diff --git a/.editorconfig b/.editorconfig
index 9752871..566a1a3 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -11,5 +11,15 @@ insert_final_newline = true
 max_line_length = 120
 
 [*.{yml,yaml,yml.j2,yaml.j2}]
-max_line_length = 120
 indent_size = 2
+
+[*.json]
+indent_size = 2
+max_line_length = 180
+
+[*.xml]
+indent_size = 2
+
+
+[*.sh]
+indent_style = tab
diff --git a/core/README.md b/core/README.md
index 7b5aa1f..7bb6eb3 100644
--- a/core/README.md
+++ b/core/README.md
@@ -25,6 +25,7 @@ You will also need to tell your local machine where to find the hosts.
 Add the following line in your hosts file (/etc/hosts )
 ```
 127.0.0.1 engine.dev.openconext.local manage.dev.openconext.local profile.dev.openconext.local engine-api.dev.openconext.local mujina-idp.dev.openconext.local profile.dev.openconext.local connect.dev.openconext.local teams.dev.openconext.local voot.dev.openconext.local pdp.dev.openconext.local invite.dev.openconext.local welcome.dev.openconext.local
+::1       engine.dev.openconext.local manage.dev.openconext.local profile.dev.openconext.local engine-api.dev.openconext.local mujina-idp.dev.openconext.local profile.dev.openconext.local connect.dev.openconext.local teams.dev.openconext.local voot.dev.openconext.local pdp.dev.openconext.local invite.dev.openconext.local welcome.dev.openconext.local
 ```
 
 If all goes wel, you can now login. Please see the section below to find out where you can login.
@@ -69,7 +70,7 @@ Since the OpenConext suite is composed of multiple docker containers, you can us
 
 If you want to start all services, you can use extras. A profile can be started by using the --profile argument to the `docker compose up` command. For example:
 ```
-docker compose up -d --profile extras
+docker compose --profile extras up -d
 ```
 
 # Starting a PHP project in development mode (only lifecycle, profile and engineblock)
diff --git a/core/docker-compose.yml b/core/docker-compose.yml
index 385a915..a0eefca 100644
--- a/core/docker-compose.yml
+++ b/core/docker-compose.yml
@@ -37,49 +37,63 @@ services:
       - openconext_mariadb:/var/lib/mysql
     healthcheck:
       test: ["CMD", "mysqladmin", "-uroot", "-psecret", "ping", "-h", "localhost"]
-      timeout: 5s
-      retries: 10
+      interval: 10s
+      timeout: 3s
+      retries: 5
     hostname: mariadb.docker
     ports:
       - 3306:3306
 
   mongo:
-    image: bitnami/mongodb:7.0
+    image: mongo:7
     environment:
-      MONGO_INITDB_ROOT_USERNAME: root
-      MONGO_INITDB_ROOT_PASSWORD: secret
-      MONGODB_ROOT_PASSWORD: secret
-      MONGODB_REPLICA_SET_NAME: openconext
-      MONGODB_REPLICA_SET_MODE: primary
-      MONGODB_REPLICA_SET_KEY: secretsecret
-      MONGODB_ADVERTISED_HOSTNAME: mongodb
+      MONGO_INITDB_ROOT_USERNAME: ${MONGODB_USERNAME:-root}
+      MONGO_INITDB_ROOT_PASSWORD: ${MONGODB_PASSWORD:-secret}
+      MONGO_REPLICA_SET_NAME: ${MONGODB_RS_NAME:-openconext}
     volumes:
       - ./mongo/:/docker-entrypoint-initdb.d/
-      - openconext_mongodb:/bitnami/mongodb
+      - openconext_mongodb:/data/db
     healthcheck:
-      test: ['CMD', 'true']
-      # test:
-      #   [
-      #     "CMD",
-      #     "mongosh",
-      #     "-u",
-      #     "managerw",
-      #     "-p",
-      #     "secret",
-      #     "--eval",
-      #     "db.stats().ok",
-      #     "mongodb://127.0.0.1/manage",
-      #   ]
-      interval: 10s
-      timeout: 10s
-      retries: 3
-      start_period: 20s
+      test: |
+        # Apart from implementing a regular healthcheck, we also use it here to initialize
+        # the Mongo replication set
+        mongosh -u $${MONGO_INITDB_ROOT_USERNAME} -p $${MONGO_INITDB_ROOT_PASSWORD} --eval '
+          try {
+            rs.status().ok;
+          }
+          catch ({ name, message }) {
+            print("error:" + name);
+            print("message:" + message);
+            if (name=="MongoServerError" && message.includes("no replset config has been received")) {
+              rs.initiate({
+                _id : "$${MONGO_REPLICA_SET_NAME}",
+                members: [ { _id: 0, host: "mongodb:27017" } ]
+              });
+              rs.status().ok;
+            }
+          };
+        '
+      interval: 5s
+      timeout: 3s
+      retries: 5
+    entrypoint: >
+      bash -c '
+          openssl rand -base64 756 > /keyfile \
+          && chown mongodb:mongodb /keyfile \
+          && chmod 400 /keyfile \
+          && exec docker-entrypoint.sh $$@
+      '
+    command: |
+      mongod --bind_ip_all --replSet $${MONGO_REPLICA_SET_NAME} --keyFile /keyfile
+    restart: always
+    ports:
+      - "27017:27017"
     networks:
       coreconextdev:
     hostname: mongodb
 
   engine:
-    image: ghcr.io/openconext/openconext-engineblock/openconext-engineblock:prod
+    image: ghcr.io/openconext/openconext-engineblock/openconext-engineblock:6.15.4
     volumes:
       - ./:/config
     networks:
@@ -110,7 +124,7 @@ services:
     hostname: profile.docker
 
   mujina-idp:
-    image: ghcr.io/openconext/mujina/mujina-idp:8.0.12
+    image: ghcr.io/openconext/mujina/mujina-idp:latest
     volumes:
       - ./:/config
     networks:
@@ -119,7 +133,7 @@ services:
     hostname: mujina.docker
 
   managegui:
-    image: ghcr.io/openconext/openconext-manage/manage-gui:latest
+    image: ghcr.io/openconext/openconext-manage/manage-gui:9.1
     environment:
       HTTPD_CSP: ""
       HTTPD_SERVERNAME: "manage.dev.openconext.local"
@@ -141,7 +155,7 @@ services:
         condition: service_healthy
 
   manageserver:
-    image: ghcr.io/openconext/openconext-manage/manage-server:latest
+    image: ghcr.io/openconext/openconext-manage/manage-server:9.1
     environment:
       USE_SYSTEM_CA_CERTS: true
     volumes:
@@ -192,7 +206,7 @@ services:
       - "extras"
 
   oidcplaygroundgui:
-    image: ghcr.io/openconext/openconext-oidc-playground/oidc-playground-gui:3.0.1
+    image: ghcr.io/openconext/openconext-oidc-playground/oidc-playground-gui:latest
     networks:
       coreconextdev:
     hostname: oidcplagroundgui.docker
@@ -202,7 +216,7 @@ services:
       - "extras"
 
   oidcplaygroundserver:
-    image: ghcr.io/openconext/openconext-oidc-playground/oidc-playground-server:3.0.1
+    image: ghcr.io/openconext/openconext-oidc-playground/oidc-playground-server:latest
     environment:
       USE_SYSTEM_CA_CERTS: true
     volumes:
@@ -220,7 +234,7 @@ services:
       - "extras"
 
   teamsgui:
-    image: ghcr.io/openconext/openconext-teams-ng/teams-gui:9.3.1
+    image: ghcr.io/openconext/openconext-teams-ng/teams-gui:latest
     volumes:
       - ./:/config
     environment:
@@ -245,7 +259,7 @@ services:
       - "extras"
 
   teamsserver:
-    image: ghcr.io/openconext/openconext-teams-ng/teams-server:9.3.1
+    image: ghcr.io/openconext/openconext-teams-ng/teams-server:latest
     environment:
       USE_SYSTEM_CA_CERTS: true
     volumes:
@@ -280,7 +294,7 @@ services:
       - "extras"
 
