diff --git a/scripts/vagrant/setup.sh b/scripts/vagrant/setup.sh
index 4fde9ec7791..6847413819a 100644
--- a/scripts/vagrant/setup.sh
+++ b/scripts/vagrant/setup.sh
@@ -43,6 +43,9 @@ cp /dataverse/conf/httpd/conf.d/dataverse.conf /etc/httpd/conf.d/dataverse.conf
 service httpd start
 curl -k --sslv3 https://pdurbin.pagekite.me/Shibboleth.sso/Metadata > /downloads/pdurbin.pagekite.me
 cp -a /etc/shibboleth/shibboleth2.xml /etc/shibboleth/shibboleth2.xml.orig
+cp -a /etc/shibboleth/attribute-map.xml /etc/shibboleth/attribute-map.xml.orig
+# need more attributes, such as sn, givenName, mail
+cp /dataverse/conf/vagrant/etc/shibboleth/attribute-map.xml /etc/shibboleth/attribute-map.xml
 # FIXME: automate this?
 #curl 'https://www.testshib.org/cgi-bin/sp2config.cgi?dist=Others&hostname=pdurbin.pagekite.me' > /etc/shibboleth/shibboleth2.xml
 #cp /dataverse/conf/vagrant/etc/shibboleth/shibboleth2.xml /etc/shibboleth/shibboleth2.xml
diff --git a/src/main/java/edu/harvard/iq/dataverse/Shib.java b/src/main/java/edu/harvard/iq/dataverse/Shib.java
index acbdaf83e47..f644bb7310e 100644
--- a/src/main/java/edu/harvard/iq/dataverse/Shib.java
+++ b/src/main/java/edu/harvard/iq/dataverse/Shib.java
@@ -1,12 +1,19 @@
 package edu.harvard.iq.dataverse;
 
+import edu.harvard.iq.dataverse.authorization.AuthenticationServiceBean;
+import edu.harvard.iq.dataverse.authorization.RoleAssigneeDisplayInfo;
+import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser;
+import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
+import java.util.logging.Level;
 import java.util.logging.Logger;
+import javax.ejb.EJB;
 import javax.faces.context.ExternalContext;
 import javax.faces.context.FacesContext;
 import javax.faces.view.ViewScoped;
+import javax.inject.Inject;
 import javax.inject.Named;
 import javax.servlet.http.HttpServletRequest;
 
@@ -16,24 +23,61 @@ public class Shib implements java.io.Serializable {
 
     private static final Logger logger = Logger.getLogger(Shib.class.getCanonicalName());
 
+    @Inject
+    DataverseSession session;
+
+    @EJB
+    AuthenticationServiceBean authSvc;
+
     HttpServletRequest request;
 
     /**
      * @todo these are the attributes we are getting from the IdP at
      * testshib.org. What other attributes should we expect?
      *
-     * Shib-Identity-Provider:https://idp.testshib.org/idp/shibboleth
+     * Here is a dump from https://pdurbin.pagekite.me/Shibboleth.sso/Session
+     *
+     * Miscellaneous
+     *
+     * Session Expiration (barring inactivity): 479 minute(s)
+     *
+     * Client Address: 10.0.2.2
+     *
+     * SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
+     *
+     * Identity Provider: https://idp.testshib.org/idp/shibboleth
+     *
+     * Authentication Time: 2014-09-12T17:07:36.137Z
+     *
+     * Authentication Context Class:
+     * urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
+     *
+     * Authentication Context Decl: (none)
+     *
      *
-     * eppn:myself@testshib.org
      *
-     * affiliation:Member@testshib.org;Staff@testshib.org
+     * Attributes
      *
-     * unscoped-affiliation:Member;Staff
+     * affiliation: Member@testshib.org;Staff@testshib.org
      *
-     * entitlement:urn:mace:dir:entitlement:common-lib-terms
+     * cn: Me Myself And I
      *
-     * persistent-id:https://idp.testshib.org/idp/shibboleth!https://dvn-vm3.hmdc.harvard.edu/shibboleth!5HQ8MY1UftsM82eN3YvtQVAS7v0=
+     * entitlement: urn:mace:dir:entitlement:common-lib-terms
      *
+     * eppn: myself@testshib.org
+     *
+     * givenName: Me Myself
+     *
+     * persistent-id:
+     * https://idp.testshib.org/idp/shibboleth!https://pdurbin.pagekite.me/shibboleth!zylzL+NruovU5OOGXDOL576jxfo=
+     *
+     * sn: And I
+     *
+     * telephoneNumber: 555-5555
+     *
+     * uid: myself
+     *
+     * unscoped-affiliation: Member;Staff
      */
     List<String> shibAttrs = Arrays.asList(
             "Shib-Identity-Provider",
@@ -50,10 +94,78 @@ public class Shib implements java.io.Serializable {
     );
 
