diff --git a/README.md b/README.md
index ec20c42b13004998c58f67981bf5e5b08610c9a6..393f27a0836ba2581c5ee5c203bc52f4bb0c1fee 100644
--- a/README.md
+++ b/README.md
@@ -47,6 +47,13 @@ The following services are defined via docker compose files.
 * provides the endpoint for external access
 * configured via docker labels
 
+### shibauth
+
+* based on the external unicon/shibboleth-sp:3.0.4 Apache + Shibboleth image
+* provides authentication and authorization via SAML2
+* docker configuration files set access control rules
+* traefik labels determine which services are protected via Shib
+
 ### database
 
 * based on external postgis:10 image
diff --git a/config/shibboleth/shibboleth2.xml b/config/shibboleth/dem-shibboleth2.xml
similarity index 89%
rename from config/shibboleth/shibboleth2.xml
rename to config/shibboleth/dem-shibboleth2.xml
index 2504a528513c3f82ba58d153481ace2700daa18a..2892d9ed918246a88ad960df2a9f3e36a1995877 100755
--- a/config/shibboleth/shibboleth2.xml
+++ b/config/shibboleth/dem-shibboleth2.xml
@@ -4,7 +4,7 @@
     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
     clockSkew="180">
-    <ApplicationDefaults entityID="https://emg.pdas.prism.eox.at/shibboleth"
+    <ApplicationDefaults entityID="https://dem.pass.copernicus.eu/shibboleth"
                          REMOTE_USER="eppn uid persistent-id targeted-id">
         <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                   checkAddress="false" handlerSSL="true" cookieProps="https">
@@ -23,7 +23,7 @@
         <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
         <AttributeResolver type="Query" subjectMatch="true"/>
         <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
-        <CredentialResolver type="File" key="/run/secrets/SHIB_KEY" certificate="/run/secrets/SHIB_CERT"/>
+        <CredentialResolver type="File" key="/run/secrets/DEM_SHIB_KEY" certificate="/run/secrets/DEM_SHIB_CERT"/>
     </ApplicationDefaults>
     <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
     <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
diff --git a/config/shibboleth/emg-shibboleth2.xml b/config/shibboleth/emg-shibboleth2.xml
new file mode 100644
index 0000000000000000000000000000000000000000..1f158494c62eefb7abc15f311d18b93b4e04c2a5
--- /dev/null
+++ b/config/shibboleth/emg-shibboleth2.xml
@@ -0,0 +1,31 @@
+<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    clockSkew="180">
+    <ApplicationDefaults entityID="https://emg.pass.copernicus.eu/shibboleth"
+                         REMOTE_USER="eppn uid persistent-id targeted-id">
+        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+                  checkAddress="false" handlerSSL="true" cookieProps="https">
+            <SSO entityID="https://umssoidp.cdsv3.eu:443/shibboleth">
+              SAML2 
+            </SSO>
+            <Logout>SAML2 Local</Logout>
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+        </Sessions>
+        <Errors supportContact="admin@eox.at"
+            helpLocation="/about.html"/>
+        <MetadataProvider type="XML" validate="false" path="idp-metadata.xml"/>
+        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+        <AttributeResolver type="Query" subjectMatch="true"/>
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+        <CredentialResolver type="File" key="/run/secrets/EMG_SHIB_KEY" certificate="/run/secrets/EMG_SHIB_CERT"/>
+    </ApplicationDefaults>
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
\ No newline at end of file
diff --git a/config/shibboleth/index.html b/config/shibboleth/index.html
index 7d20ce72118c9f755b70352b5ccf634dd01ea6b5..d1b182504b3959bb246951fad8f652018dd9572d 100644
--- a/config/shibboleth/index.html
+++ b/config/shibboleth/index.html
@@ -2,9 +2,10 @@
 <html lang="en">
 <head>
     <meta charset="UTF-8">
-    <title>APACHE TEST</title>
+    <title>Authentication Success</title>
 </head>
 <body>
-    <h1>TESTING APACHE</h1>   
+    <h1>Your login was successful and you were granted access to the service.
