": "07c3739acce58126491eb177d3304c17476f31fb"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/OpenConext/OpenConext-engineblock-fixtures/zipball/c0cdd2db1d2e46d841273b97602d535d5cb9ed14",
-                "reference": "c0cdd2db1d2e46d841273b97602d535d5cb9ed14",
+                "url": "https://api.github.com/repos/OpenConext/OpenConext-engineblock-fixtures/zipball/07c3739acce58126491eb177d3304c17476f31fb",
+                "reference": "07c3739acce58126491eb177d3304c17476f31fb",
                 "shasum": ""
             },
             "require": {
@@ -201,15 +201,12 @@
                     "OpenConext\\Component\\EngineBlockFixtures\\": "src/"
                 }
             },
+            "notification-url": "https://packagist.org/downloads/",
             "license": [
                 "Apache-2.0"
             ],
             "description": "OpenConext Component for EngineBlock Fixtures",
-            "support": {
-                "source": "https://github.com/OpenConext/OpenConext-engineblock-fixtures/tree/0.3.0",
-                "issues": "https://github.com/OpenConext/OpenConext-engineblock-fixtures/issues"
-            },
-            "time": "2014-02-20 09:30:41"
+            "time": "2014-10-08 05:47:39"
         },
         {
             "name": "openid/php-openid",
@@ -346,16 +343,16 @@
         },
         {
             "name": "simplesamlphp/saml2",
-            "version": "v0.4.2",
+            "version": "v0.5.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/simplesamlphp/saml2.git",
-                "reference": "37cff16d954b53a57813899c439f1ad8ae3c4c08"
+                "reference": "497152245ec73c3f96c84306dcddf850017b84a8"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/simplesamlphp/saml2/zipball/37cff16d954b53a57813899c439f1ad8ae3c4c08",
-                "reference": "37cff16d954b53a57813899c439f1ad8ae3c4c08",
+                "url": "https://api.github.com/repos/simplesamlphp/saml2/zipball/497152245ec73c3f96c84306dcddf850017b84a8",
+                "reference": "497152245ec73c3f96c84306dcddf850017b84a8",
                 "shasum": ""
             },
             "require": {
@@ -390,20 +387,20 @@
                 }
             ],
             "description": "SAML2 PHP library from SimpleSAMLphp",
-            "time": "2014-08-07 14:33:36"
+            "time": "2014-10-07 13:40:34"
         },
         {
             "name": "simplesamlphp/simplesamlphp",
-            "version": "v1.12.0",
+            "version": "v1.13.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/simplesamlphp/simplesamlphp.git",
-                "reference": "b5ff6f0d44be3ef7ac29087368e6570fbfefbb36"
+                "reference": "423bdf0bc97ad32467183e0994f72b20370194d6"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/simplesamlphp/simplesamlphp/zipball/b5ff6f0d44be3ef7ac29087368e6570fbfefbb36",
-                "reference": "b5ff6f0d44be3ef7ac29087368e6570fbfefbb36",
+                "url": "https://api.github.com/repos/simplesamlphp/simplesamlphp/zipball/423bdf0bc97ad32467183e0994f72b20370194d6",
+                "reference": "423bdf0bc97ad32467183e0994f72b20370194d6",
                 "shasum": ""
             },
             "require": {
@@ -425,15 +422,13 @@
                 "LGPL-2.1"
             ],
             "authors": [
-                {
-                    "name": "Andreas Åkre Solberg",
-                    "email": "andreas.solberg@uninett.no",
-                    "homepage": "http://rnd.feide.no",
-                    "role": "Developer"
-                },
                 {
                     "name": "Olav Morken",
                     "email": "olav.morken@uninett.no"
+                },
+                {
+                    "name": "Andreas Åkre Solberg",
+                    "email": "andreas.solberg@uninett.no"
                 }
             ],
             "description": "A PHP implementation of SAML 2.0 service provider and identity provider functionality. And is also compatible with Shibboleth 1.3 and 2.0.",
@@ -448,7 +443,7 @@
                 "sp",
                 "ws-federation"
             ],
-            "time": "2014-03-24 13:26:31"
+            "time": "2014-09-25 12:16:14"
         },
         {
             "name": "simplesamlphp/xmlseclibs",
@@ -503,17 +498,17 @@
         },
         {
             "name": "symfony/process",
-            "version": "v2.5.4",
+            "version": "v2.5.5",
             "target-dir": "Symfony/Component/Process",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/Process.git",
-                "reference": "136cf0bdaacea81f779583376d47dd8aef4fc6ba"
+                "reference": "8a1ec96c4e519cee0fb971ea48a1eb7369dda54b"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/Process/zipball/136cf0bdaacea81f779583376d47dd8aef4fc6ba",
-                "reference": "136cf0bdaacea81f779583376d47dd8aef4fc6ba",
+                "url": "https://api.github.com/repos/symfony/Process/zipball/8a1ec96c4e519cee0fb971ea48a1eb7369dda54b",
+                "reference": "8a1ec96c4e519cee0fb971ea48a1eb7369dda54b",
                 "shasum": ""
             },
             "require": {
@@ -546,7 +541,7 @@
             ],
             "description": "Symfony Process Component",
             "homepage": "http://symfony.com",
-            "time": "2014-08-31 03:22:04"
+            "time": "2014-09-23 05:25:11"
         },
         {
             "name": "zendframework/zendframework1",
@@ -597,32 +592,86 @@
         }
     ],
     "packages-dev": [
+        {
+            "name": "doctrine/instantiator",
+            "version": "1.0.4",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/doctrine/instantiator.git",
+                "reference": "f976e5de371104877ebc89bd8fecb0019ed9c119"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/doctrine/instantiator/zipball/f976e5de371104877ebc89bd8fecb0019ed9c119",
+                "reference": "f976e5de371104877ebc89bd8fecb0019ed9c119",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.3,<8.0-DEV"
+            },
+            "require-dev": {
+                "athletic/athletic": "~0.1.8",
+                "ext-pdo": "*",
+                "ext-phar": "*",
+                "phpunit/phpunit": "~4.0",
+                "squizlabs/php_codesniffer": "2.0.*@ALPHA"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.0.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-0": {
+                    "Doctrine\\Instantiator\\": "src"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Marco Pivetta",
+                    "email": "ocramius@gmail.com",
+                    "homepage": "http://ocramius.github.com/"
+                }
+            ],
+            "description": "A small, lightweight utility to instantiate objects in PHP without invoking their constructors",
+            "homepage": "https://github.com/doctrine/instantiator",
+            "keywords": [
+                "constructor",
+                "instantiate"
+            ],
+            "time": "2014-10-13 12:58:55"
+        },
         {
             "name": "phake/phake",
-            "version": "v2.0.0-alpha2",
+            "version": "v2.0.0-beta2",
             "source": {
                 "type": "git",
                 "url": "https://github.com/mlively/Phake.git",
-                "reference": "62915ebb99871aeb9f486973afc00cb024c4a799"
+                "reference": "917a5d1e426548ead7910a8cb89336cd8641eba7"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/mlively/Phake/zipball/62915ebb99871aeb9f486973afc00cb024c4a799",
-                "reference": "62915ebb99871aeb9f486973afc00cb024c4a799",
+                "url": "https://api.github.com/repos/mlively/Phake/zipball/917a5d1e426548ead7910a8cb89336cd8641eba7",
+                "reference": "917a5d1e426548ead7910a8cb89336cd8641eba7",
                 "shasum": ""
             },
             "require": {
                 "php": ">=5.3.3"
             },
             "require-dev": {
-                "davedevelopment/hamcrest-php": "dev-master",
                 "doctrine/common": "2.3.*",
                 "ext-soap": "*",
+                "hamcrest/hamcrest-php": "1.1.*",
                 "phpunit/phpunit": "3.7.*"
             },
             "suggest": {
-                "davedevelopment/hamcrest-php": "Use Hamcrest matchers.",
-                "doctrine/common": "Allows mock annotations to use import statements for classes."
+                "doctrine/common": "Allows mock annotations to use import statements for classes.",
+                "hamcrest/hamcrest-php": "Use Hamcrest matchers."
             },
             "type": "library",
             "extra": {
@@ -651,44 +700,48 @@
                 "mock",
                 "testing"
             ],
-            "time": "2013-07-17 00:59:25"
+            "time": "2014-05-05 14:08:12"
         },
         {
             "name": "phpunit/php-code-coverage",
-            "version": "1.2.18",
+            "version": "2.0.11",
             "source": {
                 "type": "git",
                 "url": "https://github.com/sebastianbergmann/php-code-coverage.git",
-                "reference": "fe2466802556d3fe4e4d1d58ffd3ccfd0a19be0b"
+                "reference": "53603b3c995f5aab6b59c8e08c3a663d2cc810b7"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/sebastianbergmann/php-code-coverage/zipball/fe2466802556d3fe4e4d1d58ffd3ccfd0a19be0b",
-                "reference": "fe2466802556d3fe4e4d1d58ffd3ccfd0a19be0b",
+                "url": "https://api.github.com/repos/sebastianbergmann/php-code-coverage/zipball/53603b3c995f5aab6b59c8e08c3a663d2cc810b7",
+                "reference": "53603b3c995f5aab6b59c8e08c3a663d2cc810b7",
                 "shasum": ""
             },
             "require": {
                 "php": ">=5.3.3",
-                "phpunit/php-file-iterator": ">=1.3.0@stable",
-                "phpunit/php-text-template": ">=1.2.0@stable",
-                "phpunit/php-token-stream": ">=1.1.3,<1.3.0"
+                "phpunit/php-file-iterator": "~1.3",
+                "phpunit/php-text-template": "~1.2",
+                "phpunit/php-token-stream": "~1.3",
+                "sebastian/environment": "~1.0",
+                "sebastian/version": "~1.0"
             },
             "require-dev": {
-                "phpunit/phpunit": "3.7.*@dev"
+                "ext-xdebug": ">=2.1.4",
+                "phpunit/phpunit": "~4.1"
             },
             "suggest": {
                 "ext-dom": "*",
-                "ext-xdebug": ">=2.0.5"
+                "ext-xdebug": ">=2.2.1",
+                "ext-xmlwriter": "*"
             },
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-master": "1.2.x-dev"
+                    "dev-master": "2.0.x-dev"
                 }
             },
             "autoload": {
                 "classmap": [
-                    "PHP/"
+                    "src/"
                 ]
             },
             "notification-url": "https://packagist.org/downloads/",
@@ -712,7 +765,7 @@
                 "testing",
                 "xunit"
             ],
-            "time": "2014-09-02 10:13:14"
+            "time": "2014-08-31 06:33:04"
         },
         {
             "name": "phpunit/php-file-iterator",
@@ -849,45 +902,44 @@
         },
         {
             "name": "phpunit/php-token-stream",
-            "version": "1.2.2",
+            "version": "1.3.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/sebastianbergmann/php-token-stream.git",
-                "reference": "ad4e1e23ae01b483c16f600ff1bebec184588e32"
+                "reference": "f8d5d08c56de5cfd592b3340424a81733259a876"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/sebastianbergmann/php-token-stream/zipball/ad4e1e23ae01b483c16f600ff1bebec184588e32",
-                "reference": "ad4e1e23ae01b483c16f600ff1bebec184588e32",
+                "url": "https://api.github.com/repos/sebastianbergmann/php-token-stream/zipball/f8d5d08c56de5cfd592b3340424a81733259a876",
+                "reference": "f8d5d08c56de5cfd592b3340424a81733259a876",
                 "shasum": ""
             },
             "require": {
                 "ext-tokenizer": "*",
                 "php": ">=5.3.3"
             },
+            "require-dev": {
+                "phpunit/phpunit": "~4.2"
+            },
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-master": "1.2-dev"
+                    "dev-master": "1.3-dev"
                 }
             },
             "autoload": {
                 "classmap": [
-                    "PHP/"
+                    "src/"
                 ]
             },
             "notification-url": "https://packagist.org/downloads/",
-            "include-path": [
-                ""
-            ],
             "license": [
                 "BSD-3-Clause"
             ],
             "authors": [
                 {
                     "name": "Sebastian Bergmann",
-                    "email": "sb@sebastian-bergmann.de",
-                    "role": "lead"
+                    "email": "sebastian@phpunit.de"
                 }
             ],
             "description": "Wrapper around PHP's tokenizer extension.",
@@ -895,56 +947,56 @@
             "keywords": [
                 "tokenizer"
             ],
-            "time": "2014-03-03 05:10:30"
+            "time": "2014-08-31 06:12:13"
         },
         {
             "name": "phpunit/phpunit",
-            "version": "3.7.19",
+            "version": "4.3.4",
             "source": {
                 "type": "git",
                 "url": "https://github.com/sebastianbergmann/phpunit.git",
-                "reference": "dadeb425e35e923e284b0b1dfeb182f55714b0ec"
+                "reference": "23e4e0310f037aae873cc81b8658dbbb82878f71"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/sebastianbergmann/phpunit/zipball/dadeb425e35e923e284b0b1dfeb182f55714b0ec",
-                "reference": "dadeb425e35e923e284b0b1dfeb182f55714b0ec",
+                "url": "https://api.github.com/repos/sebastianbergmann/phpunit/zipball/23e4e0310f037aae873cc81b8658dbbb82878f71",
+                "reference": "23e4e0310f037aae873cc81b8658dbbb82878f71",
                 "shasum": ""
             },
             "require": {
                 "ext-dom": "*",
+                "ext-json": "*",
                 "ext-pcre": "*",
                 "ext-reflection": "*",
                 "ext-spl": "*",
                 "php": ">=5.3.3",
-                "phpunit/php-code-coverage": ">=1.2.1,<1.3.0",
-                "phpunit/php-file-iterator": ">=1.3.1",
-                "phpunit/php-text-template": ">=1.1.1",
-                "phpunit/php-timer": ">=1.0.2,<1.1.0",
-                "phpunit/phpunit-mock-objects": ">=1.2.0,<1.3.0",
-                "symfony/yaml": ">=2.0.0,<2.3.0"
-            },
-            "require-dev": {
-                "pear-pear/pear": "1.9.4"
+                "phpunit/php-code-coverage": "~2.0",
+                "phpunit/php-file-iterator": "~1.3.2",
+                "phpunit/php-text-template": "~1.2",
+                "phpunit/php-timer": "~1.0.2",
+                "phpunit/phpunit-mock-objects": "~2.3",
+                "sebastian/comparator": "~1.0",
+                "sebastian/diff": "~1.1",
+                "sebastian/environment": "~1.0",
+                "sebastian/exporter": "~1.0",
+                "sebastian/version": "~1.0",
+                "symfony/yaml": "~2.0"
             },
             "suggest": {
-                "ext-json": "*",
-                "ext-simplexml": "*",
-                "ext-tokenizer": "*",
-                "phpunit/php-invoker": ">=1.1.0,<1.2.0"
+                "phpunit/php-invoker": "~1.1"
             },
             "bin": [
-                "composer/bin/phpunit"
+                "phpunit"
             ],
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-master": "3.7.x-dev"
+                    "dev-master": "4.3.x-dev"
                 }
             },
             "autoload": {
                 "classmap": [
-                    "PHPUnit/"
+                    "src/"
                 ]
             },
             "notification-url": "https://packagist.org/downloads/",
@@ -969,39 +1021,45 @@
                 "testing",
                 "xunit"
             ],
-            "time": "2013-03-25 11:45:06"
+            "time": "2014-10-22 11:43:12"
         },
         {
             "name": "phpunit/phpunit-mock-objects",
-            "version": "1.2.3",
+            "version": "2.3.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/sebastianbergmann/phpunit-mock-objects.git",
-                "reference": "5794e3c5c5ba0fb037b11d8151add2a07fa82875"
+                "reference": "c63d2367247365f688544f0d500af90a11a44c65"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/sebastianbergmann/phpunit-mock-objects/zipball/5794e3c5c5ba0fb037b11d8151add2a07fa82875",
-                "reference": "5794e3c5c5ba0fb037b11d8151add2a07fa82875",
+                "url": "https://api.github.com/repos/sebastianbergmann/phpunit-mock-objects/zipball/c63d2367247365f688544f0d500af90a11a44c65",
+                "reference": "c63d2367247365f688544f0d500af90a11a44c65",
                 "shasum": ""
             },
             "require": {
+                "doctrine/instantiator": "~1.0,>=1.0.1",
                 "php": ">=5.3.3",
-                "phpunit/php-text-template": ">=1.1.1@stable"
+                "phpunit/php-text-template": "~1.2"
+            },
+            "require-dev": {
+                "phpunit/phpunit": "~4.3"
             },
             "suggest": {
                 "ext-soap": "*"
             },
             "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "2.3.x-dev"
+                }
+            },
             "autoload": {
                 "classmap": [
-                    "PHPUnit/"
+                    "src/"
                 ]
             },
             "notification-url": "https://packagist.org/downloads/",
-            "include-path": [
-                ""
-            ],
             "license": [
                 "BSD-3-Clause"
             ],
@@ -1018,21 +1076,287 @@
                 "mock",
                 "xunit"
             ],
-            "time": "2013-01-13 10:24:48"
+            "time": "2014-10-03 05:12:11"
+        },
+        {
+            "name": "sebastian/comparator",
+            "version": "1.0.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/sebastianbergmann/comparator.git",
+                "reference": "e54a01c0da1b87db3c5a3c4c5277ddf331da4aef"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/sebastianbergmann/comparator/zipball/e54a01c0da1b87db3c5a3c4c5277ddf331da4aef",
+                "reference": "e54a01c0da1b87db3c5a3c4c5277ddf331da4aef",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.3.3",
+                "sebastian/diff": "~1.1",
+                "sebastian/exporter": "~1.0"
+            },
+            "require-dev": {
+                "phpunit/phpunit": "~4.1"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.0.x-dev"
+                }
+            },
+            "autoload": {
+                "classmap": [
+                    "src/"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "BSD-3-Clause"
+            ],
+            "authors": [
+                {
+                    "name": "Jeff Welch",
+                    "email": "whatthejeff@gmail.com"
+                },
+                {
+                    "name": "Volker Dusch",
+                    "email": "github@wallbash.com"
+                },
+                {
+                    "name": "Bernhard Schussek",
+                    "email": "bschussek@2bepublished.at"
+                },
+                {
+                    "name": "Sebastian Bergmann",
+                    "email": "sebastian@phpunit.de"
+                }
+            ],
+            "description": "Provides the functionality to compare PHP values for equality",
+            "homepage": "http://www.github.com/sebastianbergmann/comparator",
+            "keywords": [
+                "comparator",
+                "compare",
+                "equality"
+            ],
+            "time": "2014-05-11 23:00:21"
+        },
+        {
+            "name": "sebastian/diff",
+            "version": "1.2.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/sebastianbergmann/diff.git",
+                "reference": "5843509fed39dee4b356a306401e9dd1a931fec7"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/sebastianbergmann/diff/zipball/5843509fed39dee4b356a306401e9dd1a931fec7",
+                "reference": "5843509fed39dee4b356a306401e9dd1a931fec7",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.3.3"
+            },
+            "require-dev": {
+                "phpunit/phpunit": "~4.2"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.2-dev"
+                }
+            },
+            "autoload": {
+                "classmap": [
+                    "src/"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "BSD-3-Clause"
+            ],
+            "authors": [
+                {
+                    "name": "Kore Nordmann",
+                    "email": "mail@kore-nordmann.de"
+                },
+                {
+                    "name": "Sebastian Bergmann",
+                    "email": "sebastian@phpunit.de"
+                }
+            ],
+            "description": "Diff implementation",
+            "homepage": "http://www.github.com/sebastianbergmann/diff",
+            "keywords": [
+                "diff"
+            ],
+            "time": "2014-08-15 10:29:00"
+        },
+        {
+            "name": "sebastian/environment",
+            "version": "1.2.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/sebastianbergmann/environment.git",
+                "reference": "0d9bf79554d2a999da194a60416c15cf461eb67d"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/sebastianbergmann/environment/zipball/0d9bf79554d2a999da194a60416c15cf461eb67d",
+                "reference": "0d9bf79554d2a999da194a60416c15cf461eb67d",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.3.3"
+            },
+            "require-dev": {
+                "phpunit/phpunit": "~4.3"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.2.x-dev"
+                }
+            },
+            "autoload": {
+                "classmap": [
+                    "src/"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "BSD-3-Clause"
+            ],
+            "authors": [
+                {
+                    "name": "Sebastian Bergmann",
+                    "email": "sebastian@phpunit.de"
+                }
+            ],
+            "description": "Provides functionality to handle HHVM/PHP environments",
+            "homepage": "http://www.github.com/sebastianbergmann/environment",
+            "keywords": [
+                "Xdebug",
+                "environment",
+                "hhvm"
+            ],
+            "time": "2014-10-22 06:38:05"
+        },
+        {
+            "name": "sebastian/exporter",
+            "version": "1.0.2",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/sebastianbergmann/exporter.git",
+                "reference": "c7d59948d6e82818e1bdff7cadb6c34710eb7dc0"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/sebastianbergmann/exporter/zipball/c7d59948d6e82818e1bdff7cadb6c34710eb7dc0",
+                "reference": "c7d59948d6e82818e1bdff7cadb6c34710eb7dc0",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.3.3"
+            },
+            "require-dev": {
+                "phpunit/phpunit": "~4.0"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.0.x-dev"
+                }
+            },
+            "autoload": {
+                "classmap": [
+                    "src/"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "BSD-3-Clause"
+            ],
+            "authors": [
+                {
+                    "name": "Jeff Welch",
+                    "email": "whatthejeff@gmail.com"
+                },
+                {
+                    "name": "Volker Dusch",
+                    "email": "github@wallbash.com"
+                },
+                {
+                    "name": "Bernhard Schussek",
+                    "email": "bschussek@2bepublished.at"
+                },
+                {
+                    "name": "Sebastian Bergmann",
+                    "email": "sebastian@phpunit.de"
+                },
+                {
+                    "name": "Adam Harvey",
+                    "email": "aharvey@php.net"
+                }
+            ],
+            "description": "Provides the functionality to export PHP variables for visualization",
+            "homepage": "http://www.github.com/sebastianbergmann/exporter",
+            "keywords": [
+                "export",
+                "exporter"
+            ],
+            "time": "2014-09-10 00:51:36"
+        },
+        {
+            "name": "sebastian/version",
+            "version": "1.0.3",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/sebastianbergmann/version.git",
+                "reference": "b6e1f0cf6b9e1ec409a0d3e2f2a5fb0998e36b43"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/sebastianbergmann/version/zipball/b6e1f0cf6b9e1ec409a0d3e2f2a5fb0998e36b43",
+                "reference": "b6e1f0cf6b9e1ec409a0d3e2f2a5fb0998e36b43",
+                "shasum": ""
+            },
+            "type": "library",
+            "autoload": {
+                "classmap": [
+                    "src/"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "BSD-3-Clause"
+            ],
+            "authors": [
+                {
+                    "name": "Sebastian Bergmann",
+                    "email": "sebastian@phpunit.de",
+                    "role": "lead"
+                }
+            ],
+            "description": "Library that helps with managing the version number of Git-hosted PHP projects",
+            "homepage": "https://github.com/sebastianbergmann/version",
+            "time": "2014-03-07 15:35:33"
         },
         {
             "name": "symfony/yaml",
-            "version": "v2.2.11",
+            "version": "v2.5.5",
             "target-dir": "Symfony/Component/Yaml",
             "source": {
                 "type": "git",
                 "url": "https://github.com/symfony/Yaml.git",
-                "reference": "4f3569bb23953116281fb3a642c4266ce84a2f44"
+                "reference": "b1dbc53593b98c2d694ebf383660ac9134d30b96"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/symfony/Yaml/zipball/4f3569bb23953116281fb3a642c4266ce84a2f44",
-                "reference": "4f3569bb23953116281fb3a642c4266ce84a2f44",
+                "url": "https://api.github.com/repos/symfony/Yaml/zipball/b1dbc53593b98c2d694ebf383660ac9134d30b96",
+                "reference": "b1dbc53593b98c2d694ebf383660ac9134d30b96",
                 "shasum": ""
             },
             "require": {
@@ -1041,7 +1365,7 @@
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-master": "2.2-dev"
+                    "dev-master": "2.5-dev"
                 }
             },
             "autoload": {
@@ -1054,20 +1378,18 @@
                 "MIT"
             ],
             "authors": [
-                {
-                    "name": "Fabien Potencier",
-                    "email": "fabien@symfony.com",
-                    "homepage": "http://fabien.potencier.org",
-                    "role": "Lead Developer"
-                },
                 {
                     "name": "Symfony Community",
                     "homepage": "http://symfony.com/contributors"
+                },
+                {
+                    "name": "Fabien Potencier",
+                    "email": "fabien@symfony.com"
                 }
             ],
             "description": "Symfony Yaml Component",
             "homepage": "http://symfony.com",
-            "time": "2013-11-25 10:21:43"
+            "time": "2014-09-22 09:14:18"
         }
     ],
     "aliases": [
@@ -1080,15 +1402,10 @@
     ],
     "minimum-stability": "stable",
     "stability-flags": {
-        "kriswallsmith/assetic": 20,
         "openid/php-openid": 20,
-        "phake/phake": 15
+        "phake/phake": 10
     },
     "prefer-stable": false,
-    "platform": [
-
-    ],
-    "platform-dev": [
-
-    ]
+    "platform": [],
+    "platform-dev": []
 }
diff --git a/docs/release_notes/4.3.0.md b/docs/release_notes/4.3.0.md
new file mode 100644
index 0000000000..80f0dcce9a
--- /dev/null
+++ b/docs/release_notes/4.3.0.md
@@ -0,0 +1,36 @@
+# OpenConext EngineBlock v4.3.0 Release Notes #
+
+Full support for SP Proxies and improvements to error handling.
+
+SP Proxies are Service Providers that:
+* Have 'coin:trusted_proxy' set/
+* Sign their AuthnRequests
+* Mention another Service Provider, also known to EB, in the AuthnRequest > Scoping > RequesterId.
+
+For these proxies EB will act like a big brother and do consent, attribute release, WAYF and attribute manipulation
+for them. Most notable implementation is the upcoming SURFconext Step Up Gateway.
+
+List of issues resolved:
+
+* EB > 4 accepts SAML Responses over HTTP Redirect #83
+* Remove Management of 3rd party OpenSocial Group Providers from Profile #81
+* WAYF screen not valid HTML #79
+* Consistently apply licensing file header #76
+* Remove Internal endpoint #74
+* Full support for SP Proxies #64
+* Show more informative error when IdP denies user access #61
+* Add specific error message for IdP cert mismatch #55
+* Improve error message for invalid IdP signing certificate #25
+
+See: https://github.com/OpenConext/OpenConext-engineblock/issues?q=milestone%3A4.3.0+is%3Aclosed
+
+Also https://github.com/OpenConext/OpenConext-engine-test-stand can be used for functional tests.
+
+And the following dependencies were updated:
+| package                     | prev version  | current version |
+|-----------------------------|---------------|-----------------|
+| kriswallsmith/assetic       | dev-master    | v1.2.0          |
+| simplesamlphp/saml2         | v0.4.2        | v0.5.0          |
+| simplesamlphp/simplesamlphp | v1.12.0       | v1.13.0         |
+| phake/phake                 | v2.0.0-alpha2 | v2.0.0-beta2    |
+| phpunit/phpunit             | v3.7.19       | v4.3.4          |
\ No newline at end of file
diff --git a/languages/en.php b/languages/en.php
index 5e03d9d93a..2be02c785c 100644
--- a/languages/en.php
+++ b/languages/en.php
@@ -36,7 +36,7 @@
     'error_header'              => 'Error',
 
     //Footer
-    'footer'                => '<a href="http://www.surfconext.nl/">SURFconext</a>&nbsp&nbsp&nbsp|&nbsp&nbsp&nbsp<a href="https://wiki.surfnetlabs.nl/display/conextsupport/Terms+of+Service+%%28EN%%29">Terms of Service</a>',
+    'footer'                => '<a href="http://www.surfconext.nl/">SURFconext</a>&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;<a href="https://wiki.surfnetlabs.nl/display/conextsupport/Terms+of+Service+%%28EN%%29">Terms of Service</a>',
 
     //Help
     'help_header'           => 'Help',
@@ -182,11 +182,9 @@
     //Error screens
     'error_404'                         => '404 Page not found',
     'error_404_desc'                    => 'This page has not been found.',
-    'error_help_desc'               => '<p>
-        If this does not solve your problem, please visit
+    'error_help_desc'               => 'If this does not solve your problem, please visit
         <a href="https://wiki.surfnetlabs.nl/display/conextsupport/">the SURFconext support page</a>
-        or contact the SURFconext helpdesk at <a href="mailto:help@surfconext.nl">help@surfconext.nl</a>.
-    </p>',
+        or contact the SURFconext helpdesk at <a href="mailto:help@surfconext.nl">help@surfconext.nl</a>.',
     'error_no_consent'              => 'Unable to continue to service',
     'error_no_consent_desc'         => 'This application can only be used when you share the mentioned information.<br /><br />
 
@@ -251,7 +249,8 @@
     'error_received_error_status_code_desc'=> '<p>
         Your Identity Provider sent an authentication response with an error status code.
     </p>',
-    'error_received_invalid_response'     => 'Error - Invalid Idp response',
+    'error_received_invalid_response'       => 'Error - Invalid Idp response',
+    'error_received_invalid_signed_response'=> 'Error - Invalid signature on Idp response',
     'error_received_status_code_desc'=> '<p>
         Your Identity Provider sent an authentication response that was invalid.
     </p>',
diff --git a/languages/nl.php b/languages/nl.php
index 89ef67c869..967d5fc5d4 100644
--- a/languages/nl.php
+++ b/languages/nl.php
@@ -35,7 +35,7 @@
     'no_results'                => 'Geen resultaten gevonden',
 
     //Footer
-    'footer'                => '<a href="http://www.surfconext.nl/">SURFconext</a>&nbsp&nbsp&nbsp|&nbsp&nbsp&nbsp<a href="https://wiki.surfnetlabs.nl/display/conextsupport/Terms+of+Service+%%28NL%%29">Gebruiksvoorwaarden</a>',
+    'footer'                => '<a href="http://www.surfconext.nl/">SURFconext</a>&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;<a href="https://wiki.surfnetlabs.nl/display/conextsupport/Terms+of+Service+%%28NL%%29">Gebruiksvoorwaarden</a>',
 
     //Help
     'help_header'           => 'Help',
@@ -252,7 +252,8 @@
     'error_received_error_status_code_desc'=> '<p>
         Uw Identity Provider stuurde een authenticatie respons met een fout code.
     </p>',
-    'error_received_invalid_response'     => 'Error - Ongeldig Idp antwoord',
+    'error_received_invalid_response'        => 'Error - Ongeldig Idp antwoord',
+    'error_received_invalid_signed_response' => 'Error - Ongeldige handtekening op Idp antwoord',
     'error_received_status_code_desc'=> '<p>
         Uw Identity Provider stuurde een ongeldig authenticatie respons terug.
     </p>',
diff --git a/library/EngineBlock/Application/Bootstrapper.php b/library/EngineBlock/Application/Bootstrapper.php
index 635eefbdb3..6ab4b6b647 100644
--- a/library/EngineBlock/Application/Bootstrapper.php
+++ b/library/EngineBlock/Application/Bootstrapper.php
@@ -3,8 +3,7 @@
 class EngineBlock_Application_Bootstrapper
 {
     const CONFIG_FILE_DEFAULT       = 'configs/application.ini';
-    // @todo correct typo
-    const CONFIG_FILE_ENVIORNMENT   = '/etc/surfconext/engineblock.ini';
+    const CONFIG_FILE_ENVIRONMENT   = '/etc/surfconext/engineblock.ini';
     const P3P_HEADER = 'CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"';
 
     /**
@@ -64,6 +63,10 @@ protected function _bootstrapDefaultDiContainer()
 
     protected function _bootstrapConfiguration()
     {
+        if ($this->_application->getConfiguration()) {
+            return;
+        }
+
         $configProxy = new EngineBlock_Config_CacheProxy(
             $this->_getAllConfigFiles(),
             $this->_application->getDiContainer()->getApplicationCache()
@@ -73,12 +76,12 @@ protected function _bootstrapConfiguration()
 
     protected function _bootstrapTestDiContainer()
     {
-        if (defined('ENGINEBLOCK_ENV') && constant('ENGINEBLOCK_ENV') === 'testing') {
+        if ($this->_application->getConfigurationValue('testing', false)) {
             $this->_application->setDiContainer(new EngineBlock_Application_TestDiContainer());
             return;
         }
 
-        if (defined('ENGINEBLOCK_ENV') && constant('ENGINEBLOCK_ENV') === 'functionalTesting') {
+        if ($this->_application->getConfigurationValue('functionalTesting', false)) {
             $this->_application->setDiContainer(new EngineBlock_Application_FunctionalTestDiContainer());
             return;
         }
@@ -110,7 +113,7 @@ protected function _getAllConfigFiles()
     {
         return array(
             ENGINEBLOCK_FOLDER_APPLICATION . self::CONFIG_FILE_DEFAULT,
-            self::CONFIG_FILE_ENVIORNMENT,
+            self::CONFIG_FILE_ENVIRONMENT,
         );
     }
 
diff --git a/library/EngineBlock/ApplicationSingleton.php b/library/EngineBlock/ApplicationSingleton.php
index 2c76ee6ed3..61ee750793 100644
--- a/library/EngineBlock/ApplicationSingleton.php
+++ b/library/EngineBlock/ApplicationSingleton.php
@@ -38,7 +38,7 @@ class EngineBlock_ApplicationSingleton
     /**
      * @var Zend_Config
      */
-    protected $_configuration;
+    protected $_configuration = null;
 
     /**
      * @var Zend_Log
diff --git a/library/EngineBlock/Cache/FileCacheProxyAbstract.php b/library/EngineBlock/Cache/FileCacheProxyAbstract.php
index a4987651d5..b31b8b0b1d 100644
--- a/library/EngineBlock/Cache/FileCacheProxyAbstract.php
+++ b/library/EngineBlock/Cache/FileCacheProxyAbstract.php
@@ -1,4 +1,5 @@
 <?php
+
 abstract class EngineBlock_Cache_FileCacheProxyAbstract
 {
     /**
diff --git a/library/EngineBlock/Corto/Adapter.php b/library/EngineBlock/Corto/Adapter.php
index a8662db199..812cfaf1a8 100644
--- a/library/EngineBlock/Corto/Adapter.php
+++ b/library/EngineBlock/Corto/Adapter.php
@@ -318,7 +318,6 @@ protected function _configureProxyServer(EngineBlock_Corto_ProxyServer $proxySer
             'debug' => $application->getConfigurationValue('debug', false),
             'trace' => $application->getConfigurationValue('debug', false),
             'ConsentStoreValues' => $this->_getConsentConfigurationValue('storeValues', true),
-            'NoSupportedIDPError' => 'user',
             'rememberIdp' => '+3 months',
             'SigningAlgorithm' => '', // @todo Look this up
             'Processing' => array(
diff --git a/library/EngineBlock/Corto/Filter/Command/Abstract.php b/library/EngineBlock/Corto/Filter/Command/Abstract.php
index 7bb2f81fb9..a9144b2a0e 100644
--- a/library/EngineBlock/Corto/Filter/Command/Abstract.php
+++ b/library/EngineBlock/Corto/Filter/Command/Abstract.php
@@ -140,6 +140,5 @@ public function invariant()
                 'Missing collabPersonId'
             );
         }
-
     }
 }
diff --git a/library/EngineBlock/Corto/Filter/Command/AddEduPersonTargettedId.php b/library/EngineBlock/Corto/Filter/Command/AddEduPersonTargettedId.php
new file mode 100644
index 0000000000..e438cfb572
--- /dev/null
+++ b/library/EngineBlock/Corto/Filter/Command/AddEduPersonTargettedId.php
@@ -0,0 +1,46 @@
+<?php
+
+class EngineBlock_Corto_Filter_Command_AddEduPersonTargettedId extends EngineBlock_Corto_Filter_Command_Abstract
+{
+    /**
+     * This command may modify the response attributes
+     *
+     * @return array
+     */
+    public function getResponseAttributes()
+    {
+        return $this->_responseAttributes;
+    }
+
+    /**
+     * Resolve the eduPersonTargetedId we should send.
+     */
+    public function execute()
+    {
+        // Note that we try to service the final destination SP, if we know them and are allowed to do so.
+        $destinationMetadata = EngineBlock_SamlHelper::getDestinationSpMetadata(
+            $this->_spMetadata,
+            $this->_request,
+            $this->_server
+        );
+
+        // Resolve what NameID we should send the destination.
+        $resolver = new EngineBlock_Saml2_NameIdResolver();
+        $nameId = $resolver->resolve(
+            $this->_request,
+            $this->_response,
+            $destinationMetadata,
+            $this->_collabPersonId
+        );
+
+        // EPTID requires us to embed the <saml:NameID> element instead of just the value, so we generate that here.
+        $document = new DOMDocument();
+        $document->loadXML('<base />');
+        SAML2_Utils::addNameId($document->documentElement, $nameId);
+
+        // Add the eduPersonTargetedId attribute.
+        $this->_responseAttributes['urn:mace:dir:attribute-def:eduPersonTargetedID'] = array(
+            $document->documentElement->childNodes
+        );
+    }
+}
diff --git a/library/EngineBlock/Corto/Filter/Command/AttributeReleasePolicy.php b/library/EngineBlock/Corto/Filter/Command/AttributeReleasePolicy.php
index abbe8b7c6f..ad944b4821 100644
--- a/library/EngineBlock/Corto/Filter/Command/AttributeReleasePolicy.php
+++ b/library/EngineBlock/Corto/Filter/Command/AttributeReleasePolicy.php
@@ -14,18 +14,29 @@ public function getResponseAttributes()
 
     public function execute()
     {
-        $spEntityId = $this->_spMetadata['EntityID'];
-
         $serviceRegistryAdapter = $this->_getServiceRegistryAdapter();
-        $arp = $serviceRegistryAdapter->getArp($spEntityId);
-        if ($arp) {
-            EngineBlock_ApplicationSingleton::getLog()->info(
-                "Applying attribute release policy {$arp['name']} for $spEntityId"
-            );
-            $enforcer = new EngineBlock_Arp_AttributeReleasePolicyEnforcer();
-            $newAttributes = $enforcer->enforceArp($arp, $this->_responseAttributes);
-            $this->_responseAttributes = $newAttributes;
+        $logger = EngineBlock_ApplicationSingleton::getLog();
+        $enforcer = new EngineBlock_Arp_AttributeReleasePolicyEnforcer();
+        $attributes = $this->_responseAttributes;
+
+        // Get the Requester chain, which starts at the oldest (farthest away from us SP) and ends with our next hop.
+        $requesterChain = EngineBlock_SamlHelper::getSpRequesterChain($this->_spMetadata, $this->_request, $this->_server);
+        // Note that though we should traverse in reverse ordering, it doesn't make a difference.
+        // A then B filter or B then A filter are equivalent.
+        foreach ($requesterChain as $spMetadata) {
+            $spEntityId = $spMetadata['EntityID'];
+
+            $arp = $serviceRegistryAdapter->getArp($spEntityId);
+
+            if (!$arp) {
+                continue;
+            }
+
+            $logger->info("Applying attribute release policy {$arp['name']} for $spEntityId");
+            $attributes = $enforcer->enforceArp($arp, $attributes);
         }
+
+        $this->_responseAttributes = $attributes;
     }
 
     protected function _getServiceRegistryAdapter()
diff --git a/library/EngineBlock/Corto/Filter/Command/RunAttributeManipulations.php b/library/EngineBlock/Corto/Filter/Command/RunAttributeManipulations.php
index 3f450051b6..e24868ec43 100644
--- a/library/EngineBlock/Corto/Filter/Command/RunAttributeManipulations.php
+++ b/library/EngineBlock/Corto/Filter/Command/RunAttributeManipulations.php
@@ -6,13 +6,16 @@
 class EngineBlock_Corto_Filter_Command_RunAttributeManipulations extends EngineBlock_Corto_Filter_Command_Abstract
 {
     const TYPE_SP  = 'sp';
+    const TYPE_REQUESTER_SP = 'requester-sp';
     const TYPE_IDP = 'idp';
 
     private $_type;
 
-    function __construct($type = '')
+    function __construct($type)
     {
-        assert('in_array($type, array(self::TYPE_SP, self::TYPE_IDP, ""))');
+        if (!in_array($type, array(self::TYPE_SP, self::TYPE_IDP, self::TYPE_REQUESTER_SP))) {
+            throw new \EngineBlock_Exception("Invalid type for Attribute Manipulation: '$type'");
+        }
         $this->_type = $type;
     }
 
@@ -35,23 +38,37 @@ public function execute()
     {
         $this->_response->setIntendedNameId($this->_collabPersonId);
 
-        $entityId = ($this->_type === self::TYPE_IDP) ?
-            $this->_response->getIssuer() :
-            $this->_request->getIssuer();
+        if ($this->_type === self::TYPE_IDP) {
+            $entityId = $this->_response->getIssuer();
+            $spMetadata = $this->_spMetadata;
+        }
+        else if ($this->_type === self::TYPE_SP) {
+            $entityId = $this->_request->getIssuer();
+            $spMetadata = $this->_spMetadata;
+        }
+        else if ($this->_type === self::TYPE_REQUESTER_SP) {
+            $spMetadata = EngineBlock_SamlHelper::getDestinationSpMetadata($this->_spMetadata, $this->_request, $this->_server);
+            if ($spMetadata['EntityID'] === $this->_spMetadata['EntityID']) {
+                return;
+            }
+
+            $entityId = $spMetadata['EntityID'];
+        }
+        else {
+            throw new EngineBlock_Exception('Attribute Manipulator encountered an unexpected type: ' . $this->_type);
+        }
 
         // Try entity specific file based manipulation from Service Registry
         $manipulator = new EngineBlock_Attributes_Manipulator_ServiceRegistry($this->_type);
-        $manipulated = $manipulator->manipulate(
+        $manipulator->manipulate(
             $entityId,
             $this->_collabPersonId,
             $this->_responseAttributes,
             $this->_response,
             $this->_idpMetadata,
-            $this->_spMetadata
+            $spMetadata
         );
 
         $this->_response->setIntendedNameId($this->_collabPersonId);
-
-        return (bool)$manipulated;
     }
 }
diff --git a/library/EngineBlock/Corto/Filter/Command/SetNameId.php b/library/EngineBlock/Corto/Filter/Command/SetNameId.php
index cfc7a75b33..f3ac1ca4be 100644
--- a/library/EngineBlock/Corto/Filter/Command/SetNameId.php
+++ b/library/EngineBlock/Corto/Filter/Command/SetNameId.php
@@ -1,299 +1,37 @@
 <?php
 
+/**
+ * SetNameId command, sets the proper NameID for the Response.
+ *
+ * Note that because SAML2 Assertion Subject NameID elements are intended for the next hop only,
+ * we don't take SP proxies into account. Whatever OUR SP wants as a NameID is what it gets.
+ * If THEIR SP is known to us and wants a different NameID they'll just have to use the eduPersonTargettedId.
+ */
 class EngineBlock_Corto_Filter_Command_SetNameId extends EngineBlock_Corto_Filter_Command_Abstract
 {
-    const PERSISTENT_NAMEID_SALT = 'COIN:';
-
     /**
-     * Note the significant ordering, from least privacy sensitive to most privacy sensitive.
-     * See also:
-     * @url https://jira.surfconext.nl/jira/browse/BACKLOG-673
+     * This command may modify the response.
      *
-     * @var array
+     * @return EngineBlock_Saml2_ResponseAnnotationDecorator
      */
-    private $SUPPORTED_NAMEID_FORMATS = array(
-        EngineBlock_Urn::SAML2_0_NAMEID_FORMAT_PERSISTENT,
-        EngineBlock_Urn::SAML2_0_NAMEID_FORMAT_TRANSIENT,
-        EngineBlock_Urn::SAML1_1_NAMEID_FORMAT_UNSPECIFIED,
-        // @todo remove this as soon as it's no longer required to be supported for backwards compatibility
-        EngineBlock_Urn::SAML2_0_NAMEID_FORMAT_UNSPECIFIED
-    );
-
     public function getResponse()
     {
         return $this->_response;
     }
 
     /**
-     * This command may modify the response attributes
-     *
-     * @return array
+     * Resolve what NameID we should send to our SP and set it in the Assertion.
      */
-    public function getResponseAttributes()
-    {
-        return $this->_responseAttributes;
-    }
-
     public function execute()
     {
-        if ($this->_response->getCustomNameId()) {
-            $nameId = $this->_response->getCustomNameId();
-        }
-        else {
-            $nameIdFormat = $this->_getNameIdFormat($this->_request, $this->_spMetadata);
-
-            $requireUnspecified =
-                (
-                    $nameIdFormat === EngineBlock_Urn::SAML1_1_NAMEID_FORMAT_UNSPECIFIED
-                    || // @todo remove this as soon as it's no longer required to be supported for backwards compatibility
-                    $nameIdFormat === EngineBlock_Urn::SAML2_0_NAMEID_FORMAT_UNSPECIFIED
-                );
-            $requireTransient = ($nameIdFormat === EngineBlock_Urn::SAML2_0_NAMEID_FORMAT_TRANSIENT);
-
-            if ($requireUnspecified) {
-                $nameIdValue = $this->_response->getIntendedNameId();
-
-            } else if ($requireTransient) {
-                $nameIdValue = $this->_getTransientNameId(
-                    $this->_spMetadata['EntityID'], $this->_idpMetadata['EntityID']
-                );
-            } else {
-                $nameIdValue = $this->_getPersistentNameId(
-                    $this->_collabPersonId,
-                    $this->_spMetadata['EntityID']
-                );
-
-            }
-            $nameId = array(
-                'Format' => $nameIdFormat,
-                'Value'  => $nameIdValue,
-            );
-        }
-
-        // Adjust the NameID in the NEW response, set the collab:person uid
-        $this->_response->getAssertion()->setNameId($nameId);
-
-        $document = new DOMDocument();
-        $document->loadXML('<base />');
-        SAML2_Utils::addNameId($document->documentElement, $nameId);
-
-        // Add the eduPersonTargetedId
-        $this->_responseAttributes['urn:mace:dir:attribute-def:eduPersonTargetedID'] = array(
-            $document->documentElement->childNodes
-        );
-    }
-
-    /**
-     * Load transient Name ID from session or generate a new one
-     *
-     * @param string $spId
-     * @param string $idpId
-     * @return string
-     */
-    protected function _getTransientNameId($spId, $idpId)
-    {
-        $nameIdFromSession = $this->_getTransientNameIdFromSession($spId, $idpId);
-        if ($nameIdFromSession) {
-            return $nameIdFromSession;
-        }
-
-        $nameId = $this->_generateTransientNameId();
-
-        $this->_storeTransientNameIdToSession($nameId, $spId, $idpId);
-        return $nameId;
-    }
-
-    protected function _generateTransientNameId()
-    {
-        return sha1((string)mt_rand(0, mt_getrandmax()));
-    }
-
-    protected function _getTransientNameIdFromSession($spId, $idpId)
-    {
-        return isset($_SESSION[$spId][$idpId]) ? $_SESSION[$spId][$idpId] : false;
-    }
-
-    protected function _storeTransientNameIdToSession($nameId, $spId, $idpId)
-    {
-        // store to session
-        $_SESSION[$spId][$idpId] = $nameId;
-    }
-
-    protected function _getNameIdFormat($request, $spEntityMetadata)
-    {
-        // If a NameIDFormat was explicitly set in the ServiceRegistry, use that...
-        if (isset($spEntityMetadata['NameIDFormat'])) {
-            return $spEntityMetadata['NameIDFormat'];
-        }
-
-        // If the SP requests a specific NameIDFormat in their AuthnRequest
-        /** @var SAML2_AuthnRequest $request */
-        $nameIdPolicy = $request->getNameIdPolicy();
-        if (!empty($nameIdPolicy['Format'])) {
-            $mayUseRequestedNameIdFormat = true;
-            $requestedNameIdFormat = $nameIdPolicy['Format'];
-
-            // Do we support the NameID Format that the SP requests?
-            if (!in_array($requestedNameIdFormat, $this->SUPPORTED_NAMEID_FORMATS)) {
-                EngineBlock_ApplicationSingleton::getLog()->notice(
-                    "Whoa, SP '{$spEntityMetadata['EntityID']}' requested '{$requestedNameIdFormat}' " .
-                        "however we don't support that format, opting to try something else it supports " .
-                        "instead of sending an error. SP might not be happy with this violation of the spec " .
-                        "but it's probably a lot happier with a valid Response than an Error Response"
-                );
-                $mayUseRequestedNameIdFormat = false;
-            }
-
-            // Is this SP restricted to specific NameIDFormats?
-            if (isset($spEntityMetadata['NameIDFormats'])) {
-                if (!in_array($requestedNameIdFormat, $spEntityMetadata['NameIDFormats'])) {
-                    EngineBlock_ApplicationSingleton::getLog()->notice(
-                        "Whoa, SP '{$spEntityMetadata['EntityID']}' requested '{$requestedNameIdFormat}' " .
-                            "opting to try something else it supports " .
-                            "instead of sending an error. SP might not be happy with this violation of the spec " .
-                            "but it's probably a lot happier with a valid Response than an Error Response"
-                    );
-                        
-                    $mayUseRequestedNameIdFormat = false;
-                }
-            }
-
-            if ($mayUseRequestedNameIdFormat) {
-                return $requestedNameIdFormat;
-            }
-        }
-
-        // So neither a NameIDFormat is explicitly set in the metadata OR a (valid) NameIDPolicy is set in the AuthnRequest
-        // so we check what the SP supports (or what JANUS claims that it supports) and
-        // return the least privacy sensitive one.
-        if (!empty($spEntityMetadata['NameIDFormats'])) {
-            foreach ($this->SUPPORTED_NAMEID_FORMATS as $supportedNameIdFormat) {
-                if (in_array($supportedNameIdFormat, $spEntityMetadata['NameIDFormats'])) {
-                    return $supportedNameIdFormat;
-                }
-            }
-        }
-
-        throw new EngineBlock_Exception(
-            "Whoa, SP '{$spEntityMetadata['EntityID']}' has no NameIDFormat set, did send a (valid) NameIDPolicy and has no supported NameIDFormats set... I give up..." ,
-            EngineBlock_Exception::CODE_NOTICE
-        );
-    }
-
-    protected function _getPersistentNameId($originalCollabPersonId, $spEntityId)
-    {
-        $serviceProviderUuid = $this->_getServiceProviderUuid($spEntityId);
-        $userUuid            = $this->_getUserUuid($originalCollabPersonId);
-        $persistentId = $this->_fetchPersistentId($serviceProviderUuid, $userUuid);
-
-        if (!$persistentId) {
-            $persistentId = $this->_generatePersistentId($serviceProviderUuid, $userUuid);
-            $this->_storePersistentId($persistentId, $serviceProviderUuid, $userUuid);
-        }
-        return $persistentId;
-    }
-
-    protected function _getServiceProviderUuid($spEntityId)
-    {
-        $uuid = $this->_fetchServiceProviderUuid($spEntityId);
-
-        if ($uuid) {
-            return $uuid;
-        }
-
-        $uuid = (string)Surfnet_Zend_Uuid::generate();
-        $this->_storeServiceProviderUuid($spEntityId, $uuid);
-
-        return $uuid;
-    }
-
-    protected function _fetchServiceProviderUuid($spEntityId)
-    {
-        $statement = $this->_getDb()->prepare(
-            'SELECT uuid FROM service_provider_uuid WHERE service_provider_entity_id=?'
+        $resolver = new EngineBlock_Saml2_NameIdResolver();
+        $nameId = $resolver->resolve(
+            $this->_request,
+            $this->_response,
+            $this->_spMetadata,
+            $this->_collabPersonId
         );
-        $statement->execute(array($spEntityId));
-        $result = $statement->fetchAll();
-
-        if (count($result) > 1) {
-            throw new EngineBlock_Exception('Multiple SP UUIDs found? For: SP: ' . $spEntityId);
-        }
-
-        return isset($result[0]['uuid']) ? $result[0]['uuid'] : false;
-    }
 
-    protected function _storeServiceProviderUuid($spEntityId, $uuid)
-    {
-        $this->_getDb()->prepare(
-            'INSERT INTO service_provider_uuid (uuid, service_provider_entity_id) VALUES (?,?)'
-        )->execute(
-            array(
-                $uuid,
-                $spEntityId,
-            )
-        );
-    }
-
-    protected function _fetchPersistentId($serviceProviderUuid, $userUuid)
-    {
-        $statement = $this->_getDb()->prepare(
-            "SELECT persistent_id FROM saml_persistent_id WHERE service_provider_uuid = ? AND user_uuid = ?"
-        );
-        $statement->execute(array($serviceProviderUuid, $userUuid));
-        $result = $statement->fetchAll();
-        if (count($result) > 1) {
-            throw new EngineBlock_Exception(
-                'Multiple persistent IDs found? For: SPUUID: ' . $serviceProviderUuid . ' and user UUID: ' . $userUuid
-            );
-        }
-        return isset($result[0]['persistent_id']) ? $result[0]['persistent_id'] : false;
-    }
-
-    protected function _generatePersistentId($serviceProviderUuid, $userUuid)
-    {
-        return sha1(self::PERSISTENT_NAMEID_SALT . $userUuid . $serviceProviderUuid);
-    }
-
-    protected function _storePersistentId($persistentId, $serviceProviderUuid, $userUuid)
-    {
-        $statement = $this->_getDb()->prepare(
-            "INSERT INTO saml_persistent_id (persistent_id, service_provider_uuid, user_uuid) VALUES (?,?,?)"
-        );
-        $statement->execute(array($persistentId, $serviceProviderUuid, $userUuid));
-    }
-
-    protected function _getDb()
-    {
-        static $s_db;
-        if ($s_db) {
-            return $s_db;
-        }
-
-        $factory = new EngineBlock_Database_ConnectionFactory();
-        $s_db = $factory->create(EngineBlock_Database_ConnectionFactory::MODE_WRITE);
-
-        return $s_db;
-    }
-
-    protected function _getUserUuid($collabPersonId)
-    {
-        $userDirectory = $this->_getUserDirectory();
-        $users = $userDirectory->findUsersByIdentifier($collabPersonId);
-        if (count($users) > 1) {
-            throw new EngineBlock_Exception('Multiple users found for collabPersonId: ' . $collabPersonId);
-        }
-
-        if (count($users) < 1) {
-            throw new EngineBlock_Exception('No users found for collabPersonId: ' . $collabPersonId);
-        }
-
-        return $users[0]['collabpersonuuid'];
-    }
-
-    protected function _getUserDirectory()
-    {
-        return new EngineBlock_UserDirectory(
-            EngineBlock_ApplicationSingleton::getInstance()->getConfiguration()->ldap
-        );
+        $this->_response->getAssertion()->setNameId($nameId);
     }
 }
diff --git a/library/EngineBlock/Corto/Filter/Command/ValidateSuccessfulResponse.php b/library/EngineBlock/Corto/Filter/Command/ValidateSuccessfulResponse.php
index 0185ba2bd1..0292604d4b 100644
--- a/library/EngineBlock/Corto/Filter/Command/ValidateSuccessfulResponse.php
+++ b/library/EngineBlock/Corto/Filter/Command/ValidateSuccessfulResponse.php
@@ -5,26 +5,30 @@
  */
 class EngineBlock_Corto_Filter_Command_ValidateSuccessfulResponse extends EngineBlock_Corto_Filter_Command_Abstract
 {
-    const SAML2_STATUS_CODE_SUCCESS = 'urn:oasis:names:tc:SAML:2.0:status:Success';
-
     public function execute()
     {
         $status = $this->_response->getStatus();
-        $statusCode = $status['Code'];
-        if ($statusCode !== self::SAML2_STATUS_CODE_SUCCESS) {
-            // Idp returned an error
-            $statusMessage = !empty($status['Message']) ? $status['Message'] : '(No message provided)';
-
-            $exception = new EngineBlock_Corto_Exception_ReceivedErrorStatusCode(
-                'Response received with Status: ' .
-                    $statusCode .
-                    ' - ' .
-                    $statusMessage
-            );
-            $exception->setFeedbackStatusCode($statusCode);
-            $exception->setFeedbackStatusMessage($statusMessage);
+        if ($status['Code'] === \SAML2_Const::STATUS_SUCCESS) {
+            return;
+        }
 
-            throw $exception;
+        $statusCodeDescription = $status['Code'];
+        if (isset($status['SubCode'])) {
+            $statusCodeDescription .= '/' . $status['SubCode'];
         }
+        $statusCodeDescription = str_replace('urn:oasis:names:tc:SAML:2.0:status:', '', $statusCodeDescription);
+
+        $statusMessage = !empty($status['Message']) ? $status['Message'] : '(No message provided)';
+
+        $exception = new EngineBlock_Corto_Exception_ReceivedErrorStatusCode(
+            'Response received with Status: ' .
+                $statusCodeDescription .
+                ' - ' .
+                $statusMessage
+        );
+        $exception->setFeedbackStatusCode($statusCodeDescription);
+        $exception->setFeedbackStatusMessage($statusMessage);
+
+        throw $exception;
     }
 }
diff --git a/library/EngineBlock/Corto/Filter/Input.php b/library/EngineBlock/Corto/Filter/Input.php
index 9abf1a9da8..7a9402be9a 100644
--- a/library/EngineBlock/Corto/Filter/Input.php
+++ b/library/EngineBlock/Corto/Filter/Input.php
@@ -43,6 +43,9 @@ protected function _getCommands()
 
             // Provision the User to LDAP and figure out the collabPersonId
             new EngineBlock_Corto_Filter_Command_ProvisionUser(),
+
+            // Apply the Attribute Release Policy before we do consent.
+            new EngineBlock_Corto_Filter_Command_AttributeReleasePolicy(),
         );
     }
 }
\ No newline at end of file
diff --git a/library/EngineBlock/Corto/Filter/Output.php b/library/EngineBlock/Corto/Filter/Output.php
index 5cc696b2be..0d292cd395 100644
--- a/library/EngineBlock/Corto/Filter/Output.php
+++ b/library/EngineBlock/Corto/Filter/Output.php
@@ -27,17 +27,22 @@ protected function _getCommands()
             // Add collabPersonId attribute
             new EngineBlock_Corto_Filter_Command_AddCollabPersonIdAttribute(),
 
-            // Apply ARP before we add the OID variants
-            new EngineBlock_Corto_Filter_Command_AttributeReleasePolicy(),
-
             // Run custom attribute manipulations
             new EngineBlock_Corto_Filter_Command_RunAttributeManipulations(
                 EngineBlock_Corto_Filter_Command_RunAttributeManipulations::TYPE_SP
             ),
 
+            // Run custom attribute manipulations in case we are behind a trusted proxy.
+            new EngineBlock_Corto_Filter_Command_RunAttributeManipulations(
+                EngineBlock_Corto_Filter_Command_RunAttributeManipulations::TYPE_REQUESTER_SP
+            ),
+
             // Set the persistent Identifier for this user on this SP
             new EngineBlock_Corto_Filter_Command_SetNameId(),
 
+            // Add the appropriate NameID to the 'eduPeronTargetedID'.
+            new EngineBlock_Corto_Filter_Command_AddEduPersonTargettedId(),
+
             // Apply ARP to custom added attributes one last time for the eduPersonTargetedId
             new EngineBlock_Corto_Filter_Command_AttributeReleasePolicy(),
 
diff --git a/library/EngineBlock/Corto/Mapper/ServiceRegistry/KeyValue.php b/library/EngineBlock/Corto/Mapper/ServiceRegistry/KeyValue.php
index 95f5f76363..8119692c54 100644
--- a/library/EngineBlock/Corto/Mapper/ServiceRegistry/KeyValue.php
+++ b/library/EngineBlock/Corto/Mapper/ServiceRegistry/KeyValue.php
@@ -42,6 +42,11 @@ public function fromKeyValue(array $serviceRegistryEntity)
                 $cortoEntity['VoContext'] = $serviceRegistryEntity['coin:implicit_vo_id'];
             }
 
+            $cortoEntity['TrustedProxy'] = FALSE;
+            if (isset($serviceRegistryEntity['coin:trusted_proxy'])) {
+                $cortoEntity['TrustedProxy'] = TRUE;
+            }
+
             // show all IdP's in the WAYF
             if (isset($serviceRegistryEntity['coin:display_unconnected_idps_wayf'])) {
                 $cortoEntity['DisplayUnconnectedIdpsWayf'] = $serviceRegistryEntity['coin:display_unconnected_idps_wayf'];
diff --git a/library/EngineBlock/Corto/Model/Consent.php b/library/EngineBlock/Corto/Model/Consent.php
index 7cee1982c0..7f7385493c 100644
--- a/library/EngineBlock/Corto/Model/Consent.php
+++ b/library/EngineBlock/Corto/Model/Consent.php
@@ -21,27 +21,16 @@ class EngineBlock_Corto_Model_Consent
      */
     private $_responseAttributes;
 
-    /**
-     * @var EngineBlock_Corto_Filter_Command_Factory
-     */
-    private $_filterCommandFactory;
-
     /**
      * @var EngineBlock_Database_ConnectionFactory
      */
     private $_databaseConnectionFactory;
 
-    /**
-     * @var array
-     */
-    private $_filteredResponseAttributes;
-
     /**
      * @param string $tableName
      * @param bool $mustStoreValues
      * @param EngineBlock_Saml2_ResponseAnnotationDecorator $response
      * @param array $responseAttributes
-     * @param EngineBlock_Corto_Filter_Command_Factory $filterCommandFactory
      * @param EngineBlock_Database_ConnectionFactory $databaseConnectionFactory
      */
     public function __construct(
@@ -49,7 +38,6 @@ public function __construct(
         $mustStoreValues,
         EngineBlock_Saml2_ResponseAnnotationDecorator $response,
         array $responseAttributes,
-        EngineBlock_Corto_Filter_Command_Factory $filterCommandFactory,
         EngineBlock_Database_ConnectionFactory $databaseConnectionFactory
     )
     {
@@ -57,48 +45,24 @@ public function __construct(
         $this->_mustStoreValues = $mustStoreValues;
         $this->_response = $response;
         $this->_responseAttributes = $responseAttributes;
-        $this->_filterCommandFactory = $filterCommandFactory;
         $this->_databaseConnectionFactory = $databaseConnectionFactory;
     }
 
-    /**
-     * @return array
-     */
-    public function getFilteredResponseAttributes()
-    {
-        return $this->_filteredResponseAttributes;
-    }
-
-    /**
-     * @param array $spMetadata
-     * @return array
-     */
-    public function applyArp(array $spMetadata)
-    {
-        $arpFilter = $this->_filterCommandFactory->create('AttributeReleasePolicy');
-        $arpFilter->setSpMetadata($spMetadata);
-        $arpFilter->setResponseAttributes($this->_responseAttributes);
-        $arpFilter->execute();
-        return $arpFilter->getResponseAttributes();
-    }
-
-    public function hasStoredConsent($serviceProviderEntityId, $spMetadata)
+    public function hasStoredConsent($spMetadata)
     {
         try {
-            $this->_filteredResponseAttributes = $this->applyArp($spMetadata);
-
             $dbh = $this->_getConsentDatabaseConnection();
             if (!$dbh) {
                 return false;
             }
 
-            $attributesHash = $this->_getAttributesHash($this->_filteredResponseAttributes);
+            $attributesHash = $this->_getAttributesHash($this->_responseAttributes);
 
             $query = "SELECT * FROM {$this->_tableName} WHERE hashed_user_id = ? AND service_id = ? AND attribute = ?";
             $hashedUserId = sha1($this->_getConsentUid());
             $parameters = array(
                 $hashedUserId,
-                $serviceProviderEntityId,
+                $spMetadata['EntityID'],
                 $attributesHash
             );
 
@@ -116,7 +80,7 @@ public function hasStoredConsent($serviceProviderEntityId, $spMetadata)
             $statement = $dbh->prepare("UPDATE LOW_PRIORITY {$this->_tableName} SET usage_date = NOW() WHERE hashed_user_id = ? AND service_id = ?");
             $statement->execute(array(
                 $hashedUserId,
-                $serviceProviderEntityId,
+                $spMetadata['EntityID'],
              ));
 
             return true;
@@ -128,10 +92,8 @@ public function hasStoredConsent($serviceProviderEntityId, $spMetadata)
         }
     }
 
-    public function storeConsent($serviceProviderEntityId, $spMetadata)
+    public function storeConsent($spMetadata)
     {
-        $this->_filteredResponseAttributes = $this->applyArp($spMetadata);
-
         $dbh = $this->_getConsentDatabaseConnection();
         if (!$dbh) {
             return false;
@@ -142,8 +104,8 @@ public function storeConsent($serviceProviderEntityId, $spMetadata)
                   ON DUPLICATE KEY UPDATE usage_date=VALUES(usage_date), attribute=VALUES(attribute)";
         $parameters = array(
             sha1($this->_getConsentUid()),
-            $serviceProviderEntityId,
-            $this->_getAttributesHash($this->_filteredResponseAttributes)
+            $spMetadata['EntityID'],
+            $this->_getAttributesHash($this->_responseAttributes)
         );
 
         $statement = $dbh->prepare($query);
diff --git a/library/EngineBlock/Corto/Model/Consent/Factory.php b/library/EngineBlock/Corto/Model/Consent/Factory.php
index e7973f332f..94969b10f7 100644
--- a/library/EngineBlock/Corto/Model/Consent/Factory.php
+++ b/library/EngineBlock/Corto/Model/Consent/Factory.php
@@ -28,7 +28,7 @@ public function __construct(
      * Creates a new Consent instance
      *
      * @param EngineBlock_Corto_ProxyServer $proxyServer
-     * @param array $response
+     * @param EngineBlock_Saml2_ResponseAnnotationDecorator $response
      * @param array $attributes
      * @return EngineBlock_Corto_Model_Consent
      */
@@ -42,7 +42,6 @@ public function create(
             $proxyServer->getConfig('ConsentStoreValues', true),
             $response,
             $attributes,
-            $this->_filterCommandFactory,
             $this->_databaseConnectionFactory
         );
     }
diff --git a/library/EngineBlock/Corto/Module/Bindings.php b/library/EngineBlock/Corto/Module/Bindings.php
index e3e6c10aab..0159b458e7 100644
--- a/library/EngineBlock/Corto/Module/Bindings.php
+++ b/library/EngineBlock/Corto/Module/Bindings.php
@@ -1,32 +1,8 @@
 <?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
 
 /**
  * The bindings module for Corto, which implements support for various data
  * bindings.
- * @author Boy
  */
 class EngineBlock_Corto_Module_Bindings extends EngineBlock_Corto_Module_Abstract
 {
@@ -243,20 +219,11 @@ public function receiveResponse()
         // Detect the binding being used from the global variables (GET, POST, SERVER)
         $sspBinding = SAML2_Binding::getCurrentBinding();
 
-        // We only support HTTP-Post and HTTP-Redirect bindings
-        if (!($sspBinding instanceof SAML2_HTTPPost || $sspBinding instanceof SAML2_HTTPRedirect)) {
-            throw new EngineBlock_Corto_Module_Bindings_UnsupportedBindingException(
-                'Unsupported Binding used',
-                EngineBlock_Exception::CODE_NOTICE
-            );
-        }
-        /** @var SAML2_HTTPPost|SAML2_HTTPRedirect $sspBinding */
-
         // Receive a message from the binding
         $sspResponse = $sspBinding->receive();
         if (!($sspResponse instanceof SAML2_Response)) {
             throw new EngineBlock_Corto_Module_Bindings_Exception(
-                'Unsupported Message received',
+                'Unsupported Message received: ' . get_class($sspResponse),
                 EngineBlock_Exception::CODE_NOTICE
             );
         }
@@ -284,6 +251,14 @@ public function receiveResponse()
         // Remember idp for debugging
         $_SESSION['currentIdentityProvider'] = $idpEntityId;
 
+        // We only support HTTP-POST binding for Responses
+        if (!$sspBinding instanceof SAML2_HTTPPost) {
+            throw new EngineBlock_Corto_Module_Bindings_UnsupportedBindingException(
+                'Unsupported Binding used: ' . get_class($sspBinding),
+                EngineBlock_Exception::CODE_NOTICE
+            );
+        }
+
         // Verify that we know this IdP and have metadata for it.
         $cortoIdpMetadata = $this->_verifyKnownMessageIssuer(
             $idpEntityId,
@@ -335,13 +310,24 @@ public function receiveResponse()
                 $e
             );
         }
-        // General Response whackiness (like Destinations not matching)
         catch (Exception $e) {
-            throw new EngineBlock_Corto_Module_Bindings_VerificationException(
-                $e->getMessage(),
-                EngineBlock_Exception::CODE_NOTICE,
-                $e
-            );
+            // Signature could not be verified by SSP
+            if ($e->getMessage() === "Unable to validate Signature") {
+                throw new EngineBlock_Corto_Module_Bindings_SignatureVerificationException(
+                    $e->getMessage(),
+                    EngineBlock_Exception::CODE_WARNING,
+                    $e
+                );
+            }
+            else {
+                // General Response whackiness (like Destinations not matching)
+                throw new EngineBlock_Corto_Module_Bindings_VerificationException(
+                    $e->getMessage(),
+                    EngineBlock_Exception::CODE_NOTICE,
+                    $e
+                );
+            }
+
         }
 
         return new EngineBlock_Saml2_ResponseAnnotationDecorator($sspResponse);
diff --git a/library/EngineBlock/Corto/Module/Bindings/SignatureVerificationException.php b/library/EngineBlock/Corto/Module/Bindings/SignatureVerificationException.php
new file mode 100644
index 0000000000..063780cb7d
--- /dev/null
+++ b/library/EngineBlock/Corto/Module/Bindings/SignatureVerificationException.php
@@ -0,0 +1,8 @@
+<?php
+
+/**
+ * Class for binding module signature verification exceptions.
+ */
+class EngineBlock_Corto_Module_Bindings_SignatureVerificationException extends EngineBlock_Corto_Module_Bindings_VerificationException
+{
+}
\ No newline at end of file
diff --git a/library/EngineBlock/Corto/Module/Bindings/VerificationException.php b/library/EngineBlock/Corto/Module/Bindings/VerificationException.php
index 316b68496f..53eb373cf2 100644
--- a/library/EngineBlock/Corto/Module/Bindings/VerificationException.php
+++ b/library/EngineBlock/Corto/Module/Bindings/VerificationException.php
@@ -2,7 +2,6 @@
 
 /**
  * Class for binding module verification exceptions.
- * @author Boy
  */
 class EngineBlock_Corto_Module_Bindings_VerificationException extends EngineBlock_Corto_Module_Bindings_Exception
 {
diff --git a/library/EngineBlock/Corto/Module/Service/AssertionConsumer.php b/library/EngineBlock/Corto/Module/Service/AssertionConsumer.php
index d0d3fcd44d..87055dcde0 100644
--- a/library/EngineBlock/Corto/Module/Service/AssertionConsumer.php
+++ b/library/EngineBlock/Corto/Module/Service/AssertionConsumer.php
@@ -5,16 +5,14 @@ class EngineBlock_Corto_Module_Service_AssertionConsumer extends EngineBlock_Cor
     public function serve($serviceName)
     {
         $receivedResponse = $this-> _server->getBindingsModule()->receiveResponse();
-        $receivedRequest = $this->_server->getReceivedRequestFromResponse(
-            $receivedResponse->getInResponseTo()
-        );
+        $receivedRequest = $this->_server->getReceivedRequestFromResponse($receivedResponse);
 
         // Flush log if SP or IdP has additional logging enabled
         $sp = $this->_server->getRemoteEntity($receivedRequest->getIssuer());
         $idp = $this->_server->getRemoteEntity($receivedResponse->getIssuer());
         if (
             $this->_server->getConfig('debug', false) ||
-            EngineBlock_SamlHelper::doRemoteEntitiesRequireAdditionalLogging($sp, $idp)
+            EngineBlock_SamlHelper::doRemoteEntitiesRequireAdditionalLogging(array($sp, $idp))
         ) {
             EngineBlock_ApplicationSingleton::getInstance()->getLogInstance()->flushQueue();
         }
@@ -55,10 +53,6 @@ public function serve($serviceName)
             $newResponse->setDeliverByBinding($firstProcessingEntity['Binding']);
             $newResponse->setReturn($this->_server->getUrl('processedAssertionConsumerService'));
 
-            $attributes = $newResponse->getAssertion()->getAttributes();
-            $attributes['urn:org:openconext:corto:internal:sp-entity-id'] = array($receivedRequest->getIssuer());
-            $newResponse->getAssertion()->setAttributes($attributes);
-
             $this->_server->getBindingsModule()->send($newResponse, $firstProcessingEntity);
         }
         else {
diff --git a/library/EngineBlock/Corto/Module/Service/ContinueToIdp.php b/library/EngineBlock/Corto/Module/Service/ContinueToIdp.php
index 784d5b6f89..d2f4b16eb3 100644
--- a/library/EngineBlock/Corto/Module/Service/ContinueToIdp.php
+++ b/library/EngineBlock/Corto/Module/Service/ContinueToIdp.php
@@ -5,9 +5,10 @@ class EngineBlock_Corto_Module_Service_ContinueToIdp extends EngineBlock_Corto_M
     /**
      * Handle the forwarding of the user to the proper IdP0 after the WAYF screen.
      *
+     * @param string $serviceName
      * @throws EngineBlock_Corto_Module_Services_Exception
+     * @throws EngineBlock_Exception
      * @throws EngineBlock_Corto_Module_Services_SessionLostException
-     * @return void
      */
     public function serve($serviceName)
     {
@@ -20,20 +21,28 @@ public function serve($serviceName)
 
         // Retrieve the request from the session.
         $id      = $_POST['ID'];
-        if (!isset($_SESSION[$id]['SAMLRequest'])) {
+        if (!$id) {
+            throw new EngineBlock_Exception(
+                'Missing ID for AuthnRequest after WAYF',
+                EngineBlock_Exception::CODE_NOTICE
+            );
+        }
+
+        $authnRequestRepository = new EngineBlock_Saml2_AuthnRequestSessionRepository($this->_server->getSessionLog());
+        $request = $authnRequestRepository->findRequestById($id);
+
+        if (!$request) {
             throw new EngineBlock_Corto_Module_Services_SessionLostException(
                 'Session lost after WAYF'
             );
         }
-        /** @var EngineBlock_Saml2_AuthnRequestAnnotationDecorator $request */
-        $request = $_SESSION[$id]['SAMLRequest'];
 
         // Flush log if SP or IdP has additional logging enabled
         $sp = $this->_server->getRemoteEntity($request->getIssuer());
         $idp = $this->_server->getRemoteEntity($selectedIdp);
         if (
             $this->_server->getConfig('debug', false) ||
-            EngineBlock_SamlHelper::doRemoteEntitiesRequireAdditionalLogging($sp, $idp)
+            EngineBlock_SamlHelper::doRemoteEntitiesRequireAdditionalLogging(array($sp, $idp))
         ) {
             EngineBlock_ApplicationSingleton::getInstance()->getLogInstance()->flushQueue();
         }
diff --git a/library/EngineBlock/Corto/Module/Service/ProcessConsent.php b/library/EngineBlock/Corto/Module/Service/ProcessConsent.php
index 47341385bb..268a3c6796 100644
--- a/library/EngineBlock/Corto/Module/Service/ProcessConsent.php
+++ b/library/EngineBlock/Corto/Module/Service/ProcessConsent.php
@@ -5,29 +5,45 @@ class EngineBlock_Corto_Module_Service_ProcessConsent
 {
     const INTRODUCTION_EMAIL = 'introduction_email';
 
-    /** @var \EngineBlock_Corto_ProxyServer */
+    /**
+     * @var \EngineBlock_Corto_ProxyServer
+     */
     protected $_server;
 
-    /** @var EngineBlock_Corto_XmlToArray */
+    /**
+     * @var \EngineBlock_Corto_XmlToArray
+     */
     protected $_xmlConverter;
 
-    /** @var EngineBlock_Corto_Model_Consent_Factory */
+    /**
+     * @var EngineBlock_Corto_Model_Consent_Factory
+     */
     private $_consentFactory;
 
-    /** @var EngineBlock_Mail_Mailer */
+    /**
+     * @var EngineBlock_Mail_Mailer
+     */
     private $_mailer;
 
-    /** @var EngineBlock_User_PreferredNameAttributeFilter */
+    /**
+     * @var EngineBlock_User_PreferredNameAttributeFilter
+     */
     private $_preferredNameAttributeFilter;
 
+    /**
+     * @param EngineBlock_Corto_ProxyServer $server
+     * @param EngineBlock_Corto_XmlToArray $xmlConverter
+     * @param EngineBlock_Corto_Model_Consent_Factory $consentFactory
+     * @param EngineBlock_Mail_Mailer $mailer
+     * @param EngineBlock_User_PreferredNameAttributeFilter $preferredNameAttributeFilter
+     */
     public function __construct(
         EngineBlock_Corto_ProxyServer $server,
         EngineBlock_Corto_XmlToArray $xmlConverter,
         EngineBlock_Corto_Model_Consent_Factory $consentFactory,
         EngineBlock_Mail_Mailer $mailer,
         EngineBlock_User_PreferredNameAttributeFilter $preferredNameAttributeFilter
-    )
-    {
+    ) {
         $this->_server = $server;
         $this->_xmlConverter = $xmlConverter;
         $this->_consentFactory = $consentFactory;
@@ -48,16 +64,18 @@ public function serve($serviceName)
         /** @var SAML2_Response|EngineBlock_Saml2_ResponseAnnotationDecorator $response */
         $response = $_SESSION['consent'][$_POST['ID']]['response'];
 
-        $attributes = $response->getAssertion()->getAttributes();
-        $serviceProviderEntityId = $attributes['urn:org:openconext:corto:internal:sp-entity-id'][0];
-        unset($attributes['urn:org:openconext:corto:internal:sp-entity-id']);
+        $request = $this->_server->getReceivedRequestFromResponse($response);
+        $spMetadata = $this->_server->getRemoteEntity($request->getIssuer());
+
+        $destinationMetadata = EngineBlock_SamlHelper::getDestinationSpMetadata($spMetadata, $request, $this->_server);
 
         if (!isset($_POST['consent']) || $_POST['consent'] !== 'yes') {
             throw new EngineBlock_Corto_Exception_NoConsentProvided('No consent given...');
         }
 
+        $attributes = $response->getAssertion()->getAttributes();
         $consent = $this->_consentFactory->create($this->_server, $response, $attributes);
-        $consent->storeConsent($serviceProviderEntityId, $this->_server->getRemoteEntity($serviceProviderEntityId));
+        $consent->storeConsent($destinationMetadata);
         if ($consent->countTotalConsent($response, $attributes) === 1) {
             $this->_sendIntroductionMail($response, $attributes);
         }
@@ -68,7 +86,7 @@ public function serve($serviceName)
 
         $this->_server->getBindingsModule()->send(
             $response,
-            $this->_server->getRemoteEntity($serviceProviderEntityId)
+            $spMetadata
         );
     }
 
diff --git a/library/EngineBlock/Corto/Module/Service/ProcessedAssertionConsumer.php b/library/EngineBlock/Corto/Module/Service/ProcessedAssertionConsumer.php
index 15ab96e636..5b92d526d4 100644
--- a/library/EngineBlock/Corto/Module/Service/ProcessedAssertionConsumer.php
+++ b/library/EngineBlock/Corto/Module/Service/ProcessedAssertionConsumer.php
@@ -5,7 +5,7 @@ class EngineBlock_Corto_Module_Service_ProcessedAssertionConsumer extends Engine
     public function serve($serviceName)
     {
         $response = $this->_server->getBindingsModule()->receiveResponse();
-        $receivedRequest = $this->_server->getReceivedRequestFromResponse($response->getInResponseTo());
+        $receivedRequest = $this->_server->getReceivedRequestFromResponse($response);
 
         if ($receivedRequest->getKeyId()) {
             $this->_server->setKeyId($receivedRequest->getKeyId());
@@ -19,7 +19,7 @@ public function serve($serviceName)
         $idp = $this->_server->getRemoteEntity($response->getOriginalIssuer());
         if (
             $this->_server->getConfig('debug', false) ||
-            EngineBlock_SamlHelper::doRemoteEntitiesRequireAdditionalLogging($sp, $idp)
+            EngineBlock_SamlHelper::doRemoteEntitiesRequireAdditionalLogging(array($sp, $idp))
         ) {
             EngineBlock_ApplicationSingleton::getInstance()->getLogInstance()->flushQueue();
         }
@@ -45,10 +45,6 @@ public function serve($serviceName)
             $response->setDeliverByBinding($_SESSION['Processing'][$receivedRequest->getId()]['OriginalBinding']);
             $response->setOriginalIssuer($_SESSION['Processing'][$receivedRequest->getId()]['OriginalIssuer']);
 
-            $attributes = $response->getAssertion()->getAttributes();
-            unset($attributes['urn:org:openconext:corto:internal:sp-entity-id']);
-            $response->getAssertion()->setAttributes($attributes);
-
             $this->_server->unsetProcessingMode();
 
             // Cache the response
diff --git a/library/EngineBlock/Corto/Module/Service/ProvideConsent.php b/library/EngineBlock/Corto/Module/Service/ProvideConsent.php
index 96e3e137b5..e680a1a01c 100644
--- a/library/EngineBlock/Corto/Module/Service/ProvideConsent.php
+++ b/library/EngineBlock/Corto/Module/Service/ProvideConsent.php
@@ -34,25 +34,25 @@ public function serve($serviceName)
         $response = $this->_server->getBindingsModule()->receiveResponse();
         $_SESSION['consent'][$response->getId()]['response'] = $response;
 
-        $attributes = $response->getAssertion()->getAttributes();
-
-        $serviceProviderEntityId = $attributes['urn:org:openconext:corto:internal:sp-entity-id'][0];
-
-        unset($attributes['urn:org:openconext:corto:internal:sp-entity-id']);
-        $spEntityMetadata = $this->_server->getRemoteEntity($serviceProviderEntityId);
+        $request = $this->_server->getReceivedRequestFromResponse($response);
+        $spEntityMetadata = $this->_server->getRemoteEntity($request->getIssuer());
+        $spMetadataChain = EngineBlock_SamlHelper::getSpRequesterChain($spEntityMetadata, $request, $this->_server);
 
         $identityProviderEntityId = $response->getOriginalIssuer();
         $idpEntityMetadata = $this->_server->getRemoteEntity($identityProviderEntityId);
 
         // Flush log if SP or IdP has additional logging enabled
+        $requireAdditionalLogging = EngineBlock_SamlHelper::doRemoteEntitiesRequireAdditionalLogging(
+            array_merge($spMetadataChain, array($idpEntityMetadata))
+        );
         if (
             $this->_server->getConfig('debug', false) ||
-            EngineBlock_SamlHelper::doRemoteEntitiesRequireAdditionalLogging($spEntityMetadata, $idpEntityMetadata)
+            $requireAdditionalLogging
         ) {
             EngineBlock_ApplicationSingleton::getInstance()->getLogInstance()->flushQueue();
         }
 
-        if ($this->isConsentDisabled($spEntityMetadata, $idpEntityMetadata, $serviceProviderEntityId))   {
+        if ($this->isConsentDisabled($spMetadataChain, $idpEntityMetadata))   {
             $response->setConsent(SAML2_Const::CONSENT_INAPPLICABLE);
 
             $response->setDestination($response->getReturn());
@@ -65,8 +65,11 @@ public function serve($serviceName)
             return;
         }
 
+        $consentDestinationEntityMetadata = $spMetadataChain[0];
+
+        $attributes = $response->getAssertion()->getAttributes();
         $consent = $this->_consentFactory->create($this->_server, $response, $attributes);
-        $priorConsent = $consent->hasStoredConsent($serviceProviderEntityId, $spEntityMetadata);
+        $priorConsent = $consent->hasStoredConsent($consentDestinationEntityMetadata);
         if ($priorConsent) {
             $response->setConsent(SAML2_Const::CONSENT_PRIOR);
 
@@ -85,24 +88,28 @@ public function serve($serviceName)
             array(
                 'action'    => $this->_server->getUrl('processConsentService'),
                 'ID'        => $response->getId(),
-                'attributes'=> $consent->getFilteredResponseAttributes(),
-                'sp'        => $spEntityMetadata,
+                'attributes'=> $attributes,
+                'sp'        => $consentDestinationEntityMetadata,
                 'idp'       => $idpEntityMetadata,
             ));
         $this->_server->sendOutput($html);
     }
 
     /**
-     * @param array $spEntityMetadata
+     * @param array[] $spEntities
      * @param array $idpEntityMetadata
-     * @param $serviceProviderEntityId
      * @return bool
      */
-    private function isConsentDisabled(array $spEntityMetadata, array $idpEntityMetadata, $serviceProviderEntityId)
+    private function isConsentDisabled(array $spEntities, array $idpEntityMetadata)
     {
-        if ($this->isConsentGloballyDisabled($spEntityMetadata)
-            || $this->isConsentDisabledByIdpForCurrentSp($idpEntityMetadata, $serviceProviderEntityId) ) {
-            return true;
+        foreach ($spEntities as $spEntityMetadata) {
+            if ($this->isConsentGloballyDisabled($spEntityMetadata)) {
+                return true;
+            }
+
+            if ($this->isConsentDisabledByIdpForCurrentSp($idpEntityMetadata, $spEntityMetadata['EntityID'])) {
+                return true;
+            }
         }
 
         return false;
diff --git a/library/EngineBlock/Corto/Module/Service/SingleSignOn.php b/library/EngineBlock/Corto/Module/Service/SingleSignOn.php
index 1eb170c9b3..408881f811 100644
--- a/library/EngineBlock/Corto/Module/Service/SingleSignOn.php
+++ b/library/EngineBlock/Corto/Module/Service/SingleSignOn.php
@@ -9,59 +9,28 @@ class EngineBlock_Corto_Module_Service_SingleSignOn extends EngineBlock_Corto_Mo
 
     public function serve($serviceName)
     {
-        $isUnsolicited = ($serviceName === 'unsolicitedSingleSignOnService');
-
-        if ($isUnsolicited) {
-            // create unsolicited request object
-            $request = $this->_createUnsolicitedRequest();
+        $response = $this->_displayDebugResponse($serviceName);
+        if ($response) {
+            return;
         }
-        else if ($serviceName === 'debugSingleSignOnService') {
-            if (isset($_SESSION['debugIdpResponse']) && !isset($_POST['clear'])) {
-                /** @var SAML2_Response|EngineBlock_Saml2_ResponseAnnotationDecorator $response */
-                $response = $_SESSION['debugIdpResponse'];
-
-                if (isset($_POST['mail'])) {
-                    $this->_sendDebugMail($response);
-                }
-
-                $attributes = $response->getAssertion()->getAttributes();
-
-                $this->_server->sendOutput($this->_server->renderTemplate(
-                    'debugidpresponse',
-                    array(
-                        'idp'       => $this->_server->getRemoteEntity($response->getIssuer()),
-                        'response'  => $response,
-                        'attributes'=> $attributes
-                    )
-                ));
-                return;
-            }
-            else {
-                unset($_SESSION['debugIdpResponse']);
-                $request = $this->_createDebugRequest();
-            }
-        } else {
-            // parse SAML request
-            $request = $this->_server->getBindingsModule()->receiveRequest();
 
-            // set transparent proxy mode
-            if ($this->_server->getConfig('TransparentProxy', false)) {
-                $request->setTransparent();
-            }
-        }
+        $request = $this->_getRequest($serviceName);
 
         // Flush log if SP or IdP has additional logging enabled
         $sp = $this->_server->getRemoteEntity($request->getIssuer());
-        if (
-            $this->_server->getConfig('debug', false) ||
-            EngineBlock_SamlHelper::doRemoteEntitiesRequireAdditionalLogging($sp)
-        ) {
+
+        $isDebugModeEnabled = $this->_server->getConfig('debug', false);
+        $isAdditionalLoggingRequired = EngineBlock_SamlHelper::doRemoteEntitiesRequireAdditionalLogging(
+            EngineBlock_SamlHelper::getSpRequesterChain($sp, $request, $this->_server)
+        );
+
+        if ($isDebugModeEnabled || $isAdditionalLoggingRequired) {
             EngineBlock_ApplicationSingleton::getInstance()->getLogInstance()->flushQueue();
         }
 
         // validate custom acs-location (only for unsolicited, normal logins
         //  fall back to default ACS location instead of showing error page)
-        if ($isUnsolicited && !$this->_verifyAcsLocation($request, $sp)) {
+        if ($serviceName === 'unsolicitedSingleSignOnService' && !$this->_verifyAcsLocation($request, $sp)) {
             throw new EngineBlock_Corto_Exception_InvalidAcsLocation(
                 'Unknown or invalid ACS location requested'
             );
@@ -104,45 +73,58 @@ public function serve($serviceName)
 
         $log->attach(array_values($candidateIDPs), 'Candidate IDPs (after scoping)');
 
-        // No IdPs found! Send an error response back.
+        // 0 IdPs found! Throw an exception.
         if (count($candidateIDPs) === 0) {
-            $log->info("SSO: No Supported Idps!");
-            if ($this->_server->getConfig('NoSupportedIDPError')!=='user') {
-                $response = $this->_server->createErrorResponse($request, 'NoSupportedIDP');
-                $this->_server->sendResponseToRequestIssuer($request, $response);
-                return;
-            }
-            else {
-                throw new EngineBlock_Corto_Module_Service_SingleSignOn_NoIdpsException('No Idps found');
-            }
+            throw new EngineBlock_Corto_Module_Service_SingleSignOn_NoIdpsException('No Idps found');
         }
-        // Exactly 1 candidate found, send authentication request to the first one
-        else if (count($candidateIDPs) === 1) {
+
+        // Exactly 1 candidate found, send authentication request to the first one.
+        if (count($candidateIDPs) === 1) {
             $idp = array_shift($candidateIDPs);
             $log->info("SSO: Only 1 candidate IdP: $idp");
             $this->_server->sendAuthenticationRequest($request, $idp);
             return;
         }
+
         // Multiple IdPs found...
-        else {
-            // > 1 IdPs found, but isPassive attribute given, unable to show WAYF
-            if ($request->getIsPassive()) {
-                $log->info("SSO: IsPassive with multiple IdPs!");
-                $response = $this->_server->createErrorResponse($request, 'NoPassive');
-                $this->_server->sendResponseToRequestIssuer($request, $response);
-                return;
-            }
-            else {
-                // Store the request in the session
-                $id = $request->getId();
-                $_SESSION[$id]['SAMLRequest'] = $request;
-
-                // Show WAYF
-                $this->_server->getSessionLog()->info("SSO: Showing WAYF");
-                $this->_showWayf($request, $candidateIDPs);
-                return;
-            }
+
+        // > 1 IdPs found, but isPassive attribute given, unable to show WAYF.
+        if ($request->getIsPassive()) {
+            $log->info("SSO: IsPassive with multiple IdPs!");
+            $response = $this->_server->createErrorResponse($request, 'NoPassive');
+            $this->_server->sendResponseToRequestIssuer($request, $response);
+            return;
         }
+
+        $authnRequestRepository = new EngineBlock_Saml2_AuthnRequestSessionRepository($this->_server->getSessionLog());
+        $authnRequestRepository->store($request);
+
+        // Show WAYF
+        $this->_server->getSessionLog()->info("SSO: Showing WAYF");
+        $this->_showWayf($request, $candidateIDPs);
+    }
+
+    protected function _getRequest($serviceName)
+    {
+        if ($serviceName === 'unsolicitedSingleSignOnService') {
+            // create unsolicited request object
+            return $this->_createUnsolicitedRequest();
+        }
+
+        if ($serviceName === 'debugSingleSignOnService') {
+            unset($_SESSION['debugIdpResponse']);
+            return $this->_createDebugRequest();
+        }
+
+        // parse SAML request
+        $request = $this->_server->getBindingsModule()->receiveRequest();
+
+        // set transparent proxy mode
+        if ($this->_server->getConfig('TransparentProxy', false)) {
+            $request->setTransparent();
+        }
+
+        return $request;
     }
 
     /**
@@ -184,7 +166,7 @@ protected function _verifyAcsLocation(
      */
     protected function _createUnsolicitedRequest()
     {
-        // Entity ID as requeted in GET parameters
+        // Entity ID as requested in GET parameters
         $entityId    = !empty($_GET['sp-entity-id']) ? $_GET['sp-entity-id']: null;
 
         // Request optional  acs-* parameters
@@ -474,4 +456,43 @@ protected function _sendDebugMail(EngineBlock_Saml2_ResponseAnnotationDecorator
 
         $layout->setLayout($oldLayout);
     }
+
+    /**
+     * @param $serviceName
+     * @return bool
+     */
+    private function _displayDebugResponse($serviceName)
+    {
+        if ($serviceName === 'debugSingleSignOnService') {
+            return false;
+        }
+
+        if (isset($_POST['clear'])) {
+            unset($_SESSION['debugIdpResponse']);
+            return false;
+        }
+
+        if (!isset($_SESSION['debugIdpResponse']) || !$_SESSION['debugIdpResponse']) {
+            return false;
+        }
+
+        /** @var SAML2_Response|EngineBlock_Saml2_ResponseAnnotationDecorator $response */
+        $response = $_SESSION['debugIdpResponse'];
+
+        if (isset($_POST['mail'])) {
+            $this->_sendDebugMail($response);
+        }
+
+        $attributes = $response->getAssertion()->getAttributes();
+
+        $this->_server->sendOutput($this->_server->renderTemplate(
+            'debugidpresponse',
+            array(
+                'idp' => $this->_server->getRemoteEntity($response->getIssuer()),
+                'response' => $response,
+                'attributes' => $attributes
+            )
+        ));
+        return true;
+    }
 }
diff --git a/library/EngineBlock/Corto/ProxyServer.php b/library/EngineBlock/Corto/ProxyServer.php
index dd52520b32..c008c04f5f 100644
--- a/library/EngineBlock/Corto/ProxyServer.php
+++ b/library/EngineBlock/Corto/ProxyServer.php
@@ -18,11 +18,6 @@ class EngineBlock_Corto_ProxyServer
     const VO_CONTEXT_PFX          = 'voContext';
     const VO_CONTEXT_IMPLICIT     = 'VoContextImplicit';
 
-    /**
-     * @todo remove once https://github.com/simplesamlphp/saml2/pull/7 has been merged.
-     */
-    const NAMEFORMAT_URI = 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri';
-
     protected $_serviceToControllerMapping = array(
         'singleSignOnService'               => '/authentication/idp/single-sign-on',
         'debugSingleSignOnService'          => '/authentication/sp/debug',
@@ -295,6 +290,11 @@ public function hasRemoteEntity($entityId)
         return isset($this->_entities['remote'][$entityId]);
     }
 
+    /**
+     * @param string $entityId
+     * @return array
+     * @throws EngineBlock_Corto_ProxyServer_UnknownRemoteEntityException
+     */
     public function getRemoteEntity($entityId)
     {
         if (!isset($this->_entities['remote'][$entityId])) {
@@ -419,7 +419,7 @@ public function setRemoteIdpMd5($remoteIdPMd5)
 ////////  REQUEST HANDLING /////////
 
     public function sendAuthenticationRequest(
-        EngineBlock_Saml2_AuthnRequestAnnotationDecorator $request,
+        EngineBlock_Saml2_AuthnRequestAnnotationDecorator $spRequest,
         $idpEntityId
     ) {
         $cookieExpiresStamp = null;
@@ -428,21 +428,18 @@ public function sendAuthenticationRequest(
         }
         $this->setCookie('selectedIdp', $idpEntityId, $cookieExpiresStamp);
 
-        $originalId = $request->getId();
+        $originalId = $spRequest->getId();
 
         $idpMetadata = $this->getRemoteEntity($idpEntityId);
-        $newRequest = EngineBlock_Saml2_AuthnRequestFactory::createFromRequest($request, $idpMetadata, $this);
-        $newId = $newRequest->getId();
+        $ebRequest = EngineBlock_Saml2_AuthnRequestFactory::createFromRequest($spRequest, $idpMetadata, $this);
+        $newId = $ebRequest->getId();
 
         // Store the original Request
-        $_SESSION[$originalId]['SAMLRequest'] = $request;
-
-        // Store the mapping from the new request ID to the original request ID
-        $_SESSION[$newId] = array();
-        $_SESSION[$newId]['SAMLRequest'] = $request;
-        $_SESSION[$newId]['_InResponseTo'] = $originalId;
+        $authnRequestRepository = new EngineBlock_Saml2_AuthnRequestSessionRepository($this->_sessionLog);
+        $authnRequestRepository->store($spRequest);
+        $authnRequestRepository->link($ebRequest, $spRequest);
 
-        $this->getBindingsModule()->send($newRequest, $this->getRemoteEntity($idpEntityId));
+        $this->getBindingsModule()->send($ebRequest, $this->getRemoteEntity($idpEntityId));
     }
 
 //////// RESPONSE HANDLING ////////
@@ -504,7 +501,7 @@ public function createEnhancedResponse(
         }
 
         // Copy over the NameID for now...
-        // (further on in this filters we'll have more info and set this to something better)
+        // (further on in the filters we'll have more info and set this to something better)
         $sourceNameId = $sourceAssertion->getNameId();
         if (!empty($sourceNameId) && !empty($sourceNameId['Value']) && !empty($sourceNameId['Format'])) {
             $newAssertion->setNameId(
@@ -572,7 +569,7 @@ public function createEnhancedResponse(
 
         // Copy over the attributes
         $newAssertion->setAttributes($sourceAssertion->getAttributes());
-        $newAssertion->setAttributeNameFormat(static::NAMEFORMAT_URI);
+        $newAssertion->setAttributeNameFormat(SAML2_Const::NAMEFORMAT_URI);
 
         return $newResponse;
     }
@@ -773,42 +770,43 @@ public function sendResponseToRequestIssuer(
     }
 
     /**
-     * @param $id
+     * @param EngineBlock_Saml2_ResponseAnnotationDecorator $response
      * @return EngineBlock_Saml2_AuthnRequestAnnotationDecorator
      * @throws EngineBlock_Corto_ProxyServer_Exception
+     * @throws EngineBlock_Exception
      * @throws EngineBlock_Corto_Module_Services_SessionLostException
      */
-    public function getReceivedRequestFromResponse($id)
+    public function getReceivedRequestFromResponse(EngineBlock_Saml2_ResponseAnnotationDecorator $response)
     {
-        // Check the session for a AuthnRequest with the given ID
-        // Expect to get back an AuthnRequest issued by EngineBlock and destined for the IdP
-        if (!$id || !isset($_SESSION[$id])) {
-            throw new EngineBlock_Corto_Module_Services_SessionLostException(
-                "Trying to find a AuthnRequest (we made and sent) with id '$id' but it is not known in this session? ".
-                "This could be an unsolicited Response (which we do not support) but more likely the user lost their session",
-                EngineBlock_Corto_ProxyServer_Exception::CODE_NOTICE
+        /** @var SAML2_Response $response */
+        $requestId = $response->getInResponseTo();
+        if (!$requestId) {
+            throw new EngineBlock_Corto_ProxyServer_Exception(
+                'Response without InResponseTo, e.g. unsollicited. We don\'t support this.',
+                EngineBlock_Exception::CODE_NOTICE
             );
         }
 
-        // Get the ID of the original request (from the SP)
-        if (!isset($_SESSION[$id]['_InResponseTo'])) {
-            $log = $this->_server->getSessionLog();
-            $log->attach($_SESSION, 'SESSION');
+        $authnRequestRepository = new EngineBlock_Saml2_AuthnRequestSessionRepository($this->getSessionLog());
 
-            throw new EngineBlock_Corto_ProxyServer_Exception(
-                "ID `$id` does not have a _InResponseTo?!?",
+        $spRequestId = $authnRequestRepository->findLinkedRequestId($requestId);
+        if (!$spRequestId) {
+            throw new EngineBlock_Corto_Module_Services_SessionLostException(
+                "Trying to find a AuthnRequest (we made and sent) with id '$requestId' but it is not known in this session? ".
+                "This could be an unsolicited Response (which we do not support) but more likely the user lost their session",
                 EngineBlock_Corto_ProxyServer_Exception::CODE_NOTICE
             );
         }
-        $originalRequestId = $_SESSION[$id]['_InResponseTo'];
 
-        if (!isset($_SESSION[$originalRequestId]['SAMLRequest'])) {
+        $spRequest = $authnRequestRepository->findRequestById($spRequestId);
+        if (!$spRequest) {
             throw new EngineBlock_Corto_ProxyServer_Exception(
                 'Response has no known Request',
                 EngineBlock_Corto_ProxyServer_Exception::CODE_NOTICE
             );
         }
-        return $_SESSION[$originalRequestId]['SAMLRequest'];
+
+        return $spRequest;
     }
 