     List<String> shibValues = new ArrayList<>();
+    /**
+     * @todo make this configurable?
+     */
+    private final String shibIdpAttribute = "Shib-Identity-Provider";
+    private final String uniquePersistentIdentifier = "eppn";
+    private final String displayNameAttribute = "cn";
+    private boolean debug = false;
 
     public void init() {
         ExternalContext context = FacesContext.getCurrentInstance().getExternalContext();
         request = (HttpServletRequest) context.getRequest();
+        /**
+         * @todo DRY! put all these similar checks in a function
+         */
+        Object shibIdpObject = request.getAttribute(shibIdpAttribute);
+        if (shibIdpObject == null) {
+            throw new RuntimeException("Shibboleth Identity Provider attribute (" + shibIdpAttribute + ") was null");
+        }
+        String shibIdp = shibIdpObject.toString();
+        if (shibIdp.isEmpty()) {
+            throw new RuntimeException("Shibboleth Identity Provider attribute (" + shibIdpAttribute + ") was empty");
+        }
+        Object userIdentifierObject = request.getAttribute(uniquePersistentIdentifier);
+        if (userIdentifierObject == null) {
+            throw new RuntimeException("Unique persistent identifer attribute (" + uniquePersistentIdentifier + ") was null");
+        }
+        String userIdentifier = userIdentifierObject.toString();
+        if (userIdentifier.isEmpty()) {
+            throw new RuntimeException("Unique persistent identifer attribute (" + uniquePersistentIdentifier + ") was empty");
+        }
+        Object displayNameObject = request.getAttribute(displayNameAttribute);
+        if (displayNameObject == null) {
+            throw new RuntimeException("Display name attribute (" + displayNameAttribute + ") was null");
+        }
+        String displayName = displayNameObject.toString();
+        if (displayName.isEmpty()) {
+            throw new RuntimeException("Display name attribute (" + displayNameAttribute + ") was empty");
+        }
+
+        String emailAddress = "FIXMEemailAddress";
+        RoleAssigneeDisplayInfo displayInfo = new RoleAssigneeDisplayInfo(displayName, emailAddress);
+
+        String userPersistentId = shibIdp + "|" + userIdentifier;
+        /**
+         * @todo where should "shib" be defined?
+         */
+        String authPrvId = "shib";
+        AuthenticatedUser au = authSvc.lookupUser(authPrvId, userPersistentId);
+        if (au != null) {
+            logger.info("Found " + userPersistentId + ". Logging in.");
+            session.setUser(au);
+        } else {
+            logger.info("Couldn't find " + userPersistentId + ". Creating a new user.");
+            authSvc.createAuthenticatedUser(authPrvId, userPersistentId, displayInfo);
+            session.setUser(au);
+        }
+        try {
+//            FacesContext.getCurrentInstance().getExternalContext().redirect("http://pdurbin.pagekite.me");
+            FacesContext.getCurrentInstance().getExternalContext().redirect("/dataverse.xhtml");
+        } catch (IOException ex) {
+            Logger.getLogger(Shib.class.getName()).log(Level.SEVERE, null, ex);
+        }
+        if (debug) {
+            printAttributes(request);
+        }
+    }
+
+    public List<String> getShibValues() {
+        return shibValues;
+    }
+
+    private void printAttributes(HttpServletRequest request) {
         for (String attr : shibAttrs) {
 
             /**
@@ -72,9 +184,4 @@ public void init() {
         }
         logger.info("shib values: " + shibValues);
     }
-
-    public List<String> getShibValues() {
-        return shibValues;
-    }
-
 }
diff --git a/src/main/webapp/loginpage.xhtml b/src/main/webapp/loginpage.xhtml
index 081f6cea01f..2468dccbfd0 100644
--- a/src/main/webapp/loginpage.xhtml
+++ b/src/main/webapp/loginpage.xhtml
@@ -49,8 +49,37 @@
                             </div>
                         </h:form>
                     </div>
-                    <div class="col-md-7" style="margin-top:3em;">
-                        <iframe src="shib-identity-picker.html" width="450" height="320" style="background-color: lightgray"/>
+                    <div class="col-md-7" style="margin-top:3em; background-color: lightgray">
+                        <!--<iframe src="shib-identity-picker.html" width="450" height="320" style="background-color: lightgray"/>-->
+                        <p style="font-weight: bolder; font-size: x-large">Log in via your institution</p>
+
+                        <div id="idpSelect"></div>
+
+                        <script src="/resources/js/shib/idpselect_config.js" type="text/javascript" language="javascript"></script>
+
+                        <script src="/resources/js/shib/idpselect.js" type="text/javascript" language="javascript"></script>
+
+                        <noscript>
+                            <!-- If you need to care about non javascript browsers you will need to 
+                                 generate a hyperlink to a non-js DS.
+                        
+                                 To build you will need:
+                                     - URL:  The base URL of the DS you use
+                                     - EI: Your entityId, URLencoded.  You can get this from the line that 
+                                       this page is called with.
+                                     - RET: Your return address dlib-adidp.ucs.ed.ac.uk. Again you can get
+                                       this from the page this is called with, but beware of the 
+                                       target%3Dcookie%253A5269905f bit..
+                        
+                                < href=${URL}?entityID=${EI}&return=${RET}
+                            -->
+
+                            Your Browser does not support javascript. Please use 
+                            <!--FIXME not valid xhtml?-->
+                            <!--<a href="http://federation.org/DS/DS?entityID=https%3A%2F%2FyourentityId.edu.edu%2Fshibboleth&return=https%3A%2F%2Fyourreturn.edu%2FShibboleth.sso%2FDS%3FSAMLDS%3D1%26target%3Dhttps%3A%2F%2Fyourreturn.edu%2F">this link</a>.-->
+
+                        </noscript>
+
                     </div>
                 </div>
                 <div style="float: bottom">
diff --git a/src/main/webapp/shib-identity-picker.html b/src/main/webapp/shib-identity-picker.html
deleted file mode 100644
index 41688123cfd..00000000000
--- a/src/main/webapp/shib-identity-picker.html
+++ /dev/null
@@ -1,40 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
-    "http://www.w3.org/TR/html4/loose.dtd">
-<html>
-    <head>
-        <title>Shibboleth Identity Provider Selection</title>
-        <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-5" />
-        <!--<link rel="stylesheet" type="text/css" href="idpselect.css" />-->
-        <link rel="stylesheet" type="text/css" href="/resources/css/shib-identity-picker.css" />
-    </head>
-
-    <body>
-        <p style="font-weight: bolder; font-size: x-large">Log in via your institution</p>
-
-        <div id="idpSelect"></div>
-
-        <script src="/resources/js/shib/idpselect_config.js" type="text/javascript" language="javascript"></script>
-
-        <script src="/resources/js/shib/idpselect.js" type="text/javascript" language="javascript"></script>
-
-        <noscript>
-            <!-- If you need to care about non javascript browsers you will need to 
-                 generate a hyperlink to a non-js DS.
-        
-                 To build you will need:
-                     - URL:  The base URL of the DS you use
-                     - EI: Your entityId, URLencoded.  You can get this from the line that 
-                       this page is called with.
-                     - RET: Your return address dlib-adidp.ucs.ed.ac.uk. Again you can get
-                       this from the page this is called with, but beware of the 
-                       target%3Dcookie%253A5269905f bit..
-        
-                < href=${URL}?entityID=${EI}&return=${RET}
-            -->
-
-            Your Browser does not support javascript. Please use 
-            <a href="http://federation.org/DS/DS?entityID=https%3A%2F%2FyourentityId.edu.edu%2Fshibboleth&return=https%3A%2F%2Fyourreturn.edu%2FShibboleth.sso%2FDS%3FSAMLDS%3D1%26target%3Dhttps%3A%2F%2Fyourreturn.edu%2F">this link</a>.
-
-        </noscript>
-    </body>
-</html>