   inviteclient:
-    image: ghcr.io/openconext/openconext-invite/inviteclient:0.0.23
+    image: ghcr.io/openconext/openconext-invite/inviteclient:snapshot
     volumes:
       - ./:/config
     environment:
diff --git a/core/engine/parameters.yml b/core/engine/parameters.yml
index 9d0a8b7..b0f3b75 100644
--- a/core/engine/parameters.yml
+++ b/core/engine/parameters.yml
@@ -1,151 +1,151 @@
 # This file is auto-generated during the composer install
 parameters:
-    secret: secret
-    domain: dev.openconext.local
-    hostname: engine.dev.openconext.local
-    trusted_proxies:
-        - 192.168.1.1
-        - 10.0.0.1
-    enabled_languages:
-        - nl
-        - en
-    attribute_definition_file_path: '%kernel.project_dir%/application/configs/attributes.json'
-    encryption_keys:
-        default:
-            publicFile: /config/engine/engineblock.crt
-            privateFile: /config/engine/engineblock.pem
-    forbidden_signature_methods: {  }
-    allowed_acs_location_schemes:
-        - http
-        - https
-    metadata_add_requested_attributes: all
-    php_settings:
-        memory_limit: 256M
-        display_errors: '1'
-        error_reporting: '6135'
-        date.timezone: Europe/Amsterdam
-        sendmail_from: 'OpenConext EngineBlock <openconext-engineblock@openconext.org>'
-    http_client.timeout: 60
-    api.users.metadataPush.username: manage
-    api.users.metadataPush.password: secret
-    api.users.profile.username: profile
-    api.users.profile.password: secret
-    api.users.deprovision.username: lifecycle
-    api.users.deprovision.password: secret
-    pdp.host: 'https://pdp.dev.openconext.local'
-    pdp.username: pdp_admin
-    pdp.password: secret
-    pdp.client_id: EngineBlock
-    pdp.policy_decision_point_path: /pdp/api/decide/policy
-    attribute_aggregation.base_url: 'https://aa.dev.openconext.local/internal/attribute/aggregation'
-    attribute_aggregation.username: eb
-    attribute_aggregation.password: secret
-    logger.channel: engineblock
-    logger.fingers_crossed.passthru_level: NOTICE
-    logger.fingers_crossed.action_level: ERROR
-    logger.line_format: '[%%datetime%%] %%channel%%.%%level_name%%: %%message%% %%extra%% %%context%%'
-    database.host: mariadb
-    database.port: '3306'
-    database.user: ebrw
-    database.password: secret
-    database.dbname: eb
-    database.test.host: mariadb
-    database.test.port: '3306'
-    database.test.user: ebrw
-    database.test.password: secret
-    database.test.dbname: eb
-    engineblock.metadata_push_memory_limit: 256M
-    minimum_execution_time_on_invalid_received_response: 5000
-    addgueststatus_guestqualifier: 'urn:collab:org:dev.openconext.local'
-    cookie.path: /
-    cookie.secure: true
-    cookie.locale.domain: .dev.openconext.local
-    cookie.locale.expiry: 5184000
-    cookie.locale.http_only: false
-    cookie.locale.secure: true
-    view_default_title: OpenConext
-    view_default_header: OpenConext
-    view_default_logo: /images/logo.png
-    view_default_logo_width: 96
-    view_default_logo_height: 96
-    env_name: ''
-    env_ribbon_color: ''
-    ui_return_to_sp_link: false
-    email_request_access_address: help@example.org
-    monitor_database_health_check_query: 'SELECT uuid FROM user LIMIT 1;'
-    wayf.cutoff_point_for_showing_unfiltered_idps: 50
-    wayf.remember_choice: false
-    wayf.display_default_idp_banner_on_wayf: true
-    wayf.default_idp_entity_id: 'https://default-idp.dev.openconext.local'
-    global.site_notice.show: false
-    global.site_notice.allowed.tags: '<a><u><i><br><wbr><strong><em><blink><marquee><p><ul><ol><dl><li><dd><dt><div><span><blockquote><hr><h2></h2><h3><h4><h5><h6>'
-    time_frame_for_authentication_loop_in_seconds: 60
-    maximum_authentication_procedures_allowed: 5
-    maximum_authentications_per_session: 5
-    consent_store_values: true
-    email_idp_debugging:
-        from:
-            name: 'OpenConext EngineBlock'
-            address: no-reply@example.org
-        to:
-            address: coin-logs-dev@list.surfnet.nl
-            name: 'OpenConext Admin'
-        subject: 'IdP debug info from %%1$s'
-    mailer_transport: smtp
-    mailer_host: localhost
-    mailer_port: '25'
-    mailer_user: ''
-    mailer_password: ''
-    feature_eb_encrypted_assertions: true
-    feature_eb_encrypted_assertions_require_outer_signature: true
-    feature_api_metadata_push: true
-    feature_api_consent_listing: true
-    feature_api_consent_remove: true
-    feature_api_metadata_api: true
-    feature_api_deprovision: true
-    feature_run_all_manipulations_prior_to_consent: false
-    feature_block_user_on_violation: false
-    feature_enable_consent: true
-    feature_stepup_sfo_override_engine_entityid: false
-    feature_enable_idp_initiated_flow: true
-    feature_enable_sram_interrupt: true
-    profile_base_url: 'https://profile.dev.openconext.local'
-    stepup.authn_context_class_ref_blacklist_regex: '/http:\/\/vm\.openconext\.org\/assurance\/loa[1-3]/'
-    stepup.loa.mapping:
-        10:
-            engineblock: 'http://dev.openconext.local/assurance/loa1'
-            gateway: 'http://dev.openconext.local/assurance/loa1'
-        15:
-            engineblock: 'http://dev.openconext.local/assurance/loa1_5'
-            gateway: 'http://dev.openconext.local/assurance/loa1_5'
-        20:
-            engineblock: 'http://dev.openconext.local/assurance/loa2'
-            gateway: 'http://dev.openconext.local/assurance/loa2'
-        30:
-            engineblock: 'http://dev.openconext.local/assurance/loa3'
-            gateway: 'http://dev.openconext.local/assurance/loa3'
-    stepup.loa.loa1: 'http://dev.openconext.local/assurance/loa1'
-    stepup.gateway.sfo.entity_id: 'https://gateway.dev.openconext.local/second-factor-only/metadata'
-    stepup.gateway.sfo.sso_location: 'https://gateway.dev.openconext.local/second-factor-only/single-sign-on'
-    stepup.gateway.sfo.key_file: /config/engine/engineblock.crt
-    stepup.sfo.override_engine_entityid: ''
-    theme.name: skeune
-    feature_enable_sso_notification: false
-    sso_notification_encryption_algorithm: AES-256-CBC
-    sso_notification_encryption_key: '<xxx>'
-    sso_notification_encryption_key_salt: '<xxx>'
-    feature_enable_sso_session_cookie: false
-    sso_session_cookie_max_age: 0
-    auth.log.attributes: {  }
+  secret: secret
+  domain: dev.openconext.local
+  hostname: engine.dev.openconext.local
+  trusted_proxies:
+    - 192.168.1.1
+    - 10.0.0.1
+  enabled_languages:
+    - nl
+    - en
+  attribute_definition_file_path: '%kernel.project_dir%/../application/configs/attributes.json'
+  encryption_keys:
+    default:
+      publicFile: /config/engine/engineblock.crt
+      privateFile: /config/engine/engineblock.pem
+  forbidden_signature_methods: {  }
+  allowed_acs_location_schemes:
+    - http
+    - https
+  metadata_add_requested_attributes: all
+  php_settings:
+    memory_limit: 256M
+    display_errors: '1'
+    error_reporting: '6135'
+    date.timezone: Europe/Amsterdam
+    sendmail_from: 'OpenConext EngineBlock <openconext-engineblock@openconext.org>'
+  http_client.timeout: 60
+  api.users.metadataPush.username: manage
+  api.users.metadataPush.password: secret
+  api.users.profile.username: profile
+  api.users.profile.password: secret
+  api.users.deprovision.username: lifecycle
+  api.users.deprovision.password: secret
+  pdp.host: 'https://pdp.dev.openconext.local'
+  pdp.username: pdp_admin
+  pdp.password: secret
+  pdp.client_id: EngineBlock
+  pdp.policy_decision_point_path: /pdp/api/decide/policy
+  attribute_aggregation.base_url: 'https://aa.dev.openconext.local/internal/attribute/aggregation'
+  attribute_aggregation.username: eb
+  attribute_aggregation.password: secret
+  logger.channel: engineblock
+  logger.fingers_crossed.passthru_level: NOTICE
+  logger.fingers_crossed.action_level: ERROR
+  logger.line_format: '[%%datetime%%] %%channel%%.%%level_name%%: %%message%% %%extra%% %%context%%'
+  database.host: mariadb
+  database.port: '3306'
+  database.user: ebrw
+  database.password: secret
+  database.dbname: eb
+  database.test.host: mariadb
+  database.test.port: '3306'
+  database.test.user: ebrw
+  database.test.password: secret
+  database.test.dbname: eb
+  engineblock.metadata_push_memory_limit: 256M
+  minimum_execution_time_on_invalid_received_response: 5000
+  addgueststatus_guestqualifier: 'urn:collab:org:dev.openconext.local'
+  cookie.path: /
+  cookie.secure: true
+  cookie.locale.domain: .dev.openconext.local
+  cookie.locale.expiry: 5184000
+  cookie.locale.http_only: false
+  cookie.locale.secure: true
+  view_default_title: OpenConext
+  view_default_header: OpenConext
+  view_default_logo: /images/logo.png
+  view_default_logo_width: 96
+  view_default_logo_height: 96
+  env_name: ''
+  env_ribbon_color: ''
+  ui_return_to_sp_link: false
+  email_request_access_address: help@example.org
+  monitor_database_health_check_query: 'SELECT uuid FROM user LIMIT 1;'
+  wayf.cutoff_point_for_showing_unfiltered_idps: 50
+  wayf.remember_choice: false
+  wayf.display_default_idp_banner_on_wayf: true
+  wayf.default_idp_entity_id: 'https://default-idp.dev.openconext.local'
+  global.site_notice.show: false
+  global.site_notice.allowed.tags: '<a><u><i><br><wbr><strong><em><blink><marquee><p><ul><ol><dl><li><dd><dt><div><span><blockquote><hr><h2></h2><h3><h4><h5><h6>'
+  time_frame_for_authentication_loop_in_seconds: 60
+  maximum_authentication_procedures_allowed: 5
+  maximum_authentications_per_session: 5
+  consent_store_values: true
+  email_idp_debugging:
+    from:
+      name: 'OpenConext EngineBlock'
+      address: no-reply@example.org
+    to:
+      address: coin-logs-dev@list.surfnet.nl
+      name: 'OpenConext Admin'
+    subject: 'IdP debug info from %%1$s'
+  mailer_transport: smtp
+  mailer_host: localhost
+  mailer_port: '25'
+  mailer_user: ''
+  mailer_password: ''
+  feature_eb_encrypted_assertions: true
+  feature_eb_encrypted_assertions_require_outer_signature: true
+  feature_api_metadata_push: true
+  feature_api_consent_listing: true
+  feature_api_consent_remove: true
+  feature_api_metadata_api: true
+  feature_api_deprovision: true
+  feature_run_all_manipulations_prior_to_consent: false
+  feature_block_user_on_violation: false
+  feature_enable_consent: true
+  feature_stepup_sfo_override_engine_entityid: false
+  feature_enable_idp_initiated_flow: true
+  feature_enable_sram_interrupt: true
+  profile_base_url: 'https://profile.dev.openconext.local'
+  stepup.authn_context_class_ref_blacklist_regex: '/http:\/\/vm\.openconext\.org\/assurance\/loa[1-3]/'
+  stepup.loa.mapping:
+    10:
+      engineblock: 'http://dev.openconext.local/assurance/loa1'
+      gateway: 'http://dev.openconext.local/assurance/loa1'
+    15:
+      engineblock: 'http://dev.openconext.local/assurance/loa1_5'
+      gateway: 'http://dev.openconext.local/assurance/loa1_5'
+    20:
+      engineblock: 'http://dev.openconext.local/assurance/loa2'
+      gateway: 'http://dev.openconext.local/assurance/loa2'
+    30:
+      engineblock: 'http://dev.openconext.local/assurance/loa3'
+      gateway: 'http://dev.openconext.local/assurance/loa3'
+  stepup.loa.loa1: 'http://dev.openconext.local/assurance/loa1'
+  stepup.gateway.sfo.entity_id: 'https://gateway.dev.openconext.local/second-factor-only/metadata'
+  stepup.gateway.sfo.sso_location: 'https://gateway.dev.openconext.local/second-factor-only/single-sign-on'
+  stepup.gateway.sfo.key_file: /config/engine/engineblock.crt
+  stepup.sfo.override_engine_entityid: ''
+  theme.name: skeune
+  feature_enable_sso_notification: false
+  sso_notification_encryption_algorithm: AES-256-CBC
+  sso_notification_encryption_key: '<xxx>'
+  sso_notification_encryption_key_salt: '<xxx>'
+  feature_enable_sso_session_cookie: false
+  sso_session_cookie_max_age: 0
+  auth.log.attributes: {  }
 
-    sram.api_token: secret
-    sram.base_url: 'https://sbs.dev.openconext.local/api/users/'
-    sram.authz_location: authz_eb
-    sram.attributes_location: attributes_eb
-    sram.interrupt_location: interrupt
-    sram.verify_peer: false
-    sram.allowed_attributes:
-        - 'urn:mace:dir:attribute-def:eduPersonEntitlement'
-        - 'urn:mace:dir:attribute-def:uid'
-        - 'urn:mace:dir:attribute-def:eduPersonPrincipalName'
-        - 'urn:mace:surf.nl:attribute-def:ssh-key'
+  sram.api_token: secret
+  sram.base_url: 'https://sbs.dev.openconext.local/api/users/'
+  sram.authz_location: authz_eb
+  sram.attributes_location: attributes_eb
+  sram.interrupt_location: interrupt
+  sram.verify_peer: false
+  sram.allowed_attributes:
+    - 'urn:mace:dir:attribute-def:eduPersonEntitlement'
+    - 'urn:mace:dir:attribute-def:uid'
+    - 'urn:mace:dir:attribute-def:eduPersonPrincipalName'
+    - 'urn:mace:surf.nl:attribute-def:ssh-key'
diff --git a/core/manage/application.yml b/core/manage/application.yml
index 2709b5c..05cd57c 100644
--- a/core/manage/application.yml
+++ b/core/manage/application.yml
@@ -1,4 +1,3 @@
----
 cookie:
   secure: true
   # Options are 'Strict', 'Lax' or 'None'
@@ -10,8 +9,6 @@ environment: DEV
 server:
   # The port to where this Spring Boot application listens to.
   port: 8080
-  tomcat:
-    max-threads: 1
   error:
     path: "/error"
   server-header:
@@ -23,7 +20,7 @@ server:
       cookie:
         secure: true
 
-features: push, push_preview, validation, orphans, find_my_data
+features: push, push_preview, validation, orphans, find_my_data, edugain, auto_refresh
 
 push:
   eb:
@@ -47,14 +44,14 @@ push:
     name: PdP
     user: pdp_admin
     password: "secret"
-    enabled: False
+    enabled: True
 
 product:
   name: Manage
   organization: OpenConext DEV
   service_provider_feed_url: http://mds.edugain.org/edugain-v2.xml
   supported_languages: en,nl
-  show_oidc_rp: true
+  show_oidc_rp: True
 
 metadata_configuration_path: file:///config/metadata_configuration/
 metadata_templates_path: file:///config/metadata_templates/
@@ -72,10 +69,10 @@ crypto:
   public-key-location: classpath:nope
   enabled: False
 
-# Can also be file system resources like file://{{ manage_dir }}/policies/allowed_attributes.json
+# Can also be a file system resource like file:///config//policies/allowed_attributes.json
 policies:
-  allowed_attributes: classpath:/policies/allowed_attributes.json
-  extra_saml_attributes: classpath:/policies/extra_saml_attributes.json
+  allowed_attributes: file:///config//policies/allowed_attributes.json
+  extra_saml_attributes: file:///config//policies/extra_saml_attributes.json
 
 spring:
   mail:
@@ -86,11 +83,6 @@ spring:
       uri: mongodb://managerw:secret@mongo:27017/manage?ssl=false
   main:
     banner-mode: "off"
-  datasource:
-    url: jdbc:mysql://mariadb:3306/pdp?permitMysqlScheme
-    username: pdprw
-    password: secret
-    driverClassName: org.mariadb.jdbc.Driver
 
 gui:
   disclaimer:
@@ -110,6 +102,8 @@ management:
   health:
     mail:
       enabled: true
+    db:
+      enabled: True
   endpoints:
     web:
       exposure:
diff --git a/core/manage/metadata_configuration/oidc10_rp.schema.json b/core/manage/metadata_configuration/oidc10_rp.schema.json
index ce2829a..2ecee34 100644
--- a/core/manage/metadata_configuration/oidc10_rp.schema.json
+++ b/core/manage/metadata_configuration/oidc10_rp.schema.json
@@ -130,8 +130,9 @@
         "invite",
         "manage",
         "orcid",
-        "sab",
+        "sabrest",
         "voot",
+        "institution"
       ],
       "properties": {
         "enabled": {
@@ -227,7 +228,8 @@
             },
             "urn:mace:surf.nl:attribute-def:surf-autorisaties": {
               "$ref": "#/definitions/ArpAttribute",
-              "alias": "urn:oid:1.3.6.1.4.1.1076.20.100.10.50.10"
+              "alias": "urn:oid:1.3.6.1.4.1.1076.20.100.10.50.10",
+              "multiplicity": true
             },
             "urn:mace:dir:attribute-def:isMemberOf": {
               "$ref": "#/definitions/ArpAttribute",
@@ -326,6 +328,11 @@
           "type": "number",
           "info": "The height of the logo found at logo:0:url in pixels."
         },
+        "coin:sp_specific_metadata": {
+          "type": "boolean",
+          "default": false,
+          "info": "Publish SP-specific metadata containing only whitelisted IdPs."
+        },
         "coin:push_enabled": {
           "type": "boolean",
           "default": false,
@@ -342,7 +349,7 @@
         },
         "coin:institution_id": {
           "type": "string",
-          "info": "The defined client code. Generally an abbreviation of the name of the client."
+          "info": "Deprecated. Use coin:institution_guid. The defined client code. Generally an abbreviation of the name of the client."
         },
         "coin:institution_guid": {
           "type": "string",
@@ -555,7 +562,8 @@
               "authorization_code",
               "implicit",
               "refresh_token",
-              "client_credentials"
+              "client_credentials",
+              "urn:ietf:params:oauth:grant-type:device_code"
             ]
           },
           "info": "The authorisation grant type's of this Relying Party."
@@ -691,7 +699,6 @@
       "required": [
         "name:en",
         "OrganizationName:en",
-        "secret",
         "grants"
       ],
       "additionalProperties": false
diff --git a/core/manage/metadata_configuration/saml20_idp.schema.json b/core/manage/metadata_configuration/saml20_idp.schema.json
index 09d36b7..feb4264 100644
--- a/core/manage/metadata_configuration/saml20_idp.schema.json
+++ b/core/manage/metadata_configuration/saml20_idp.schema.json
@@ -275,19 +275,6 @@
           "type": "string",
           "info": "The name of the authority that can register a service provider or identity provider."
         },
-        "logo:0:url": {
-          "type": "string",
-          "format": "url",
-          "info": "Enter the URL to the logo used for this service. e.g. https://static.example-logo.nl/media/sp/logo.png."
-        },
-        "logo:0:width": {
-          "type": "number",
-          "info": "The width of the logo found at logo:0:url in pixels."
-        },
-        "logo:0:height": {
-          "type": "number",
-          "info": "The height of the logo found at logo:0:url in pixels."
-        },
         "redirect.sign": {
           "type": "boolean",
           "info": "Whether authentication requests to this IdP will be signed by Engineblock."
@@ -497,15 +484,56 @@
           "type": "string",
           "info": "This field defines searchable words in the WAYF dialogue for this Identity Provider."
         },
-        "^shibmd:scope:([0-9]{1}):allowed$": {
+        "^shibmd:scope:(1?[0-9]{1}):allowed$": {
           "type": "string",
-          "multiplicity": 10,
+          "multiplicity": 20,
           "info": "Select the allowed permissible attribute scope for the role. The scope is an attribute-specific concept used in Shibboleth to enhance the functionality of the attribute acceptance policy features."
         },
         "^shibmd:scope:([0-9]{1}):regexp$": {
           "type": "boolean",
           "multiplicity": 10,
           "info": "If not set or absent, the text content of the shibmd:Scope is interpreted as the literal scope value.  If not set the scope component of each scoped attribute value processed by the service provider MUST exactly match the value of <shibmd:Scope> element. If set, the text content of the shibmd:Scope is interpreted as specifying a regular expression.  If set, the scope component of each scoped attribute value processed by the service provider MUST match the regular expression."
+        },
+        "^logo:([0-9]{1}):url$": {
+          "type": "string",
+          "format": "url",
+          "multiplicity": 9,
+          "sibblingIndependent": true,
+          "info": "Enter the URL to the logo used for this service. e.g. https://static.example-logo.nl/media/sp/logo.png."
+        },
+        "^logo:([0-9]{1}):width$": {
+          "type": "number",
+          "multiplicity": 9,
+          "sibblingIndependent": true,
+          "info": "The width of the logo found at logo:x:url in pixels."
+        },
+        "^logo:([0-9]{1}):height$": {
+          "type": "number",
+          "multiplicity": 9,
+          "sibblingIndependent": true,
+          "info": "The height of the logo found at logo:x:url in pixels."
+        },
+        "^DiscoveryName:([0-9]{1}):en$": {
+          "type": "string",
+          "multiplicity": 9,
+          "sibblingIndependent": false,
+          "info": "The english discovery name(s) of the Identity Provider as displayed in applications."
+        },
+        "^DiscoveryName:([0-9]{1}):nl$": {
+          "type": "string",
+          "multiplicity": 9,
+          "sibblingIndependent": false,
+          "info": "The dutch discovery name(s) of the Identity Provider as displayed in applications."
+        },
+        "^keywords:([0-9]{1}):en$": {
+          "type": "string",
+          "multiplicity": 10,
+          "info": "This field defines searchable english words in the WAYF dialogue for this Identity Provider."
+        },
+        "^keywords:([0-9]{1}):nl$": {
+          "type": "string",
+          "multiplicity": 10,
+          "info": "This field defines searchable dutch words in the WAYF dialogue for this Identity Provider."
         }
       },
       "required": [
diff --git a/core/manage/metadata_templates/policy.template.json b/core/manage/metadata_templates/policy.template.json
new file mode 100644
index 0000000..71f2c50
--- /dev/null
+++ b/core/manage/metadata_templates/policy.template.json
@@ -0,0 +1,18 @@
+{
+  "metaDataFields": {},
+  "name": "",
+  "entityid": "",
+  "description": "",
+  "serviceProviderIds": [],
+  "identityProviderIds": [],
+  "attributes": [],
+  "loas": [],
+  "denyAdvice": "",
+  "denyRule": false,
+  "allAttributesMustMatch": false,
+  "userDisplayName": "",
+  "authenticatingAuthorityName": "",
+  "denyAdviceNl": "",
+  "active": true,
+  "type": "reg"
+}
diff --git a/core/manage/metadata_templates/sram.template.json b/core/manage/metadata_templates/sram.template.json
new file mode 100644
index 0000000..abdf1fb
--- /dev/null
+++ b/core/manage/metadata_templates/sram.template.json
@@ -0,0 +1,29 @@
+{
+  "entityid": "",
+  "state": "testaccepted",
+  "allowedall": true,
+  "arp": {
+    "enabled": false,
+    "attributes": {}
+  },
+  "metaDataFields": {
+    "name:en": "",
+    "OrganizationName:en": "",
+    "AssertionConsumerService:0:Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+    "AssertionConsumerService:0:Location": "https://trusted.proxy.acs.location.rules",
+    "NameIDFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
+    "coin:signature_method": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
+    "connection_type": "oidc_rp",
+    "secret": "",
+    "redirectUrls": [],
+    "grants": ["authorization_code"],
+    "coin:collab_enabled": true
+  },
+  "allowedEntities": [],
+  "autoRefresh": {
+    "enabled": false,
+    "allowAll": false,
+    "fields": {
+    }
+  }
+}
diff --git a/core/manage/policies/allowed_attributes.json b/core/manage/policies/allowed_attributes.json
new file mode 100644
index 0000000..f6a048a
--- /dev/null
+++ b/core/manage/policies/allowed_attributes.json
@@ -0,0 +1,40 @@
+[
+  {
+    "value": "urn:mace:terena.org:attribute-def:schacHomeOrganization",
+    "label": "Schac home organization"
+  },
+  {
+    "value": "urn:mace:terena.org:attribute-def:schacHomeOrganizationType",
+    "label": "Schac home organization type"
+  },
+  {
+    "value": "urn:mace:dir:attribute-def:eduPersonAffiliation",
+    "label": "Edu person affiliation"
+  },
+  {
+    "value": "urn:mace:dir:attribute-def:eduPersonScopedAffiliation",
+    "label": "Edu person scoped affiliation"
+  },
+  {
+    "value": "urn:mace:dir:attribute-def:eduPersonEntitlement",
+    "label": "Edu person entitlement"
+  },
+  {
+    "value": "urn:mace:dir:attribute-def:isMemberOf",
+    "label": "Is-member-of"
+  },
+  {
+    "value": "urn:collab:group:surfteams.nl",
+    "label": "SURFteams group name (fully qualified)"
+  },
+  {
+    "value": "urn:collab:sab:surfnet.nl",
+    "label": "SAB role"
+
+  },
+  {
+    "value": "urn:mace:dir:attribute-def:mail",
+    "label": "Mail address"
+
+  }
+]
\ No newline at end of file
diff --git a/core/manage/policies/extra_saml_attributes.json b/core/manage/policies/extra_saml_attributes.json
new file mode 100644
index 0000000..5f44ef7
--- /dev/null
+++ b/core/manage/policies/extra_saml_attributes.json
@@ -0,0 +1,11 @@
+[
+  {
+    "value": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
+    "label": "Unspecified name ID"
+  },
+  {
+    "value": "urn:mace:surfnet.nl:collab:xacml-attribute:ip-address",
+    "label": "IP Address"
+  }
+
+]
\ No newline at end of file
diff --git a/core/mujina/logback.xml b/core/mujina/logback.xml
index 1c2ddfb..77d2472 100644
--- a/core/mujina/logback.xml
+++ b/core/mujina/logback.xml
@@ -1,11 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <configuration>
 
- <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
-  <encoder>
-     <pattern>%d{ISO8601} %5p [%t] %logger{40}:%L - %m%n</pattern>
-   </encoder>
- </appender>
+  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
+    <encoder>
+      <pattern>%d{ISO8601} %5p [%t] %logger{40}:%L - %m%n</pattern>
+    </encoder>
+  </appender>
 
   <logger name="mujina" level="DEBUG"/>
 
@@ -13,4 +13,3 @@
     <appender-ref ref="STDOUT" />
   </root>
 </configuration>
-
diff --git a/core/pdp/logback.xml b/core/pdp/logback.xml
index 5cfab66..7f2bba6 100644
--- a/core/pdp/logback.xml
+++ b/core/pdp/logback.xml
@@ -1,19 +1,19 @@
 <configuration>
-   <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
-      <encoder>
-        <pattern>%d{ISO8601} %5p [%t] %logger{40}:%L - %m%n</pattern>
-      </encoder>
-   </appender>
-   <appender name="STDOUT-DECISIONS" class="ch.qos.logback.core.ConsoleAppender">
-      <encoder>
-        <pattern>%logger{40}:%L %d{ISO8601} %5p [%t] - %m%n</pattern>
-      </encoder>
-   </appender>
-   <logger name="analytics" level="INFO" additivity="false">
-      <appender-ref ref="STDOUT-DECISIONS" />
-   </logger>
-   <logger name="pdp" level="DEBUG" />
-   <root level="WARN">
-      <appender-ref ref="STDOUT" />
-   </root>
+  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
+    <encoder>
+      <pattern>%d{ISO8601} %5p [%t] %logger{40}:%L - %m%n</pattern>
+    </encoder>
+  </appender>
+  <appender name="STDOUT-DECISIONS" class="ch.qos.logback.core.ConsoleAppender">
+    <encoder>
+      <pattern>%logger{40}:%L %d{ISO8601} %5p [%t] - %m%n</pattern>
+    </encoder>
+  </appender>
+  <logger name="analytics" level="INFO" additivity="false">
+    <appender-ref ref="STDOUT-DECISIONS" />
+  </logger>
+  <logger name="pdp" level="DEBUG" />
+  <root level="WARN">
+    <appender-ref ref="STDOUT" />
+  </root>
 </configuration>
diff --git a/core/sbs/config/disclaimer.css b/core/sbs/config/disclaimer.css
index e89bbfc..b56608f 100644
--- a/core/sbs/config/disclaimer.css
+++ b/core/sbs/config/disclaimer.css
@@ -1,6 +1,4 @@
-{% if environment_name!="prd" -%}
 body::after {
-    background: {{ sbs_disclaimer_color }};
-    content: "{{ sbs_disclaimer_label }}";
+    background: #cc00cc;
+    content: "DevConf";
 }
-{% endif %}
diff --git a/core/scripts/init.sh b/core/scripts/init.sh
index 4ea1548..2b234c6 100755
--- a/core/scripts/init.sh
+++ b/core/scripts/init.sh
@@ -3,7 +3,7 @@ RED='\033[0;31m'
 GREEN='\033[0;32m'
 ORANGE='\033[0;33m'
 NOCOLOR='\033[0m'
-CWD=$(dirname $0)
+CWD=$(dirname "$0")
 manageurl=https://manage.dev.openconext.local/manage/api/internal/
 
 set -e
@@ -48,16 +48,17 @@ for i in "$CWD"/*.json; do
 	url="$manageurl/search/$type"
 	json_body="{\"entityid\":\"$entityid\",\"REQUESTED_ATTRIBUTES\":[\"entityid\"],\"LOGICAL_OPERATOR_IS_AND\":true}"
 	set +e
-	command="docker compose exec managegui curl --fail-with-body -s -u sysadmin:secret -k -X POST -H \"Content-Type: application/json\" -d '$json_body' \"$url\""
-	a=$(docker compose exec managegui curl --fail-with-body -s -u sysadmin:secret -k -X POST -H "Content-Type: application/json" -d "$json_body" "$url")
+	command=(docker compose exec managegui curl --fail-with-body -s -u sysadmin:secret -k -X POST -H "Content-Type: application/json" -d "$json_body" "$url")
+	a=$( "${command[@]}" )
+	# shellcheck disable=SC2181
 	if [[ $? -ne 0 ]]; then
 		echo -e "${RED}Error while adding $entityid to manage${NOCOLOR}"
-		echo $command
-		echo $a
+		echo "${command[@]}"
+		echo "$a"
 		exit 1
 	fi
 	set -e
-	filename=$(basename $i)
+	filename=$(basename "$i")
 	if [[ $a == "[]" ]]; then
 		echo "$entityid not found, adding"
 		docker compose exec managegui curl -s -k -u sysadmin:secret -H 'Content-Type: application/json' -d @/config/scripts/"$filename" -XPOST "$manageurl"/metadata >/dev/null
@@ -73,7 +74,10 @@ printf "\n"
 echo -e "${RED}Please add the following line to your /etc/hosts:${NOCOLOR}${GREEN} \xE2\x9C\x94${NOCOLOR}"
 printf "\n"
 
-echo "127.0.0.1 engine.dev.openconext.local manage.dev.openconext.local profile.dev.openconext.local engine-api.dev.openconext.local mujina-idp.dev.openconext.local profile.dev.openconext.local connect.dev.openconext.local teams.dev.openconext.local voot.dev.openconext.local"
+# we need ipv6 here, because otherwise systems will first query mdns for ipv6 entries for the .local domain
+hosts="engine.dev.openconext.local manage.dev.openconext.local profile.dev.openconext.local engine-api.dev.openconext.local mujina-idp.dev.openconext.local profile.dev.openconext.local connect.dev.openconext.local teams.dev.openconext.local voot.dev.openconext.local"
+echo "127.0.0.1 $hosts"
+echo "::1       $hosts"
 
 printf "\n"
 echo "You can now login. If you want to bring the environment down, use the command below"