+      Please access the URL, which you originally requested. Proper redirection is not implemented yet.</h1>
 </body>
 </html>
diff --git a/config/shibboleth/native.logger b/config/shibboleth/native.logger
index d360b124af310af7eb625ebaf3f8b3092d06eb5c..1a854391ae2d4e2386f10c706d4736a423a432d6 100644
--- a/config/shibboleth/native.logger
+++ b/config/shibboleth/native.logger
@@ -1,5 +1,5 @@
 # set overall behavior
-log4j.rootCategory=DEBUG, native_log
+log4j.rootCategory=INFO, native_log
 
 # fairly verbose for DEBUG, so generally leave at WARN/INFO
 log4j.category.XMLTooling.XMLObject=WARN
diff --git a/config/shibboleth/shibd.logger b/config/shibboleth/shibd.logger
index c12b408902546b0fbef845dff37803bcbce430ad..909609dfcbb274cac05f838129cfc49e1ae2fd37 100644
--- a/config/shibboleth/shibd.logger
+++ b/config/shibboleth/shibd.logger
@@ -1,5 +1,5 @@
 # set overall behavior
-log4j.rootCategory=DEBUG, shibd_log, warn_log
+log4j.rootCategory=INFO, shibd_log, warn_log
 
 # fairly verbose for DEBUG, so generally leave at INFO
 log4j.category.XMLTooling.XMLObject=INFO
diff --git a/config/shibboleth/vhr18-shibboleth2.xml b/config/shibboleth/vhr18-shibboleth2.xml
new file mode 100644
index 0000000000000000000000000000000000000000..d18baeff32739944b9278a69cf112bc2aa5dc458
--- /dev/null
+++ b/config/shibboleth/vhr18-shibboleth2.xml
@@ -0,0 +1,31 @@
+<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    clockSkew="180">
+    <ApplicationDefaults entityID="https://vhr18.pass.copernicus.eu/shibboleth"
+                         REMOTE_USER="eppn uid persistent-id targeted-id">
+        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
+                  checkAddress="false" handlerSSL="true" cookieProps="https">
+            <SSO entityID="https://umssoidp.cdsv3.eu:443/shibboleth">
+              SAML2 
+            </SSO>
+            <Logout>SAML2 Local</Logout>
+            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
+            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
+            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
+        </Sessions>
+        <Errors supportContact="admin@eox.at"
+            helpLocation="/about.html"/>
+        <MetadataProvider type="XML" validate="false" path="idp-metadata.xml"/>
+        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
+        <AttributeResolver type="Query" subjectMatch="true"/>
+        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
+        <CredentialResolver type="File" key="/run/secrets/VHR18_SHIB_KEY" certificate="/run/secrets/VHR18_SHIB_CERT"/>
+    </ApplicationDefaults>
+    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
+    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
+
+</SPConfig>
\ No newline at end of file
diff --git a/docker-compose.dem.ops.yml b/docker-compose.dem.ops.yml
index d6023b09a6f17178e3a743f6365359e2103622d7..76fd67461278d52cfb2b160f99f34d4367ad6cc5 100644
--- a/docker-compose.dem.ops.yml
+++ b/docker-compose.dem.ops.yml
@@ -170,8 +170,8 @@ services:
     environment:
       APACHE_SERVERNAME: "https://dem.pass.copernicus.eu:443"
     secrets:
-      - SHIB_CERT
-      - SHIB_KEY
+      - DEM_SHIB_CERT
+      - DEM_SHIB_KEY
       - BASIC_AUTH_USERS_AUTH
     deploy:
       replicas: 1