 ////////  ATTRIBUTE FILTERING /////////
diff --git a/library/EngineBlock/Group/Acl/GroupProviderAcl.php b/library/EngineBlock/Group/Acl/GroupProviderAcl.php
deleted file mode 100644
index 60beb00dea..0000000000
--- a/library/EngineBlock/Group/Acl/GroupProviderAcl.php
+++ /dev/null
@@ -1,39 +0,0 @@
-<?php
-
-class EngineBlock_Group_Acl_GroupProviderAcl
-{
-    /**
-     * @var EngineBlock_Database_ConnectionFactory
-     */
-    protected $_factory = NULL;
-
-    /**
-     * Get all ServiceProviderGroupAcls (array where the key is the identifier
-     * with as value an array of permissions
-     *
-     * @param $spEntityId the identifier of the Service Provider
-     * @return array with the identifier being the group provider
-     */
-    public function getSpGroupAcls($spEntityId) {
-        $db = $this->_getReadDatabase();
-        $statement = $db->prepare('SELECT gp.identifier, spga.allow_groups, spga.allow_members FROM service_provider_group_acl spga, group_provider gp WHERE spga.group_provider_id = gp.id and spga.spentityid = ?');
-        $statement->execute(array($spEntityId));
-        $rows = $statement->fetchAll();
-        $spGroupAcls = array();
-        foreach ($rows as $row) {
-            $spGroupAcls[$row['identifier']] = array(
-                        'allow_groups'        => $row['allow_groups'],
-                        'allow_members'       => $row['allow_members'],
-            );
-        }
-        return $spGroupAcls;
-    }
-
-    protected function _getReadDatabase()
-    {
-        if ($this->_factory == NULL) {
-            $this->_factory = new EngineBlock_Database_ConnectionFactory();
-        }
-        return $this->_factory->create(EngineBlock_Database_ConnectionFactory::MODE_READ);
-    }
-}
diff --git a/library/EngineBlock/Group/Model/Group.php b/library/EngineBlock/Group/Model/Group.php
deleted file mode 100644
index b7985bb899..0000000000
--- a/library/EngineBlock/Group/Model/Group.php
+++ /dev/null
@@ -1,11 +0,0 @@
-<?php
-
-class EngineBlock_Group_Model_Group implements EngineBlock_Group_Model_Interface
-{
-    public $id;
-    public $title;
-    public $description;
-
-    public $forUserId;
-    public $userRole;
-}
diff --git a/library/EngineBlock/Group/Model/GroupMember.php b/library/EngineBlock/Group/Model/GroupMember.php
deleted file mode 100644
index 521490fd19..0000000000
--- a/library/EngineBlock/Group/Model/GroupMember.php
+++ /dev/null
@@ -1,11 +0,0 @@
-<?php
-
-class EngineBlock_Group_Model_GroupMember implements EngineBlock_Group_Model_Interface
-{
-    public $id;
-    public $displayName;
-
-    public $forGroup;
-    public $forUser;
-    public $userRole;
-}
diff --git a/library/EngineBlock/Group/Model/Interface.php b/library/EngineBlock/Group/Model/Interface.php
deleted file mode 100644
index 389b8d519b..0000000000
--- a/library/EngineBlock/Group/Model/Interface.php
+++ /dev/null
@@ -1,5 +0,0 @@
-<?php
-
-interface EngineBlock_Group_Model_Interface
-{
-}
\ No newline at end of file
diff --git a/library/EngineBlock/Group/Provider/Abstract.php b/library/EngineBlock/Group/Provider/Abstract.php
deleted file mode 100644
index d67b452116..0000000000
--- a/library/EngineBlock/Group/Provider/Abstract.php
+++ /dev/null
@@ -1,245 +0,0 @@
-<?php
-
-/**
- * Base class with default functionality for Group Providers.
- */
-abstract class EngineBlock_Group_Provider_Abstract implements EngineBlock_Group_Provider_Interface
-{
-    protected $_id;
-    protected $_name;
-    protected $_userId;
-    protected $_stem = NULL;
-
-    protected $_preconditions = array();
-    protected $_memberFilters = array();
-    protected $_groupFilters  = array();
-
-    public function getId()
-    {
-        return $this->_id;
-    }
-
-    public function getDisplayName()
-    {
-        return $this->_name;
-    }
-
-    public function getUserId()
-    {
-        return $this->_userId;
-    }
-
-    public function setUserId($userId)
-    {
-        $this->_userId = $userId;
-        return $this;
-    }
-
-    protected function _requireUserId()
-    {
-        if (!isset($this->_userId) || empty($this->_userId)) {
-            throw new EngineBlock_Exception("No userid set for this provider, please set a userId with ->setUserId");
-        }
-    }
-
-    /**
-     * Some group provider implementations are able to host more than one set
-     * of groups. In many implementations this is called a 'stem', and by
-     * setting the stem we can choose which set of groups to use. While we use
-     * the term 'stem' here, other implementations are free to implement the
-     * filtering as they see fit. Implementations that don't support multiple
-     * sets of groups, they can simply ignore this call
-     * @param String $stemIdentifier
-     * @return EngineBlock_Group_Provider_Interface
-     */
-    public function setGroupStem($stemIdentifier)
-    {
-        $this->_stem = $stemIdentifier;
-        return $this;
-    }
-
-    /**
-     * Return the stem for this group provider. See setGroupStem for a more
-     * elaborate explanation of stems.
-     * @return String Stem Identifier
-     */
-    public function getGroupStem()
-    {
-        return $this->_stem;
-    }
-
-    protected function _getStemmedGroupId($groupIdentifier)
-    {
-        if (isset($this->_stem) && !empty($this->_stem)) {
-            return $this->_stem . ':' . $groupIdentifier;
-        }
-        return $groupIdentifier;
-    }
-
-    public function addPrecondition($className, $options = null)
-    {
-        $this->_preconditions[] = array(
-            'className' => $className,
-            'options'   => $options
-        );
-        
-        return $this;
-    }
-
-    public function removePreconditionByClassName($className)
-    {
-        foreach ($this->_preconditions as $key => $precondition) {
-            if ($precondition['className'] === $className) {
-                unset($this->_preconditions[$key]);
-            }
-        }
-
-        return $this;
-    }
-
-    public function configurePreconditions(Zend_Config $config)
-    {
-        if (isset($config->preconditions)) {
-            foreach ($config->preconditions as $precondition) {
-                $this->addPrecondition($precondition->className, $precondition);
-            }
-        }
-        
-        return $this;
-    }
-
-    public function getPreconditions()
-    {
-        return $this->_preconditions;
-    }
-
-    public function validatePreconditions()
-    {
-        $valid = true;
-        foreach ($this->_preconditions as $precondition) {
-            $className = $precondition['className'];
-            if (!class_exists($className, true)) {
-                EngineBlock_ApplicationSingleton::getLog()->warn(
-                    "Classname '$className' not found for precondition! Skipping precondition!"
-                );
-                continue;
-            }
-            $precondition = new $className($this, $precondition['options']);
-            $preconditionValid = $precondition->validate();
-            $valid = ($preconditionValid AND $valid);
-        }
-        return $valid;
-    }
-
-    /**
-     * Is this GroupProvider able to return details for the given userId based on the configured memberFilter
-     * @abstract
-     * @return boolean true is the userId is a partial matched with this GroupProviders urn
-     */
-    public function isGroupProviderForUser()
-    {
-        return $this->validatePreconditions();
-    }
-
-
-    public function configureGroupFilters(Zend_Config $config)
-    {
-        if (isset($config->groupFilters)) {
-            foreach ($config->groupFilters as $groupFilterConfig) {
-                $groupFilterClass = $groupFilterConfig->className;
-                if (!class_exists($groupFilterClass, true)) {
-                    EngineBlock_ApplicationSingleton::getLog()->warn(
-                        "Classname '$groupFilterClass' not found for group filter! Skipping group filter!"
-                    );
-                    continue;
-                }
-                $filter = new $groupFilterClass($groupFilterConfig);
-                $this->addGroupFilter($filter);
-            }
-        }
-        return $this;
-    }
-
-    public function addGroupFilter(EngineBlock_Group_Provider_Filter_Interface $filter)
-    {
-        $this->_groupFilters[] = $filter;
-        return $this;
-    }
-
-    public function getGroupFilters()
-    {
-        return $this->_groupFilters;
-    }
-
-    public function configureGroupMemberFilters(Zend_Config $config)
-    {
-        if (isset($config->groupMemberFilters)) {
-            foreach ($config->groupMemberFilters as $groupMemberFilterConfig) {
-                $groupMemberFilterClass = $groupMemberFilterConfig->className;
-                if (!class_exists($groupMemberFilterClass, true)) {
-                    EngineBlock_ApplicationSingleton::getLog()->warn(
-                        "Classname '$groupMemberFilterClass' not found for group member filter! Skipping group member filter!"
-                    );
-                    continue;
-                }
-                $filter = new $groupMemberFilterClass($groupMemberFilterConfig);
-                $this->addMemberFilter($filter);
-            }
-        }
-        return $this;
-    }
-
-    public function addMemberFilter(EngineBlock_Group_Provider_Filter_Interface $filter)
-    {
-        $this->_memberFilters[] = $filter;
-        return $this;
-    }
-
-    public function getMemberFilters()
-    {
-        return $this->_memberFilters;
-    }
-
-    /**
-     * Check if there are any decorators specified in the configuration,
-     * if so, apply them and return the decorated provider.
-     *
-     * @return EngineBlock_Group_Provider_Interface
-     */
-    public function configureDecoratorChain(Zend_Config $config)
-    {
-        if (!isset($config->decorators) || empty($config->decorators)) {
-            return $this;
-        }
-
-        $decoratedProvider = $this;
-        foreach ($config->decorators as $decoratorConfig) {
-            /** @var $decoratorClassName EngineBlock_Group_Provider_Decorator_Abstract */
-            $decoratorClassName = $decoratorConfig->className;
-            if (!class_exists($decoratorClassName, true)) {
-                EngineBlock_ApplicationSingleton::getLog()->warn(
-                    "Classname '$decoratorClassName' not found for decorator! Skipping decorator!"
-                );
-                continue;
-            }
-
-            $decoratedProvider = $decoratorClassName::createFromConfigsWithProvider(
-                $decoratedProvider,
-                $decoratorConfig
-            );
-        }
-        return $decoratedProvider;
-    }
-
-    /**
-     * Verify if the given $groupId is from an external group
-     *
-     * @static
-     * @param string $groupId Group identifier
-     * @return bool true id the group is external
-     */
-    public static function isExternalGroup($groupId) {
-       return preg_match('/^urn:collab:group:\w*\.?surfteams\.nl:/', $groupId) === 0;
-    }
-
-}
diff --git a/library/EngineBlock/Group/Provider/Aggregator.php b/library/EngineBlock/Group/Provider/Aggregator.php
deleted file mode 100644
index 3fdefbb546..0000000000
--- a/library/EngineBlock/Group/Provider/Aggregator.php
+++ /dev/null
@@ -1,295 +0,0 @@
-<?php
-
-/**
- * Aggregate groups from multiple providers
- */
-class EngineBlock_Group_Provider_Aggregator extends EngineBlock_Group_Provider_Abstract
-{
-    /**
-     * All known and usable group providers
-     *
-     * @var array
-     */
-    protected $_providers = array();
-
-    /**
-     * Known but unusable group providers (based on preconditions)
-     *
-     * @var array
-     */
-    protected $_invalidProviders = array();
-
-    /**
-     * Create an aggregate of Group Providers from database configuration
-     *
-     * @static
-     * @param $userId
-     * @return void
-     */
-    public static function createFromDatabaseFor($userId)
-    {
-        $configReader = new EngineBlock_Group_Provider_ProviderConfig();
-        $config = $configReader->createFromDatabaseFor();
-        return self::createFromConfigs($config, $userId);
-    }
-
-    /**
-     * Create an aggregate of group providers from the application configuration
-     *
-     * @static
-     * @param $userId
-     * @return EngineBlock_Group_Provider_Aggregator
-     */
-    public static function createFromConfigFor($userId)
-    {
-        $config = EngineBlock_ApplicationSingleton::getInstance()->getConfiguration();
-        $providers = $config->groupProviders;
-        $providerConfigs = array();
-        foreach ($providers as $providerConfigKey) {
-            if (!isset($config->$providerConfigKey)) {
-                EngineBlock_ApplicationSingleton::getLog()->err(
-                    "Group Provider '$providerConfigKey' mentioned, but no config found."
-                );
-                continue;
-            }
-
-            $providerConfig = $config->$providerConfigKey->toArray();
-            $providerConfig['id'] = $providerConfigKey;
-            $providerConfigs[] = $providerConfig;
-        }
-        $providerConfigs = new Zend_Config($providerConfigs);
-        return static::createFromConfigs($providerConfigs, $userId);
-    }
-
-    public static function createFromConfigs(Zend_Config $config, $userId)
-    {
-        $providers = array();
-        $invalidProviders = array();
-        foreach ($config as $providerConfig) {
-            try {
-                $className = $providerConfig->className;
-
-                if (!$className) {
-                    throw new EngineBlock_Exception("No classname specified in provider config");
-                }
-                if (!class_exists($className, true)) {
-                    throw new EngineBlock_Exception("Classname from Provider config '$className' does not exist or cannot be autoloaded!");
-                }
-                $provider = $className::createFromConfigs($providerConfig, $userId);
-
-                if (!$provider->validatePreconditions()) {
-                    $invalidProviders[] = $provider;
-                    continue;
-                }
-
-                $providers[] = $provider;
-            }
-            catch (Exception $e) {
-                self::_logErrorMessage($providerConfig->id, $e);
-            }
-        }
-        $aggregator = new static($providers);
-        $aggregator->_invalidProviders = $invalidProviders;
-        return $aggregator;
-    }
-
-    public function __construct(array $providers)
-    {
-        $this->_providers = $providers;
-    }
-
-    public function getDisplayName()
-    {
-        $names = array();
-        foreach ($this->_providers as $provider) {
-            $names[] = $provider->getDisplayName();
-        }
-        return 'Multiple (' . implode(', ', $names) . ')';
-    }
-
-    public function getProviders()
-    {
-        return $this->_providers;
-    }
-
-    public function getInvalidProviders()
-    {
-        return $this->_invalidProviders;
-    }
-
-    public function setGroupStem($stemIdentifier)
-    {
-        parent::setGroupStem($stemIdentifier);
-
-        // Propagate the groupStem onto all providers
-        foreach ($this->_providers as $provider) {
-            $provider->setGroupStem($stemIdentifier);
-        }
-
-        return $this;
-    }
-
-    public function getGroups($serviceProviderGroupAcls)
-    {
-        $groups = array();
-        foreach ($this->_providers as $provider) {
-            /**
-             * @var EngineBlock_Group_Provider_Interface $provider
-             */
-            try {
-                $acl = $serviceProviderGroupAcls[$provider->getId()];
-                if ($acl && $acl['allow_groups']) {
-                    $providerGroups = $provider->getGroups($serviceProviderGroupAcls);
-                    $groups = array_merge($groups, $providerGroups);
-                }
-            }
-            catch (Exception $e) {
-                self::_logErrorMessage($provider->getId(), $e);
-            }
-        }
-        return $groups;
-    }
-
-    public function getGroupsByStem($stem, $serviceProviderGroupAcls)
-    {
-        $groups = array();
-        foreach ($this->_providers as $provider) {
-            /**
-             * @var EngineBlock_Group_Provider_Interface $provider
-             */
-            try {
-                $acl = $serviceProviderGroupAcls[$provider->getId()];
-                if ($acl && $acl['allow_groups']) {
-                    $providerGroups = $provider->getGroupsByStem($stem, $serviceProviderGroupAcls);
-                    $groups = array_merge($groups, $providerGroups);
-                }
-            }
-            catch (Exception $e) {
-                self::_logErrorMessage($provider->getId(), $e);
-            }
-        }
-        return $groups;
-    }
-
-    public function getMembers($groupIdentifier, $serviceProviderGroupAcls)
-    {
-        $members = array();
-        foreach ($this->_providers as $provider) {
-            /**
-             * @var EngineBlock_Group_Provider_Interface $provider
-             */
-            try {
-                $acl = $serviceProviderGroupAcls[$provider->getId()];
-                if ($acl && $acl['allow_members']) {
-                    $providerMembers = $provider->getMembers($groupIdentifier, $serviceProviderGroupAcls);
-                    $members = array_merge($members, $providerMembers);
-                }
-            }
-            catch (Exception $e) {
-                self::_logErrorMessage($provider->getId(), $e);
-            }
-        }
-        return $members;
-    }
-
-    public function isMember($groupIdentifier)
-    {
-        // Loop through all providers
-        foreach ($this->_providers as $provider) {
-            /**
-             * @var EngineBlock_Group_Provider_Interface $provider
-             */
-            try {
-                // And when we find a provider that knows the groupIdentifier and has the current user
-                // as a member of this group, we return true
-                if ($provider->isMember($groupIdentifier)) {
-                    return true;
-                }
-            }
-            catch (Exception $e) {
-                self::_logErrorMessage($provider->getId(), $e);
-            }
-        }
-        // If none of the known providers knows the groupIdentifier or has the current user as a member
-        // then he's not a member of this group.
-        return false;
-    }
-
-    public function isMemberInStem()
-    {
-        foreach ($this->_providers as $provider) {
-            /**
-             * @var EngineBlock_Group_Provider_Interface $provider
-             */
-            try {
-                if ($provider->isMemberInStem()) {
-                    return true;
-                }
-            }
-            catch (Exception $e) {
-                self::_logErrorMessage($provider->getId(), $e);
-            }
-        }
-        return false;
-    }
-
-    /**
-     * Get the details of a groupMember
-     * @param $userId the unique groupMember identifier
-     * @return the Person
-     */
-    public function getGroupMemberDetails($subjectId = null)
-    {
-        // Loop through all providers
-        foreach ($this->_providers as $provider) {
-            /**
-             * @var EngineBlock_Group_Provider_Interface $provider
-             */
-            try {
-                // And when we find a provider that is able to retrieve the groupDetails
-                // we use this one
-                if ($provider->isGroupProviderForUser()) {
-                    return $provider->getGroupMemberDetails($subjectId);
-                }
-            }
-            catch (Exception $e) {
-                self::_logErrorMessage($provider->getId(), $e);
-            }
-        }
-        // If none of the known providers can handle this userId we return null
-        return NULL;
-    }
-
-     /**
-     * Is this GroupProvider able to return details for the given userId based on the configured memberFilter
-     * @abstract
-     * @param $userId the unique Person identifier
-     * @return boolean true is the userId is a partial matched with this GroupProviders urn
-     */
-    public function isGroupProviderForUser() {
-        foreach ($this->_providers as $provider) {
-            /**
-             * @var EngineBlock_Group_Provider_Interface $provider
-             */
-            try {
-                if ($provider->isGroupProviderForUser()) {
-                    return true;
-                }
-            }
-            catch (Exception $e) {
-                $this->_logErrorMessage($provider, $e);
-            }
-        }
-        return false;
-    }
-
-    protected static function _logErrorMessage($providerId, Exception $e)
-    {
-        $additionalInfo = EngineBlock_Log_Message_AdditionalInfo::create()->setDetails($e->getTraceAsString());
-        EngineBlock_ApplicationSingleton::getLog()->err(
-            "Unable to use provider $providerId, received Exception: " . $e->getMessage(),
-            $additionalInfo
-        );
-        EngineBlock_ApplicationSingleton::getLog()->info($e->getTraceAsString());
-    }
-}
diff --git a/library/EngineBlock/Group/Provider/Aggregator/MemoryCacheProxy.php b/library/EngineBlock/Group/Provider/Aggregator/MemoryCacheProxy.php
deleted file mode 100644
index e71a3c2697..0000000000
--- a/library/EngineBlock/Group/Provider/Aggregator/MemoryCacheProxy.php
+++ /dev/null
@@ -1,278 +0,0 @@
-<?php
-
-/**
- * Non-persistent request based in memory cache so we aren't requesting a users groups
- * over and over during a single request to EngineBlock.
- */
-class EngineBlock_Group_Provider_Aggregator_MemoryCacheProxy implements EngineBlock_Group_Provider_Interface
-{
-    /**
-     * @var EngineBlock_Group_Provider_Aggregator
-     */
-    protected $_provider;
-
-    protected $_groupCache = array();
-
-    protected $_memberCache = array();
-
-    protected $_isMemberCache = array();
-
-    protected $_isMemberInStemCache;
-
-    public static function createFromDatabaseFor($userId)
-    {
-        return new self(EngineBlock_Group_Provider_Aggregator::createFromDatabaseFor($userId));
-    }
-
-    public static function createFromConfigFor($userId)
-    {
-        return new self(EngineBlock_Group_Provider_Aggregator::createFromConfigFor($userId));
-    }
-
-    /**
-     * Factory method to create and configure a group provider from it's given configuration
-     *
-     * @static
-     * @abstract
-     * @param Zend_Config $config Configuration for this provider in it's specific format
-     * @param string      $userId UserId to provide group information for (required)
-     * @return EngineBlock_Group_Provider_Interface
-     */
-    public static function createFromConfigs(Zend_Config $config, $userId)
-    {
-        return new self(EngineBlock_Group_Provider_Aggregator::createFromConfigs($config, $userId));
-    }
-
-    public function __construct(EngineBlock_Group_Provider_Interface $provider)
-    {
-        $this->_provider = $provider;
-    }
-
-    public function getId()
-    {
-        return $this->_provider->getId();
-    }
-
-    public function getDisplayName()
-    {
-        return $this->_provider->getDisplayName();
-    }
-
-    public function getProviders()
-    {
-        return $this->_provider->getProviders();
-    }
-
-    public function getInvalidProviders()
-    {
-        return $this->_provider->getInvalidProviders();
-    }
-
-    /**
-     * Set the ID of the User to provide group information for
-     *
-     * @abstract
-     * @param string $userId
-     * @return EngineBlock_Group_Provider_Interface
-     */
-    public function setUserId($userId)
-    {
-        $this->_clearCache();
-
-        $this->_provider->setUserId($userId);
-        return $this;
-    }
-
-    /**
-     * Get the ID of the User that group information will be provided for
-     *
-     * @abstract
-     * @return string
-     */
-    public function getUserId()
-    {
-        return $this->_provider->getUserId();
-    }
-
-    /**
-     * @param string $className
-     * @param Zend_Config|null $options
-     * @return EngineBlock_Group_Provider_Aggregator_MemoryCacheProxy
-     */
-    public function addPrecondition($className, $options = null)
-    {
-        $this->_clearCache();
-
-        $this->_provider->addPrecondition($className, $options);
-        return $this;
-    }
-
-    public function getPreconditions()
-    {
-        return $this->_provider->getPreconditions();
-    }
-
-    /**
-     * Validate that this providers meets the preconditions, if this returns false, then you SHOULD not
-     * use this provider.
-     *
-     * Mainly used for checking that a Provider is applicable for a given userid.
-     *
-     * @abstract
-     * @return bool
-     */
-    public function validatePreconditions()
-    {
-        return $this->_provider->validatePreconditions();
-    }
-
-    public function removePreconditionByClassName($className)
-    {
-        return $this->_provider->removePreconditionByClassName($className);
-    }
-
-    /**
-     * @param EngineBlock_Group_Provider_Filter_Interface $filter
-     * @return EngineBlock_Group_Provider_Interface
-     */
-    public function addGroupFilter(EngineBlock_Group_Provider_Filter_Interface $filter)
-    {
-        $this->_clearCache();
-
-        $this->_provider->addGroupFilter($filter);
-        return $this;
-    }
-
-    public function getGroupFilters()
-    {
-        return $this->_provider->getGroupFilters();
-    }
-
-    public function addMemberFilter(EngineBlock_Group_Provider_Filter_Interface $filter)
-    {
-        $this->_clearCache();
-
-        $this->_provider->addMemberFilter($filter);
-        return $this;
-    }
-
-    public function getMemberFilters()
-    {
-        return $this->_provider->getMemberFilters();
-    }
-
-    public function getGroupStem()
-    {
-        return $this->_provider->getGroupStem();
-    }
-
-    public function setGroupStem($stemIdentifier)
-    {
-        $this->_clearCache();
-
-        $this->_provider->setGroupStem($stemIdentifier);
-        return $this;
-    }
-
-    /**
-     * Retrieve the list of groups that the specified subject is a member of.
-     * @return array A list of groups
-     */
-    public function getGroups($serviceProviderGroupAcl)
-    {
-        if (!empty($this->_groupCache)) {
-            return $this->_groupCache;
-        }
-
-        $this->_groupCache = $this->_provider->getGroups($serviceProviderGroupAcl);
-        return $this->_groupCache;
-    }
-
-    /**
-     * Retrieve the list of groups that the specified subject is a member of.
-     * @param $stem The name of the stem where the groups belong to
-     * @return array A list of groups
-     */
-    public function getGroupsByStem($stem, $serviceProviderGroupAcl)
-    {
-        if (!empty($this->_groupCache)) {
-            return $this->_groupCache;
-        }
-
-        $this->_groupCache = $this->_provider->getGroupsByStem($stem, $serviceProviderGroupAcl);
-        return $this->_groupCache;
-    }
-
-    /**
-     * Get the members of a given group
-     * @param String $groupIdentifier The name of the group to retrieve members of
-     * @return array A list of members
-     */
-    public function getMembers($groupIdentifier, $serviceProviderGroupAcl)
-    {
-        if (isset($this->_memberCache[$groupIdentifier]) && !empty($this->_memberCache[$groupIdentifier])) {
-            return $this->_memberCache[$groupIdentifier];
-        }
-        $this->_memberCache[$groupIdentifier] = $this->_provider->getMembers($groupIdentifier, $serviceProviderGroupAcl);
-        return $this->_memberCache[$groupIdentifier];
-    }
-
-    /**
-     * Check whether the given user is a member of the given group.
-     * @param String $groupIdentifier The group to check
-     * @return boolean
-     */
-    public function isMember($groupIdentifier)
-    {
-        if (isset($this->_isMemberCache[$groupIdentifier])) {
-            return $this->_isMemberCache[$groupIdentifier];
-        }
-
-        $this->_isMemberCache[$groupIdentifier] = $this->_provider->isMember($groupIdentifier);
-        return $this->_isMemberCache[$groupIdentifier];
-    }
-
-    /**
-     * Check whether the given user is a member of the given group.
-     * @param String $groupIdentifier The group to check
-     * @return boolean
-     */
-    public function isMemberInStem()
-    {
-        if (isset($this->_isMemberInStemCache) && $this->_isMemberInStemCache !== NULL) {
-            return $this->_isMemberInStemCache;
-        }
-
-        $this->_isMemberInStemCache = $this->_provider->isMemberInStem();
-        return $this->_isMemberInStemCache;
-    }
-
-    protected function _clearCache()
-    {
-        $this->_groupCache = array();
-        $this->_memberCache = array();
-        $this->_isMemberCache = array();
-        unset($this->_isMemberInStemCache);
-        return $this;
-    }
-
-
-    /**
-     * Get the details of a groupMember
-     * @return the Person
-     */
-    public function getGroupMemberDetails($subjectId = null)
-    {
-        return $this->_provider->getGroupMemberDetails($subjectId);
-    }
-
-    /**
-     * Is this GroupProvider able to return details for the given userId based on the configured memberFilter
-     * @abstract
-     * @return boolean true is the userId is a partial matched with this GroupProviders urn
-     */
-    public function isGroupProviderForUser()
-    {
-        return $this->_provider->isGroupProviderForUser();
-    }
-}
diff --git a/library/EngineBlock/Group/Provider/Decorator/Abstract.php b/library/EngineBlock/Group/Provider/Decorator/Abstract.php
deleted file mode 100644
index 1e315838df..0000000000
--- a/library/EngineBlock/Group/Provider/Decorator/Abstract.php
+++ /dev/null
@@ -1,231 +0,0 @@
-<?php
-
-abstract class EngineBlock_Group_Provider_Decorator_Abstract
-    implements EngineBlock_Group_Provider_Decorator_Interface, EngineBlock_Group_Provider_Interface
-{
-    /**
-     * @var EngineBlock_Group_Provider_Interface
-     */
-    protected $_provider;
-
-    /**
-     * Factory method to create and configure a group provider from it's given configuration
-     *
-     * @static
-     * @abstract
-     * @param Zend_Config $config Configuration for this provider in it's specific format
-     * @param string      $userId UserId to provide group information for (required)
-     * @return EngineBlock_Group_Provider_Interface
-     */
-    public static function createFromConfigs(Zend_Config $config, $userId)
-    {
-        throw new EngineBlock_Exception("createFromConfigs not possible for decorator, need access to provider");
-    }
-
-    /**
-     * Set the ID of the User to provide group information for
-     *
-     * @abstract
-     * @param string $userId
-     * @return EngineBlock_Group_Provider_Interface
-     */
-    public function setUserId($userId)
-    {
-        return $this->_provider->setUserId($userId);
-    }
-
-    /**
-     * Retrieve the list of groups that the specified subject is a member of.
-     * @return array A list of groups
-     */
-    public function getGroups($serviceProviderGroupAcls)
-    {
-        return $this->_provider->getGroups($serviceProviderGroupAcls);
-    }
-
-    /**
-     * Get the details of a groupMember
-     * @abstract
-     * @return the Person
-     */
-    public function getGroupMemberDetails($subjectId = null)
-    {
-        return $this->_provider->getGroupMemberDetails($subjectId);
-    }
-
-    /**
-     * Is this GroupProvider able to return details for the given userId based on the configured memberFilter
-     * @abstract
-     * @return boolean true is the userId is a partial matched with this GroupProviders urn
-     */
-    public function isGroupProviderForUser()
-    {
-        return $this->_provider->isGroupProviderForUser();
-    }
-
-    /**
-     * Retrieve the list of groups that the specified subject is a member of.
-     * @return array A list of groups
-     */
-    public function getGroupsByStem($stem, $serviceProviderGroupAcls)
-    {
-        return $this->_provider->getGroupsByStem($stem, $serviceProviderGroupAcls);
-    }
-    /**
-     * Get the members of a given group
-     * @param String $groupIdentifier The name of the group to retrieve members of
-     * @return array A list of members
-     */
-    public function getMembers($groupIdentifier, $serviceProviderGroupAcls)
-    {
-        return $this->_provider->getMembers($groupIdentifier, $serviceProviderGroupAcls);
-    }
-
-    /**
-     * Check whether the given user is a member of the given group.
-     * @param String $groupIdentifier The group to check
-     * @return boolean
-     */
-    public function isMember($groupIdentifier)
-    {
-        return $this->_provider->isMember($groupIdentifier);
-    }
-
-    public function isMemberInStem()
-    {
-        return $this->_provider->isMemberInStem();
-    }
-
-    /**
-     * Get the ID of this provider (plain alphanumeric string for use in configs, URLs and such)
-     *
-     * @abstract
-     * @return string
-     */
-    public function getId()
-    {
-        return $this->_provider->getId();
-    }
-
-    /**
-     * Get the display name for this group provider
-     *
-     * @abstract
-     * @return string
-     */
-    public function getDisplayName()
-    {
-        return $this->_provider->getDisplayName();
-    }
-
-    /**
-     * Get the ID of the User that group information will be provided for
-     *
-     * @abstract
-     * @return string
-     */
-    public function getUserId()
-    {
-        return $this->_provider->getUserId();
-    }
-
-    /**
-     * Add a precondition for use of this provider.
-     *
-     * @abstract
-     * @param string $className
-     * @param array $options
-     * @return EngineBlock_Group_Provider_Interface
-     */
-    public function addPrecondition($className, $options = null)
-    {
-        return $this->_provider->addPrecondition($className, $options);
-    }
-
-    /**
-     * Get the preconditions for use of this provider.
-     *
-     * @abstract
-     * @return array
-     */
-    public function getPreconditions()
-    {
-        return $this->_provider->getPreconditions();
-    }
-
-    /**
-     * Validate that this providers meets the preconditions, if this returns false, then you SHOULD not
-     * use this provider.
-     *
-     * Mainly used for checking that a Provider is applicable for a given userid.
-     *
-     * @abstract
-     * @return bool
-     */
-    public function validatePreconditions()
-    {
-        return $this->_provider->validatePreconditions();
-    }
-
-    public function removePreconditionByClassName($className)
-    {
-        $this->_provider->removePreconditionByClassName($className);
-    }
-
-    public function addGroupFilter(EngineBlock_Group_Provider_Filter_Interface $filter)
-    {
-        return $this->_provider->addGroupFilter($filter);
-    }
-
-    public function getGroupFilters()
-    {
-        return $this->_provider->getGroupFilters();
-    }
-
-    public function addMemberFilter(EngineBlock_Group_Provider_Filter_Interface $filter)
-    {
-        return $this->_provider->addMemberFilter($filter);
-    }
-
-    public function getMemberFilters()
-    {
-        return $this->_provider->getMemberFilters();
-    }
-
-    /**
-     * @abstract
-     * @return string
-     */
-    public function getGroupStem()
-    {
-        return $this->_provider->getGroupStem();
-    }
-
-    /**
-     * Some group provider implementations are able to host more than one set
-     * of groups. In many implementations this is called a 'stem', and by
-     * setting the stem we can choose which set of groups to use. While we use
-     * the term 'stem' here, other implementations are free to implement the
-     * filtering as they see fit. Implementations that don't support multiple
-     * sets of groups, they can simply ignore this call
-     * @param String $stemIdentifier
-     * @return EngineBlock_Group_Provider_Interface
-     */
-    public function setGroupStem($stemIdentifier)
-    {
-        return $this->_provider->setGroupStem($stemIdentifier);
-    }
-
-    /**
-     * Proxy calls that are not in the interface (like the OAuth / OpenSocial specific stuff)
-     * to the provider;
-     *
-     * @param string $name
-     * @param array $arguments
-     * @return mixed
-     */
-    public function __call($name, $arguments)
-    {
-        return call_user_func_array(array($this->_provider, $name), $arguments);
-    }
-}
diff --git a/library/EngineBlock/Group/Provider/Decorator/GroupIdReplace.php b/library/EngineBlock/Group/Provider/Decorator/GroupIdReplace.php
deleted file mode 100644
index a858636cd5..0000000000
--- a/library/EngineBlock/Group/Provider/Decorator/GroupIdReplace.php
+++ /dev/null
@@ -1,67 +0,0 @@
-<?php
-
-class EngineBlock_Group_Provider_Decorator_GroupIdReplace
-    extends EngineBlock_Group_Provider_Decorator_Abstract
-{
-    /**
-     * @var string
-     */
-    protected $_search;
-
-    /**
-     * @var string
-     */
-    protected $_replace;
-
-    public static function createFromConfigsWithProvider(EngineBlock_Group_Provider_Interface $provider, Zend_Config $config)
-    {
-        if (!isset($config->search) || !isset($config->replace)) {
-            throw new EngineBlock_Group_Provider_Exception(
-                "Missing configuration for groupIdReplace decorator, please make sure .search and .replace are set"
-            );
-        }
-        return new self($provider, $config->search, $config->replace);
-    }
-
-    public function __construct($provider, $search, $replace)
-    {
-        $this->_provider = $provider;
-        $this->_search   = $search;
-        $this->_replace  = $replace;
-    }
-
-    /**
-     * Get the members of a given group
-     * @param String $groupIdentifier The name of the group to retrieve members of
-     * @return array A list of members
-     */
-    public function getMembers($groupIdentifier,$serviceProviderGroupAcls )
-    {
-        // If the group is not a decorated group, don't even bother looking up the members, can't be ours
-        if ($this->_search && !preg_match($this->_search, $groupIdentifier)) {
-            return array();
-        }
-
-        $groupIdentifier = preg_replace($this->_search, $this->_replace, $groupIdentifier);
-
-        return parent::getMembers($groupIdentifier, $serviceProviderGroupAcls);
-    }
-
-    /**
-     * Check whether the given group is a member of the given group.
-     * @param String $groupIdentifier The group to check
-     * @return boolean
-     */
-    public function isMember($groupIdentifier)
-    {
-        // If the group is not a decorated group, don't even bother looking up the members, can't be ours
-        // except the members group for stem VOs
-        if ($groupIdentifier !== 'members' && $this->_search && !preg_match($this->_search, $groupIdentifier)) {
-            return false;
-        }
-
-        $groupIdentifier = preg_replace($this->_search, $this->_replace, $groupIdentifier);
-
-        return parent::isMember($groupIdentifier);
-    }
-}
diff --git a/library/EngineBlock/Group/Provider/Decorator/Interface.php b/library/EngineBlock/Group/Provider/Decorator/Interface.php
deleted file mode 100644
index 72de024674..0000000000
--- a/library/EngineBlock/Group/Provider/Decorator/Interface.php
+++ /dev/null
@@ -1,6 +0,0 @@
-<?php
-
-interface EngineBlock_Group_Provider_Decorator_Interface
-{
-    public static function createFromConfigsWithProvider(EngineBlock_Group_Provider_Interface $provider, Zend_Config $config);
-}
\ No newline at end of file
diff --git a/library/EngineBlock/Group/Provider/Decorator/UserIdReplace.php b/library/EngineBlock/Group/Provider/Decorator/UserIdReplace.php
deleted file mode 100644
index fbbd1cd020..0000000000
--- a/library/EngineBlock/Group/Provider/Decorator/UserIdReplace.php
+++ /dev/null
@@ -1,167 +0,0 @@
-<?php
-
-class EngineBlock_Group_Provider_Decorator_UserIdReplace
-    extends EngineBlock_Group_Provider_Decorator_Abstract
-{
-    /**
-     * @var string
-     */
-    protected $_search;
-
-    /**
-     * @var string
-     */
-    protected $_replace;
-
-    /**
-     * @var string
-     */
-    protected $_userId;
-
-    /**
-     * @var string
-     */
-    protected $_userIdReplaced;
-
-    public static function createFromConfigsWithProvider(EngineBlock_Group_Provider_Interface $provider, Zend_Config $config)
-    {
-        if (!isset($config->search) || !isset($config->replace)) {
-            throw new EngineBlock_Group_Provider_Exception(
-                "Missing configuration for UserIdReplace decorator, please make sure .search and .replace are set"
-            );
-        }
-        return new self($provider, $config->search, $config->replace);
-    }
-
-    public function __construct($provider, $search, $replace)
-    {
-        $this->_provider = $provider;
-        $this->_search   = $search;
-        $this->_replace  = $replace;
-
-        $this->_loadReplacedUserId();
-    }
-
-    protected function _loadReplacedUserId()
-    {
-        $this->_userId = $this->_provider->getUserId();
-        $this->_userIdReplaced = preg_replace($this->_search, $this->_replace, $this->_userId);
-    }
-
-    /**
-     * Set the ID of the User to provide group information for
-     *
-     * @abstract
-     * @param string $userId
-     * @return EngineBlock_Group_Provider_Interface
-     */
-    public function setUserId($userId)
-    {
-        $this->_provider->setUserId($userId);
-        $this->_loadReplacedUserId();
-        return $this;
-    }
-
-    /**
-     * Retrieve the list of groups that the specified subject is a member of.
-     * @return array A list of groups
-     */
-    public function getGroups($serviceProviderGroupAcls)
-    {
-        // If the conversion didn't do anything, it's probably not a user for this group provider
-        // so just return an empty array
-        if ($this->_search && $this->_userId === $this->_userIdReplaced) {
-            return array();
-        }
-
-        $this->_provider->setUserId($this->_userIdReplaced);
-        $results = $this->_provider->getGroups($serviceProviderGroupAcls);
-        $this->_provider->setUserId($this->_userId);
-
-        return $results;
-    }
-
-    /**
-     * Retrieve the list of groups that the specified subject is a member of.
-     * @param string $stem
-     * @return array A list of groups
-     */
-    public function getGroupsByStem($stem, $serviceProviderGroupAcls)
-    {
-        // If the conversion didn't do anything, it's probably not a user for this group provider
-        // so just return an empty array
-        if ($this->_search && $this->_userId === $this->_userIdReplaced) {
-            return array();
-        }
-
-        $this->_provider->setUserId($this->_userIdReplaced);
-        $results = $this->_provider->getGroupsByStem($stem, $serviceProviderGroupAcls);
-        $this->_provider->setUserId($this->_userId);
-
-        return $results;
-    }
-
-    /**
-     * Get the members of a given group
-     * @param String $groupIdentifier The name of the group to retrieve members of
-     * @return array A list of members
-     */
-    public function getMembers($groupIdentifier, $serviceProviderGroupAcls)
-    {
-        // If the conversion didn't do anything, it's probably not a user for this group provider
-        // so just return an empty array
-        if ($this->_search && $this->_userId === $this->_userIdReplaced) {
-            return array();
-        }
-
-        $this->_provider->setUserId($this->_userIdReplaced);
-        $results = $this->_provider->getMembers($groupIdentifier, $serviceProviderGroupAcls);
-        $this->_provider->setUserId($this->_userId);
-
-        return $results;
-    }
-
-    /**
-     * Check whether the given user is a member of the given group.
-     * @param String $groupIdentifier The group to check
-     * @return boolean
-     */
-    public function isMember($groupIdentifier)
-    {
-        // If the conversion didn't do anything, it's probably not a user for this group provider
-        // so just return an empty array
-        if ($this->_search && $this->_userId === $this->_userIdReplaced) {
-            return false;
-        }
-
-        $this->_provider->setUserId($this->_userIdReplaced);
-        $results = $this->_provider->isMember($groupIdentifier);
-        $this->_provider->setUserId($this->_userId);
-
-        return $results;
-    }
-
-    /**
-     * Get the details of a groupMember
-     * @param string $subjectId User to get the data for
-     * @return array Group member data
-     */
-    public function getGroupMemberDetails($subjectId = null)
-    {
-        // If the conversion didn't do anything, it's probably not a user for this group provider
-        // so just return an empty array
-        if ($this->_search && $this->_userId === $this->_userIdReplaced) {
-            return array();
-        }
-
-        $this->_provider->setUserId($this->_userIdReplaced);
-        $subjectIdReplaced = null;
-        if ($subjectId) {
-            $subjectIdReplaced = preg_replace($this->_search, $this->_replace, $subjectId);
-        }
-        $results = $this->_provider->getGroupMemberDetails($subjectIdReplaced);
-        $this->_provider->setUserId($this->_userId);
-
-        return $results;
-    }
-}
\ No newline at end of file
diff --git a/library/EngineBlock/Group/Provider/Exception.php b/library/EngineBlock/Group/Provider/Exception.php
deleted file mode 100644
index ed42193855..0000000000
--- a/library/EngineBlock/Group/Provider/Exception.php
+++ /dev/null
@@ -1,5 +0,0 @@
-<?php
-
-class EngineBlock_Group_Provider_Exception extends EngineBlock_Exception
-{
-}
\ No newline at end of file
diff --git a/library/EngineBlock/Group/Provider/Exception/Unauthorized.php b/library/EngineBlock/Group/Provider/Exception/Unauthorized.php
deleted file mode 100644
index eaa10facf4..0000000000
--- a/library/EngineBlock/Group/Provider/Exception/Unauthorized.php
+++ /dev/null
@@ -1,5 +0,0 @@
-<?php
-
-class EngineBlock_Group_Provider_Exception_Unauthorized extends EngineBlock_Group_Provider_Exception
-{
-}
\ No newline at end of file
diff --git a/library/EngineBlock/Group/Provider/Filter/Interface.php b/library/EngineBlock/Group/Provider/Filter/Interface.php
deleted file mode 100644
index 7bc63691c9..0000000000
--- a/library/EngineBlock/Group/Provider/Filter/Interface.php
+++ /dev/null
@@ -1,8 +0,0 @@
-<?php
-
-interface EngineBlock_Group_Provider_Filter_Interface
-{
-    public function __construct(Zend_Config $options);
-    
-    public function filter($data);
-}
diff --git a/library/EngineBlock/Group/Provider/Filter/ModelProperty/PregReplace.php b/library/EngineBlock/Group/Provider/Filter/ModelProperty/PregReplace.php
deleted file mode 100644
index 4645a224c0..0000000000
--- a/library/EngineBlock/Group/Provider/Filter/ModelProperty/PregReplace.php
+++ /dev/null
@@ -1,24 +0,0 @@
-<?php
-
-class EngineBlock_Group_Provider_Filter_ModelProperty_PregReplace implements EngineBlock_Group_Provider_Filter_Interface
-{
-    protected $_options;
-
-    public function __construct(Zend_Config $options)
-    {
-        $this->_options = $options;
-    }
-
-    public function filter($data)
-    {
-        $modelProperties = array_keys(get_object_vars($data));
-        foreach ($modelProperties as $modelProperty) {
-            if (isset($this->_options->property) && $modelProperty !== $this->_options->property) {
-                continue;
-            }
-
-            $data->$modelProperty = preg_replace($this->_options->search, $this->_options->replace, $data->$modelProperty);
-        }
-        return $data;
-    }
-}
\ No newline at end of file
diff --git a/library/EngineBlock/Group/Provider/Grouper.php b/library/EngineBlock/Group/Provider/Grouper.php
deleted file mode 100644
index 7a29d5945a..0000000000
--- a/library/EngineBlock/Group/Provider/Grouper.php
+++ /dev/null
@@ -1,182 +0,0 @@
-<?php
-
-class EngineBlock_Group_Provider_Grouper extends EngineBlock_Group_Provider_Abstract
-{
-    protected $_name;
-
-    /**
-     * @var Grouper_Client_Rest
-     */
-    protected $_grouperClient;
-
-    /**
-     * Factory method to create and configure a group provider from it's given configuration
-     *
-     * @static
-     * @abstract
-     * @param Zend_Config $config
-     * @param string $userId
-     * @return EngineBlock_Group_Provider_Grouper
-     */
-    public static function createFromConfigs(Zend_Config $config, $userId)
-    {
-        $grouperClient = Grouper_Client_Rest::createFromConfig($config);
-        $provider = new self($config->id, $config->name, $grouperClient);
-
-        $provider->setUserId($userId);
-
-        $provider->configurePreconditions($config);
-        $provider->configureGroupFilters($config);
-        $provider->configureGroupMemberFilters($config);
-        $decoratedProvider = $provider->configureDecoratorChain($config);
-
-        return $decoratedProvider;
-    }
-
-    public function __construct($id, $name, Grouper_Client_Interface $grouperClient)
-    {
-        $this->_id   = $id;
-        $this->_name = $name;
-        $this->_grouperClient = $grouperClient;
-    }
-
-    public function setUserId($userId)
-    {
-        parent::setUserId($userId);
-
-        $this->_grouperClient->setSubjectId($userId);
-        return $this;
-    }
-
-    public function getGroups($serviceProviderGroupAcls)
-    {
-        try {
-            $grouperGroups = $this->_grouperClient->getGroupsWithPrivileges();
-        }
-        catch (Grouper_Client_Exception_SubjectNotFound $e) {
-            // Ignore Subject not found exceptions
-            EngineBlock_ApplicationSingleton::getLog()->warn("User '{$this->_userId}' does not exist in Grouper Group Provider '{$this->_id}'");
-            return array();
-        }
-
-        $groups = array();
-        foreach ($grouperGroups as $group) {
-            $groups[] = $this->_mapGrouperGroupToEngineBlockGroup($group);
-        }
-        return $groups;
-    }
-
-    public function getGroupsByStem($stem, $serviceProviderGroupAcls)
-    {
-        try {
-            $grouperGroups = $this->_grouperClient->getGroupsWithPrivileges($stem);
-        }
-        catch (Grouper_Client_Exception_SubjectNotFound $e) {
-            // Ignore Subject not found exceptions
-            EngineBlock_ApplicationSingleton::getLog()->warn("User '{$this->_userId}' does not exist in Grouper Group Provider '{$this->_id}'");
-            return array();
-        }
-
-        $groups = array();
-        foreach ($grouperGroups as $group) {
-            $groups[] = $this->_mapGrouperGroupToEngineBlockGroup($group);
-        }
-        return $groups;
-    }
-
-    public function getMembers($groupIdentifier, $serviceProviderGroupAcls)
-    {
-        $members = array();
-        $stemmedGroupIdentifier = $this->_getStemmedGroupId($groupIdentifier);
-        $subjects = $this->_grouperClient->getMembersWithPrivileges($stemmedGroupIdentifier);
-        foreach ($subjects as $subject) {
-                $members[] = $this->_mapGrouperSubjectToEngineBlockGroupMember($subject, $stemmedGroupIdentifier);
-        }
-        return $members;
-    }
-
-    /**
-     * Check whether the given user is a member of the given group.
-     * @param String $groupIdentifier The group to check
-     * @return boolean
-     */
-    public function isMember($groupIdentifier)
-    {
-        return $this->_grouperClient->hasMember($this->_getStemmedGroupId($groupIdentifier));
-    }
-
-    public function isMemberInStem()
-    {
-        $groups = $this->_grouperClient->getGroups($this->_stem);
-        return !empty($groups);
-    }
-
-    protected function _mapGrouperGroupToEngineBlockGroup(Grouper_Model_Group $grouperGroup)
-    {
-        $engineBlockGroup = new EngineBlock_Group_Model_Group();
-        $engineBlockGroup->id           = $grouperGroup->name;
-        $engineBlockGroup->title        = $grouperGroup->displayExtension;
-        $engineBlockGroup->description  = $grouperGroup->description;
-        $engineBlockGroup->forUserId    = $this->_userId;
-        $engineBlockGroup->userRole     = $this->_determineVootMembershipRoleByPrivileges($grouperGroup->privileges);
-
-        foreach ($this->_groupFilters as $groupFilter) {
-            $engineBlockGroup = $groupFilter->filter($engineBlockGroup);
-        }
-
-        return $engineBlockGroup;
-    }
-
-    protected function _mapGrouperSubjectToEngineBlockGroupMember(Grouper_Model_Subject $grouperSubject, $groupId)
-    {
-        $engineBlockMember = new EngineBlock_Group_Model_GroupMember();
-        $engineBlockMember->id          = $grouperSubject->id;
-        $engineBlockMember->displayName = $grouperSubject->name;
-        $engineBlockMember->forGroup    = $groupId;
-        $engineBlockMember->forUser     = $this->_userId;
-        $engineBlockMember->userRole    = $this->_determineVootMembershipRoleByPrivileges($grouperSubject->privileges);
-
-        foreach ($this->_memberFilters as $memberFilter) {
-            $engineBlockMember = $memberFilter->filter($engineBlockMember);
-        }
-
-        return $engineBlockMember;
-    }
-
-    protected function _determineVootMembershipRoleByPrivileges(array $privileges)
-    {
-        if (in_array('admin', $privileges)) {
-            return 'admin';
-        }
-        if (in_array('update', $privileges)) {
-            return 'manager';
-        }
-        if (in_array('read', $privileges)) {
-            return 'member';
-        }
-
-        throw new EngineBlock_Group_Provider_Exception("Unable to determine member role in group by looking at the privileges");
-    }
-
-    /**
-     * Get the details of a groupMember
-     * @param $userId the unique groupMember identifier
-     * @return the Person
-     */
-    public function getGroupMemberDetails($subjectId = null)
-    {
-        //this can never happen as we retrieve groups from Grouper and therefore MemberDetails are
-        //provided by the userDirectory (e.g. we always return false from isGroupProviderFor)
-        throw new EngineBlock_Exception("Grouper does not provide GroupMemberDetails");
-    }
-
-    /**
-     * Is this GroupProvider able to return details for the given userId based on the configured memberFilter
-     * @param $userId the unique Person identifier
-     * @return boolean true is the userId is a partial matched with this GroupProviders urn
-     */
-    public function isGroupProviderForUser()
-    {
-        return false;
-    }
-}
diff --git a/library/EngineBlock/Group/Provider/Interface.php b/library/EngineBlock/Group/Provider/Interface.php
deleted file mode 100644
index 07608c2426..0000000000
--- a/library/EngineBlock/Group/Provider/Interface.php
+++ /dev/null
@@ -1,164 +0,0 @@
-<?php
-
-interface EngineBlock_Group_Provider_Interface
-{
-    /**
-     * Factory method to create and configure a group provider from it's given configuration
-     *
-     * @static
-     * @abstract
-     * @param Zend_Config $config Configuration for this provider in it's specific format
-     * @param string      $userId UserId to provide group information for (required)
-     * @return EngineBlock_Group_Provider_Interface
-     */
-    public static function createFromConfigs(Zend_Config $config, $userId);
-
-    /**
-     * Get the ID of this provider (plain alphanumeric string for use in configs, URLs and such)
-     *
-     * @abstract
-     * @return string
-     */
-    public function getId();
-
-    /**
-     * Set the ID of the User to provide group information for
-     *
-     * @abstract
-     * @param string $userId
-     * @return EngineBlock_Group_Provider_Interface
-     */
-    public function setUserId($userId);
-
-    /**
-     * Get the display name for this group provider
-     *
-     * @abstract
-     * @return string
-     */
-    public function getDisplayName();
-
-    /**
-     * Get the ID of the User that group information will be provided for
-     *
-     * @abstract
-     * @return string
-     */
-    public function getUserId();
-
-    /**
-     * Add a precondition for use of this provider.
-     *
-     * @abstract
-     * @param string $className
-     * @param Zend_Config|null $options
-     * @return EngineBlock_Group_Provider_Interface
-     */
-    public function addPrecondition($className, $options = null);
-
-    /**
-     * Get the preconditions for use of this provider.
-     *
-     * @abstract
-     * @return array
-     */
-    public function getPreconditions();
-
-    /**
-     * Validate that this providers meets the preconditions, if this returns false, then you SHOULD not
-     * use this provider.
-     *
-     * Mainly used for checking that a Provider is applicable for a given userid.
-     *
-     * @abstract
-     * @return bool
-     */
-    public function validatePreconditions();
-
-    public function removePreconditionByClassName($className);
-
-    public function addGroupFilter(EngineBlock_Group_Provider_Filter_Interface $filter);
-
-    public function getGroupFilters();
-
-    public function addMemberFilter(EngineBlock_Group_Provider_Filter_Interface $filter);
-
-    public function getMemberFilters();
-
-    /**
-     * Retrieve the list of groups that the specified subject is a member of.
-     * @param $serviceProviderGroupAcls the permissions of the ServiceProvider that initiated this call
-     * @return array A list of groups
-     */
-    public function getGroups($serviceProviderGroupAcl);
-
-    /**
-     * Retrieve the list of groups that the specified subject is a member of.
-     * @param $stem The name of the stem where the groups belong to
-     * @param $serviceProviderGroupAcls the permissions of the ServiceProvider that initiated this call
-     * @return array A list of groups
-     */
-    public function getGroupsByStem($stem, $serviceProviderGroupAcl);
-
-    /**
-     * Get the members of a given group
-     * @param String $groupIdentifier The name of the group to retrieve members of
-     * @param $serviceProviderGroupAcls the permissions of the ServiceProvider that initiated this call
-     * @return array A list of members
-     */
-    public function getMembers($groupIdentifier, $serviceProviderGroupAcls);
-
-    /**
-     * Get the details of a groupMember
-     * @abstract
-     * @return the Person
-     */
-    public function getGroupMemberDetails($subjectId = null);
-
-    /**
-     * Is this GroupProvider able to return details for the given userId based on the configured memberFilter
-     * @abstract
-     * @param $userId the unique Person identifier
-     * @return boolean true is the userId is a partial matched with this GroupProviders urn
-     */
-    public function isGroupProviderForUser();
-
-    /**
-     * Check whether the given user is a member of the given group.
-     * @param String $groupIdentifier The group to check
-     * @return boolean
-     */
-    public function isMember($groupIdentifier);
-
-    /**
-     * Check whether the current user is in a group in the current stem.
-     *
-     * @example: User urn:collab:person:example.edu:john.doe is in
-     * the groups: urn:collab:group:internet2.edu:grouper,
-     * urn:collab:group:surfnet.nl:grouper
-     * Given a stem of urn:collab:group:internet2.edu this method will return true.
-     * Given a stem of urn:collab:group:janet.edu this method will return false.
-     *
-     * @param String $groupIdentifier The group to check
-     * @return boolean
-     */
-    public function isMemberInStem();
-
-    /**
-     * @abstract
-     * @return string
-     */
-    public function getGroupStem();
-
-    /**
-     * Some group provider implementations are able to host more than one set
-     * of groups. In many implementations this is called a 'stem', and by
-     * setting the stem we can choose which set of groups to use. While we use
-     * the term 'stem' here, other implementations are free to implement the
-     * filtering as they see fit. Implementations that don't support multiple
-     * sets of groups, they can simply ignore this call
-     * @param String $stemIdentifier
-     * @return EngineBlock_Group_Provider_Interface
-     */
-    public function setGroupStem($stemIdentifier);
-}
\ No newline at end of file
diff --git a/library/EngineBlock/Group/Provider/OpenSocial/Abstract.php b/library/EngineBlock/Group/Provider/OpenSocial/Abstract.php
deleted file mode 100644
index fcd2c3ca32..0000000000
--- a/library/EngineBlock/Group/Provider/OpenSocial/Abstract.php
+++ /dev/null
@@ -1,164 +0,0 @@
-<?php
-
-abstract class EngineBlock_Group_Provider_OpenSocial_Abstract
-    extends EngineBlock_Group_Provider_Abstract
-{
-    /**
-     * @var OpenSocial_Rest_Client
-     */
-    protected $_openSocialRestClient;
-
-    public function __construct($id, $name, $openSocialRestClient)
-    {
-        $this->_id = $id;
-        $this->_name = $name;
-        $this->_openSocialRestClient = $openSocialRestClient;
-    }
-
-    /**
-     * Retrieve the list of groups that the specified subject is a member of.
-     * @return array A list of groups
-     */
-    public function getGroups($serviceProviderGroupAcl)
-    {
-        $openSocialGroups = $this->_openSocialRestClient->get(
-            '/groups/{uid}',
-            array(
-                'uid' => $this->_userId,
-            )
-        );
-        return $this->_mapOpenSocialGroupsToEngineBlockGroups($openSocialGroups);
-    }
-
-    /**
-     * Get the details of a groupMember
-     * @abstract
-     * @return array Group member data
-     */
-    public function getGroupMemberDetails($subjectId = null)
-    {
-        if ($subjectId) {
-            $parameters =  array('uid' => $subjectId);
-        }
-        else {
-            $parameters =  array('uid' => $this->_userId);
-        }
-        $memberDetails = $this->_openSocialRestClient->get(
-            '/people/{uid}', $parameters
-        );
-        return $memberDetails;
-    }
-
-    /**
-     * Retrieve the list of groups that the specified subject is a member of.
-     * @param $stem The name of the stem where the groups belong to
-     * @return array A list of groups
-     */
-    public function getGroupsByStem($stem, $serviceProviderGroupAcl)
-    {
-        $openSocialGroups = $this->_openSocialRestClient->get(
-            '/groups/{uid}?vo=' + $stem,
-            array(
-                'uid' => $this->_userId,
-            )
-        );
-        return $this->_mapOpenSocialGroupsToEngineBlockGroups($openSocialGroups);
-    }
-
-    protected function _mapOpenSocialGroupsToEngineBlockGroups(array $openSocialGroups)
-    {
-        $groups = array();
-        foreach ($openSocialGroups as $openSocialGroup) {
-            /**
-             * @var OpenSocial_Model_Group $openSocialGroup
-             */
-
-            $group = new EngineBlock_Group_Model_Group();
-            $group->id = $openSocialGroup->id;
-            $group->title = $openSocialGroup->title;
-            
-            foreach ($this->_groupFilters as $groupFilter) {
-                $group = $groupFilter->filter($group);
-            }
-            
-            $groups[] = $group;
-        }
-        return $groups;
-    }
-
-    /**
-     * Get the members of a given group
-     * @param String $groupIdentifier The name of the group to retrieve members of
-     * @return array A list of members
-     */
-    public function getMembers($groupIdentifier, $serviceProviderGroupAcl)
-    {
-        $openSocialPeople = $this->_openSocialRestClient->get(
-            '/people/{uid}/{gid}',
-            array(
-                'uid' => $this->_userId,
-                'gid' => $groupIdentifier,
-            )
-        );
-        return $this->_mapOpenSocialPeopleToEngineBlockGroupMembers($openSocialPeople);
-    }
-
-    protected function _mapOpenSocialPeopleToEngineBlockGroupMembers(array $openSocialPeople)
-    {
-        $members = array();
-        foreach ($openSocialPeople as $openSocialPerson) {
-            /**
-             * @var OpenSocial_Model_Person $openSocialPerson
-             */
-
-            $member = new EngineBlock_Group_Model_GroupMember();
-            $member->id = $openSocialPerson->id;
-            $member->displayName = $openSocialPerson->displayName;
-            
-            foreach ($this->_memberFilters as $memberFilter) {
-                $member = $memberFilter->filter($member);
-            }
-            
-            $members[] = $member;
-        }
-        return $members;
-    }
-
-    /**
-     * Check whether the given user is a member of the given group.
-     * @param String $groupIdentifier The group to check
-     * @return boolean
-     */
-    public function isMember($groupIdentifier)
-    {
-        $members = $this->getMembers($groupIdentifier, null);
-
-        foreach ($members as $member) {
-            if ($member->id === $this->_userId) {
-                return true;
-            }
-        }
-        
-        return false;
-    }
-
-    public function isMemberInStem()
-    {
-        $openSocialGroups = $this->_openSocialRestClient->get(
-            '/groups/{uid}',
-            array(
-                'uid' => $this->_userId,
-            )
-        );
-
-        foreach ($openSocialGroups as $openSocialGroup) {
-            /**
-             * @var OpenSocial_Model_Group $openSocialGroup
-             */
-            if (strpos($openSocialGroup->id, $this->_stem) === 0) {
-                return true;
-            }
-        }
-        return false;
-    }
-}
diff --git a/library/EngineBlock/Group/Provider/OpenSocial/HttpBasic.php b/library/EngineBlock/Group/Provider/OpenSocial/HttpBasic.php
deleted file mode 100644
index ac626fc7c4..0000000000
--- a/library/EngineBlock/Group/Provider/OpenSocial/HttpBasic.php
+++ /dev/null
@@ -1,27 +0,0 @@
-<?php
-
-class EngineBlock_Group_Provider_OpenSocial_HttpBasic 
-    extends EngineBlock_Group_Provider_OpenSocial_Abstract
-{
-    public static function createFromConfigs(Zend_Config $config, $userId)
-    {
-        // @todo get client from factory via DI container instead of instantiating it here, this would make testing and logging easier
-        $httpClient = new Zend_Http_Client($config->url);
-        $httpClient->setAuth(
-            $config->user,
-            $config->password
-        );
-
-        $openSocialRestClient = new OpenSocial_Rest_Client($httpClient);
-        $provider = new self($config->id, $config->name, $openSocialRestClient);
-
-        $provider->setUserId($userId);
-        $provider->configurePreconditions($config);
-        $provider->configureGroupFilters($config);
-        $provider->configureGroupMemberFilters($config);
-
-        $decoratedProvider = $provider->configureDecoratorChain($config);
-
-        return $decoratedProvider;
-    }
-}
diff --git a/library/EngineBlock/Group/Provider/OpenSocial/Oauth/Helper/AccessToken.php b/library/EngineBlock/Group/Provider/OpenSocial/Oauth/Helper/AccessToken.php
deleted file mode 100644
index 3fc9d729cd..0000000000
--- a/library/EngineBlock/Group/Provider/OpenSocial/Oauth/Helper/AccessToken.php
+++ /dev/null
@@ -1,48 +0,0 @@
-<?php
-
-class EngineBlock_Group_Provider_OpenSocial_Oauth_Helper_AccessToken
-{
-    protected $_providerId;
-    protected $_connection;
-    protected $_userId;
-
-    public function __construct($providerId, PDO $databaseConnection, $userId)
-    {
-        $this->_providerId = $providerId;
-        $this->_connection = $databaseConnection;
-        $this->_userId     = $userId;
-    }
-
-    public function loadAccessToken()
-    {
-        $query = "SELECT * FROM group_provider_user_oauth WHERE provider_id=? AND user_id=?";
-        $params = array(
-            $this->_providerId,
-            $this->_userId
-        );
-        $statement = $this->_connection->prepare($query);
-        $statement->execute($params);
-        $row = $statement->fetch(PDO::FETCH_ASSOC);
-
-        $accessToken = new Zend_Oauth_Token_Access();
-        $accessToken->setToken($row['oauth_token']);
-        $accessToken->setTokenSecret($row['oauth_secret']);
-        return $accessToken;
-    }
-
-    public function storeAccessToken(Zend_Oauth_Token_Access $accessToken)
-    {
-        $query = "INSERT INTO group_provider_user_oauth (provider_id, user_id, oauth_token, oauth_secret)
-        VALUES(?, ?, ?, ?)
-        ON DUPLICATE KEY UPDATE oauth_token=VALUES(oauth_token), oauth_secret=VALUES(oauth_secret)";
-        $params = array(
-            $this->_providerId,
-            $this->_userId,
-            $accessToken->getToken(),
-            $accessToken->getTokenSecret()
-        );
-        $statement = $this->_connection->prepare($query);
-        $statement->execute($params);
-        return true;
-    }
-}
diff --git a/library/EngineBlock/Group/Provider/OpenSocial/Oauth/ThreeLegged.php b/library/EngineBlock/Group/Provider/OpenSocial/Oauth/ThreeLegged.php
deleted file mode 100644
index 9c3e5d88be..0000000000
--- a/library/EngineBlock/Group/Provider/OpenSocial/Oauth/ThreeLegged.php
+++ /dev/null
@@ -1,91 +0,0 @@
-<?php
-
-class EngineBlock_Group_Provider_OpenSocial_Oauth_ThreeLegged extends EngineBlock_Group_Provider_OpenSocial_Abstract
-{
-    /**
-     * @var EngineBlock_Group_Provider_OpenSocial_Oauth_Helper_AccessToken
-     */
-    protected $_accessTokenHelper;
-
-    public static function createFromConfigs(Zend_Config $config, $userId)
-    {
-        $databaseFactory = new EngineBlock_Database_ConnectionFactory();
-        $databaseAdapter = $databaseFactory->create(
-            EngineBlock_Database_ConnectionFactory::MODE_READ
-        );
-
-        $accessTokenHelper = new EngineBlock_Group_Provider_OpenSocial_Oauth_Helper_AccessToken(
-            $config->id,
-            $databaseAdapter,
-            $userId
-        );
-
-        $authConfig = $config->auth->toArray();
-        if (isset($authConfig['rsaPrivateKey'])) {
-            if (empty($authConfig['rsaPrivateKey'])) {
-                unset($authConfig['rsaPrivateKey']);
-            }
-            else {
-                $authConfig['rsaPrivateKey'] = new Zend_Crypt_Rsa_Key_Private($authConfig['rsaPrivateKey']);
-            }
-        }
-        
-        if (isset($authConfig['rsaPublicKey'])) {
-            if (empty($authConfig['rsaPublicKey'])) {
-                unset($authConfig['rsaPublicKey']);
-            }
-            else {
-                $authConfig['rsaPublicKey'] = new Zend_Crypt_Rsa_Key_Public($authConfig['rsaPublicKey']);
-            }
-        }
-
-        $httpClient = new Zend_Oauth_Client($authConfig, $config->url, $config);
-
-        $accessToken = $accessTokenHelper->loadAccessToken();
-        if ($accessToken) {
-            $httpClient->setToken($accessToken);
-        }
-
-        $openSocialRestClient = new OpenSocial_Rest_Client($httpClient);
-
-        $provider = new self(
-            $config->id,
-            $config->name,
-            $openSocialRestClient
-        );
-
-        $provider->setUserId($userId);
-        $provider->setAccessTokenHelper($accessTokenHelper);
-        $provider->addPrecondition('EngineBlock_Group_Provider_Precondition_OpenSocial_Oauth_AccessTokenExists');
-
-        $provider->configurePreconditions($config);
-        $provider->configureGroupFilters($config);
-        $provider->configureGroupMemberFilters($config);
-
-        $decoratedProvider = $provider->configureDecoratorChain($config);
-
-        return $decoratedProvider;
-    }
-
-    public function setAccessTokenHelper($helper)
-    {
-        $this->_accessTokenHelper = $helper;
-        return $this;
-    }
-
-    public function setAccessToken($accessToken)
-    {
-        $this->_accessTokenHelper->storeAccessToken($accessToken);
-        $this->_openSocialRestClient->getHttpClient()->setToken($accessToken);
-    }
-
-    /**
-     * @return osapiAuth
-     */
-    public function getOpenSocialRestClient()
-    {
-        return $this->_openSocialRestClient;
-    }
-
-
-}
\ No newline at end of file
diff --git a/library/EngineBlock/Group/Provider/Precondition/False.php b/library/EngineBlock/Group/Provider/Precondition/False.php
deleted file mode 100644
index 6dfb3b2911..0000000000
--- a/library/EngineBlock/Group/Provider/Precondition/False.php
+++ /dev/null
@@ -1,13 +0,0 @@
-<?php
-
-class EngineBlock_Group_Provider_Precondition_False implements EngineBlock_Group_Provider_Precondition_Interface
-{
-    public function __construct(EngineBlock_Group_Provider_Interface $provider, Zend_Config $options)
-    {
-    }
-
-    public function validate()
-    {
-        return false;
-    }
-}
\ No newline at end of file
diff --git a/library/EngineBlock/Group/Provider/Precondition/Interface.php b/library/EngineBlock/Group/Provider/Precondition/Interface.php
deleted file mode 100644
index 35eba8835d..0000000000
--- a/library/EngineBlock/Group/Provider/Precondition/Interface.php
+++ /dev/null
@@ -1,7 +0,0 @@
-<?php
-
-interface EngineBlock_Group_Provider_Precondition_Interface
-{
-    public function __construct(EngineBlock_Group_Provider_Interface $provider, Zend_Config $options);
-    public function validate();
-}
\ No newline at end of file
diff --git a/library/EngineBlock/Group/Provider/Precondition/OpenSocial/Oauth/AccessTokenExists.php b/library/EngineBlock/Group/Provider/Precondition/OpenSocial/Oauth/AccessTokenExists.php
deleted file mode 100644
index 2d8172c1e3..0000000000
--- a/library/EngineBlock/Group/Provider/Precondition/OpenSocial/Oauth/AccessTokenExists.php
+++ /dev/null
@@ -1,19 +0,0 @@
-<?php
-
-class EngineBlock_Group_Provider_Precondition_OpenSocial_Oauth_AccessTokenExists implements EngineBlock_Group_Provider_Precondition_Interface
-{
-    /**
-     * @var \EngineBlock_Group_Provider_OpenSocial_Oauth_ThreeLegged
-     */
-    protected $_provider;
-
-    public function __construct(EngineBlock_Group_Provider_Interface $provider, Zend_Config $options = null)
-    {
-        $this->_provider = $provider;
-    }
-
-    public function validate()
-    {
-        return (bool)$this->_provider->getOpenSocialRestClient()->getHttpClient()->getToken()->getToken();
-    }
-}
\ No newline at end of file
diff --git a/library/EngineBlock/Group/Provider/Precondition/UserId/PregMatch.php b/library/EngineBlock/Group/Provider/Precondition/UserId/PregMatch.php
deleted file mode 100644
index d9c6815242..0000000000
--- a/library/EngineBlock/Group/Provider/Precondition/UserId/PregMatch.php
+++ /dev/null
@@ -1,18 +0,0 @@
-<?php
-
-class EngineBlock_Group_Provider_Precondition_UserId_PregMatch implements EngineBlock_Group_Provider_Precondition_Interface
-{
-    protected $_provider;
-    protected $_search;
-
-    public function __construct(EngineBlock_Group_Provider_Interface $provider, Zend_Config $options)
-    {
-        $this->_provider = $provider;
-        $this->_search = $options->search;
-    }
-
-    public function validate()
-    {
-        return @preg_match($this->_search, $this->_provider->getUserId());
-    }
-}
diff --git a/library/EngineBlock/Group/Provider/ProviderConfig.php b/library/EngineBlock/Group/Provider/ProviderConfig.php
deleted file mode 100644
index 6084b0c7e7..0000000000
--- a/library/EngineBlock/Group/Provider/ProviderConfig.php
+++ /dev/null
@@ -1,137 +0,0 @@
-<?php
-
-/**
- * Read the configuration out of the database
- */
-class EngineBlock_Group_Provider_ProviderConfig {
-
-    /**
-     * Create an Zend_Config of Group Provider(s) from database configuration
-     *
-     * @param $providerId the unique identifier of the Provider (optional)
-     * @return Zend_Config
-     */
-    public function createFromDatabaseFor($providerId = null)
-    {
-        $factory = new EngineBlock_Database_ConnectionFactory();
-        $db = $factory->create(EngineBlock_Database_ConnectionFactory::MODE_READ);
-        $sql = 'SELECT *
-            FROM group_provider';
-        $parameters = array();
-        if ($providerId) {
-            $sql .= " WHERE identifier = ?";
-            $parameters[] = $providerId;
-        }
-        $statement = $db->prepare($sql);
-        $statement->execute($parameters);
-        $groupProviderRows = $statement->fetchAll(PDO::FETCH_ASSOC);
-
-        $groupProviders = array();
-        foreach ($groupProviderRows as $groupProviderRow) {
-            $groupProvider = array(
-                'id'        => $groupProviderRow['identifier'],
-                'name'      => $groupProviderRow['name'],
-                'className' => $groupProviderRow['classname'],
-            );
-
-            // Retrieve options
-            $optionRows = $db->query(
-                "SELECT `name`, `value`
-                FROM group_provider_option
-                WHERE group_provider_id = {$groupProviderRow['id']}"
-            )->fetchAll(PDO::FETCH_ASSOC);
-            foreach ($optionRows as $optionRow) {
-                if (!isset($optionRow['value']) || empty($optionRow['value'])) {
-                    continue;
-                }
-                
-                $groupProviderOptionPointer = &$groupProvider;
-                $optionNameParts = explode('.', $optionRow['name']);
-                $lastOptionNamePart = null;
-                while ($optionNamePart = array_shift($optionNameParts)) {
-                    if (!isset($groupProviderOptionPointer[$optionNamePart]) && !empty($optionNameParts)) {
-                        $groupProviderOptionPointer[$optionNamePart] = array();
-                    }
-                    $groupProviderOptionPointer = &$groupProviderOptionPointer[$optionNamePart];
-                }
-                $groupProviderOptionPointer = $optionRow['value'];
-            }
-
-            // decorators
-            $decoratorAndOptionsRows = $db->query(
-                "SELECT gpd.id        AS id,
-                        gpd.classname AS className,
-                        gpdo.name     AS option_name,
-                        gpdo.value    AS option_value
-                FROM group_provider_decorator gpd
-                LEFT JOIN group_provider_decorator_option gpdo ON gpd.id = gpdo.group_provider_decorator_id
-                WHERE gpd.group_provider_id = {$groupProviderRow['id']}"
-            );
-            if (!empty($decoratorAndOptionsRows)) {
-                $groupProvider['decorators'] = array();
-                foreach ($decoratorAndOptionsRows as $decoratorOptionsRow) {
-                    if (!isset($groupProvider['decorators'][$decoratorOptionsRow['id']])) {
-                        $groupProvider['decorators'][$decoratorOptionsRow['id']] = array();
-                    }
-                    $groupProvider['decorators'][$decoratorOptionsRow['id']]['className'] = $decoratorOptionsRow['className'];
-                    if (isset($decoratorOptionsRow['option_name']) && $decoratorOptionsRow['option_name']) {
-                        $groupProvider['decorators'][$decoratorOptionsRow['id']][$decoratorOptionsRow['option_name']] = $decoratorOptionsRow['option_value'];
-                    }
-                }
-            }
-
-            // filters
-            $filterAndOptionsRows = $db->query(
-                "SELECT gpf.id        AS id,
-                        gpf.type      AS type,
-                        gpf.classname AS className,
-                        gpfo.name     AS option_name,
-                        gpfo.value    AS option_value
-                FROM group_provider_filter gpf
-                LEFT JOIN group_provider_filter_option gpfo ON gpf.id = gpfo.group_provider_filter_id
-                WHERE gpf.group_provider_id = {$groupProviderRow['id']}"
-            );
-            foreach ($filterAndOptionsRows as $filterOptionsRow) {
-                if (!isset($groupProvider[$filterOptionsRow['type'] . 'Filters'])) {
-                    $groupProvider[$filterOptionsRow['type'] . 'Filters'] = array();
-                }
-                $filters = &$groupProvider[$filterOptionsRow['type'] . 'Filters'];
-                if (!isset($filters[$filterOptionsRow['id']])) {
-                    $filters[$filterOptionsRow['id']] = array();
-                }
-                $filters[$filterOptionsRow['id']]['className'] = $filterOptionsRow['className'];
-                if (isset($filterOptionsRow['option_name']) && $filterOptionsRow['option_name']) {
-                    $filters[$filterOptionsRow['id']][$filterOptionsRow['option_name']] = $filterOptionsRow['option_value'];
-                }
-            }
-
-            // preconditions
-            $preconditionAndOptionsRows = $db->query(
-                "SELECT gpp.id        AS id,
-                        gpp.classname AS className,
-                        gppo.name     AS option_name,
-                        gppo.value    AS option_value
-                FROM group_provider_precondition gpp
-                LEFT JOIN group_provider_precondition_option gppo ON gpp.id = gppo.group_provider_precondition_id
-                WHERE gpp.group_provider_id = {$groupProviderRow['id']}"
-            );
-            if (!empty($preconditionAndOptionsRows)) {
-                $groupProvider['preconditions'] = array();
-                foreach ($preconditionAndOptionsRows as $preconditionOptionsRow) {
-                    if (!isset($groupProvider['preconditions'][$preconditionOptionsRow['id']])) {
-                        $groupProvider['preconditions'][$preconditionOptionsRow['id']] = array();
-                    }
-                    $groupProvider['preconditions'][$preconditionOptionsRow['id']]['className'] = $preconditionOptionsRow['className'];
-                    if (isset($preconditionOptionsRow['option_name']) && $preconditionOptionsRow['option_name']) {
-                        $groupProvider['preconditions'][$preconditionOptionsRow['id']][$preconditionOptionsRow['option_name']] = $preconditionOptionsRow['option_value'];
-                    }
-                }
-            }
-
-            $groupProviders[] = $groupProvider;
-        }
-        return new Zend_Config($groupProviders);
-    }
-
-
-}
diff --git a/library/EngineBlock/Log/Message/AdditionalInfo.php b/library/EngineBlock/Log/Message/AdditionalInfo.php
index 8c00d48340..3f46f7332b 100644
--- a/library/EngineBlock/Log/Message/AdditionalInfo.php
+++ b/library/EngineBlock/Log/Message/AdditionalInfo.php
@@ -12,6 +12,7 @@ class EngineBlock_Log_Message_AdditionalInfo
 
     public static function createFromException(EngineBlock_Exception $e)
     {
+        /** @var EngineBlock_Log_Message_AdditionalInfo $info */
         $info = new static();
         $info->_userId  = $e->userId;
         $info->_idp     = $e->idpEntityId;
diff --git a/library/EngineBlock/Memcache/ConnectionFactory.php b/library/EngineBlock/Memcache/ConnectionFactory.php
index 412df4d288..de8309d8e7 100644
--- a/library/EngineBlock/Memcache/ConnectionFactory.php
+++ b/library/EngineBlock/Memcache/ConnectionFactory.php
@@ -1,14 +1,7 @@
 <?php
 
-class EngineBlock_Memcache_SettingsException extends EngineBlock_Exception
+class EngineBlock_Memcache_ConnectionFactory
 {
-    public function __construct($message, $severity = self::CODE_ALERT, Exception $previous = null)
-    {
-        parent::__construct($message, $severity, $previous);
-    }
-}
-
-class EngineBlock_Memcache_ConnectionFactory {
     const DEFAULT_PORT                      = 11211;
     const DEFAULT_PERSISTENCE               = true;
     const DEFAULT_WEIGHT                    = 1;
diff --git a/library/EngineBlock/Memcache/SettingsException.php b/library/EngineBlock/Memcache/SettingsException.php
new file mode 100644
index 0000000000..a77febe65a
--- /dev/null
+++ b/library/EngineBlock/Memcache/SettingsException.php
@@ -0,0 +1,9 @@
+<?php
+
+class EngineBlock_Memcache_SettingsException extends EngineBlock_Exception
+{
+    public function __construct($message, $severity = self::CODE_ALERT, Exception $previous = null)
+    {
+        parent::__construct($message, $severity, $previous);
+    }
+}
\ No newline at end of file
diff --git a/library/EngineBlock/Rest/Client.php b/library/EngineBlock/Rest/Client.php
index 9aea2c947e..bf417a0d20 100644
--- a/library/EngineBlock/Rest/Client.php
+++ b/library/EngineBlock/Rest/Client.php
@@ -24,7 +24,9 @@
 class EngineBlock_Rest_Client extends Zend_Rest_Client
 {
     /**
-     * @return array|Zend_Rest_Client_Result
+     * @param array $args
+     * @return mixed|Zend_Rest_Client_Result
+     * @throws EngineBlock_Exception
      */
     public function get($args = array())
     {
diff --git a/library/EngineBlock/Saml2/AuthnRequestAnnotationDecorator.php b/library/EngineBlock/Saml2/AuthnRequestAnnotationDecorator.php
index 210a4e6aec..6aabbe1b25 100644
--- a/library/EngineBlock/Saml2/AuthnRequestAnnotationDecorator.php
+++ b/library/EngineBlock/Saml2/AuthnRequestAnnotationDecorator.php
@@ -5,7 +5,7 @@ class EngineBlock_Saml2_AuthnRequestAnnotationDecorator extends EngineBlock_Saml
     /**
      * @var SAML2_AuthnRequest
      */
-    protected $sspRequest;
+    protected $sspMessage;
 
     /**
      * @var string
@@ -51,11 +51,11 @@ public function __construct(SAML2_AuthnRequest $request)
     }
 
     /**
-     * @return \SAML2_AuthnRequest
+     * @return string[] EntityIds in Scoping > RequesterID element.
      */
-    public function getSspRequest()
+    public function getRequesterIds()
     {
-        return $this->sspRequest;
+        return $this->sspMessage->getRequesterID();
     }
 
     public function setDebugRequest()
diff --git a/library/EngineBlock/Saml2/AuthnRequestSessionRepository.php b/library/EngineBlock/Saml2/AuthnRequestSessionRepository.php
new file mode 100644
index 0000000000..c5116d26aa
--- /dev/null
+++ b/library/EngineBlock/Saml2/AuthnRequestSessionRepository.php
@@ -0,0 +1,94 @@
+<?php
+
+/**
+ * Session storage for Authentication Requests. Store AuthnRequests and link requests together.
+ */
+class EngineBlock_Saml2_AuthnRequestSessionRepository
+{
+    /**
+     * @var EngineBlock_Log
+     */
+    private $sessionLog;
+
+    /**
+     * @var
+     */
+    private $requestStorage;
+
+    /**
+     * @var array
+     */
+    private $linkStorage;
+
+    /**
+     * @param EngineBlock_Log $sessionLog
+     */
+    public function __construct(EngineBlock_Log $sessionLog)
+    {
+        if (!isset($_SESSION['SAMLRequest'])) {
+            $_SESSION['SAMLRequest'] = array();
+        }
+        $this->requestStorage = &$_SESSION['SAMLRequest'];
+
+        if (!isset($_SESSION['SAMLRequestLinks'])) {
+            $_SESSION['SAMLRequestLinks'] = array();
+        }
+        $this->linkStorage    = &$_SESSION['SAMLRequestLinks'];
+
+        $this->sessionLog = $sessionLog;
+    }
+
+    /**
+     * @param string $requestId
+     * @return EngineBlock_Saml2_AuthnRequestAnnotationDecorator
+     */
+    public function findRequestById($requestId)
+    {
+        if (!isset($this->requestStorage[$requestId])) {
+            return null;
+        }
+
+        return $this->requestStorage[$requestId];
+    }
+
+    /**
+     * @param $requestId
+     * @return string|null
+     */
+    public function findLinkedRequestId($requestId)
+    {
+        // Check the session for a AuthnRequest with the given ID
+        // Expect to get back an AuthnRequest issued by EngineBlock and destined for the IdP
+        if (!$requestId || !isset($this->linkStorage[$requestId])) {
+            return null;
+        }
+
+        return $this->linkStorage[$requestId];
+    }
+
+    /**
+     * @param EngineBlock_Saml2_AuthnRequestAnnotationDecorator $spRequest
+     * @return $this
+     */
+    public function store(
+        EngineBlock_Saml2_AuthnRequestAnnotationDecorator $spRequest
+    ) {
+        // Store the original Request
+        $this->requestStorage[$spRequest->getId()] = $spRequest;
+        return $this;
+    }
+
+    /**
+     * @param EngineBlock_Saml2_AuthnRequestAnnotationDecorator $fromRequest
+     * @param EngineBlock_Saml2_AuthnRequestAnnotationDecorator $toRequest
+     * @return $this
+     */
+    public function link(
+        EngineBlock_Saml2_AuthnRequestAnnotationDecorator $fromRequest,
+        EngineBlock_Saml2_AuthnRequestAnnotationDecorator $toRequest
+    ) {
+        // Store the mapping from the new request ID to the original request ID
+        $this->linkStorage[$fromRequest->getId()] = $toRequest->getId();
+        return $this;
+    }
+}
\ No newline at end of file
diff --git a/library/EngineBlock/Saml2/NameIdResolver.php b/library/EngineBlock/Saml2/NameIdResolver.php
new file mode 100644
index 0000000000..a8663eca0d
--- /dev/null
+++ b/library/EngineBlock/Saml2/NameIdResolver.php
@@ -0,0 +1,282 @@
+<?php
+
+class EngineBlock_Saml2_NameIdResolver
+{
+    const PERSISTENT_NAMEID_SALT = 'COIN:';
+
+    /**
+     * Note the significant ordering, from least privacy sensitive to most privacy sensitive.
+     * See also:
+     * @url https://jira.surfconext.nl/jira/browse/BACKLOG-673
+     *
+     * @var array
+     */
+    private $SUPPORTED_NAMEID_FORMATS = array(
+        EngineBlock_Urn::SAML2_0_NAMEID_FORMAT_PERSISTENT,
+        EngineBlock_Urn::SAML2_0_NAMEID_FORMAT_TRANSIENT,
+        EngineBlock_Urn::SAML1_1_NAMEID_FORMAT_UNSPECIFIED,
+        // @todo remove this as soon as it's no longer required to be supported for backwards compatibility
+        EngineBlock_Urn::SAML2_0_NAMEID_FORMAT_UNSPECIFIED
+    );
+
+    /**
+     * @param EngineBlock_Saml2_AuthnRequestAnnotationDecorator $request
+     * @param EngineBlock_Saml2_ResponseAnnotationDecorator $response
+     * @param array $destinationMetadata
+     * @param $collabPersonId
+     * @return array
+     */
+    public function resolve(
+        EngineBlock_Saml2_AuthnRequestAnnotationDecorator $request,
+        EngineBlock_Saml2_ResponseAnnotationDecorator $response,
+        array $destinationMetadata,
+        $collabPersonId
+    ) {
+        $customNameId = $response->getCustomNameId();
+        if ($customNameId) {
+            return $customNameId;
+        }
+
+        $nameIdFormat = $this->_getNameIdFormat($request, $destinationMetadata);
+
+        $requireUnspecified = ($nameIdFormat === EngineBlock_Urn::SAML1_1_NAMEID_FORMAT_UNSPECIFIED);
+        // @todo remove this as soon as it's no longer required to be supported for backwards compatibility
+        $requireUnspecified |= $nameIdFormat === EngineBlock_Urn::SAML2_0_NAMEID_FORMAT_UNSPECIFIED;
+        if ($requireUnspecified) {
+            return array(
+                'Format' => $nameIdFormat,
+                'Value' => $response->getIntendedNameId(),
+            );
+        }
+
+        $requireTransient = ($nameIdFormat === EngineBlock_Urn::SAML2_0_NAMEID_FORMAT_TRANSIENT);
+        if ($requireTransient) {
+            return array(
+                'Format' => $nameIdFormat,
+                'Value' => $this->_getTransientNameId(
+                        $destinationMetadata['EntityID'], $response->getOriginalIssuer()
+                 ),
+            );
+        }
+
+        return array(
+            'Format' => $nameIdFormat,
+            'Value' => $this->_getPersistentNameId(
+                $collabPersonId,
+                $destinationMetadata['EntityID']
+            ),
+        );
+    }
+
+    /**
+     * Load transient Name ID from session or generate a new one
+     *
+     * @param string $spId
+     * @param string $idpId
+     * @return string
+     */
+    protected function _getTransientNameId($spId, $idpId)
+    {
+        $nameIdFromSession = $this->_getTransientNameIdFromSession($spId, $idpId);
+        if ($nameIdFromSession) {
+            return $nameIdFromSession;
+        }
+
+        $nameId = $this->_generateTransientNameId();
+
+        $this->_storeTransientNameIdToSession($nameId, $spId, $idpId);
+        return $nameId;
+    }
+
+    protected function _generateTransientNameId()
+    {
+        return sha1((string)mt_rand(0, mt_getrandmax()));
+    }
+
+    protected function _getTransientNameIdFromSession($spId, $idpId)
+    {
+        return isset($_SESSION[$spId][$idpId]) ? $_SESSION[$spId][$idpId] : false;
+    }
+
+    protected function _storeTransientNameIdToSession($nameId, $spId, $idpId)
+    {
+        // store to session
+        $_SESSION[$spId][$idpId] = $nameId;
+    }
+
+    protected function _getNameIdFormat($request, $spEntityMetadata)
+    {
+        // If a NameIDFormat was explicitly set in the ServiceRegistry, use that...
+        if (isset($spEntityMetadata['NameIDFormat'])) {
+            return $spEntityMetadata['NameIDFormat'];
+        }
+
+        // If the SP requests a specific NameIDFormat in their AuthnRequest
+        /** @var SAML2_AuthnRequest $request */
+        $nameIdPolicy = $request->getNameIdPolicy();
+        if (!empty($nameIdPolicy['Format'])) {
+            $mayUseRequestedNameIdFormat = true;
+            $requestedNameIdFormat = $nameIdPolicy['Format'];
+
+            // Do we support the NameID Format that the SP requests?
+            if (!in_array($requestedNameIdFormat, $this->SUPPORTED_NAMEID_FORMATS)) {
+                EngineBlock_ApplicationSingleton::getLog()->notice(
+                    "Whoa, SP '{$spEntityMetadata['EntityID']}' requested '{$requestedNameIdFormat}' " .
+                    "however we don't support that format, opting to try something else it supports " .
+                    "instead of sending an error. SP might not be happy with this violation of the spec " .
+                    "but it's probably a lot happier with a valid Response than an Error Response"
+                );
+                $mayUseRequestedNameIdFormat = false;
+            }
+
+            // Is this SP restricted to specific NameIDFormats?
+            if (isset($spEntityMetadata['NameIDFormats'])) {
+                if (!in_array($requestedNameIdFormat, $spEntityMetadata['NameIDFormats'])) {
+                    EngineBlock_ApplicationSingleton::getLog()->notice(
+                        "Whoa, SP '{$spEntityMetadata['EntityID']}' requested '{$requestedNameIdFormat}' " .
+                        "opting to try something else it supports " .
+                        "instead of sending an error. SP might not be happy with this violation of the spec " .
+                        "but it's probably a lot happier with a valid Response than an Error Response"
+                    );
+
+                    $mayUseRequestedNameIdFormat = false;
+                }
+            }
+
+            if ($mayUseRequestedNameIdFormat) {
+                return $requestedNameIdFormat;
+            }
+        }
+
+        // So neither a NameIDFormat is explicitly set in the metadata OR a (valid) NameIDPolicy is set in the AuthnRequest
+        // so we check what the SP supports (or what JANUS claims that it supports) and
+        // return the least privacy sensitive one.
+        if (!empty($spEntityMetadata['NameIDFormats'])) {
+            foreach ($this->SUPPORTED_NAMEID_FORMATS as $supportedNameIdFormat) {
+                if (in_array($supportedNameIdFormat, $spEntityMetadata['NameIDFormats'])) {
+                    return $supportedNameIdFormat;
+                }
+            }
+        }
+
+        throw new EngineBlock_Exception(
+            "Whoa, SP '{$spEntityMetadata['EntityID']}' has no NameIDFormat set, did send a (valid) NameIDPolicy and has no supported NameIDFormats set... I give up..." ,
+            EngineBlock_Exception::CODE_NOTICE
+        );
+    }
+
+    protected function _getPersistentNameId($originalCollabPersonId, $spEntityId)
+    {
+        $serviceProviderUuid = $this->_getServiceProviderUuid($spEntityId);
+        $userUuid            = $this->_getUserUuid($originalCollabPersonId);
+        $persistentId = $this->_fetchPersistentId($serviceProviderUuid, $userUuid);
+
+        if (!$persistentId) {
+            $persistentId = $this->_generatePersistentId($serviceProviderUuid, $userUuid);
+            $this->_storePersistentId($persistentId, $serviceProviderUuid, $userUuid);
+        }
+        return $persistentId;
+    }
+
+    protected function _getServiceProviderUuid($spEntityId)
+    {
+        $uuid = $this->_fetchServiceProviderUuid($spEntityId);
+
+        if ($uuid) {
+            return $uuid;
+        }
+
+        $uuid = (string)Surfnet_Zend_Uuid::generate();
+        $this->_storeServiceProviderUuid($spEntityId, $uuid);
+
+        return $uuid;
+    }
+
+    protected function _fetchServiceProviderUuid($spEntityId)
+    {
+        $statement = $this->_getDb()->prepare(
+            'SELECT uuid FROM service_provider_uuid WHERE service_provider_entity_id=?'
+        );
+        $statement->execute(array($spEntityId));
+        $result = $statement->fetchAll();
+
+        if (count($result) > 1) {
+            throw new EngineBlock_Exception('Multiple SP UUIDs found? For: SP: ' . $spEntityId);
+        }
+
+        return isset($result[0]['uuid']) ? $result[0]['uuid'] : false;
+    }
+
+    protected function _storeServiceProviderUuid($spEntityId, $uuid)
+    {
+        $this->_getDb()->prepare(
+            'INSERT INTO service_provider_uuid (uuid, service_provider_entity_id) VALUES (?,?)'
+        )->execute(
+            array($uuid, $spEntityId)
+        );
+    }
+
+    protected function _fetchPersistentId($serviceProviderUuid, $userUuid)
+    {
+        $statement = $this->_getDb()->prepare(
+            "SELECT persistent_id FROM saml_persistent_id WHERE service_provider_uuid = ? AND user_uuid = ?"
+        );
+        $statement->execute(array($serviceProviderUuid, $userUuid));
+        $result = $statement->fetchAll();
+        if (count($result) > 1) {
+            throw new EngineBlock_Exception(
+                'Multiple persistent IDs found? For: SPUUID: ' . $serviceProviderUuid . ' and user UUID: ' . $userUuid
+            );
+        }
+        return isset($result[0]['persistent_id']) ? $result[0]['persistent_id'] : false;
+    }
+
+    protected function _generatePersistentId($serviceProviderUuid, $userUuid)
+    {
+        return sha1(self::PERSISTENT_NAMEID_SALT . $userUuid . $serviceProviderUuid);
+    }
+
+    protected function _storePersistentId($persistentId, $serviceProviderUuid, $userUuid)
+    {
+        $this->_getDb()->prepare(
+            "INSERT INTO saml_persistent_id (persistent_id, service_provider_uuid, user_uuid) VALUES (?,?,?)"
+        )->execute(
+            array($persistentId, $serviceProviderUuid, $userUuid)
+        );
+    }
+
+    protected function _getDb()
+    {
+        static $s_db;
+        if ($s_db) {
+            return $s_db;
+        }
+
+        $factory = new EngineBlock_Database_ConnectionFactory();
+        $s_db = $factory->create(EngineBlock_Database_ConnectionFactory::MODE_WRITE);
+
+        return $s_db;
+    }
+
+    protected function _getUserUuid($collabPersonId)
+    {
+        $userDirectory = $this->_getUserDirectory();
+        $users = $userDirectory->findUsersByIdentifier($collabPersonId);
+        if (count($users) > 1) {
+            throw new EngineBlock_Exception('Multiple users found for collabPersonId: ' . $collabPersonId);
+        }
+
+        if (count($users) < 1) {
+            throw new EngineBlock_Exception('No users found for collabPersonId: ' . $collabPersonId);
+        }
+
+        return $users[0]['collabpersonuuid'];
+    }
+
+    protected function _getUserDirectory()
+    {
+        return new EngineBlock_UserDirectory(
+            EngineBlock_ApplicationSingleton::getInstance()->getConfiguration()->ldap
+        );
+    }
+}
\ No newline at end of file
diff --git a/library/EngineBlock/Saml2/ResponseAnnotationDecorator.php b/library/EngineBlock/Saml2/ResponseAnnotationDecorator.php
index 71cd66e680..56c42e2614 100644
--- a/library/EngineBlock/Saml2/ResponseAnnotationDecorator.php
+++ b/library/EngineBlock/Saml2/ResponseAnnotationDecorator.php
@@ -166,17 +166,17 @@ public function getOriginalNameId()
     }
 
     /**
-     * @param string $customNameId
+     * @param array $customNameId
      * @return $this
      */
-    public function setCustomNameId($customNameId)
+    public function setCustomNameId(array $customNameId)
     {
         $this->customNameId = $customNameId;
         return $this;
     }
 
     /**
-     * @return string
+     * @return array
      */
     public function getCustomNameId()
     {
diff --git a/library/EngineBlock/Saml2/ResponseFactory.php b/library/EngineBlock/Saml2/ResponseFactory.php
index 1350e463a3..03bedf7fe3 100644
--- a/library/EngineBlock/Saml2/ResponseFactory.php
+++ b/library/EngineBlock/Saml2/ResponseFactory.php
@@ -7,10 +7,10 @@
 class EngineBlock_Saml2_ResponseFactory
 {
     /**
-     * @todo make this generic
-     *
      * @param SAML2_AuthnRequest $authnRequest
      * @param SimpleSAML_Configuration $idpConfig
+     * @param $nameId
+     * @param $issuer
      * @param array $attributes
      * @return SAML2_Response
      */
@@ -63,16 +63,24 @@ public function create(
      */
     private function addSigns(SAML2_Response $response, SimpleSAML_Configuration $idpConfig)
     {
-        // @todo find out why multiple assertions can exist
         $assertions = $response->getAssertions();
         $className = EngineBlock_ApplicationSingleton::getInstance()->getDiContainer()->getMessageUtilClassName();
+
+        // Special case the 'normal' message verification class name so we have IDE support.
+        if ($className === 'sspmod_saml_Message') {
+            sspmod_saml_Message::addSign(
+                $idpConfig,
+                SimpleSAML_Configuration::loadFromArray(array()),
+                $assertions[0]
+            );
+            return;
+        }
+
         $className::addSign(
             $idpConfig,
             SimpleSAML_Configuration::loadFromArray(array()),
             $assertions[0]
         );
-        // Signing of message is not required so disabled for now
-        // sspmod_saml_Message::addSign($idpConfig, null, $response);
     }
 
     /**
diff --git a/library/EngineBlock/SamlHelper.php b/library/EngineBlock/SamlHelper.php
index 6fe348aeda..dc3bb6d8e7 100644
--- a/library/EngineBlock/SamlHelper.php
+++ b/library/EngineBlock/SamlHelper.php
@@ -1,4 +1,5 @@
 <?php
+
 /**
  * Temporary workaround
  *
@@ -7,11 +8,73 @@
 class EngineBlock_SamlHelper
 {
     /**
-     * @param array $sp
-     * @param array $idp
+     * Do we need to enable additional logging for any of the specified entities (SP or IdP).
+     *
+     * @param array $entities
      * @return bool
      */
-    public static function doRemoteEntitiesRequireAdditionalLogging(array $sp, array $idp = null) {
-        return (!empty($sp['AdditionalLogging']) || !empty($idp['AdditionalLogging']));
+    public static function doRemoteEntitiesRequireAdditionalLogging(array $entities) {
+        foreach ($entities as $entity) {
+            if (!empty($entity['AdditionalLogging'])) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    /**
+     * Get the 'chain' of SP requesters, if available. Furthest removed SP first.
+     *
+     * @param array $spEntityMetadata
+     * @param EngineBlock_Saml2_AuthnRequestAnnotationDecorator $request
+     * @param EngineBlock_Corto_ProxyServer $server
+     * @return array
+     */
+    public static function getSpRequesterChain(
+        array $spEntityMetadata,
+        EngineBlock_Saml2_AuthnRequestAnnotationDecorator $request,
+        EngineBlock_Corto_ProxyServer $server
+    ) {
+        $chain = array($spEntityMetadata);
+
+        $destinationSpMetadata = self::getDestinationSpMetadata($spEntityMetadata, $request, $server);
+        if ($destinationSpMetadata !== $spEntityMetadata) {
+            array_unshift($chain, $destinationSpMetadata);
+        }
+
+        return $chain;
+    }
+
+    /**
+     * Get the 'Destination' SP metadata. Depending on the SP configuration, may be the SP metadata or it's requester.
+     *
+     * @param array $spEntityMetadata
+     * @param EngineBlock_Saml2_AuthnRequestAnnotationDecorator $request
+     * @param EngineBlock_Corto_ProxyServer $server
+     * @return array
+     */
+    public static function getDestinationSpMetadata(
+        array $spEntityMetadata,
+        EngineBlock_Saml2_AuthnRequestAnnotationDecorator $request,
+        EngineBlock_Corto_ProxyServer $server
+    ) {
+        if (!isset($spEntityMetadata['TrustedProxy']) || !$spEntityMetadata['TrustedProxy']) {
+            return $spEntityMetadata;
+        }
+
+        if (!$request->wasSigned()) {
+            return $spEntityMetadata;
+        }
+
+        // Requester IDs are appended to as they pass through a proxy, so we always want the last RequesterID
+        // Note that this is not specified in the spec, but this is what we do and what SSP does.
+        $requesterIds = $request->getRequesterIds();
+        $lastRequesterEntityId = end($requesterIds);
+
+        if ($lastRequesterEntityId && !$server->hasRemoteEntity($lastRequesterEntityId)) {
+            return $spEntityMetadata;
+        }
+
+        return $server->getRemoteEntity($lastRequesterEntityId);
     }
 }
diff --git a/library/EngineBlock/Urn.php b/library/EngineBlock/Urn.php
index 03567a1db0..0a27364571 100644
--- a/library/EngineBlock/Urn.php
+++ b/library/EngineBlock/Urn.php
@@ -1,4 +1,5 @@
 <?php
+
 /**
  * Collection of urn constants to prevent having them like brittle 'magic strings' in code
  */
diff --git a/library/EngineBlock/UserDirectory.php b/library/EngineBlock/UserDirectory.php
index a95e527a33..3b0ee26ee0 100644
--- a/library/EngineBlock/UserDirectory.php
+++ b/library/EngineBlock/UserDirectory.php
@@ -30,49 +30,39 @@ class EngineBlock_UserDirectory
         'top',
     );
 
+    /**
+     * @var Zend_Ldap
+     */
     protected $_ldapClient = NULL;
 
+    /**
+     * @var Zend_Config
+     */
     protected $_ldapConfig = NULL;
 
-    public function __construct($ldapConfig)
+    /**
+     * @param Zend_Config $ldapConfig
+     */
+    public function __construct(Zend_Config $ldapConfig)
     {
         $this->_ldapConfig = $ldapConfig;
     }
 
-    public function findUsersByIdentifier($identifier, $ldapAttributes = array())
+    /**
+     * Find a person by it's (collabPerson)Id
+     *
+     * @param $identifier
+     * @return array[]
+     */
+    public function findUsersByIdentifier($identifier)
     {
         $filter = '(&(objectclass=' . self::LDAP_CLASS_COLLAB_PERSON . ')';
         $filter .= '(' . self::LDAP_ATTR_COLLAB_PERSON_ID . '=' . $identifier . '))';
-        return $this->_fetchResultsForFilter($filter);
-    }
-
-    public function findUserByCollabPersonId($collabPersonId)
-    {
-        $filter = '(&(objectclass=' . self::LDAP_CLASS_COLLAB_PERSON . ')';
-        $filter .= '(' . self::LDAP_ATTR_COLLAB_PERSON_ID . '=' . $collabPersonId . '))';
-        return $this->_fetchResultsForFilter($filter);
-    }
-
-    public function findUserByCollabPersonUuid($collabPersonUuid)
-    {
-        $filter = '(&(objectclass=' . self::LDAP_CLASS_COLLAB_PERSON . ')';
-        $filter .= '(' . self::LDAP_ATTR_COLLAB_PERSON_UUID . '=' . $collabPersonUuid . '))';
-        return $this->_fetchResultsForFilter($filter);
-    }
 
-    public function fetchAll()
-    {
-        $filter = '(&(objectclass=' . self::LDAP_CLASS_COLLAB_PERSON . ')';
-        return $this->_fetchResultsForFilter($filter);
-    }
-
-    protected function _fetchResultsForFilter($filter, $fields = array())
-    {
         $collection = $this->_getLdapClient()->search(
             $filter,
             null,
-            Zend_Ldap::SEARCH_SCOPE_SUB,
-            $fields
+            Zend_Ldap::SEARCH_SCOPE_SUB
         );
 
         // Convert the result from a Zend_Ldap object to a plain multi-dimensional array
@@ -90,6 +80,12 @@ protected function _fetchResultsForFilter($filter, $fields = array())
         return $result;
     }
 
+    /**
+     * @param array $saml2attributes
+     * @param array $idpEntityMetadata
+     * @return string[]
+     * @throws EngineBlock_Exception
+     */
     public function registerUser(array $saml2attributes, array $idpEntityMetadata)
     {
         $ldapAttributes = $this->_getSaml2AttributesFieldMapper()->saml2AttributesToLdapAttributes($saml2attributes);
@@ -127,10 +123,11 @@ public function registerUser(array $saml2attributes, array $idpEntityMetadata)
     }
 
     /**
-     * Set the first warning sent user attribute
+     * Register that this user has a first warning (for automatic account deprovisioning) sent.
      *
-     * @param string $uid
-     * @return string
+     * @param $uid
+     * @return mixed
+     * @throws EngineBlock_Exception
      */
     public function setUserFirstWarningSent($uid)
     {
@@ -146,13 +143,13 @@ public function setUserFirstWarningSent($uid)
         $newAttributes = array();
         $newAttributes[self::LDAP_ATTR_COLLAB_PERSON_FIRST_WARNING] = 'TRUE';
 
-        $user = $this->_updateUser($users[0], $newAttributes, array(), array());
+        $user = $this->_updateUser($users[0], $newAttributes);
 
         return $user[self::LDAP_ATTR_COLLAB_PERSON_ID];
     }
 
     /**
-     * 
+     * Register that this user has a second warning (for automatic account deprovisioning) sent.
      *
      * @throws EngineBlock_Exception
      * @param string $uid
@@ -172,7 +169,7 @@ public function setUserSecondWarningSent($uid)
         $newAttributes = array();
         $newAttributes[self::LDAP_ATTR_COLLAB_PERSON_SECOND_WARNING] = 'TRUE';
 
-        $user = $this->_updateUser($users[0], $newAttributes, array(), array());
+        $user = $this->_updateUser($users[0], $newAttributes);
 
         return $user[self::LDAP_ATTR_COLLAB_PERSON_ID];
     }
@@ -192,12 +189,13 @@ public function deleteUser($uid)
     /**
      * Build the user dn based on the UID
      *
-     * @param  $uid
-     * @return null|string
+     * @param $uid
+     * @return string
+     * @throws EngineBlock_Exception
      */
     protected function _buildUserDn($uid)
     {
-        $users = $this->findUserByCollabPersonId($uid);
+        $users = $this->findUsersByIdentifier($uid);
         if (count($users) !== 1) {
             $e = new EngineBlock_Exception("Multiple or no users found for uid $uid?");
             $e->userId = $uid;
@@ -207,7 +205,7 @@ protected function _buildUserDn($uid)
         return 'uid='. $user['uid'] .',o='. $user['o'] .','. $this->_ldapConfig->baseDn;
     }
 
-    protected function _enrichLdapAttributes($ldapAttributes, $saml2attributes, $idpEntityMetadata)
+    protected function _enrichLdapAttributes($ldapAttributes, $saml2attributes)
     {
         if (!isset($ldapAttributes['cn'])) {
             $ldapAttributes['cn'] = $this->_getCommonNameFromAttributes($ldapAttributes);
@@ -219,12 +217,12 @@ protected function _enrichLdapAttributes($ldapAttributes, $saml2attributes, $idp
             $ldapAttributes['sn'] = $ldapAttributes['cn'];
         }
         $ldapAttributes[self::LDAP_ATTR_COLLAB_PERSON_IS_GUEST]      = ($this->_getCollabPersonIsGuest(
-            $ldapAttributes, $saml2attributes, $idpEntityMetadata
+            $saml2attributes
         )? 'TRUE' : 'FALSE');
         return $ldapAttributes;
     }
 
-    protected function _addUser($newAttributes, $saml2attributes, $idpEntityMetadata)
+    protected function _addUser($newAttributes)
     {
         $newAttributes[self::LDAP_ATTR_COLLAB_PERSON_HASH]          = $this->_getCollabPersonHash($newAttributes);
 
@@ -271,7 +269,7 @@ protected function _addOrganization($organization)
         return $result;
     }
 
-    protected function _updateUser($user, $newAttributes, $saml2attributes, $idpEntityMetadata)
+    protected function _updateUser($user, $newAttributes)
     {
         // Hackish, apparently LDAP gives us arrays even for single values?
         // So for now we assume arrays with only one value are single valued
@@ -330,12 +328,10 @@ protected function _getCollabPersonString($attributes)
     /**
      * Figure out of a person with given attributes is a guest user.
      *
-     * @param array $attributes
      * @param array $saml2attributes
-     * @param array $idpEntityMetadata
      * @return bool
      */
-    protected function _getCollabPersonIsGuest(array $attributes, array $saml2attributes, array $idpEntityMetadata)
+    protected function _getCollabPersonIsGuest(array $saml2attributes)
     {
         $guestQualifier = EngineBlock_ApplicationSingleton::getInstance()->getConfiguration()->addgueststatus->guestqualifier;
         return !isset($saml2attributes[self::URN_IS_MEMBER_OF]) || !in_array($guestQualifier, $saml2attributes[self::URN_IS_MEMBER_OF]);
@@ -379,7 +375,7 @@ protected function _getCommonNameFromAttributes($attributes)
      * @param  $client
      * @return EngineBlock_UserDirectory
      */
-    public function setLdapClient($client)
+    public function setLdapClient(Zend_Ldap $client)
     {
         $this->_ldapClient = $client;
         return $this;
diff --git a/library/EngineBlock/View.php b/library/EngineBlock/View.php
index 03783d322a..baa3838cd9 100644
--- a/library/EngineBlock/View.php
+++ b/library/EngineBlock/View.php
@@ -185,12 +185,12 @@ public static function setLanguage($lang)
         return $query;
     }
 
-    public function htmlSpecialCharsText($content)
+    public static function htmlSpecialCharsText($content)
     {
         return htmlspecialchars($content, ENT_NOQUOTES, 'UTF-8');
     }
 
-    public function htmlSpecialCharsAttributeValue($content)
+    public static function htmlSpecialCharsAttributeValue($content)
     {
         return htmlspecialchars($content, ENT_COMPAT, 'UTF-8');
     }
diff --git a/library/EngineBlock/VirtualOrganization/GroupValidator.php b/library/EngineBlock/VirtualOrganization/GroupValidator.php
index 1fb33c7e7d..db10dddae2 100644
--- a/library/EngineBlock/VirtualOrganization/GroupValidator.php
+++ b/library/EngineBlock/VirtualOrganization/GroupValidator.php
@@ -2,7 +2,6 @@
 
 class EngineBlock_VirtualOrganization_GroupValidator
 {
-
     const ACCESS_TOKEN_KEY = "EngineBlock_VirtualOrganization_GroupValidator_Access_Token_Key";
 
     public function isMember($subjectId, array $groups)
diff --git a/library/EngineBlock/VirtualOrganization/Validator.php b/library/EngineBlock/VirtualOrganization/Validator.php
index 33e45bb391..13c0ee8aee 100644
--- a/library/EngineBlock/VirtualOrganization/Validator.php
+++ b/library/EngineBlock/VirtualOrganization/Validator.php
@@ -2,7 +2,6 @@
 
 class EngineBlock_VirtualOrganization_Validator
 {
-
     public function isMember($voId, $subjectId, $idp)
     {
         $virtualOrganization = new EngineBlock_VirtualOrganization($voId);
diff --git a/library/Grouper/Client/Exception.php b/library/Grouper/Client/Exception.php
deleted file mode 100644
index 388a92521f..0000000000
--- a/library/Grouper/Client/Exception.php
+++ /dev/null
@@ -1,32 +0,0 @@
-<?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
-
-class Grouper_Client_Exception extends EngineBlock_Exception
-{
-    public function __construct($message, $severity = self::CODE_ERROR, Exception $previous = null)
-    {
-        parent::__construct($message, $severity, $previous);
-    }
-}
\ No newline at end of file
diff --git a/library/Grouper/Client/Exception/SubjectNotFound.php b/library/Grouper/Client/Exception/SubjectNotFound.php
deleted file mode 100644
index c4e5f2a8f7..0000000000
--- a/library/Grouper/Client/Exception/SubjectNotFound.php
+++ /dev/null
@@ -1,32 +0,0 @@
-<?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
-
-class Grouper_Client_Exception_SubjectNotFound extends Grouper_Client_Exception
-{
-    public function __construct($message, $severity = self::CODE_NOTICE, Exception $previous = null)
-    {
-        parent::__construct($message, $severity, $previous);
-    }
-}
\ No newline at end of file
diff --git a/library/Grouper/Client/Exception/UnexpectedResultCode.php b/library/Grouper/Client/Exception/UnexpectedResultCode.php
deleted file mode 100644
index e00be0439c..0000000000
--- a/library/Grouper/Client/Exception/UnexpectedResultCode.php
+++ /dev/null
@@ -1,28 +0,0 @@
-<?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
-
-class Grouper_Client_Exception_UnexpectedResultCode extends Grouper_Client_Exception
-{
-}
diff --git a/library/Grouper/Client/Interface.php b/library/Grouper/Client/Interface.php
deleted file mode 100644
index 4e2cb516da..0000000000
--- a/library/Grouper/Client/Interface.php
+++ /dev/null
@@ -1,90 +0,0 @@
-<?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
-
-/**
- * This implementation only supports basic functionality, for more see:
- * @url https://spaces.internet2.edu/display/Grouper/Grouper+Web+Services#GrouperWebServices-Operations
- */
-interface Grouper_Client_Interface
-{
-    /**
-     * Set the subjectId on behalf of which and for which all requests are done.
-     *
-     * @abstract
-     * @param  $subjectId
-     * @return Grouper_Client_Interface
-     */
-    public function setSubjectId($subjectId);
-
-    /**
-     * Retrieve the list of groups that the specified subject is a member of.
-     *
-     * @abstract
-     * @return array
-     */
-    public function getGroups($stem = null);
-
-    /**
-     * @abstract
-     * @param string $groupName
-     * @return void
-     */
-    public function getMembers($groupName);
-
-    /**
-     * Fetch the groupmembers including the privileges
-     *
-     * @abstract
-     * @param $groupName
-     * @return void
-     */
-    public function getMembersWithPrivileges($groupName);
-    /**
-     * Retrieve the member privileges for a specified subjectId and a specified group
-     *
-     * @abstract
-     * @param $subjectId
-     * @param $groupName
-     * @return array
-     */
-    public function getMemberPrivileges($subjectId, $groupName);
-
-    /**
-     * @abstract
-     * @param string $groupName
-     * @return bool
-     */
-    public function hasMember($groupName);
-
-    /**
-     * Delete a group membership for a subject
-     *
-     * @abstract
-     * @param $subjectId
-     * @param $groupName
-     * @return bool
-     */
-    public function deleteMembership($subjectId, $groupName);
-}
diff --git a/library/Grouper/Client/Rest.php b/library/Grouper/Client/Rest.php
deleted file mode 100644
index 9e83513ef0..0000000000
--- a/library/Grouper/Client/Rest.php
+++ /dev/null
@@ -1,494 +0,0 @@
-<?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
-
-/**
- *
- * Note that what Grouper calls REST isn't really REST but XML-RPC (tunneling XML over HTTP POST).
- */
-class Grouper_Client_Rest implements Grouper_Client_Interface
-{
-    /**
-     * Result in metadata when a member
-     *
-     * @var String
-     */
-    const IS_MEMBER = 'IS_MEMBER';
-
-    /**
-     * Result in metadata when not a member
-     *
-     * @var String
-     */
-    const IS_NOT_MEMBER = 'IS_NOT_MEMBER';
-
-    /**
-     * The admin user to retrieve membership information for private teams
-     */
-    const GROUPER_ADMIN = 'GrouperSystem';
-
-    /**
-     * @var string
-     */
-    protected $_endpointUrl;
-
-    /**
-     * @var array
-     */
-    protected $_options;
-
-    /**
-     * @var string
-     */
-    protected $_subjectId;
-
-    public static function createFromConfig(Zend_Config $config)
-    {
-        if (!isset($config->host) || $config->host == '') {
-            throw new EngineBlock_Exception(
-                'No Grouper Host specified! Please set "grouper.host" in your application configuration.',
-                EngineBlock_Exception::CODE_ALERT
-            );
-        }
-
-        $url = $config->protocol .
-               '://' .
-               $config->user .
-               ':' .
-               $config->password .
-               '@' .
-               $config->host .
-               (isset($config->port) ? ':' . $config->port : '') .
-               $config->path .
-               '/' .
-               $config->version . '/';
-
-        $grouper = new self($url, $config->toArray());
-        return $grouper;
-    }
-
-    /**
-     * @param string $endpointUrl
-     */
-    public function __construct($endpointUrl, array $options = array())
-    {
-        $this->_endpointUrl = $endpointUrl;
-        $this->_options = $options;
-    }
-
-    /**
-     * Retrieve the list of groups that the specified subject is a member of.
-     */
-    public function getGroups($stem = null)
-    {
-        $this->_requireSubjectId();
-
-        $subjectIdEncoded = htmlentities($this->_subjectId);
-        $request = <<<XML
-<WsRestGetGroupsRequest>
-    <subjectLookups>
-        <WsSubjectLookup>
-            <subjectId>$subjectIdEncoded</subjectId>
-        </WsSubjectLookup>
-    </subjectLookups>
-XML;
-        if ($stem) {
-            $stemEncoded = htmlentities($stem);
-            $request .= <<<XML
-    <wsStemLookup>
-        <stemName>$stemEncoded</stemName>
-    </wsStemLookup>
-    <stemScope>ALL_IN_SUBTREE</stemScope>
-XML;
-        }
-
-        $request .= <<<XML
-    <actAsSubjectLookup>
-        <subjectId>$subjectIdEncoded</subjectId>
-    </actAsSubjectLookup>
-</WsRestGetGroupsRequest>
-XML;
-        try {
-            $result = $this->_doRest('subjects', $request);
-        }
-        catch (Exception $e) {
-            if (strpos($e->getMessage(), "Problem with actAsSubject, SUBJECT_NOT_FOUND") !== false) {
-                throw new Grouper_Client_Exception_SubjectNotFound($e->getMessage());
-            }
-            throw $e;
-        }
-
-        $groups = array();
-        if (isset($result) and ($result !== FALSE) and (!empty($result->results->WsGetGroupsResult->wsGroups))) {
-            foreach ($result->results->WsGetGroupsResult->wsGroups->WsGroup as $group) {
-                $groups[] = $this->_mapXmlToGroupModel($group);
-            }
-        }
-        return $groups;
-    }
-
-    public function getGroupsWithPrivileges($stem = null)
-    {
-        $groups = $this->getGroups($stem);
-        /** @var $group Grouper_Model_Group */
-        foreach ($groups as &$group) {
-            $group->privileges = $this->getMemberPrivileges($this->_subjectId, $group->name);
-        }
-        return $groups;
-    }
-
-    public function getMembers($groupName)
-    {
-        $this->_requireSubjectId();
-
-        $subjectIdEncoded = htmlentities($this->_subjectId);
-        $groupNameEncoded = htmlentities($groupName);
-        $request = <<<XML
-<WsRestGetMembersRequest>
-  <includeSubjectDetail>T</includeSubjectDetail>
-  <wsGroupLookups>
-    <WsGroupLookup>
-      <groupName>$groupNameEncoded</groupName>
-    </WsGroupLookup>
-  </wsGroupLookups>
-  <actAsSubjectLookup>
-    <subjectId>$subjectIdEncoded</subjectId>
-  </actAsSubjectLookup>
-</WsRestGetMembersRequest>
-XML;
-
-        try {
-            $result = $this->_doRest('groups', $request);
-        }
-        catch (Exception $e) {
-            if (strpos($e->getMessage(), "Problem with actAsSubject, SUBJECT_NOT_FOUND") !== false) {
-                throw new Grouper_Client_Exception_SubjectNotFound($e->getMessage());
-            }
-            throw $e;
-        }
-
-        $members = array();
-        if (isset($result) and ($result !== FALSE) and (isset($result->results->WsGetMembersResult->wsSubjects->WsSubject))) {
-            foreach ($result->results->WsGetMembersResult->wsSubjects->WsSubject as $member) {
-                $memberObject = $this->_mapXmlToSubjectModel($member);
-                $members[$memberObject->id] = $memberObject;
-            }
-        }
-        else {
-            throw new Grouper_Client_Exception(__METHOD__ . ' Bad result: <pre>' . var_export($result, true));
-        }
-        return $members;
-    }
-
-    public function getMembersWithPrivileges($groupName)
-    {
-        $members = $this->getMembers($groupName);
-        $membersWithPrivileges = array();
-        foreach ($members as $member) {
-            try {
-                $member->privileges = $this->getMemberPrivileges($member->id, $groupName);
-                $membersWithPrivileges[] = $member;
-            }
-            catch (Exception $e) {
-                $additionalInfo = EngineBlock_Log_Message_AdditionalInfo::create()
-                    ->setUserId($member->id)
-                    ->setDetails($e->getTraceAsString());
-                EngineBlock_ApplicationSingleton::getLog()->warn(
-                    "Something wrong with user: " . var_export($member, true) .
-                    'Received Exception: ' . var_export($e, true),
-                    $additionalInfo
-                );
-            }
-        }
-        return $membersWithPrivileges;
-    }
-
-    public function getMemberPrivileges($subjectId, $groupName)
-    {
-        $subjectIdEncoded = htmlentities($subjectId);
-        $groupNameEncoded = htmlentities($groupName);
-        $superUser = self::GROUPER_ADMIN;
-        $request = <<<XML
-<WsRestGetGrouperPrivilegesLiteRequest>
-  <includeSubjectDetail>F</includeSubjectDetail>
-  <subjectId>$subjectIdEncoded</subjectId>
-  <groupName>$groupNameEncoded</groupName>
-  <actAsSubjectId>$superUser</actAsSubjectId>
-</WsRestGetGrouperPrivilegesLiteRequest>
-XML;
-
-        $result = $this->_doRest('grouperPrivileges', $request);
-
-        $privileges = array();
-        if (isset($result) and ($result !== FALSE) and (isset($result->privilegeResults->WsGrouperPrivilegeResult))) {
-            foreach ($result->privilegeResults->WsGrouperPrivilegeResult as $privilege) {
-                $privileges[] = (string)$privilege->privilegeName;
-            }
-        }
-        else {
-            throw new Grouper_Client_Exception(__METHOD__ . ' Bad result: <pre>' . var_export($result, true));
-        }
-
-        return $privileges;
-    }
-
-    /**
-     * Check whether the given user is a member of the given group.
-     * @param $actAsSubjectId The user id to check
-     * @param $groupName The group to check
-     * @return boolean
-     */
-    public function hasMember($groupName)
-    {
-        $this->_requireSubjectId();
-
-        $subjectIdEncoded = htmlentities($this->_subjectId);
-
-        $requestXml = <<<XML
-<WsRestHasMemberRequest>
-  <subjectLookups>
-    <WsSubjectLookup>
-      <subjectId>$subjectIdEncoded</subjectId>
-    </WsSubjectLookup>
-  </subjectLookups>
-  <actAsSubjectLookup>
-    <subjectId>$subjectIdEncoded</subjectId>
-  </actAsSubjectLookup>
-</WsRestHasMemberRequest>
-XML;
-
-        $filter = urlencode($groupName);
-        try {
-            $result = $this->_doRest("groups/$filter/members", $requestXml);
-            if ((String)$result->results->WsHasMemberResult->resultMetadata->resultCode == self::IS_MEMBER) {
-                return true;
-            }
-        }
-        catch (Exception $e) {
-
-            // If there's an exception, either something went wrong, OR we're not a member (in which case we get an exception
-            // instead of a clean error; since if we're not a member, we're not allowd to make this call.
-            // This means we've got to use a crude way to distinguish between actual exceptions (grouper down/unreachable) and the situation
-            // where we're not a member.
-            $msg = $e->getMessage();
-            if (strpos($msg, "GROUP_NOT_FOUND") !== false) {
-                // Most likely we're not a member.
-                return false;
-            } else {
-                // Most likely a system failure. Rethrow.
-                throw $e;
-            }
-        }
-
-        return false;
-    }
-
-    /**
-     * Delete a group membership for a subject
-     *
-     * @abstract
-     * @param $subjectId
-     * @param $groupName
-     * @return bool
-     */
-    public function deleteMembership($subjectId, $groupName)
-    {
-        $subjectIdEncoded = htmlentities($subjectId);
-        $request = <<<XML
-<WsRestDeleteMemberRequest>
-  <includeSubjectDetail>F</includeSubjectDetail>
-  <subjectLookups>
-    <WsSubjectLookup>
-      <subjectId>$subjectIdEncoded</subjectId>
-    </WsSubjectLookup>
-  </subjectLookups>
-  <actAsSubjectLookup>
-    <subjectId>$subjectIdEncoded</subjectId>
-  </actAsSubjectLookup>
-</WsRestDeleteMemberRequest>
-XML;
-
-        $filter = urlencode($groupName);
-        try {
-            $result = $this->_doRest("groups/$filter/members", $request);
-            if (isset($result) and ($result !== FALSE) and ($result->results->WsDeleteMemberResult->wsSubject->resultCode == 'SUCCESS')) {
-                return true;
-            }
-        }
-        catch (Exception $e) {
-            throw new Grouper_Client_Exception('Problem retrieving group members', Grouper_Client_Exception::CODE_ERROR, $e);
-        }
-        // Something went wrong
-        return false;
-    }
-
-
-    public function deleteAllPrivileges($subjectId, $groupName) {
-        foreach (array('optout', 'read', 'update', 'admin') as $privilege) {
-            $this->deletePrivilege($subjectId, $groupName, $privilege);
-        }
-    }
-
-    protected function deletePrivilege($subjectId, $groupName, $privilege)
-    {
-        $subjectIdEncoded = htmlentities($subjectId);
-        $superUser = self::GROUPER_ADMIN;
-        $request = <<<XML
-<WsRestAssignGrouperPrivilegesLiteRequest>
-  <allowed>F</allowed>
-  <subjectId>$subjectIdEncoded</subjectId>
-  <groupName>$groupName</groupName>
-  <privilegeType>access</privilegeType>
-  <privilegeName>$privilege</privilegeName>
-  <actAsSubjectId>$superUser</actAsSubjectId>
-</WsRestAssignGrouperPrivilegesLiteRequest>
-XML;
-
-        $expected = array('SUCCESS',
-                          'SUCCESS_NOT_ALLOWED',
-                          'SUCCESS_NOT_ALLOWED_DIDNT_EXIST',
-                          'SUCCESS_NOT_ALLOWED_EXISTS_EFFECTIVE');
-        $result = $this->_doRest('grouperPrivileges', $request, $expected);
-        if (isset($result) and ($result !== FALSE)) {
-            return true;
-        }
-        // Something went wrong
-        return false;
-    }
-
-    /**
-     * Implements REST calls to the Grouper Web Services API
-     *
-     * @copyright 2009 SURFnet BV
-     * @version $Id$
-     * @return SimpleXMLElement
-     */
-    protected function _doRest($operation, $request, $expect = array('SUCCESS'))
-    {
-        $url = $this->_endpointUrl . $operation;
-        $config = array(
-            'adapter' => 'Curl'
-        );
-        foreach ($this->_options as $key => $value) {
-            $constantName = 'CURLOPT_' . strtoupper($key);
-            if (defined($constantName)) {
-                $config['curloptions'][constant($constantName)] = $value;
-            }
-        }
-
-        $client = new Zend_Http_Client($url);
-        $client->setHeaders('User-Agent', 'EngineBlock Grouper Client');
-        $client->setHeaders('Content-Type', 'text/xml; charset=UTF-8');
-        $client->setRawData($request);
-        $response = $client->request();
-
-        $this->_getLog()->debug('[GROUPER] Request: ' . $client->getLastRequest());
-        $this->_getLog()->debug('[GROUPER] Response: ' .
-            $response->getHeadersAsString() .
-                PHP_EOL . PHP_EOL .
-                $response->getBody()
-        );
-
-        // @todo do not use isSuccessful it is not very safe
-        if (!$response->isSuccessful()) {
-            $e = new Grouper_Client_Exception(
-                'Could not execute grouper REST request]',
-                Grouper_Client_Exception::CODE_ALERT
-            );
-            $e->description = implode(PHP_EOL, array(
-                'URL: ' . $url,
-                'Response: ' . $response->getHeadersAsString() . PHP_EOL . PHP_EOL . $response->getBody(),
-            ));
-            throw $e;
-        }
-
-        $result = simplexml_load_string($response->getBody());
-        if ($result === FALSE) {
-            throw new Grouper_Client_Exception(
-                "Unable to parse response '$response' as XML",
-                Grouper_Client_Exception::CODE_ALERT
-            );
-        }
-        if (!in_array($result->resultMetadata->resultCode, $expect)) {
-            throw new Grouper_Client_Exception_UnexpectedResultCode(
-                "Unexpected result code: '{$result->resultMetadata->resultCode}'" .
-                " expecting one of: " . implode(', ', $expect),
-                Grouper_Client_Exception::CODE_ALERT
-            );
-        }
-        return $result;
-    }
-
-    protected function _mapXmlToGroupModel(SimpleXMLElement $xml)
-    {
-        $group = new Grouper_Model_Group();
-
-        $propertyNames = array_keys(get_object_vars($group));
-        foreach ($propertyNames as $propertyName) {
-            if (!empty($xml->$propertyName)) {
-                $group->$propertyName = (string)$xml->$propertyName;
-            }
-        }
-        return $group;
-    }
-
-    protected function _mapXmlToSubjectModel(SimpleXMLElement $xml)
-    {
-        $subject = new Grouper_Model_Subject();
-        $propertyNames = array_keys(get_object_vars($subject));
-        foreach ($propertyNames as $propertyName) {
-            if (!empty($xml->$propertyName)) {
-                $subject->$propertyName = (string)$xml->$propertyName;
-            }
-        }
-        return $subject;
-    }
-
-    /**
-     * @param string $subjectId
-     * @return Grouper_Client_Rest
-     */
-    public function setSubjectId($subjectId)
-    {
-        $this->_subjectId = $subjectId;
-        return $this;
-    }
-
-    protected function _requireSubjectId()
-    {
-        if (!isset($this->_subjectId)) {
-            throw new Grouper_Client_Exception(
-                "No subjectId set! Please use ->setSubjectId to set a subject on which behalf to make requests"
-            );
-        }
-    }
-
-    /**
-     * @return EngineBlock_Log
-     */
-    protected function _getLog()
-    {
-        return EngineBlock_ApplicationSingleton::getLog();
-    }
-}
diff --git a/library/Grouper/Model/Group.php b/library/Grouper/Model/Group.php
deleted file mode 100644
index 6627e39f38..0000000000
--- a/library/Grouper/Model/Group.php
+++ /dev/null
@@ -1,35 +0,0 @@
-<?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
-
-class Grouper_Model_Group
-{
-    public $uuid;
-    public $name;
-    public $displayName;
-    public $description;
-    public $extension;
-    public $displayExtension;
-    public $privileges;
-}
\ No newline at end of file
diff --git a/library/Grouper/Model/Subject.php b/library/Grouper/Model/Subject.php
deleted file mode 100644
index d12965e7c3..0000000000
--- a/library/Grouper/Model/Subject.php
+++ /dev/null
@@ -1,31 +0,0 @@
-<?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
-
-class Grouper_Model_Subject
-{
-    public $id;
-    public $name;
-    public $privileges;
-}
\ No newline at end of file
diff --git a/library/Grouper/README.md b/library/Grouper/README.md
deleted file mode 100644
index d693cb7183..0000000000
--- a/library/Grouper/README.md
+++ /dev/null
@@ -1,256 +0,0 @@
-# PHP Internet2 Grouper Client #
-
-Client to access Internet2 Grouper, converted from code given by Hans Zandbelt of SURFnet.
-
-## Unconverted methods ##
-
-
-    /*
-     * ALL METHODS BELOW HERE ARE FROM SAMPLE PROVIDED BY HANS. UNTESTED AND SHOULD BE CONVERTED TO
-     * METHODS AS NEEDED (e.g. grouper_get_group should be named ->getGroup)
-     *
-     *
-function grouper_get_group($id, $act_as = NULL) {
-    $request = '<WsRestGroupSaveLiteRequest>';
-    $request .= '<groupName>' . $id . '</groupName>';
-    if (isset($act_as)) {
-        $request .= '<actAsSubjectId>' . $act_as . '</actAsSubjectId>';
-    }
-    $request .= '</WsRestGroupSaveLiteRequest>';
-
-    $result = $this->_doRest('groups/' . urlencode($id) , $request, array('SUCCESS_UPDATED', 'SUCCESS_NO_CHANGES_NEEDED'));
-
-    $group = NULL;
-    if (isset($result) and ($result !== FALSE) and (!empty($result->wsGroup))) {
-        $group = array(
-            'description' => (string)$result->wsGroup->description,
-            'name' => (string)$result->wsGroup->name,
-        );
-    }
-    return $group;
-}
-*/
-    /**
-     * Add a member to a number of groups on behalf of the specified origin
-     */
- /*   function grouper_add_member_to_groups($invitee, $origin, $groups)
-    {
-        $request = '<WsRestAddMemberRequest>
-  <subjectLookups>
-    <WsSubjectLookup>
-      <subjectId>' . $invitee . '</subjectId>
-    </WsSubjectLookup>
-  </subjectLookups>
-  <replaceAllExisting>F</replaceAllExisting>
-  <actAsSubjectLookup>
-    <subjectId>' . $origin . '</subjectId>
-  </actAsSubjectLookup>
-</WsRestAddMemberRequest>';
-        foreach ($groups as $group) {
-            $this->_doRest('groups/' . $group . '/members', $request);
-        }
-    }
-*/
-    /**
-     * Delete a member from a number of groups on behalf of the specified origin
-     */
-  /*  function grouper_delete_member_from_groups($subject, $origin, $groups)
-    {
-        $request = '<WsRestDeleteMemberRequest>
-  <subjectLookups>
-    <WsSubjectLookup>
-      <subjectId>' . $subject . '</subjectId>
-    </WsSubjectLookup>
-  </subjectLookups>
-  <actAsSubjectLookup>
-    <subjectId>' . $origin . '</subjectId>
-  </actAsSubjectLookup>
-</WsRestDeleteMemberRequest>';
-        foreach ($groups as $group) {
-            $this->_doRest('groups/' . $group . '/members', $request);
-        }
-    }
-
-    function grouper_create_groups($groups, $origin = NULL)
-    {
-        #   print_r($groups);
-        $request = '<WsRestGroupSaveRequest><wsGroupToSaves>';
-        foreach ($groups as $group) {
-            $request .= '<WsGroupToSave><wsGroupLookup><groupName>';
-            $request .= htmlentities($group['name']);
-            $request .= '</groupName></wsGroupLookup><wsGroup><extension>';
-            $request .= array_key_exists('extension', $group) ? htmlentities($group['extension']) : htmlentities($group['name']);
-            $request .= '</extension><displayExtension>';
-            $request .= array_key_exists('displayExtension', $group) ? htmlentities($group['displayExtension']) : htmlentities($group['name']);
-            $request .= '</displayExtension><description>';
-            $request .= array_key_exists('description', $group) ? htmlentities($group['description']) : htmlentities($group['name']);
-            $request .= '</description><name>';
-            $request .= htmlentities($group['name']);
-            $request .= '</name></wsGroup></WsGroupToSave>';
-        }
-        $request .= '</wsGroupToSaves>';
-        if (isset($origin)) {
-            $request .= '<actAsSubjectLookup><subjectId>' . $origin . '</subjectId></actAsSubjectLookup>';
-        }
-        $request .= '</WsRestGroupSaveRequest>';
-        return $this->_doRest('groups', $request);
-    }
-
-    function grouper_create_stems($stems)
-    {
-        $request = '<WsRestStemSaveRequest><wsStemToSaves>';
-        foreach ($stems as $stem) {
-            $request .= '<WsStemToSave><wsStemLookup><stemName>';
-            $request .= $stem;
-            $request .= '</stemName></wsStemLookup><wsStem><extension>';
-            $request .= $stem;
-            $request .= '</extension><displayExtension>';
-            $request .= (strrchr($stem, ':') ? substr(strrchr($stem, ':'), 1) : $stem);
-            $request .= '</displayExtension><description>';
-            $request .= $stem;
-            $request .= '</description><name>';
-            $request .= $stem;
-            $request .= '</name></wsStem></WsStemToSave>';
-        }
-        $request .= '</wsStemToSaves></WsRestStemSaveRequest>';
-        return $this->_doRest('stems', $request);
-    }
-
-    function grouper_delete_stems($stems)
-    {
-        $request = '<WsRestStemDeleteRequest><wsStemLookups>';
-        foreach ($stems as $stem) {
-            $request .= '<WsStemLookup><stemName>';
-            $request .= $stem;
-            $request .= '</stemName></WsStemLookup>';
-        }
-        $request .= '</wsStemLookups></WsRestStemDeleteRequest>';
-        return $this->_doRest('stems', $request);
-    }
-
-    function grouper_delete_groups($stem, $groups)
-    {
-        $request = '<WsRestGroupDeleteRequest><wsGroupLookups>';
-        foreach ($groups as $group) {
-            $request .= '<WsGroupLookup><groupName>';
-            $request .= $stem . ':' . $group;
-            $request .= '</groupName></WsGroupLookup>';
-        }
-        $request .= '</wsGroupLookups></WsRestGroupDeleteRequest>';
-        return $this->_doRest('groups', $request);
-    }
-
-    function grouper_find_groups_impl($request)
-    {
-        $result = $this->_doRest('groups', $request);
-        #print_r($result);
-        $groups = array();
-        if (isset($result) and ($result !== FALSE) and (! empty($result->groupResults))) {
-            foreach ($result->groupResults->WsGroup as $group) {
-                $groups[] = $this->_x2pGroup($group);
-            }
-        }
-        return $groups;
-    }
-
-    function grouper_find_groups($match = NULL, $stem = NULL)
-    {
-        $request = '<WsRestFindGroupsRequest>';
-        if (($match !== NULL) or ($stem !== NULL)) {
-            $request .= '<wsQueryFilter><queryFilterType>';
-            if ($match !== NULL)
-                $request .= 'FIND_BY_GROUP_NAME_APPROXIMATE';
-            if (($match !== NULL) and ($stem !== NULL))
-                $request .= ' AND ';
-            if ($stem !== NULL)
-                $request .= 'FIND_BY_STEM_NAME';
-            $request .= '</queryFilterType>';
-            if ($match !== NULL)
-                $request .= '<groupName>' . $match . '</groupName>';
-            if ($stem !== NULL)
-                $request .= '<stemName>' . $stem . '</stemName>';
-            $request .= '</wsQueryFilter>';
-        }
-        #   $request .= '<actAsSubjectLookup><subjectId>GrouperSystem</subjectId></actAsSubjectLookup>';
-        $request .= '</WsRestFindGroupsRequest>';
-        return grouper_find_groups_impl($request);
-    }
-
-    function grouper_get_group_by_uuid($match)
-    {
-        $request = '<WsRestFindGroupsRequest>';
-        $request .= '<wsQueryFilter><queryFilterType>';
-        $request .= 'FIND_BY_GROUP_UUID';
-        $request .= '</queryFilterType>';
-        $request .= '<groupUuid>' . $match . '</groupUuid>';
-        $request .= '</wsQueryFilter>';
-        $request .= '</WsRestFindGroupsRequest>';
-        $result = grouper_find_groups_impl($request);
-        return (count($result) > 0) ? $result[0] : FALSE;
-    }
-
-    function grouper_get_members($group)
-    {
-        $request = '<WsRestGetMembersRequest>
-  <includeSubjectDetail>T</includeSubjectDetail>
-  <wsGroupLookups>
-    <WsGroupLookup>
-      <groupName>' . htmlentities($group) . '</groupName>
-    </WsGroupLookup>
-  </wsGroupLookups>
-</WsRestGetMembersRequest>';
-        $result = $this->_doRest('groups', $request);
-        $members = array();
-        if (isset($result) and ($result !== FALSE) and (isset($result->results->WsGetMembersResult->wsSubjects->WsSubject))) {
-            foreach ($result->results->WsGetMembersResult->wsSubjects->WsSubject as $member) {
-                $members[] = $this->_x2pMember($member);
-            }
-        } else {
-            print_r($result);
-        }
-        return $members;
-    }
-
-    function grouper_get_group_privileges($group, $subject = NULL)
-    {
-        $request = '<WsRestGetGrouperPrivilegesLiteRequest>
-  <groupName>' . htmlentities($group) . '</groupName>';
-        if (isset($subject)) {
-            $request .= '<subjectId>' . $subject . '</subjectId>';
-        }
-        $request .= '</WsRestGetGrouperPrivilegesLiteRequest>';
-        #  <privilegeType>access</privilegeType>
-        #  <privilegeName>admin</privilegeName>
-        #  <actAsSubjectId>GrouperSystem</actAsSubjectId>
-        $result = $this->_doRest('grouperPrivileges', $request);
-        $privs = array();
-        if (isset($result) and ($result !== FALSE) and (isset($result->privilegeResults->WsGrouperPrivilegeResult))) {
-            foreach ($result->privilegeResults->WsGrouperPrivilegeResult as $member) {
-                $privs[(string) $member->wsSubject->id][] = (string) $member->privilegeName;
-            }
-        } else {
-            print_r($result);
-        }
-        return $privs;
-    }
-
-    function grouper_set_group_privileges($group, $subject, $privilege, $allowed = TRUE)
-    {
-        $request = '<WsRestAssignGrouperPrivilegesLiteRequest>
-  <allowed>' . ($allowed ? 'T' : 'F') . '</allowed>
-  <subjectId>' . $subject . '</subjectId>
-  <groupName>' . $group . '</groupName>
-  <privilegeType>access</privilegeType>
-  <privilegeName>' . $privilege . '</privilegeName>
-</WsRestAssignGrouperPrivilegesLiteRequest>';
-        #  <actAsSubjectId>GrouperSystem</actAsSubjectId>
-        return $this->_doRest('grouperPrivileges', $request, $allowed ? array(
-            'SUCCESS' ,
-            'SUCCESS_ALLOWED' ,
-            'SUCCESS_ALLOWED_ALREADY_EXISTED'
-        ) : array(
-
-            'SUCCESS_NOT_ALLOWED' ,
-            'SUCCESS_NOT_ALLOWED_DIDNT_EXIST'
-        ));
-    }
diff --git a/library/Janus/Client.php b/library/Janus/Client.php
index 30a961cfbd..23ed5ab498 100644
--- a/library/Janus/Client.php
+++ b/library/Janus/Client.php
@@ -1,27 +1,4 @@
 <?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
 
 /**
  * Implementation of the Engine Block internal Service Registry interface.
diff --git a/library/Janus/Client/CacheProxy.php b/library/Janus/Client/CacheProxy.php
index fdaf2bc771..3a8056f332 100644
--- a/library/Janus/Client/CacheProxy.php
+++ b/library/Janus/Client/CacheProxy.php
@@ -1,27 +1,4 @@
 <?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
 
 /**
  * A Caching Proxy for the Service Registry, will cache all function calls.
diff --git a/library/Janus/FixtureClient.php b/library/Janus/FixtureClient.php
index 1fbebf2eea..8dea091b40 100644
--- a/library/Janus/FixtureClient.php
+++ b/library/Janus/FixtureClient.php
@@ -142,7 +142,7 @@ public function getSpList($keys = array())
      */
     public function getIdpList($keys = array(), $forSpEntityId = null)
     {
-        $spEntities = array();
+        $idpEntities = array();
         $entities = $this->_getEntities();
         foreach ($entities as $entityId => $entity) {
             // Skip if the entity is not an IDP
@@ -170,9 +170,9 @@ public function getIdpList($keys = array(), $forSpEntityId = null)
             }
 
             // Add this as a SP
-            $spEntities[$entityId] = $entity;
+            $idpEntities[$entityId] = $entity;
         }
-        return $spEntities;
+        return $idpEntities;
     }
 
     /**
@@ -202,12 +202,12 @@ public function getMetaDataForKeys($entityId, $keys)
      */
     public function isConnectionAllowed($spEntityId, $idpEntityId)
     {
-        $blacklistedSpFile = self::DIR . 'blacklisted-' . md5($spEntityId);
-        $blacklistedIdpFile = self::DIR . 'blacklisted-' . md5($idpEntityId);
-        $eitherSideIsBlacklisted = (file_exists($blacklistedSpFile) || file_exists($blacklistedIdpFile));
-        if ($eitherSideIsBlacklisted) {
-            $connectionIsWhitelisted = file_exists(self::DIR . 'connection-allowed-' . md5($spEntityId) . '-' . md5($idpEntityId));
-            if ($connectionIsWhitelisted) {
+        $whiteListedSpFile  = self::DIR . 'whitelisted-' . md5($spEntityId);
+        $whiteListedIdpFile = self::DIR . 'whitelisted-' . md5($idpEntityId);
+        $eitherSideIsWhiteListed = (file_exists($whiteListedSpFile) || file_exists($whiteListedIdpFile));
+        if ($eitherSideIsWhiteListed) {
+            $connectionIsAllowed = file_exists(self::DIR . 'connection-allowed-' . md5($spEntityId) . '-' . md5($idpEntityId));
+            if ($connectionIsAllowed) {
                 return true;
             }
             else {
@@ -239,7 +239,7 @@ public function isConnectionAllowed($spEntityId, $idpEntityId)
      */
     public function getArp($spEntityId)
     {
-        $file = self::DIR . 'arp-' . md5($spEntityId);
+        $file = self::DIR . 'arp-' . md5($spEntityId) . '.json';
         if (!file_exists($file)) {
             return null;
         }
diff --git a/library/Janus/Rest/Client.php b/library/Janus/Rest/Client.php
index a4034995dc..f72aab7b4c 100644
--- a/library/Janus/Rest/Client.php
+++ b/library/Janus/Rest/Client.php
@@ -1,27 +1,4 @@
 <?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
 
 class Janus_Rest_Client extends EngineBlock_Rest_Client
 {
diff --git a/library/OpenSocial/Model/Group.php b/library/OpenSocial/Model/Group.php
deleted file mode 100644
index bd56aa1bdf..0000000000
--- a/library/OpenSocial/Model/Group.php
+++ /dev/null
@@ -1,34 +0,0 @@
-<?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
-
-/**
- * A simple OpenSocial Group object with public fields.
- */
-class OpenSocial_Model_Group
-    implements OpenSocial_Model_Interface
-{
-    public $id;
-    public $title;
-}
\ No newline at end of file
diff --git a/library/OpenSocial/Model/Interface.php b/library/OpenSocial/Model/Interface.php
deleted file mode 100644
index 60c1db08e3..0000000000
--- a/library/OpenSocial/Model/Interface.php
+++ /dev/null
@@ -1,28 +0,0 @@
-<?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
-
-interface OpenSocial_Model_Interface
-{
-}
\ No newline at end of file
diff --git a/library/OpenSocial/Model/Person.php b/library/OpenSocial/Model/Person.php
deleted file mode 100644
index 38dea5a708..0000000000
--- a/library/OpenSocial/Model/Person.php
+++ /dev/null
@@ -1,59 +0,0 @@
-<?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
-
-/**
- * A simple OpenSocial Person object with public fields.
- */
-class OpenSocial_Model_Person
-    implements OpenSocial_Model_Interface
-{
-    public $id;
-    public $name;
-    public $nickname;
-    public $displayName;
-    public $updated;
-
-    public $anniversary;
-    public $birthday;
-    public $connected;
-    public $gender;
-    public $note;
-    public $preferredUsername;
-    public $published;
-    public $utcOffset;
-
-    // plurals
-    public $emails          = array();
-    public $urls            = array();
-    public $phoneNumbers    = array();
-    public $ims             = array();
-    public $photos          = array();
-    public $tags            = array();
-    public $relationships   = array();
-    public $addresses       = array();
-    public $organizations   = array();
-    public $accounts        = array();
-    public $appdata         = array();
-}
\ No newline at end of file
diff --git a/library/OpenSocial/README.md b/library/OpenSocial/README.md
deleted file mode 100644
index 02198d68e0..0000000000
--- a/library/OpenSocial/README.md
+++ /dev/null
@@ -1,14 +0,0 @@
-OpenSocial REST Client
-===========
-Simple client for OpenSocial JSON REST API.
-
-Currently only supports Person and Group parts of 0.9 REST API spec.
-
-Requirements
-============
-PHP > 5.2.0
-Zend_Http
-
-Examples
-========
-OpenSocial_Rest_Client::create($httpClient)->get('/person/{uid}/@all', array('uid'=>'john.doe'));
\ No newline at end of file
diff --git a/library/OpenSocial/Rest/Client.php b/library/OpenSocial/Rest/Client.php
deleted file mode 100644
index 0d5907cc1b..0000000000
--- a/library/OpenSocial/Rest/Client.php
+++ /dev/null
@@ -1,213 +0,0 @@
-<?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
-
-/**
- * Client for OpenSocial REST JSON API.
- *
- * @example OpenSocial_Rest_Client::create($httpClient)->get('/people/{uid}/@all', array('uid' => 'john doe'))
- *
- * @throws OpenSocial_Rest_Exception
- *
- */
-class OpenSocial_Rest_Client
-{
-    /**
-     * @var \Zend_Http_Client
-     */
-    protected $_httpClient;
-
-    /**
-     * Factory method to create a new OpenSocial REST client.
-     * Inject a fully configured Zend_Http_Client (from Zend_OAuth?)
-     *
-     * @static
-     * @param Zend_Http_Client $httpClient Configured HTTP client
-     * @return OpenSocial_Rest_Client
-     */
-    public static function create(Zend_Http_Client $httpClient)
-    {
-        return new static($httpClient);
-    }
-
-    /**
-     * Create a new OpenSocial REST client.
-     * Inject a fully configured Zend_Http_Client (from Zend_OAuth?).
-     *
-     * @param Zend_Http_Client $httpClient Configured HTTP client
-     */
-    public function __construct(Zend_Http_Client $httpClient)
-    {
-        $this->_httpClient = $httpClient;
-    }
-
-    /**
-     * @return Zend_Http_Client
-     */
-    public function getHttpClient()
-    {
-        return $this->_httpClient;
-    }
-
-    /**
-     * Get OpenSocial data for an OpenSocial URI, expect zero or one model.
-     *
-     * @param string $uri
-     * @param array  $params
-     * @return OpenSocial_Model_Interface|null
-     */
-    public function getOne($uri, $params)
-    {
-        $models = $this->get($uri, $params);
-        if (count($models) === 0) {
-            return null;
-        }
-        if (count($models) > 1) {
-            throw new OpenSocial_Rest_Exception(
-                "Multiple models found for '$uri', only one expected"
-            );
-        }
-        return array_shift($models);
-    }
-
-    /**
-     * Get OpenSocial data for an OpenSocial URI
-     *
-     * Using the following syntax:
-     * /people/{uid}/@all with params array('uid' => 'john.doe')
-     * will cause the HTTP client to use the following uri:
-     * /people/123%20abc/@all
-     *
-     * @example $client->get('/people/{uid}/@all', array('uid' => 'john.doe'));
-     *
-     * @param string $uri    (Prepared) OpenSocial URI
-     * @param array  $params Data for prepared URI
-     * @return array Models for OpenSocial data (/person returns OpenSocial_Model_Person objects, etc.)
-     */
-    public function get($uri, $params = array())
-    {
-        $uri = $this->_getPreparedUri($uri, $params);
-        $uri = $this->_prependSlash($uri);
-
-        $serviceType = $this->_getServiceTypeFromUri($uri);
-
-        $uri = $this->_httpClient->getUri(true) . $uri;
-
-        $response = $this->_httpClient->setUri($uri)->request(Zend_Http_Client::GET);
-
-        return $this->_mapResponseToModels($serviceType, $response);
-    }
-
-    /**
-     * Convert a 'prepared' URI to a full URI.
-     *
-     * @example _getPreparedUri('/people/{uid}/@all', array('uid' => 'john doe'))
-     *          returns '/people/john%20doe/@all'
-     *
-     * @param string $uri
-     * @param array  $params
-     * @return string
-     */
-    protected function _getPreparedUri($uri, array $params)
-    {
-        foreach ($params as $key => $value) {
-            $uri = str_replace('{' . $key . '}', $value, $uri);
-        }
-        return $uri;
-    }
-
-    /**
-     * Make sure the first character is a /.
-     *
-     * @param string $uri
-     * @return string URI guaranteed with leading slash
-     */
-    protected function _prependSlash($uri)
-    {
-        if ($uri[0] !== '/') {
-            return '/' . $uri;
-        }
-        else {
-            return $uri;
-        }
-    }
-
-    /**
-     * Get the type of service called in the URI.
-     *
-     * @param string $uri
-     * @return string Service (example: 'Person' or 'Group')
-     */
-    protected function _getServiceTypeFromUri($uri)
-    {
-        $secondSlashPos = strpos($uri, '/', 1);
-        $firstUriPart = substr($uri, 1, $secondSlashPos - 1);
-        return ucfirst($firstUriPart);
-    }
-
-    /**
-     * @throws OpenSocial_Rest_Exception
-     * @param  $serviceType
-     * @param Zend_Http_Response $response
-     * @return array
-     */
-    protected function _mapResponseToModels($serviceType, Zend_Http_Response $response)
-    {
-        if (strpos($response->getHeader('Content-Type'), 'application/json') !== 0) {
-            throw new OpenSocial_Rest_Exception(
-                "Unknown Content-Type for response:<br /> " . 
-                var_export($response, true) .
-                ' with body: ' .
-                var_export($response->getBody(), true) .
-                ' for request: ' .
-                $this->_httpClient->getLastRequest()
-            );
-        }
-        
-        $modelClass = 'OpenSocial_Model_' . $this->_getModelTypeForService($serviceType);
-        if (!class_exists($modelClass, true)) {
-            throw new OpenSocial_Rest_Exception("Model class $modelClass not found for service $serviceType!");
-        }
-
-        /**
-         * @var OpenSocial_Rest_Mapper_Interface $mapper
-         */
-        $mapper = new OpenSocial_Rest_Mapper_Json($modelClass);
-        return $mapper->map($response->getBody());
-    }
-
-    protected function _getModelTypeForService($serviceType)
-    {
-        switch ($serviceType) {
-            case 'Groups':
-                return 'Group';
-            case 'Person':
-                return 'Person';
-            case 'People':
-                return 'Person';
-            default:
-                throw new OpenSocial_Rest_Exception("Unknown serviceType $serviceType, can not find a model for it!");
-        }
-    }
-}
diff --git a/library/OpenSocial/Rest/Exception.php b/library/OpenSocial/Rest/Exception.php
deleted file mode 100644
index 9576b4e242..0000000000
--- a/library/OpenSocial/Rest/Exception.php
+++ /dev/null
@@ -1,28 +0,0 @@
-<?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
-
-class OpenSocial_Rest_Exception extends EngineBlock_Exception
-{
-}
\ No newline at end of file
diff --git a/library/OpenSocial/Rest/Mapper/Interface.php b/library/OpenSocial/Rest/Mapper/Interface.php
deleted file mode 100644
index 3b65248d77..0000000000
--- a/library/OpenSocial/Rest/Mapper/Interface.php
+++ /dev/null
@@ -1,36 +0,0 @@
-<?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
-
-interface OpenSocial_Rest_Mapper_Interface
-{
-    /**
-     * Map the response body, in a specific format, to an array of models
-     *
-     * @abstract
-     * @param  $responseBody
-     * @return array
-     */
-    public function map($responseBody);
-}
\ No newline at end of file
diff --git a/library/OpenSocial/Rest/Mapper/Json.php b/library/OpenSocial/Rest/Mapper/Json.php
deleted file mode 100644
index 82c99f85e4..0000000000
--- a/library/OpenSocial/Rest/Mapper/Json.php
+++ /dev/null
@@ -1,104 +0,0 @@
-<?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
-
-/**
- * Map an OpenSocial JSON response to a model.
- *
- * @throws OpenSocial_Rest_Exception
- */
-class OpenSocial_Rest_Mapper_Json implements OpenSocial_Rest_Mapper_Interface
-{
-    /**
-     * @var string
-     */
-    private $_modelClassName;
-
-    /**
-     * @param string $className
-     */
-    public function __construct($className)
-    {
-        $this->_modelClassName = $className;
-    }
-
-    /**
-     * Map a JSON OpenSocial response to a model.
-     *
-     * @throws OpenSocial_Rest_Exception
-     * @param string $responseBody
-     * @return array Models (array of OpenSocial_Model_Interface)
-     */
-    public function map($responseBody)
-    {
-        $data = json_decode($responseBody);
-
-        // Support for OpenSocial 1.0 wrapped entries
-        if (!isset($data->entry) && isset($data->result)) {
-            $data = $data->result;
-        }
-        if (!isset($data->entry)) {
-            throw new OpenSocial_Rest_Exception("No entry / entries found in response?");
-        }
-
-        if (!is_array($data->entry)) { // Single entry
-            return array($this->_mapEntryToModel($data->entry));
-        }
-        else { // Multiple entries
-            $groups = array();
-            foreach ($data->entry as $entry) {
-                $groups[] = $this->_mapEntryToModel($entry);
-            }
-            return $groups;
-        }
-    }
-
-    /**
-     * Map a single entity to a new model.
-     *
-     * @param stdClass $entry
-     * @return OpenSocial_Model_Interface
-     */
-    protected function _mapEntryToModel(stdClass $entry)
-    {
-        return $this->_copyEntryPropertiesToModel($entry, new $this->_modelClassName);
-    }
-
-    /**
-     * Simple copying of properties
-     *
-     * @param stdClass $entry
-     * @param OpenSocial_Model_Interface $model
-     * @return OpenSocial_Model_Interface
-     */
-    protected function _copyEntryPropertiesToModel(stdClass $entry, OpenSocial_Model_Interface $model)
-    {
-        foreach ($entry as $key => $value) {
-            if (property_exists($model, $key)) {
-                $model->$key = $value;
-            }
-        }
-        return $model;
-    }
-}
diff --git a/library/SurfConext/Identity.php b/library/SurfConext/Identity.php
index 4a2f7fcadb..c5b0603a32 100644
--- a/library/SurfConext/Identity.php
+++ b/library/SurfConext/Identity.php
@@ -1,27 +1,4 @@
 <?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
 
 /**
  * The Surfnet_Identity class is responsible for storing
diff --git a/library/Surfnet/Search/Parameters.php b/library/Surfnet/Search/Parameters.php
deleted file mode 100644
index 50c4c058d6..0000000000
--- a/library/Surfnet/Search/Parameters.php
+++ /dev/null
@@ -1,135 +0,0 @@
-<?php
-/**
- * SURFconext Manage
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext Manage
- * @package
- * @copyright Copyright © 2010-2011 SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
-
-class Surfnet_Search_Parameters
-{
-    const SORT_DIRECTION_ASC = 'asc';
-    const SORT_DIRECTION_DESC = 'desc';
-
-    protected $_limit;
-
-    protected $_offset = 0;
-
-    protected $_sortField;
-
-    protected $_sortDirection = self::SORT_DIRECTION_ASC;
-
-    protected $_searchParams = array();
-
-    protected function __construct()
-    {
-    }
-
-    /**
-     * @return Surfnet_Search_Parameters
-     */
-    public static function create()
-    {
-        return new self();
-    }
-
-    public function getLimit()
-    {
-        return $this->_limit;
-    }
-
-    /**
-     * @return Surfnet_Search_Parameters
-     */
-    public function setLimit($limit)
-    {
-        $this->_limit = $limit;
-        return $this;
-    }
-
-    public function getOffset()
-    {
-        return $this->_offset;
-    }
-
-    /**
-     * @return Surfnet_Search_Parameters
-     */
-    public function setOffset($offset)
-    {
-        $this->_offset = (int)$offset;
-        return $this;
-    }
-
-    public function getSortByField()
-    {
-        return $this->_sortField;
-    }
-
-    /**
-     * @return Surfnet_Search_Parameters
-     */
-    public function setSortByField($sortField)
-    {
-        $this->_sortField = $sortField;
-        return $this;
-    }
-
-    public function getSortDirection()
-    {
-        return $this->_sortDirection;
-    }
-
-    public function addSearchParam($name, $value)
-    {
-        $this->_searchParams[$name] = $value;
-        return $this;
-    }
-
-    /**
-     * Set the search parameters all at once
-     * 
-     * @var    Array
-     * @return Surfnet_Search_Parameters
-     */
-    public function setSearchParams(Array $params)
-    {
-        $this->_searchParams = $params;
-        return $this;
-    }
-
-    public function getSearchParams()
-    {
-        return $this->_searchParams;
-    }
-
-    /**
-     * @return Surfnet_Search_Parameters
-     */
-    public function setSortDirection($direction)
-    {
-        if (!in_array($direction, array(self::SORT_DIRECTION_ASC, self::SORT_DIRECTION_DESC))) {
-            throw new Exception("Unrecognized sort direction");
-        }
-
-        $this->_sortDirection = $direction;
-        return $this;
-    }
-}
\ No newline at end of file
diff --git a/library/Surfnet/Search/Results.php b/library/Surfnet/Search/Results.php
deleted file mode 100644
index c2847c27de..0000000000
--- a/library/Surfnet/Search/Results.php
+++ /dev/null
@@ -1,65 +0,0 @@
-<?php
-/**
- * SURFconext Manage
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext Manage
- * @package
- * @copyright Copyright © 2010-2011 SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
-
-class Surfnet_Search_Results
-{
-    protected $_parameters;
-
-    protected $_results;
-
-    protected $_totalCount;
-
-    /**
-     * @param Surfnet_Search_Parameters $parameters
-     * @param mixed $results
-     * @param int $totalCount
-     */
-    public function __construct(Surfnet_Search_Parameters $parameters, $results, $totalCount)
-    {
-        $this->_parameters  = $parameters;
-        $this->_results     = $results;
-        $this->_totalCount  = $totalCount;
-    }
-
-    public function getResults()
-    {
-        return $this->_results;
-    }
-
-    public function getResultCount()
-    {
-        return count($this->_results);
-    }
-
-    public function getTotalCount()
-    {
-        return $this->_totalCount;
-    }
-
-    public function getParameters()
-    {
-        return $this->_parameters;
-    }
-}
\ No newline at end of file
diff --git a/library/Surfnet/Zend/Auth/Adapter/Saml.php b/library/Surfnet/Zend/Auth/Adapter/Saml.php
index 2918b0c1bf..1f050e0b7b 100644
--- a/library/Surfnet/Zend/Auth/Adapter/Saml.php
+++ b/library/Surfnet/Zend/Auth/Adapter/Saml.php
@@ -1,27 +1,4 @@
 <?php
-/**
- * SURFconext Manage
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext Manage
- * @package
- * @copyright Copyright © 2010-2011 SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
 
 class Surfnet_Zend_Auth_Adapter_Saml implements Zend_Auth_Adapter_Interface
 {
diff --git a/library/Surfnet/Zend/Helper/Authenticate.php b/library/Surfnet/Zend/Helper/Authenticate.php
index 89b0429077..f094a5edb5 100644
--- a/library/Surfnet/Zend/Helper/Authenticate.php
+++ b/library/Surfnet/Zend/Helper/Authenticate.php
@@ -1,27 +1,4 @@
 <?php
-/**
- * SURFconext Manage
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext Manage
- * @package
- * @copyright Copyright © 2010-2011 SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
 
 /**
  * Action helper to force authentication in every action.
diff --git a/tests/autoloading.inc.php b/tests/autoloading.inc.php
deleted file mode 100644
index d2b44ecb7c..0000000000
--- a/tests/autoloading.inc.php
+++ /dev/null
@@ -1,37 +0,0 @@
-<?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
-
-ini_set('date.timezone', 'Europe/Amsterdam');
-
-// Include composer autoloader, this intentionally included instead of required since CI system does not
-// use composer and will fail on requiring a non-existent autoload file
-$rootDir = realpath(__DIR__ . '/../');
-require_once $rootDir . '/vendor/autoload.php';
-
-$application = EngineBlock_ApplicationSingleton::getInstance();
-
-$log = new Zend_Log();
-$log->addWriter(new Zend_Log_Writer_Null());
-$application->setLogInstance($log);
diff --git a/tests/bootstrap.php b/tests/bootstrap.php
index 959a2009a0..e6da0068d7 100644
--- a/tests/bootstrap.php
+++ b/tests/bootstrap.php
@@ -1,5 +1,25 @@
 <?php
+
 define('TEST_RESOURCES_DIR', dirname(__FILE__) . '/resources');
 
-// include the Autoloader that is used in test framework, doctrine cli and the application
-include "autoloading.inc.php";
+ini_set('date.timezone', 'Europe/Amsterdam');
+
+// Include composer autoloader, this intentionally included instead of required since CI system does not
+// use composer and will fail on requiring a non-existent autoload file
+$rootDir = realpath(__DIR__ . '/../');
+require_once $rootDir . '/vendor/autoload.php';
+
+$application = EngineBlock_ApplicationSingleton::getInstance();
+
+$log = new Zend_Log();
+$log->addWriter(new Zend_Log_Writer_Null());
+$application->setLogInstance($log);
+
+$config = new Zend_Config_Ini(
+    ENGINEBLOCK_FOLDER_APPLICATION . EngineBlock_Application_Bootstrapper::CONFIG_FILE_DEFAULT,
+    'base',
+    array('allowModifications' => true)
+);
+$config->testing = true;
+$application->setConfiguration($config);
+$application->bootstrap();
\ No newline at end of file
diff --git a/tests/controllers/IdentityProvider.php b/tests/controllers/IdentityProvider.php
index aa4f0c7d48..ea049bd66d 100644
--- a/tests/controllers/IdentityProvider.php
+++ b/tests/controllers/IdentityProvider.php
@@ -1,27 +1,4 @@
 <?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
 
 class Test_Controller_IdentityProvider extends PHPUnit_Framework_TestCase
 {
diff --git a/tests/library/EngineBlock/Test/Arp/AttributeReleasePolicyEnforcerTest.php b/tests/library/EngineBlock/Test/Arp/AttributeReleasePolicyEnforcerTest.php
index f03af96f4d..037feecf4f 100644
--- a/tests/library/EngineBlock/Test/Arp/AttributeReleasePolicyEnforcerTest.php
+++ b/tests/library/EngineBlock/Test/Arp/AttributeReleasePolicyEnforcerTest.php
@@ -1,27 +1,4 @@
 <?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
 
 class EngineBlock_Test_Arp_AttributeReleasePolicyEnforcer extends PHPUnit_Framework_TestCase
 {
diff --git a/tests/library/EngineBlock/Test/Corto/Filter/Command/SetNameIdTest.php b/tests/library/EngineBlock/Test/Corto/Filter/Command/SetNameIdTest.php
deleted file mode 100644
index eb8d0a710a..0000000000
--- a/tests/library/EngineBlock/Test/Corto/Filter/Command/SetNameIdTest.php
+++ /dev/null
@@ -1,313 +0,0 @@
-<?php
-
-class EngineBlock_Test_Corto_Filter_Command_SetNameIdTest extends PHPUnit_Framework_TestCase
-{
-    /**
-     * @var EngineBlock_Test_Corto_Filter_Command_SetNameIdMock
-     */
-    private $_command;
-
-    public function setUp()
-    {
-        $command = new EngineBlock_Test_Corto_Filter_Command_SetNameIdMock();
-
-        $assertion = new SAML2_Assertion();
-        $assertion->setAttributes(array());
-        $response = new SAML2_Response();
-        $response->setAssertions(array($assertion));
-        $response = new EngineBlock_Saml2_ResponseAnnotationDecorator($response);
-        $response->setIntendedNameId('urn:collab:person:example.edu:mock1');
-        $command->setResponse($response);
-
-        $command->setCollabPersonId('urn:collab:person:example.edu:mock1');
-        $command->setRequest(new EngineBlock_Saml2_AuthnRequestAnnotationDecorator(new SAML2_AuthnRequest()));
-        $command->setIdpMetadata(array('EntityID' => 'http://idp.example.edu'));
-        $command->setSpMetadata(array('EntityID' => 'http://sp.example.edu'));
-        $command->setResponseAttributes(array());
-        $this->_command = $command;
-    }
-
-    public function testCustomNameId()
-    {
-        // Input
-        $command = clone $this->_command;
-        $nameId = array(
-            'Format' => '',
-            'Value' => '',
-        );
-
-        $response = $command->getResponse();
-        $response->setCustomNameId($nameId);
-
-        // Run
-        $command->execute();
-
-        // Output
-        $response = $command->getResponse();
-        $responseAttributes = $command->getResponseAttributes();
-
-        // Test
-        $this->assertEquals(
-            $nameId,
-            $response->getAssertion()->getNameId(),
-            'Assertion NameID is set to CustomNameId, allowing overrides in Attribute Manipulations'
-        );
-        /** @var DOMNodeList $eppn */
-        $eppn = $responseAttributes['urn:mace:dir:attribute-def:eduPersonTargetedID'][0];
-        $this->assertEquals(1, $eppn->length, "Only 1 NameID is provided");
-        $eppnNode = $eppn->item(0);
-
-        $this->assertEquals(
-            $nameId['Value'],
-            $eppnNode->attributes->getNamedItem('Value'),
-            'CustomNameId is also set in attributes'
-        );
-    }
-
-    public function testNameIdPolicyInAuthnRequest()
-    {
-        // Input
-        $command = clone $this->_command;
-
-        $response = $command->getResponse();
-        $nameId = array(
-            'Format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
-            'Value' => $response->getIntendedNameId(),
-        );
-
-        $request = $command->getRequest();
-        /** @var SAML2_AuthnRequest $request */
-        $request->setNameIdPolicy(array('Format' => $nameId['Format']));
-
-        // Run
-        $command->execute();
-
-        // Output
-        $response = $command->getResponse();
-
-        // Test
-        $this->assertEquals(
-            $nameId,
-            $response->getAssertion()->getNameId(),
-            'Assertion NameID is set to unspecified, as requested in the AuthnRequest/NameIDPolicy[Format]'
-        );
-    }
-
-    public function testNameIdFormatInMetadata()
-    {
-        // Input
-        $command = clone $this->_command;
-
-        $response = $command->getResponse();
-        $nameId = array(
-            'Format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
-            'Value' => $response->getIntendedNameId(),
-        );
-        $command->setSpMetadata(
-            array_merge_recursive(
-                $command->getSpMetadata(),
-                array('NameIDFormat' => $nameId['Format'])
-            )
-        );
-
-        // Run
-        $command->execute();
-
-        // Output
-        $response = $command->getResponse();
-
-        // Test
-        $this->assertEquals(
-            $nameId,
-            $response->getAssertion()->getNameId(),
-            'Assertion NameID is set to CustomNameId, allowing overrides in Attribute Manipulations'
-        );
-    }
-
-    public function testMetadataOverAuthnRequest()
-    {
-        // Input
-        $command = clone $this->_command;
-
-        $response = $command->getResponse();
-        $nameId = array(
-            'Format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
-            'Value' => $response->getIntendedNameId(),
-        );
-        $command->setSpMetadata(
-            array_merge_recursive(
-                $command->getSpMetadata(),
-                array('NameIDFormat' => $nameId['Format'])
-            )
-        );
-        $request = $command->getRequest();
-        /** @var SAML2_AuthnRequest $request */
-        $request->setNameIdPolicy(array('Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
-
-        // Run
-        $command->execute();
-
-        // Output
-        $response = $command->getResponse();
-
-        // Test
-        $this->assertEquals(
-            $nameId,
-            $response->getAssertion()->getNameId(),
-            'Assertion NameID is set to what is set for this SP in the Metadata, NOT what it requested'
-        );
-    }
-
-    public function testPersistent()
-    {
-        // Input
-        $command = clone $this->_command;
-
-        $nameId = array(
-            'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
-            'Value' => '',
-        );
-        $command->setSpMetadata(
-            array_merge_recursive(
-                $command->getSpMetadata(),
-                array('NameIDFormat' => $nameId['Format'])
-            )
-        );
-
-        // Run
-        $command->execute();
-
-        // Output
-        $firstResponse = $command->getResponse();
-
-        // Test
-        $this->assertEquals(
-            $nameId['Format'],
-            $firstResponse->getNameIdFormat(),
-            'Requesting Persistent gives a persistent identifier'
-        );
-
-        // Output
-        $secondResponse = $command->getResponse();
-
-        // Test
-        $this->assertEquals(
-            $firstResponse->getNameId(),
-            $secondResponse->getNameId(),
-            'Persistent NameID is persistent'
-        );
-    }
-
-    public function testTransient()
-    {
-        global $_SESSION;
-        $_SESSION = array();
-
-        // Input
-        $command = clone $this->_command;
-
-        $response = $command->getResponse();
-        $nameId = array(
-            'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
-            'Value' => '',
-        );
-        $command->setSpMetadata(
-            array_merge_recursive(
-                $command->getSpMetadata(),
-                array('NameIDFormat' => $nameId['Format'])
-            )
-        );
-
-        // Run
-        $command->execute();
-
-        // Output
-        $firstResponse = $command->getResponse();
-        $firstResponseNameId = $firstResponse->getNameId();
-
-        // Test
-        $this->assertEquals(
-            $nameId['Format'],
-            $firstResponseNameId['Format'],
-            'Assertion NameID is set to what is set for this SP in the Metadata, NOT what it requested'
-        );
-
-        // Run
-        $command->execute();
-
-        // Output
-        $secondResponse = $command->getResponse();
-        $secondResponseNameId = $secondResponse->getNameId();
-
-        // Test
-        $this->assertEquals(
-            $firstResponseNameId['Value'],
-            $secondResponseNameId['Value'],
-            'Asking for another NameID in a given session, for the same SP and IdP, gives the same id'
-        );
-
-        // Input
-        $command->setSpMetadata(array_merge($command->getSpMetadata(), array('EntityID' => 'https://sp2.example.edu')));
-
-        // Run
-        $command->execute();
-
-        // Output
-        $thirdResponse = $command->getResponse();
-        $thirdResponseNameId = $thirdResponse->getNameId();
-
-        // Test
-        $this->assertNotEquals(
-            $secondResponseNameId,
-            $thirdResponseNameId,
-            'Asking for another NameID in a given session, for a different SP, gives a different NameID'
-        );
-
-        // Input
-        $_SESSION = array();
-
-        // Run
-        $command->execute();
-
-        // Output
-        $fourthResponse = $command->getResponse();
-        $fourthResponseNameId = $fourthResponse->getNameId();
-
-        // Test
-        $this->assertNotEquals(
-            $thirdResponseNameId,
-            $fourthResponseNameId,
-            'Asking for another NameID in a new session, for the same SP and IdP, gives a different NameID'
-        );
-    }
-
-    public function testNameIDIsAddedAtCorrectLocation()
-    {
-        global $_SESSION;
-        $_SESSION = array();
-
-        // Input
-        $command = clone $this->_command;
-        $nameId = array(
-            'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
-            'Value' => '',
-        );
-
-        $command->setSpMetadata(
-            array_merge_recursive(
-                $command->getSpMetadata(),
-                array('NameIDFormat' => $nameId['Format'])
-            )
-        );
-
-        // Run
-        $command->execute();
-
-        // Output
-        $outputResponse = $command->getResponse();
-
-        // Test
-        $this->assertNotEmpty($outputResponse->getAssertion()->getNameId());
-    }
-
-}
diff --git a/tests/library/EngineBlock/Test/Corto/Model/ConsentTest.php b/tests/library/EngineBlock/Test/Corto/Model/ConsentTest.php
deleted file mode 100644
index fb696acb6a..0000000000
--- a/tests/library/EngineBlock/Test/Corto/Model/ConsentTest.php
+++ /dev/null
@@ -1,77 +0,0 @@
-<?php
-/**
- * @todo, currently only arp is tested, test all other functionality too
- */
-class EngineBlock_Test_Corto_Model_ConsentTest extends PHPUnit_Framework_TestCase
-{
-    /** @var EngineBlock_Corto_Model_Consent */
-    private $consent;
-
-    /** @var EngineBlock_Corto_Filter_Command_AttributeReleasePolicy */
-    private $attributeReleasePolicyFilterMock;
-
-    public function setup()
-    {
-        EngineBlock_ApplicationSingleton::getInstance()->bootstrap();
-        $diContainer = EngineBlock_ApplicationSingleton::getInstance()->getDiContainer();
-
-        $this->consent = $this->factoryConsent($diContainer);
-        $this->attributeReleasePolicyFilterMock = $this->factoryAttributeReleasePolicyFilter($diContainer);
-    }
-
-    public function testHasStoredConsentAppliesArp()
-    {
-        $serviceProviderEntityId = 'testSp';
-        $spMetadata = array();
-        $this->assertFalse($this->consent->hasStoredConsent($serviceProviderEntityId, $spMetadata));
-
-        Phake::verify($this->attributeReleasePolicyFilterMock)->execute();
-    }
-
-    public function testStoreConsentAppliesArp()
-    {
-        $serviceProviderEntityId = 'testSp';
-        $spMetadata = array();
-        $this->assertFalse($this->consent->storeConsent($serviceProviderEntityId, $spMetadata));
-
-        Phake::verify($this->attributeReleasePolicyFilterMock)->execute();
-    }
-
-    /**
-     * @param EngineBlock_Application_DiContainer $diContainer
-     * @return EngineBlock_Corto_Filter_Command_AttributeReleasePolicy
-     */
-    private function factoryAttributeReleasePolicyFilter(EngineBlock_Application_DiContainer $diContainer)
-    {
-        $attributeReleasePolicyFilterMock = Phake::mock('EngineBlock_Corto_Filter_Command_AttributeReleasePolicy');
-        $commandFilterFactoryMock = $diContainer[EngineBlock_Application_DiContainer::FILTER_COMMAND_FACTORY];
-        Phake::when($commandFilterFactoryMock)
-            ->create('AttributeReleasePolicy')
-            ->thenReturn($attributeReleasePolicyFilterMock);
-
-        return $attributeReleasePolicyFilterMock;
-    }
-
-    /**
-     * @param EngineBlock_Application_DiContainer $diContainer
-     * @return EngineBlock_Corto_Model_Consent
-     */
-    private function factoryConsent(EngineBlock_Application_DiContainer $diContainer)
-    {
-        $tableName = null;
-        $mustStoreValues = true;
-        $response = new EngineBlock_Saml2_ResponseAnnotationDecorator(new SAML2_Response());
-        $responseAttributes = array();
-
-        $consent = new EngineBlock_Corto_Model_Consent(
-            $tableName,
-            $mustStoreValues,
-            $response,
-            $responseAttributes,
-            $diContainer[EngineBlock_Application_DiContainer::FILTER_COMMAND_FACTORY],
-            $diContainer[EngineBlock_Application_DiContainer::DATABASE_CONNECTION_FACTORY]
-        );
-
-        return $consent;
-    }
-}
diff --git a/tests/library/EngineBlock/Test/Corto/Module/BindingsTest.php b/tests/library/EngineBlock/Test/Corto/Module/BindingsTest.php
index 9e950a89eb..f1ae295f58 100644
--- a/tests/library/EngineBlock/Test/Corto/Module/BindingsTest.php
+++ b/tests/library/EngineBlock/Test/Corto/Module/BindingsTest.php
@@ -33,47 +33,6 @@ public function testResponseRedirectIsNotSupported()
         $this->bindings->send($response, $remoteEntity);
     }
 
-    /**
-     * @param string $xmlFile
-     * @param string $certificateFile
-     *
-     * @dataProvider responseProvider
-     * @todo this should be fixed by Boy
-     */
-//    public function testResponseVerifies($xmlFile, $certificateFile)
-//    {
-//        return $this->markTestSkipped('FIXME with SSP signature verification!');
-//
-//        $xml2array = new EngineBlock_Corto_XmlToArray();
-//        $xml = file_get_contents($xmlFile);
-//
-//        $element = $xml2array->xml2array($xml);
-//
-//        $publicCertificate = file_get_contents($certificateFile);
-//
-//        $publicKey = openssl_pkey_get_public($publicCertificate);
-//
-//        if (isset($element['ds:Signature'])) {
-//            $this->assertTrue(
-//                $this->bindings->_verifySignatureXMLElement(
-//                    $publicKey,
-//                    $xml,
-//                    $element
-//                )
-//            );
-//        }
-//
-//        if (isset($element['saml:Assertion']['ds:Signature'])) {
-//            $this->assertTrue(
-//                $this->bindings->_verifySignatureXMLElement(
-//                    $publicKey,
-//                    $xml,
-//                    $element['saml:Assertion']
-//                )
-//            );
-//        }
-//    }
-
     /**
      * Provides a list of paths to response xml files and certificate files
      * 
diff --git a/tests/library/EngineBlock/Test/Corto/Module/Service/ProccessConsentTest.php b/tests/library/EngineBlock/Test/Corto/Module/Service/ProccessConsentTest.php
index e90159001e..f83bdb5421 100644
--- a/tests/library/EngineBlock/Test/Corto/Module/Service/ProccessConsentTest.php
+++ b/tests/library/EngineBlock/Test/Corto/Module/Service/ProccessConsentTest.php
@@ -2,21 +2,28 @@
 
 class EngineBlock_Test_Corto_Module_Service_ProccessConsentTest extends PHPUnit_Framework_TestCase
 {
-    /** @var EngineBlock_Corto_ProxyServer */
+    /**
+     * @var EngineBlock_Corto_ProxyServer
+     */
     private $proxyServerMock;
 
-    /** @var EngineBlock_Corto_XmlToArray */
+    /**
+     * @var EngineBlock_Corto_XmlToArray
+     */
     private $xmlConverterMock;
 
-    /** @var EngineBlock_Corto_Model_Consent_Factory */
+    /**
+     * @var EngineBlock_Corto_Model_Consent_Factory
+     */
     private $consentFactoryMock;
 
-    /** @var EngineBlock_Mail_Mailer */
+    /**
+     * @var EngineBlock_Mail_Mailer
+     */
     private $mailerMock;
 
-    public function setup() {
-        EngineBlock_ApplicationSingleton::getInstance()->bootstrap();
-
+    public function setup()
+    {
         $this->proxyServerMock = $this->mockProxyServer();
 
         $diContainer = EngineBlock_ApplicationSingleton::getInstance()->getDiContainer();
@@ -148,13 +155,28 @@ private function mockGlobals()
         $assertion->setAttributes(array(
             'urn:mace:dir:attribute-def:mail' => 'test@test.test'
         ));
+
+        $spRequest = new SAML2_AuthnRequest();
+        $spRequest->setId('SPREQUEST');
+        $spRequest = new EngineBlock_Saml2_AuthnRequestAnnotationDecorator($spRequest);
+
+        $ebRequest = new SAML2_AuthnRequest();
+        $ebRequest->setId('EBREQUEST');
+        $ebRequest = new EngineBlock_Saml2_AuthnRequestAnnotationDecorator($ebRequest);
+
+        $dummySessionLog = new EngineBlock_Log();
+        $authnRequestRepository = new EngineBlock_Saml2_AuthnRequestSessionRepository($dummySessionLog);
+        $authnRequestRepository->store($spRequest);
+        $authnRequestRepository->store($ebRequest);
+        $authnRequestRepository->link($ebRequest, $spRequest);
+
         $sspResponse = new SAML2_Response();
+        $sspResponse->setInResponseTo('EBREQUEST');
         $sspResponse->setAssertions(array($assertion));
         $_SESSION['consent']['test']['response'] = new EngineBlock_Saml2_ResponseAnnotationDecorator($sspResponse);
     }
 
     /**
-     * @param EngineBlock_Corto_Model_Consent_Factory $this->consentFactoryMock
      * @return EngineBlock_Corto_Model_Consent
      */
     private function mockConsent()
diff --git a/tests/library/EngineBlock/Test/Corto/Module/Service/ProvideConsentTest.php b/tests/library/EngineBlock/Test/Corto/Module/Service/ProvideConsentTest.php
index 836140aee7..63acf82408 100644
--- a/tests/library/EngineBlock/Test/Corto/Module/Service/ProvideConsentTest.php
+++ b/tests/library/EngineBlock/Test/Corto/Module/Service/ProvideConsentTest.php
@@ -12,8 +12,6 @@ class EngineBlock_Test_Corto_Module_Service_ProvideConsentTest extends PHPUnit_F
     private $consentMock;
 
     public function setup() {
-        EngineBlock_ApplicationSingleton::getInstance()->bootstrap();
-
         $this->proxyServerMock = $this->mockProxyServer();
 
         $diContainer = EngineBlock_ApplicationSingleton::getInstance()->getDiContainer();
@@ -43,7 +41,7 @@ public function testConsentIsSkippedWhenPriorConsentIsStored()
         $provideConsentService->serve(null);
 
         Phake::verify($this->proxyServerMock->getBindingsModule())
-            ->send(Phake::capture($message), Phake::anyParameters());
+            ->send(Phake::capture($message), Phake::capture($metadata));
         $this->assertEquals('urn:oasis:names:tc:SAML:2.0:consent:prior', $message->getConsent());
     }
 
@@ -62,7 +60,7 @@ public function testConsentIsSkippedWhenGloballyDisabled()
         $provideConsentService->serve(null);
 
         Phake::verify($this->proxyServerMock->getBindingsModule())
-            ->send(Phake::capture($message), Phake::anyParameters());
+            ->send(Phake::capture($message), Phake::capture($metadata));
         $this->assertEquals('urn:oasis:names:tc:SAML:2.0:consent:inapplicable', $message->getConsent());
     }
 
@@ -83,27 +81,10 @@ public function testConsentIsSkippedWhenDisabledPerSp()
         $provideConsentService->serve(null);
 
         Phake::verify($this->proxyServerMock->getBindingsModule())
-            ->send(Phake::capture($message), Phake::anyParameters());
+            ->send(Phake::capture($message), Phake::capture($metadata));
         $this->assertEquals('urn:oasis:names:tc:SAML:2.0:consent:inapplicable', $message->getConsent());
     }
 
-    public function testFilteredAttributesAreUsedToRenderTemplate()
-    {
-        $provideConsentService = $this->factoryService();
-
-        $expectedFilteredAttributes = array('foo');
-        Phake::when($this->consentMock)
-            ->getFilteredResponseAttributes(Phake::anyParameters())
-            ->thenReturn($expectedFilteredAttributes);
-
-        $provideConsentService->serve(null);
-
-        Phake::verify($this->proxyServerMock)
-            ->renderTemplate(Phake::capture($templateName), Phake::capture($vars));
-
-        $this->assertEquals($expectedFilteredAttributes, $vars['attributes']);
-    }
-
     /**
      * @return EngineBlock_Corto_ProxyServer
      */
@@ -115,10 +96,10 @@ private function mockProxyServer()
 
         Phake::when($proxyServerMock)
             ->getRemoteEntity('testSp')
-            ->thenReturn(array());
+            ->thenReturn(array( 'EntityID' => 'testSp' ));
         Phake::when($proxyServerMock)
             ->getRemoteEntity('testIdP')
-            ->thenReturn(array());
+            ->thenReturn(array( 'EntityID' => 'testIdP'));
 
         $bindingsModuleMock = $this->mockBindingsModule();
         $proxyServerMock->setBindingsModule($bindingsModuleMock);
@@ -139,8 +120,21 @@ private function mockProxyServer()
      */
     private function mockBindingsModule()
     {
-        // Mock bindings module
-        $bindingsModuleMock = Phake::mock('EngineBlock_Corto_Module_Bindings');
+        $spRequest = new SAML2_AuthnRequest();
+        $spRequest->setId('SPREQUEST');
+        $spRequest->setIssuer('testSp');
+        $spRequest = new EngineBlock_Saml2_AuthnRequestAnnotationDecorator($spRequest);
+
+        $ebRequest = new SAML2_AuthnRequest();
+        $ebRequest->setId('EBREQUEST');
+        $ebRequest = new EngineBlock_Saml2_AuthnRequestAnnotationDecorator($ebRequest);
+        
+        $dummyLog = new EngineBlock_Log();
+        $authnRequestRepository = new EngineBlock_Saml2_AuthnRequestSessionRepository($dummyLog);
+        $authnRequestRepository->store($spRequest);
+        $authnRequestRepository->store($ebRequest);
+        $authnRequestRepository->link($ebRequest, $spRequest);
+
         $assertion = new SAML2_Assertion();
         $assertion->setAttributes(array(
             'urn:org:openconext:corto:internal:sp-entity-id' => array(
@@ -150,11 +144,16 @@ private function mockBindingsModule()
                 null
             )
         ));
+
         $responseFixture = new SAML2_Response();
+        $responseFixture->setInResponseTo('EBREQUEST');
         $responseFixture->setAssertions(array($assertion));
         $responseFixture = new EngineBlock_Saml2_ResponseAnnotationDecorator($responseFixture);
         $responseFixture->setOriginalIssuer('testIdP');
 
+        // Mock bindings module
+        /** @var EngineBlock_Corto_Module_Bindings $bindingsModuleMock */
+        $bindingsModuleMock = Phake::mock('EngineBlock_Corto_Module_Bindings');
         Phake::when($bindingsModuleMock)
             ->receiveResponse()
             ->thenReturn($responseFixture);
diff --git a/tests/library/EngineBlock/Test/Corto/ServiceRegistry/AdapterTest.php b/tests/library/EngineBlock/Test/Corto/ServiceRegistry/AdapterTest.php
index b4e2e79b9a..b145020f14 100644
--- a/tests/library/EngineBlock/Test/Corto/ServiceRegistry/AdapterTest.php
+++ b/tests/library/EngineBlock/Test/Corto/ServiceRegistry/AdapterTest.php
@@ -1,27 +1,5 @@
 <?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
+
 class EngineBlock_Test_Corto_ServiceRegistry_AdapterTest extends PHPUnit_Framework_TestCase
 {
     /**
@@ -135,6 +113,7 @@ public function testGetRemoteMetaData()
                         'Location' => 'https://engine.surfconext.nl/logout'
                     )
                 ),
+                'TrustedProxy' => false,
             ),
             "https://ss.idp.ebdev.net/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" => array(
                 "SingleSignOnService" => array(
diff --git a/tests/library/EngineBlock/Test/DispatcherTest.php b/tests/library/EngineBlock/Test/DispatcherTest.php
deleted file mode 100644
index ad798d5c46..0000000000
--- a/tests/library/EngineBlock/Test/DispatcherTest.php
+++ /dev/null
@@ -1,24 +0,0 @@
-<?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
diff --git a/tests/library/EngineBlock/Test/LogTest.php b/tests/library/EngineBlock/Test/LogTest.php
index 0b518bba07..79974401c5 100644
--- a/tests/library/EngineBlock/Test/LogTest.php
+++ b/tests/library/EngineBlock/Test/LogTest.php
@@ -1,27 +1,4 @@
 <?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
 
 /**
  * Tests for EngineBlock_Log
diff --git a/tests/library/EngineBlock/Test/RestClientMock.php b/tests/library/EngineBlock/Test/RestClientMock.php
index 4cd16d9906..c7cbe2db87 100644
--- a/tests/library/EngineBlock/Test/RestClientMock.php
+++ b/tests/library/EngineBlock/Test/RestClientMock.php
@@ -1,80 +1,57 @@
 <?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
 
 class EngineBlock_Test_RestClientMock
 {
-	protected $_method = NULL;
-	protected $_params = array();
-	protected $_methods = array("getMetadata", "getIdpList", "getSpList", "findIdentifiersByMetadata", "isConnectionAllowed", "arp");
-	
-	public function __construct()
-	{
-		$this->_params = array("keys"=>NULL, "key"=>NULL, "value"=>NULL, "entityid"=>NULL, "spentityid"=>NULL, "idpentityid"=>NULL);
-	}
-	
-	public function __call($call, $args)
-	{
-		if (array_key_exists($call, $this->_params)) {
-			$this->_params[$call] = $args[0];
+    protected $_method = NULL;
+    protected $_params = array();
+    protected $_methods = array("getMetadata", "getIdpList", "getSpList", "findIdentifiersByMetadata", "isConnectionAllowed", "arp");
+    
+    public function __construct()
+    {
+        $this->_params = array("keys"=>NULL, "key"=>NULL, "value"=>NULL, "entityid"=>NULL, "spentityid"=>NULL, "idpentityid"=>NULL);
+    }
+    
+    public function __call($call, $args)
+    {
+        if (array_key_exists($call, $this->_params)) {
+            $this->_params[$call] = $args[0];
         } else if (in_array($call, $this->_methods)) {
-		    $this->_method = $call;
-		}
-		// fluent interface.
-		return $this;
-	}
-	
-	public function get()
-	{
+            $this->_method = $call;
+        }
+        // fluent interface.
+        return $this;
+    }
+    
+    public function get()
+    {
         // Mock a number of test scenarios
         if ($this->_method=="getMetadata" && $this->_params["keys"]==NULL) {
             return array("name:en"=>"Ivo's SP", "description:en"=>"A description", "certData"=>"aaaaabbbbb");
         }
         if ($this->_method=="getMetadata" && $this->_params["keys"]!=NULL && strpos($this->_params["keys"], ",")!==false) {
             return array("name:en"=>"Ivo's SP", "description:en"=>"A description");
-	    }
+        }
         if ($this->_method=="getMetadata" && $this->_params["keys"]!=NULL) {
             return array("certData"=>"aaaaabbbbb");
         }
         if ($this->_method=="isConnectionAllowed") {
-        	if ($this->_params["spentityid"]=="http://ivotestsp.local" && $this->_params["idpentityid"]=="http://ivoidp") {
-        		return array("allowed"=>"yes");
-        	}
-        	return array("allowed"=>"no");
+            if ($this->_params["spentityid"]=="http://ivotestsp.local" && $this->_params["idpentityid"]=="http://ivoidp") {
+                return array("allowed"=>"yes");
+            }
+            return array("allowed"=>"no");
         }         
         if ($this->_method=="arp") {
-            return array("name"=>"someArp", "description"=>"This is a test arp", "attributes"=>array("sn", "url:en", "name:en", "description:en"));	
+            return array("name"=>"someArp", "description"=>"This is a test arp", "attributes"=>array("sn", "url:en", "name:en", "description:en"));    
         }
         if ($this->_method=="findIdentifiersByMetadata") {
-        	return array("http://ivotestsp.local");
+            return array("http://ivotestsp.local");
         }
         if ($this->_method=="getIdpList" && isset($this->_params["spentityid"])) {
             return array("http://ivotestidp.local"=>array("name:en"=>"Ivo's IDP", "description:en"=>"A description"));
         }
         if ($this->_method=="getIdpList") {
-        	return array("http://ivotestidp.local"=>array("name:en"=>"Ivo's IDP", "description:en"=>"A description"),
-        	             "http://ivotestidp2.local"=>array("name:en"=>"Another IDP", "description:en"=>"Another description"));
+            return array("http://ivotestidp.local"=>array("name:en"=>"Ivo's IDP", "description:en"=>"A description"),
+                         "http://ivotestidp2.local"=>array("name:en"=>"Another IDP", "description:en"=>"Another description"));
         }
         if ($this->_method=="getSpList") {
             return array("http://ivotestsp.local"=>array("name:en"=>"Ivo's SP", "description:en"=>"A description"),
@@ -82,5 +59,5 @@ public function get()
         }
  
         return NULL;
-   	}
+       }
 }
\ No newline at end of file
diff --git a/tests/library/EngineBlock/Test/Router/Abstract.php b/tests/library/EngineBlock/Test/Router/Abstract.php
index 2a6432da4d..dba6f28c9c 100644
--- a/tests/library/EngineBlock/Test/Router/Abstract.php
+++ b/tests/library/EngineBlock/Test/Router/Abstract.php
@@ -1,27 +1,4 @@
 <?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
 
 abstract class EngineBlock_Test_Router_Abstract extends PHPUnit_Framework_TestCase
 {
diff --git a/tests/library/EngineBlock/Test/Router/AssertionBuilder.php b/tests/library/EngineBlock/Test/Router/AssertionBuilder.php
index c945f9bf65..bd56e1ed2e 100644
--- a/tests/library/EngineBlock/Test/Router/AssertionBuilder.php
+++ b/tests/library/EngineBlock/Test/Router/AssertionBuilder.php
@@ -1,27 +1,4 @@
 <?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
 
 class EngineBlock_Test_Router_AssertionBuilder
 {
diff --git a/tests/library/EngineBlock/Test/Router/CatchAllTest.php b/tests/library/EngineBlock/Test/Router/CatchAllTest.php
deleted file mode 100644
index ad798d5c46..0000000000
--- a/tests/library/EngineBlock/Test/Router/CatchAllTest.php
+++ /dev/null
@@ -1,24 +0,0 @@
-<?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
diff --git a/tests/library/EngineBlock/Test/Router/DefaultTest.php b/tests/library/EngineBlock/Test/Router/DefaultTest.php
index 9125c38885..ff5646fcfb 100644
--- a/tests/library/EngineBlock/Test/Router/DefaultTest.php
+++ b/tests/library/EngineBlock/Test/Router/DefaultTest.php
@@ -1,27 +1,5 @@
 <?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
+
 class EngineBlock_Test_Router_DefaultTest extends EngineBlock_Test_Router_Abstract
 {
     public function testRoutables()
diff --git a/tests/library/EngineBlock/Test/Corto/Filter/Command/SetNameIdMock.php b/tests/library/EngineBlock/Test/Saml2/NameIdResolverMock.php
similarity index 79%
rename from tests/library/EngineBlock/Test/Corto/Filter/Command/SetNameIdMock.php
rename to tests/library/EngineBlock/Test/Saml2/NameIdResolverMock.php
index d7746e8c05..48c3667032 100644
--- a/tests/library/EngineBlock/Test/Corto/Filter/Command/SetNameIdMock.php
+++ b/tests/library/EngineBlock/Test/Saml2/NameIdResolverMock.php
@@ -1,25 +1,10 @@
 <?php
 
-class EngineBlock_Test_Corto_Filter_Command_SetNameIdMock extends EngineBlock_Corto_Filter_Command_SetNameId
+class EngineBlock_Test_Saml2_NameIdResolverMock extends EngineBlock_Saml2_NameIdResolver
 {
     private $_serviceProviderUuids = array();
     private $_persistentIds = array();
 
-    public function getRequest()
-    {
-        return $this->_request;
-    }
-
-    public function getSpMetadata()
-    {
-        return $this->_spMetadata;
-    }
-
-    public function getCollabPersonId()
-    {
-        return $this->_collabPersonId;
-    }
-
     protected function _getUserDirectory()
     {
         $mock = new EngineBlock_Test_UserDirectoryMock();
@@ -59,4 +44,4 @@ protected function _storeServiceProviderUuid($spEntityId, $uuid)
     {
         $this->_serviceProviderUuids[$spEntityId] = $uuid;
     }
-}
+}
\ No newline at end of file
diff --git a/tests/library/EngineBlock/Test/Saml2/NameIdResolverTest.php b/tests/library/EngineBlock/Test/Saml2/NameIdResolverTest.php
new file mode 100644
index 0000000000..09d9a57ac0
--- /dev/null
+++ b/tests/library/EngineBlock/Test/Saml2/NameIdResolverTest.php
@@ -0,0 +1,238 @@
+<?php
+
+/**
+ * Tests for EngineBlock_Log
+ *
+ * @group saml2
+ */
+class EngineBlock_Test_Saml2_NameIdResolverTest extends PHPUnit_Framework_TestCase
+{
+    /**
+     * @var EngineBlock_Saml2_NameIdResolver
+     */
+    private $resolver;
+
+    /**
+     * @var EngineBlock_Saml2_AuthnRequestAnnotationDecorator
+     */
+    private $request;
+
+    /**
+     * @var EngineBlock_Saml2_ResponseAnnotationDecorator
+     */
+    private $response;
+
+    /**
+     * @var string
+     */
+    private $collabPersonId;
+
+    /**
+     * @var array
+     */
+    private $spMetadata;
+
+    public function setUp()
+    {
+        $this->request = new EngineBlock_Saml2_AuthnRequestAnnotationDecorator(new SAML2_AuthnRequest());
+
+        $assertion = new SAML2_Assertion();
+        $assertion->setAttributes(array());
+        $response = new SAML2_Response();
+        $response->setAssertions(array($assertion));
+        $response = new EngineBlock_Saml2_ResponseAnnotationDecorator($response);
+        $response->setIntendedNameId('urn:collab:person:example.edu:mock1');
+        $this->response = $response;
+
+        $this->spMetadata  = array('EntityID' => 'http://sp.example.edu');
+        $this->collabPersonId = 'urn:collab:person:example.edu:mock1';
+
+        $this->resolver = new EngineBlock_Test_Saml2_NameIdResolverMock();
+    }
+
+    public function testCustomNameId()
+    {
+        // Input
+        $nameId = array(
+            'Format' => '',
+            'Value' => '',
+        );
+        $this->response->setCustomNameId($nameId);
+
+        // Run
+        $resolvedNameID = $this->resolver->resolve($this->request, $this->response, $this->spMetadata, $this->collabPersonId);
+
+        // Test
+        $this->assertEquals($nameId, $resolvedNameID, 'CustomNameId is used');
+    }
+
+    public function testNameIdPolicyInAuthnRequest()
+    {
+        // Input
+        $nameId = array(
+            'Format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
+            'Value' => $this->response->getIntendedNameId(),
+        );
+        /** @var SAML2_AuthnRequest $request */
+        $request = $this->request;
+        $request->setNameIdPolicy(array('Format' => $nameId['Format']));
+
+        // Run
+        $resolvedNameId = $this->resolver->resolve($request, $this->response, $this->spMetadata, $this->collabPersonId);
+
+        // Test
+        $this->assertEquals(
+            $nameId,
+            $resolvedNameId,
+            'Assertion NameID is set to unspecified, as requested in the AuthnRequest/NameIDPolicy[Format]'
+        );
+    }
+
+    public function testNameIdFormatInMetadata()
+    {
+        // Input
+        $nameId = array(
+            'Format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
+            'Value' => $this->response->getIntendedNameId(),
+        );
+        $this->spMetadata['NameIDFormat'] = $nameId['Format'];
+
+        // Run
+        $resolvedNameId = $this->resolver->resolve($this->request, $this->response, $this->spMetadata, $this->collabPersonId);
+
+        // Test
+        $this->assertEquals(
+            $nameId,
+            $resolvedNameId,
+            'Assertion NameID is set to CustomNameId, allowing overrides in Attribute Manipulations'
+        );
+    }
+
+    public function testMetadataOverAuthnRequest()
+    {
+        // Input
+        $nameId = array(
+            'Format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
+            'Value' => $this->response->getIntendedNameId(),
+        );
+        $this->spMetadata['NameIDFormat'] = $nameId['Format'];
+
+        /** @var SAML2_AuthnRequest $request */
+        $request = $this->request;
+        $request->setNameIdPolicy(array('Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
+
+        // Run
+        $resolvedNameId = $this->resolver->resolve($this->request, $this->response, $this->spMetadata, $this->collabPersonId);
+
+        // Test
+        $this->assertEquals(
+            $nameId,
+            $resolvedNameId,
+            'Assertion NameID is set to what is set for this SP in the Metadata, NOT what it requested'
+        );
+    }
+
+    public function testPersistent()
+    {
+        // Input
+        $nameId = array(
+            'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
+            'Value' => '',
+        );
+        $this->spMetadata['NameIDFormat'] = $nameId['Format'];
+
+        // Run
+        $resolvedNameId = $this->resolver->resolve($this->request, $this->response, $this->spMetadata, $this->collabPersonId);
+
+        // Test
+        $this->assertEquals(
+            $nameId['Format'],
+            $resolvedNameId['Format'],
+            'Requesting Persistent gives a persistent identifier'
+        );
+
+        // Run
+        $resolvedNameId2 = $this->resolver->resolve($this->request, $this->response, $this->spMetadata, $this->collabPersonId);
+
+        // Test
+        $this->assertEquals($resolvedNameId, $resolvedNameId2, 'Persistent NameID is persistent');
+    }
+
+    public function testTransient()
+    {
+        global $_SESSION;
+        $_SESSION = array();
+
+        // Input
+        $nameId = array(
+            'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
+            'Value' => '',
+        );
+        $this->spMetadata['NameIDFormat'] = $nameId['Format'];
+
+        // Run
+        $resolvedNameId = $this->resolver->resolve($this->request, $this->response, $this->spMetadata, $this->collabPersonId);
+
+        // Test
+        $this->assertEquals(
+            $nameId['Format'],
+            $resolvedNameId['Format'],
+            'Assertion NameID is set to what is set for this SP in the Metadata, NOT what it requested'
+        );
+
+        // Run
+        $resolvedNameId2 = $this->resolver->resolve($this->request, $this->response, $this->spMetadata, $this->collabPersonId);
+
+        // Test
+        $this->assertEquals(
+            $resolvedNameId['Value'],
+            $resolvedNameId2['Value'],
+            'Asking for another NameID in a given session, for the same SP and IdP, gives the same id'
+        );
+
+        // Input
+        $this->spMetadata['EntityID'] = 'https://sp2.example.edu';
+
+        // Run
+        $resolvedNameId3 = $this->resolver->resolve($this->request, $this->response, $this->spMetadata, $this->collabPersonId);
+
+        // Test
+        $this->assertNotEquals(
+            $resolvedNameId2,
+            $resolvedNameId3,
+            'Asking for another NameID in a given session, for a different SP, gives a different NameID'
+        );
+
+        // Input
+        $_SESSION = array();
+
+        // Run
+        $resolvedNameId4 = $this->resolver->resolve($this->request, $this->response, $this->spMetadata, $this->collabPersonId);
+
+        // Test
+        $this->assertNotEquals(
+            $resolvedNameId3,
+            $resolvedNameId4,
+            'Asking for another NameID in a new session, for the same SP and IdP, gives a different NameID'
+        );
+    }
+
+    public function testNameIDIsAddedAtCorrectLocation()
+    {
+        global $_SESSION;
+        $_SESSION = array();
+
+        // Input
+        $nameId = array(
+            'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
+            'Value' => '',
+        );
+        $this->spMetadata['NameIDFormat'] = $nameId['Format'];
+
+        // Run
+        $resolvedNameId = $this->resolver->resolve($this->request, $this->response, $this->spMetadata, $this->collabPersonId);
+
+        // Test
+        $this->assertNotEmpty($resolvedNameId);
+    }
+}
\ No newline at end of file
diff --git a/tests/library/EngineBlock/Test/ServiceRegistryMock.php b/tests/library/EngineBlock/Test/ServiceRegistryMock.php
index 7ccb9f18cb..711d3f3f74 100644
--- a/tests/library/EngineBlock/Test/ServiceRegistryMock.php
+++ b/tests/library/EngineBlock/Test/ServiceRegistryMock.php
@@ -1,27 +1,4 @@
 <?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
 
 /**
  * @todo replace this with Phake
diff --git a/tests/library/EngineBlock/Test/ServiceRegistryTest.php b/tests/library/EngineBlock/Test/ServiceRegistryTest.php
index 6b5a87dac3..4a033acd26 100644
--- a/tests/library/EngineBlock/Test/ServiceRegistryTest.php
+++ b/tests/library/EngineBlock/Test/ServiceRegistryTest.php
@@ -1,27 +1,4 @@
 <?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
 
 // TODO: replace the calls with a mock rest server, currently tests against
 // actual content in Ivo's janus db.
diff --git a/tests/library/EngineBlock/Test/UserDirectoryMock.php b/tests/library/EngineBlock/Test/UserDirectoryMock.php
index fe5e202641..0041b8c661 100644
--- a/tests/library/EngineBlock/Test/UserDirectoryMock.php
+++ b/tests/library/EngineBlock/Test/UserDirectoryMock.php
@@ -1,27 +1,4 @@
 <?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
 
 class EngineBlock_Test_UserDirectoryMock extends EngineBlock_UserDirectory
 {
diff --git a/tests/phpunit.xml b/tests/phpunit.xml
index 5ceb6efdc5..b741544151 100644
--- a/tests/phpunit.xml
+++ b/tests/phpunit.xml
@@ -1,16 +1,15 @@
-<phpunit bootstrap="bootstrap.php" colors="true"
-	convertErrorsToExceptions="true"
-	convertNoticesToExceptions="false"
-	convertWarningsToExceptions="false">
-	<php>
-		<!-- Set the APPLICATION_ENV constant -->
-		<const name="ENGINEBLOCK_ENV" value="testing"/>
-	</php>
-	<testsuites>
-		<!-- Declare a testsuite called All -->
-		<testsuite name="All">
-			<!-- Look for our unit tests in the following directory. They must end with Test.php -->
-			<directory suffix="Test.php">.</directory>
-		</testsuite>
-	</testsuites>
+<phpunit
+        backupGlobals="false"
+        bootstrap="bootstrap.php"
+        colors="true"
+        convertErrorsToExceptions="true"
+        convertNoticesToExceptions="false"
+        convertWarningsToExceptions="false">
+    <testsuites>
+        <!-- Declare a testsuite called All -->
+        <testsuite name="All">
+            <!-- Look for our unit tests in the following directory. They must end with Test.php -->
+            <directory suffix="Test.php">.</directory>
+        </testsuite>
+    </testsuites>
 </phpunit>
diff --git a/www/authentication/css/1-column-blue-grey/consent.css b/www/authentication/css/1-column-blue-grey/consent.css
index 450fc477c7..5aea28ba56 100644
--- a/www/authentication/css/1-column-blue-grey/consent.css
+++ b/www/authentication/css/1-column-blue-grey/consent.css
@@ -1,18 +1,3 @@
-/*
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 * {
   margin: 0; }
 
diff --git a/www/authentication/css/1-column-blue-grey/consent.scss b/www/authentication/css/1-column-blue-grey/consent.scss
index da83d99561..5a34cadd60 100644
--- a/www/authentication/css/1-column-blue-grey/consent.scss
+++ b/www/authentication/css/1-column-blue-grey/consent.scss
@@ -1,19 +1,3 @@
-/*
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
 @import "partials/general";
 @import "partials/clearfix";
 @import "partials/panel";
diff --git a/www/authentication/css/1-column-blue-grey/partials/attribute-table.scss b/www/authentication/css/1-column-blue-grey/partials/attribute-table.scss
index 772589ac46..7c1d418cd8 100644
--- a/www/authentication/css/1-column-blue-grey/partials/attribute-table.scss
+++ b/www/authentication/css/1-column-blue-grey/partials/attribute-table.scss
@@ -1,19 +1,3 @@
-//
-// Copyright 2011 SURFnet bv, The Netherlands
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-
 table, tr, th, td {
   border: 0 none;
   border-collapse: collapse;
diff --git a/www/authentication/css/1-column-blue-grey/partials/clearfix.scss b/www/authentication/css/1-column-blue-grey/partials/clearfix.scss
index 8fda86a458..33559ba7e9 100644
--- a/www/authentication/css/1-column-blue-grey/partials/clearfix.scss
+++ b/www/authentication/css/1-column-blue-grey/partials/clearfix.scss
@@ -1,19 +1,3 @@
-//
-// Copyright 2011 SURFnet bv, The Netherlands
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-
 .clearfix:after,
 #main:after {
   content: ".";
diff --git a/www/authentication/css/1-column-blue-grey/partials/datatable.scss b/www/authentication/css/1-column-blue-grey/partials/datatable.scss
index 04defff8fe..180064441e 100644
--- a/www/authentication/css/1-column-blue-grey/partials/datatable.scss
+++ b/www/authentication/css/1-column-blue-grey/partials/datatable.scss
@@ -1,19 +1,3 @@
-//
-// Copyright 2011 SURFnet bv, The Netherlands
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-
 table.datatable, table.datatable tr, table.datatable th, table.datatable td {
   border: 0 none;
   border-collapse: collapse;
diff --git a/www/authentication/css/1-column-blue-grey/partials/faq.scss b/www/authentication/css/1-column-blue-grey/partials/faq.scss
index 831416f4aa..71b75879a9 100644
--- a/www/authentication/css/1-column-blue-grey/partials/faq.scss
+++ b/www/authentication/css/1-column-blue-grey/partials/faq.scss
@@ -1,19 +1,3 @@
-//
-// Copyright 2011 SURFnet bv, The Netherlands
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-
 p.back {
   border-bottom: 1px solid #d7d7d7;
   padding-bottom: 10px;
diff --git a/www/authentication/css/1-column-blue-grey/partials/general.scss b/www/authentication/css/1-column-blue-grey/partials/general.scss
index 17f7f8d532..dfdb71aec7 100644
--- a/www/authentication/css/1-column-blue-grey/partials/general.scss
+++ b/www/authentication/css/1-column-blue-grey/partials/general.scss
@@ -1,19 +1,3 @@
-//
-// Copyright 2011 SURFnet bv, The Netherlands
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-
 * {
   margin: 0;
 }
diff --git a/www/authentication/css/1-column-blue-grey/partials/jqscroll.scss b/www/authentication/css/1-column-blue-grey/partials/jqscroll.scss
index 7d7a8aeff9..b3bc462304 100644
--- a/www/authentication/css/1-column-blue-grey/partials/jqscroll.scss
+++ b/www/authentication/css/1-column-blue-grey/partials/jqscroll.scss
@@ -1,19 +1,3 @@
-//
-// Copyright 2011 SURFnet bv, The Netherlands
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-
 #scrollViewport {
   overflow: hidden;
   height: 235px;
diff --git a/www/authentication/css/1-column-blue-grey/partials/nav-top.scss b/www/authentication/css/1-column-blue-grey/partials/nav-top.scss
index db10cca30d..d7b69fb514 100644
--- a/www/authentication/css/1-column-blue-grey/partials/nav-top.scss
+++ b/www/authentication/css/1-column-blue-grey/partials/nav-top.scss
@@ -1,19 +1,3 @@
-//
-// Copyright 2011 SURFnet bv, The Netherlands
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-
 ul.nav {
   float: right;
   list-style: none;
diff --git a/www/authentication/css/1-column-blue-grey/partials/panel.scss b/www/authentication/css/1-column-blue-grey/partials/panel.scss
index 39c95c30e0..d9f0cf1ed7 100644
--- a/www/authentication/css/1-column-blue-grey/partials/panel.scss
+++ b/www/authentication/css/1-column-blue-grey/partials/panel.scss
@@ -1,19 +1,3 @@
-//
-// Copyright 2011 SURFnet bv, The Netherlands
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-
 div#wrapper {
   margin: 0 auto;
   width: 478px;
diff --git a/www/authentication/css/error.css b/www/authentication/css/error.css
index 9d491ccdeb..55d79555e9 100644
--- a/www/authentication/css/error.css
+++ b/www/authentication/css/error.css
@@ -1,27 +1,3 @@
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
-
 .error-icon {
     background: url(../media/error.png) no-repeat;
     height: 32px;
diff --git a/www/authentication/css/narrow/screen.css b/www/authentication/css/narrow/screen.css
index 25ccab640d..c8f2fccb2b 100644
--- a/www/authentication/css/narrow/screen.css
+++ b/www/authentication/css/narrow/screen.css
@@ -1,28 +1,12 @@
-/*
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
 @charset "UTF-8";
 /* CSS Document */
 
 /*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 +
-+	File		: screen.css
-+	Author		: frismedia.nl
-+	Date		: 10-12-2010
-+	 
++    File        : screen.css
++    Author      : frismedia.nl
++    Date        : 10-12-2010
++     
 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*/
 
 /*++++++++++++++++++++++++*/
@@ -246,7 +230,7 @@ div.suggestion a.noAccess span {
 div.suggestion a.noAccess em {
     color: #cc0000;
     font-style: normal;
-    /*	background: url(../media/noAccess.png) repeat;*/
+    /*    background: url(../media/noAccess.png) repeat;*/
     display: block;
     font-size: 11px;
 }
@@ -688,7 +672,7 @@ a.cancel {
 
 #scrollViewport {
     overflow: hidden;
-    /*	height:239px;*/
+    /*    height:239px;*/
     height: 235px;
 }
 
diff --git a/www/authentication/css/narrow/screen_ie.css b/www/authentication/css/narrow/screen_ie.css
index 267dc58b0f..4a6c816eab 100644
--- a/www/authentication/css/narrow/screen_ie.css
+++ b/www/authentication/css/narrow/screen_ie.css
@@ -1,25 +1,9 @@
-/*
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
 hr {margin:0 0 5px 0; }
 
 ul.nav li.active a {
-	position:relative; /* Ensure background image lines us at the bottom */
+    position:relative; /* Ensure background image lines us at the bottom */
 }
 
 input {
-	/*padding-top: 7px;*/ /* Vertically center text in input field */
+    /*padding-top: 7px;*/ /* Vertically center text in input field */
 }
\ No newline at end of file
diff --git a/www/authentication/css/responsive/narrow.css b/www/authentication/css/responsive/narrow.css
index a8a61909d1..b4ee7b3ba4 100644
--- a/www/authentication/css/responsive/narrow.css
+++ b/www/authentication/css/responsive/narrow.css
@@ -1,18 +1,3 @@
-/*
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 @charset "UTF-8";
 
 h1 {
diff --git a/www/authentication/css/responsive/screen_ie.css b/www/authentication/css/responsive/screen_ie.css
index 267dc58b0f..4a6c816eab 100644
--- a/www/authentication/css/responsive/screen_ie.css
+++ b/www/authentication/css/responsive/screen_ie.css
@@ -1,25 +1,9 @@
-/*
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
 hr {margin:0 0 5px 0; }
 
 ul.nav li.active a {
-	position:relative; /* Ensure background image lines us at the bottom */
+    position:relative; /* Ensure background image lines us at the bottom */
 }
 
 input {
-	/*padding-top: 7px;*/ /* Vertically center text in input field */
+    /*padding-top: 7px;*/ /* Vertically center text in input field */
 }
\ No newline at end of file
diff --git a/www/authentication/css/wide/screen.css b/www/authentication/css/wide/screen.css
index ae6a9cbfab..5e4c0d07b7 100644
--- a/www/authentication/css/wide/screen.css
+++ b/www/authentication/css/wide/screen.css
@@ -1,19 +1,3 @@
-/*
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
 @charset "UTF-8";
 /*++++++++++++++++++++++++*/
 /*      HTML ELEMENTS     */
diff --git a/www/authentication/css/wide/screen_ie.css b/www/authentication/css/wide/screen_ie.css
index 267dc58b0f..4a6c816eab 100644
--- a/www/authentication/css/wide/screen_ie.css
+++ b/www/authentication/css/wide/screen_ie.css
@@ -1,25 +1,9 @@
-/*
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
 hr {margin:0 0 5px 0; }
 
 ul.nav li.active a {
-	position:relative; /* Ensure background image lines us at the bottom */
+    position:relative; /* Ensure background image lines us at the bottom */
 }
 
 input {
-	/*padding-top: 7px;*/ /* Vertically center text in input field */
+    /*padding-top: 7px;*/ /* Vertically center text in input field */
 }
\ No newline at end of file
diff --git a/www/authentication/index.php b/www/authentication/index.php
index 48298bbab5..ddeac28209 100644
--- a/www/authentication/index.php
+++ b/www/authentication/index.php
@@ -1,27 +1,4 @@
 <?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
 
 require '../../library/EngineBlock/ApplicationSingleton.php';
 
diff --git a/www/authentication/javascript/discover.js b/www/authentication/javascript/discover.js
index c996de6d21..855def137d 100644
--- a/www/authentication/javascript/discover.js
+++ b/www/authentication/javascript/discover.js
@@ -1,27 +1,3 @@
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
-
 var Discover = function () {
 
     var module = {
diff --git a/www/authentication/javascript/keyboardNavigator.js b/www/authentication/javascript/keyboardNavigator.js
index 3e5d88890f..ff8ecee252 100644
--- a/www/authentication/javascript/keyboardNavigator.js
+++ b/www/authentication/javascript/keyboardNavigator.js
@@ -1,27 +1,3 @@
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
-
 /**
  * Manages navigation using arrow and return key
  * This singleton shouldn't be used for any other project (it's kinda messy)
@@ -29,161 +5,161 @@
  * @author Ward
  */
 var keyboardNavigator = {
-	
-	MODE_3COLUMN_GRID: 0, //Const
-	MODE_LIST: 1, //Const
-	
-	enabled:true,
-	
-	preventMouseEvents: false, //Indicates if mouseenter events should be handled
-	
-	selectedIndex: -1,
-	
-	/* Increments to use for each arrow key */
-	leftIncrement: -1,
-	upIncrement: -3,
-	rightIncrement: 1,
-	downIncrement: 3,
-	
-	itemSelector:'#organisationsContainer li',
-	selectedClass: 'selected',
-	allItems:{},
-	
-	/**
-	 * Hooks up the keypress event
-	 */
-	init: function() {
-		$(document).keydown(function(e) {
-			//We prevent selection with the mouse as long as keys are down, this is to prevent flickering and jumping selections
-			keyboardNavigator.preventMouseEvents = true;
-			if(keyboardNavigator.enabled == true) {
-				switch(e.which) {
-					case 13: //Return
-						keyboardNavigator.activate();
-						break;
-					
-					case 37: //Left
-						keyboardNavigator.navigate('left');
-						break;
-					
-					case 38: //Up
-						keyboardNavigator.navigate('up');
-						break;
-						
-					case 39: //Right
-						keyboardNavigator.navigate('right');
-						break;
-						
-					case 40: //Down
-						keyboardNavigator.navigate('down');
-						break;
-				}
-			}
-		});
-		
-		$(document).keyup(function(e) {
-			//Allow mouse selected when no keys are down
-			keyboardNavigator.preventMouseEvents = false;
-		});
-		
-		//Update selectedClass on mouse movement
-		$(this.itemSelector).live('mouseenter', function() {
-			//Handle mouse events only if they aren't prevented
-			if(keyboardNavigator.preventMouseEvents == false) {
-				keyboardNavigator.setSelectedIndex($(this).index() );
-			}
-		});
-	},
-	
-	
-	determineSelectedIndex: function() {
-		//Determine selected index based on selectedClass
-		this.selectedIndex = $(this.itemSelector + '.' + this.selectedClass).index();
-	},
-	
-	
-	/**
-	 * Updates the selectedIndex and calls updateSelectionHTML when done
-	 */
-	navigate: function(direction) {
-		//If there is no selection, we go to the first any in any case
-		
-		if(this.selectedIndex == -1) {
-			this.selectedIndex = 0;
-		} else {
-			
-			//Check the direction and increment or decrement the selectedIndex
-			if(direction == 'left') {
-				this.selectedIndex = this.selectedIndex + this.leftIncrement;
-			
-			} else if(direction == 'right') {
-				this.selectedIndex = this.selectedIndex + this.rightIncrement;
-			
-			} else if(direction == 'up') {
-				this.selectedIndex = this.selectedIndex + this.upIncrement;
-			
-			} else if (direction == 'down') {
-				this.selectedIndex = this.selectedIndex + this.downIncrement;
-			}
-			
-			//Make sure the selectedIndex is not out of bounds
-			if(this.selectedIndex < 0 ) {
-				this.selectedIndex = 0;
-			} else if(this.selectedIndex > $(this.itemSelector).size() - 1 ) {
-				this.selectedIndex = $(this.itemSelector).size() - 1;
-			}
-		}
-		
-		this.updateSelectionHTML();
-	},
-	
-	
-	/**
-	 * Updates the html to reflect the selectedIndex
-	 */
-	updateSelectionHTML: function() {
-		$(this.itemSelector).removeClass(this.selectedClass);
-		
-		var selectedItem = $(this.itemSelector).eq(this.selectedIndex);
-		selectedItem.addClass(this.selectedClass);
-		selectedItem.focus();
-	},
-	
-	/**
-	 * Calls the onclick handler on the selected element
-	 */
-	activate: function() {
-		$(this.itemSelector).eq(this.selectedIndex).click();
-	},
-	
-	/**
-	 * Set selected index
-	 * @param	index	new selected index
-	 */
-	setSelectedIndex: function(index) {
-		this.selectedIndex = index;
-		this.updateSelectionHTML();
-	},
-	
-	
-	/**
-	 * Switches between 3 column grid mode and list mode
-	 * @param	mode	mode to switch to, use one of the 'constants' (MODE_3COLUMN_GRID | MODE_LIST)
-	 */
-	setMode: function(mode) {
-		if(mode == this.MODE_3COLUMN_GRID) {
-			this.leftIncrement = -1;
-			this.upIncrement = -3;
-			this.rightIncrement = 1;
-			this.downIncrement = 3;
-			
-		} else if(mode == this.MODE_LIST) {
-			this.leftIncrement = 0;
-			this.upIncrement = -1;
-			this.rightIncrement = 0;
-			this.downIncrement = 1;
-		}
-	
-		this.setSelectedIndex(0);
-	}
+    
+    MODE_3COLUMN_GRID: 0, //Const
+    MODE_LIST: 1, //Const
+    
+    enabled:true,
+    
+    preventMouseEvents: false, //Indicates if mouseenter events should be handled
+    
+    selectedIndex: -1,
+    
+    /* Increments to use for each arrow key */
+    leftIncrement: -1,
+    upIncrement: -3,
+    rightIncrement: 1,
+    downIncrement: 3,
+    
+    itemSelector:'#organisationsContainer li',
+    selectedClass: 'selected',
+    allItems:{},
+    
+    /**
+     * Hooks up the keypress event
+     */
+    init: function() {
+        $(document).keydown(function(e) {
+            //We prevent selection with the mouse as long as keys are down, this is to prevent flickering and jumping selections
+            keyboardNavigator.preventMouseEvents = true;
+            if(keyboardNavigator.enabled == true) {
+                switch(e.which) {
+                    case 13: //Return
+                        keyboardNavigator.activate();
+                        break;
+                    
+                    case 37: //Left
+                        keyboardNavigator.navigate('left');
+                        break;
+                    
+                    case 38: //Up
+                        keyboardNavigator.navigate('up');
+                        break;
+                        
+                    case 39: //Right
+                        keyboardNavigator.navigate('right');
+                        break;
+                        
+                    case 40: //Down
+                        keyboardNavigator.navigate('down');
+                        break;
+                }
+            }
+        });
+        
+        $(document).keyup(function(e) {
+            //Allow mouse selected when no keys are down
+            keyboardNavigator.preventMouseEvents = false;
+        });
+        
+        //Update selectedClass on mouse movement
+        $(this.itemSelector).live('mouseenter', function() {
+            //Handle mouse events only if they aren't prevented
+            if(keyboardNavigator.preventMouseEvents == false) {
+                keyboardNavigator.setSelectedIndex($(this).index() );
+            }
+        });
+    },
+    
+    
+    determineSelectedIndex: function() {
+        //Determine selected index based on selectedClass
+        this.selectedIndex = $(this.itemSelector + '.' + this.selectedClass).index();
+    },
+    
+    
+    /**
+     * Updates the selectedIndex and calls updateSelectionHTML when done
+     */
+    navigate: function(direction) {
+        //If there is no selection, we go to the first any in any case
+        
+        if(this.selectedIndex == -1) {
+            this.selectedIndex = 0;
+        } else {
+            
+            //Check the direction and increment or decrement the selectedIndex
+            if(direction == 'left') {
+                this.selectedIndex = this.selectedIndex + this.leftIncrement;
+            
+            } else if(direction == 'right') {
+                this.selectedIndex = this.selectedIndex + this.rightIncrement;
+            
+            } else if(direction == 'up') {
+                this.selectedIndex = this.selectedIndex + this.upIncrement;
+            
+            } else if (direction == 'down') {
+                this.selectedIndex = this.selectedIndex + this.downIncrement;
+            }
+            
+            //Make sure the selectedIndex is not out of bounds
+            if(this.selectedIndex < 0 ) {
+                this.selectedIndex = 0;
+            } else if(this.selectedIndex > $(this.itemSelector).size() - 1 ) {
+                this.selectedIndex = $(this.itemSelector).size() - 1;
+            }
+        }
+        
+        this.updateSelectionHTML();
+    },
+    
+    
+    /**
+     * Updates the html to reflect the selectedIndex
+     */
+    updateSelectionHTML: function() {
+        $(this.itemSelector).removeClass(this.selectedClass);
+        
+        var selectedItem = $(this.itemSelector).eq(this.selectedIndex);
+        selectedItem.addClass(this.selectedClass);
+        selectedItem.focus();
+    },
+    
+    /**
+     * Calls the onclick handler on the selected element
+     */
+    activate: function() {
+        $(this.itemSelector).eq(this.selectedIndex).click();
+    },
+    
+    /**
+     * Set selected index
+     * @param    index    new selected index
+     */
+    setSelectedIndex: function(index) {
+        this.selectedIndex = index;
+        this.updateSelectionHTML();
+    },
+    
+    
+    /**
+     * Switches between 3 column grid mode and list mode
+     * @param    mode    mode to switch to, use one of the 'constants' (MODE_3COLUMN_GRID | MODE_LIST)
+     */
+    setMode: function(mode) {
+        if(mode == this.MODE_3COLUMN_GRID) {
+            this.leftIncrement = -1;
+            this.upIncrement = -3;
+            this.rightIncrement = 1;
+            this.downIncrement = 3;
+            
+        } else if(mode == this.MODE_LIST) {
+            this.leftIncrement = 0;
+            this.upIncrement = -1;
+            this.rightIncrement = 0;
+            this.downIncrement = 1;
+        }
+    
+        this.setSelectedIndex(0);
+    }
 };
\ No newline at end of file
diff --git a/www/authentication/javascript/profile.js b/www/authentication/javascript/profile.js
index 8577b6fb90..80941178f2 100644
--- a/www/authentication/javascript/profile.js
+++ b/www/authentication/javascript/profile.js
@@ -1,27 +1,3 @@
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
-
 var Profile = function() {
 
     var module = {
@@ -58,7 +34,7 @@ var Profile = function() {
                 // reset all icons
                 table.find('span.ui-icon').each(function() {
                     $(this).removeClass('ui-icon-triangle-1-s').removeClass('ui-icon-triangle-1-e').addClass('ui-icon-triangle-1-e');
-                })
+                });
 
                 if (isOpen) {
                     nextRow.find('div.attribute-table-wrapper').slideUp(500, function() {
@@ -93,4 +69,4 @@ var Profile = function() {
     };
 
     return module;
-}
+};
diff --git a/www/authentication/javascript/screen.js b/www/authentication/javascript/screen.js
index 3be4580fc3..e2582b5784 100644
--- a/www/authentication/javascript/screen.js
+++ b/www/authentication/javascript/screen.js
@@ -1,31 +1,7 @@
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
-
 $(document).ready(function() {
     var screen = new Screen();
     screen.init();
-})
+});
 
 var Screen = function() {
 
@@ -49,4 +25,4 @@ var Screen = function() {
     };
 
     return module;
-}
\ No newline at end of file
+};
\ No newline at end of file
diff --git a/www/profile/index.php b/www/profile/index.php
index 61d0a72419..2705d3955c 100644
--- a/www/profile/index.php
+++ b/www/profile/index.php
@@ -1,27 +1,4 @@
 <?php
-/**
- * SURFconext EngineBlock
- *
- * LICENSE
- *
- * Copyright 2011 SURFnet bv, The Netherlands
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and limitations under the License.
- *
- * @category  SURFconext EngineBlock
- * @package
- * @copyright Copyright © 2010-2011 SURFnet SURFnet bv, The Netherlands (http://www.surfnet.nl)
- * @license   http://www.apache.org/licenses/LICENSE-2.0  Apache License 2.0
- */
 
 require '../../library/EngineBlock/ApplicationSingleton.php';