@@ -226,8 +226,8 @@ configs:
     file: ./config/shibboleth/dem_pass-ac.xml
   shib-access-control-conf-cache:
     file: ./config/shibboleth/dem_pass-ac-cache.xml
-  shib-shibboleth2: # this will vary for collections
-    file: ./config/shibboleth/shibboleth2.xml
+  shib-shibboleth2:
+    file: ./config/shibboleth/dem-shibboleth2.xml
   shib-apache:
     file: ./config/shibboleth/shib-apache.conf
   shib-attribute-map:
@@ -241,9 +241,9 @@ configs:
   idp-metadata:
     external: true
 secrets:
-  SHIB_CERT:
+  DEM_SHIB_CERT:
     external: true
-  SHIB_KEY:
+  DEM_SHIB_KEY:
     external: true
   BASIC_AUTH_USERS_AUTH:
     external: true
diff --git a/docker-compose.emg.ops.yml b/docker-compose.emg.ops.yml
index 86bea982b066eda5407ad9dfb92e8218d821dfe2..9e9a9c8c4c16817ef0cd0fa46d294fda19e242f8 100644
--- a/docker-compose.emg.ops.yml
+++ b/docker-compose.emg.ops.yml
@@ -170,8 +170,8 @@ services:
     environment:
       APACHE_SERVERNAME: "https://emg.pass.copernicus.eu:443"
     secrets:
-      - SHIB_CERT
-      - SHIB_KEY
+      - EMG_SHIB_CERT
+      - EMG_SHIB_KEY
       - BASIC_AUTH_USERS_AUTH
     deploy:
       replicas: 1
@@ -226,8 +226,8 @@ configs:
     file: ./config/shibboleth/emg_pass-ac.xml
   shib-access-control-conf-cache:
     file: ./config/shibboleth/emg_pass-ac-cache.xml
-  shib-shibboleth2: # this will vary for collections
-    file: ./config/shibboleth/shibboleth2.xml
+  shib-shibboleth2:
+    file: ./config/shibboleth/emg-shibboleth2.xml
   shib-apache:
     file: ./config/shibboleth/shib-apache.conf
   shib-attribute-map:
@@ -241,9 +241,9 @@ configs:
   idp-metadata:
     external: true
 secrets:
-  SHIB_CERT:
+  EMG_SHIB_CERT:
     external: true
-  SHIB_KEY:
+  EMG_SHIB_KEY:
     external: true
   BASIC_AUTH_USERS_AUTH:
     external: true
diff --git a/docker-compose.vhr18.ops.yml b/docker-compose.vhr18.ops.yml
index 12a692ebc8ab0a386be72b29a223691b71c808e3..8c529ad58f6e572565ee88b49406c012f724f2bd 100644
--- a/docker-compose.vhr18.ops.yml
+++ b/docker-compose.vhr18.ops.yml
@@ -170,8 +170,8 @@ services:
     environment:
       APACHE_SERVERNAME: "https://vhr18.pass.copernicus.eu:443"
     secrets:
-      - SHIB_CERT
-      - SHIB_KEY
+      - VHR18_SHIB_CERT
+      - VHR18_SHIB_KEY
       - BASIC_AUTH_USERS_AUTH
     deploy:
       replicas: 1
@@ -226,8 +226,8 @@ configs:
     file: ./config/shibboleth/vhr18_pass-ac.xml
   shib-access-control-conf-cache:
     file: ./config/shibboleth/vhr18_pass-ac-cache.xml
-  shib-shibboleth2: # this will vary for collections
-    file: ./config/shibboleth/shibboleth2.xml
+  shib-shibboleth2:
+    file: ./config/shibboleth/vhr18-shibboleth2.xml
   shib-apache:
     file: ./config/shibboleth/shib-apache.conf
   shib-attribute-map:
@@ -241,9 +241,9 @@ configs:
   shib-idp-metadata:
     external: true
 secrets:
-  SHIB_CERT:
+  VHR18_SHIB_CERT:
     external: true
-  SHIB_KEY:
+  VHR18_SHIB_KEY:
     external: true
   BASIC_AUTH_USERS_AUTH:
     external: true
diff --git a/traefik.yml b/traefik.yml
index 4a4135d7d3b33f8973f290778a4e83347a944b19..39a93c19019a09cfdd7e5d5b0e7413b65494ec5b 100644
--- a/traefik.yml
+++ b/traefik.yml
@@ -19,7 +19,7 @@ providers:
 api:
   dashboard: true
 log:
-  level: DEBUG
+  level: INFO
 accessLog: {}
 certificatesResolvers:
   default: