diff --git a/README.md b/README.md
index e789bcfec..520d102cc 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,7 @@ Register a client in IAM with the following properties:
 - introspection endpoint enabled
 
 Create the folder `instance` to put the application configuration files:
- - (mandatory) `config.json` file (see the [example](app/config-sample.json))
+ - (mandatory) `config.json` file (see the [example](instance/config-sample.json))
  - (optional) `vault-config.json` file (see the [example]() needed to enable the integration with Vault 
  
 ````
diff --git a/app/__init__.py b/app/__init__.py
index 7fbfc47a8..0bd1e256a 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -15,20 +15,22 @@
 import sys
 import socket
 
-from flask import Flask
+from flask import Flask, session
 from flask_alembic import Alembic
 from sqlalchemy_utils import database_exists, create_database
 from sqlalchemy import Table, Column, String, MetaData
 from werkzeug.middleware.proxy_fix import ProxyFix
-from flask_dance.consumer import OAuth2ConsumerBlueprint
 from flask_mail import Mail
 from flask_sqlalchemy import SQLAlchemy
 from flask_migrate import Migrate, upgrade
+from flask_login import LoginManager
 from app.lib.ToscaInfo import ToscaInfo
 from app.lib.Vault import Vault
-
+from flaat import Flaat
+from flask_dance.consumer import oauth_authorized
 import logging
 
+
 # initialize SQLAlchemy
 db: SQLAlchemy = SQLAlchemy()
 
@@ -57,6 +59,17 @@
 if profile is not None and profile != 'default':
     app.config.from_object('config.' + profile)
 
+flaat = Flaat()
+flaat.set_web_framework('flask')
+flaat.set_trusted_OP_list([idp['iss'] for idp in app.config.get('TRUSTED_OIDC_IDP_LIST')])
+flaat.set_timeout(20)
+flaat.set_client_connect_timeout(20)
+flaat.set_iss_config_timeout(20)
+
+from app.lib import indigoiam, egicheckin
+from app.lib import dbhelpers
+from app.models.User import User
+
 
 @app.context_processor
 def inject_settings():
@@ -77,7 +90,9 @@ def inject_settings():
         require_ssh_pubkey=app.config.get('FEATURE_REQUIRE_USER_SSH_PUBKEY') if app.config.get(
             'FEATURE_REQUIRE_USER_SSH_PUBKEY') else "no",
         hidden_deployment_columns=app.config.get('FEATURE_HIDDEN_DEPLOYMENT_COLUMNS') if app.config.get(
-            'FEATURE_HIDDEN_DEPLOYMENT_COLUMNS') else ""
+            'FEATURE_HIDDEN_DEPLOYMENT_COLUMNS') else "",
+        enable_ports_request=app.config.get('FEATURE_PORTS_REQUEST') if app.config.get(
+            'FEATURE_PORTS_REQUEST') else "no"
     )
 
 
@@ -94,22 +109,87 @@ def inject_settings():
 from app.errors.routes import errors_bp
 app.register_blueprint(errors_bp)
 
-iam_base_url = app.config['IAM_BASE_URL']
-iam_token_url = iam_base_url + '/token'
-iam_refresh_url = iam_base_url + '/token'
-iam_authorization_url = iam_base_url + '/authorize'
-
-iam_blueprint = OAuth2ConsumerBlueprint(
-    "iam", __name__,
-    client_id=app.config['IAM_CLIENT_ID'],
-    client_secret=app.config['IAM_CLIENT_SECRET'],
-    base_url=iam_base_url,
-    token_url=iam_token_url,
-    auto_refresh_url=iam_refresh_url,
-    authorization_url=iam_authorization_url,
-    redirect_to='home'
-)
-app.register_blueprint(iam_blueprint, url_prefix="/login")
+
+def get_auth_blueprint(self):
+    if 'auth_blueprint' in session.keys():
+        bp = session['auth_blueprint']
+        if bp == 'iam':
+            return app.iam_blueprint
+        if bp == 'egi':
+            return app.egicheckin_blueprint
+    return None
+
+
+app.get_auth_blueprint = get_auth_blueprint.__get__('')
+
+
+def get_auth_userinfo(self):
+    if 'auth_blueprint' in session.keys():
+        bp = session['auth_blueprint']
+        if bp == 'iam':
+            return app.iam_blueprint.session.get("/userinfo")
+        if bp == 'egi':
+            return app.egicheckin_blueprint.session.get('/auth/realms/egi/protocol/openid-connect/userinfo')
+    return None
+
+
+app.get_auth_userinfo = get_auth_userinfo.__get__('')
+
+
+def get_user_oauth(self):
+    userid = session['userid']
+    if userid is not None:
+        user = dbhelpers.get_user(userid)
+        if user is not None and 'auth_blueprint' in session.keys():
+            bp = session['auth_blueprint']
+            if bp == 'iam':
+                return user.oauth['iam']
+            if bp == 'egi':
+                return user.oauth['egiaai']
+    return None
+
+
+app.get_user_oauth = get_user_oauth.__get__('')
+
+
+with app.app_context():
+    app.iam_blueprint = indigoiam.create_blueprint()
+    app.register_blueprint(app.iam_blueprint, url_prefix="/login")
+
+    # create/login local user on successful OAuth login
+    @oauth_authorized.connect_via(app.iam_blueprint)
+    def iam_logged_in(blueprint, token):
+        session['auth_blueprint'] = 'iam'
+        return indigoiam.auth_blueprint_login(blueprint, token)
+
+
+    if app.config.get('EGI_AAI_CLIENT_ID') and app.config.get('EGI_AAI_CLIENT_SECRET'):
+        app.egicheckin_blueprint = egicheckin.create_blueprint()
+        app.register_blueprint(app.egicheckin_blueprint, url_prefix="/login")
+
+        @oauth_authorized.connect_via(app.egicheckin_blueprint)
+        def egicheckin_logged_in(blueprint, token):
+            session['auth_blueprint'] = 'egi'
+            return egicheckin.auth_blueprint_login(blueprint, token)
+
+        # Inject the variable inject_egi_aai_enabled automatically into the context of templates
+        @app.context_processor
+        def inject_egi_aai_enabled():
+            return dict(is_egi_aai_enabled=True)
+
+
+login_manager = LoginManager()
+login_manager.login_message = None
+login_manager.login_message_category = "info"
+login_manager.login_view = "login"
+
+login_manager.init_app(app)
+
+
+@login_manager.user_loader
+def load_user(user_id):
+    return dbhelpers.get_user(user_id)
+
 
 from app.home.routes import home_bp
 app.register_blueprint(home_bp, url_prefix="/home")
@@ -138,8 +218,6 @@ def inject_settings():
 
 logging.basicConfig(level=numeric_level)
 
-from app import models
-
 # check if database exists
 engine = db.get_engine(app)
 if not database_exists(engine.url):  # Checks for the first time
diff --git a/app/config-sample.json b/app/config-sample.json
deleted file mode 100644
index 28780deab..000000000
--- a/app/config-sample.json
+++ /dev/null
@@ -1,18 +0,0 @@
-{
-    "IAM_CLIENT_ID": "my_client_id",
-    "IAM_CLIENT_SECRET": "my_client_secret",
-    "IAM_BASE_URL": "https://iam-test.indigo-datacloud.eu",
-    "ORCHESTRATOR_URL": "https://indigo-paas.cloud.ba.infn.it/orchestrator",
-    "SLAM_URL": "https://indigo-slam.cloud.ba.infn.it:8443",
-    "CMDB_URL": "https://indigo-paas.cloud.ba.infn.it/cmdb",
-    "IM_URL": "https://indigo-paas.cloud.ba.infn.it/im",
-    "VAULT_URL": "https://indigo-vault.cloud.ba.infn.it:8200",
-    "VAULT_ROLE": "orchestrator",
-    "VAULT_OIDC_AUDIENCE": "********",
-    "TOSCA_TEMPLATES_DIR": "/opt/tosca-templates",
-    "IAM_GROUP_MEMBERSHIP": [ "group1" ],
-    "SUPPORT_EMAIL": "support@example.com",
-    "ENABLE_ADVANCED_MENU": "no",
-    "EXTERNAL_LINKS": [ { "url": "https://indigo-paas.cloud.ba.infn.it/status-page", "menu_item_name": "Services status" } ],
-    "LOG_LEVEL": "info"
-}
diff --git a/app/deployments/routes.py b/app/deployments/routes.py
index 5d1a5de15..764b40652 100644
--- a/app/deployments/routes.py
+++ b/app/deployments/routes.py
@@ -15,8 +15,8 @@
 import copy
 
 from flask import Blueprint, session, render_template, flash, redirect, url_for, json, request
-from app import app, iam_blueprint, tosca, vaultservice
-from app.lib import auth, utils, settings, dbhelpers, yourls
+from app import app, tosca, vaultservice
+from app.lib import auth, utils, mail_utils, settings, dbhelpers, yourls
 from app.lib.ldap_user import LdapUserManager
 from app.models.Deployment import Deployment
 from app.providers import sla
@@ -36,7 +36,6 @@
 import re
 
 
-
 deployments_bp = Blueprint('deployments_bp', __name__,
                            template_folder='templates',
                            static_folder='static')
@@ -53,9 +52,9 @@
 @deployments_bp.route('/all')
 @auth.authorized_with_valid_token
 def showdeployments():
-    access_token = iam_blueprint.session.token['access_token']
+    access_token = app.get_auth_blueprint().session.token['access_token']
 
-    headers = {'Authorization': 'bearer %s' % access_token}
+    headers = {'Authorization': 'bearer %s' % access_token, 'Cache-Control': 'no-cache'}
     params = "createdBy=me&page={}&size={}".format(0, 999999)
 
     if 'active_usergroup' in session and session['active_usergroup'] is not None:
@@ -82,7 +81,7 @@ def showdeployments():
 @deployments_bp.route('/<depid>/template')
 @auth.authorized_with_valid_token
 def deptemplate(depid=None):
-    access_token = iam_blueprint.session.token['access_token']
+    access_token = app.get_auth_blueprint().session.token['access_token']
     headers = {'Authorization': 'bearer %s' % access_token}
 
     url = settings.orchestratorUrl + "/deployments/" + depid + "/template"
@@ -115,6 +114,12 @@ def unlockdeployment(depid=None):
         dbhelpers.add_object(dep)
     return redirect(url_for('deployments_bp.showdeployments'))
 
+@deployments_bp.route('/edit', methods=['POST'])
+@auth.authorized_with_valid_token
+def editdeployment():
+    form_data = request.form.to_dict()
+    dbhelpers.update_deployment(form_data["deployment_uuid"],dict(description=form_data["description"]))
+    return redirect(url_for('deployments_bp.showdeployments'))
 
 def preprocess_outputs(browser, outputs, stoutputs):
     for key, value in stoutputs.items():
@@ -130,9 +135,12 @@ def preprocess_outputs(browser, outputs, stoutputs):
                         app.logger.debug('Error creating short url: {}'.format(str(e)))
                         pass
 
-                if origin_url.scheme == 'http' and browser['name'] == "chrome" and browser['version'] >= 86:
-                    message = stoutputs[key]['warning'] if 'warning' in stoutputs[key] else ""
-                    stoutputs[key]['warning'] = "{}<br>{}".format("The download will be blocked by Chrome. Please, use Firefox for a full user experience.", message)
+                    if origin_url.scheme == 'http' and browser['name'] == "chrome" and browser['version'] >= 86:
+                        message = stoutputs[key]['warning'] if 'warning' in stoutputs[key] else ""
+                        stoutputs[key]['warning'] = "{}<br>{}".format("The download will be blocked by Chrome. Please, "
+                                                                      "use Firefox for a full user experience.",
+                                                                      message)
+
 
 @deployments_bp.route('/<depid>/details')
 @auth.authorized_with_valid_token
@@ -152,18 +160,17 @@ def depoutput(depid=None):
         stoutputs = json.loads(dep.stoutputs.strip('\"')) if dep.stoutputs else {}
         inputs = {}
         for k, v in i.items():
-            if ((stinputs[k]['printable'] if 'printable' in stinputs[k] else True) if k in stinputs else True):
+            if (stinputs[k]['printable'] if 'printable' in stinputs[k] else True) if k in stinputs else True:
                 inputs[k] = v
 
-
-        additional_outputs = getadditionaloutputs(dep, iam_blueprint.session.token['access_token'])
+        additional_outputs = getadditionaloutputs(dep, app.get_auth_blueprint().session.token['access_token'])
 
         outputs = {**outputs, **additional_outputs}
 
         browser = request.user_agent.browser
         version = request.user_agent.version and int(request.user_agent.version.split('.')[0])
 
-        preprocess_outputs(dict(name = browser, version = version), outputs, stoutputs)
+        preprocess_outputs(dict(name=browser, version=version), outputs, stoutputs)
 
         return render_template('depoutput.html',
                                deployment=dep,
@@ -171,6 +178,7 @@ def depoutput(depid=None):
                                outputs=outputs,
                                stoutputs=stoutputs)
 
+
 def getadditionaloutputs(dep, access_token):
     uuid = dep.uuid
     status = dep.status
@@ -182,7 +190,7 @@ def getadditionaloutputs(dep, access_token):
         # try to get kubeconfig file from log
         try:
             kubeconfig = extract_info_from_deplog(access_token, uuid, 'kubeconfig')
-            additional_outputs = { "kubeconfig": kubeconfig }
+            additional_outputs = {"kubeconfig": kubeconfig}
             update = True
         except:
             app.logger.debug("Error while extracting kubeconfig file from log for deployment {}".format(dep.uuid))
@@ -194,7 +202,6 @@ def getadditionaloutputs(dep, access_token):
     return additional_outputs
 
 
-
 def extract_info_from_deplog(access_token, uuid, info_type):
     headers = {'Authorization': 'bearer %s' % access_token}
 
@@ -209,7 +216,6 @@ def extract_info_from_deplog(access_token, uuid, info_type):
 
         if info_type == "kubeconfig":
 
-            match = None
             for line in lines:
                 match = re.search('^.*KUBECONFIG file.*\n.*\n.*\n.*\n.*\n.*\"(apiVersion.*)\"\n.*\n.*$', line)
                 if match is not None:
@@ -217,9 +223,10 @@ def extract_info_from_deplog(access_token, uuid, info_type):
 
     return info
 
+
 @deployments_bp.route('/<depid>/templatedb')
 def deptemplatedb(depid):
-    if not iam_blueprint.session.authorized:
+    if not app.get_auth_blueprint().session.authorized:
         return redirect(url_for('home_bp.login'))
 
     # retrieve deployment from DB
@@ -234,7 +241,7 @@ def deptemplatedb(depid):
 @deployments_bp.route('/<depid>/log')
 @auth.authorized_with_valid_token
 def deplog(depid=None):
-    access_token = iam_blueprint.session.token['access_token']
+    access_token = app.get_auth_blueprint().session.token['access_token']
     headers = {'Authorization': 'bearer %s' % access_token}
 
     # app.logger.debug("Configuration: " + json.dumps(settings.orchestratorConf))
@@ -253,7 +260,7 @@ def deplog(depid=None):
 @deployments_bp.route('/<depid>/infradetails')
 @auth.authorized_with_valid_token
 def depinfradetails(depid=None, path=None):
-    access_token = iam_blueprint.session.token['access_token']
+    access_token = app.get_auth_blueprint().session.token['access_token']
     headers = {'Authorization': 'bearer %s' % access_token}
 
     # app.logger.debug("Configuration: " + json.dumps(settings.orchestratorConf))
@@ -266,16 +273,17 @@ def depinfradetails(depid=None, path=None):
         app.logger.debug("VMs details: {}".format(response.text))
         details = []
         for vm_details in vminfos:
-             vminfo = utils.format_json_radl(vm_details["vmProperties"])
-             details.append(vminfo)
+            vminfo = utils.format_json_radl(vm_details["vmProperties"])
+            details.append(vminfo)
 
         return render_template('depinfradetails.html', vmsdetails=details)
     return redirect(url_for('deployments_bp.showdeployments'))
 
+
 @deployments_bp.route('/<depid>/qcgdetails')
 @auth.authorized_with_valid_token
 def depqcgdetails(depid=None, path=None):
-    access_token = iam_blueprint.session.token['access_token']
+    access_token = app.get_auth_blueprint().session.token['access_token']
     headers = {'Authorization': 'bearer %s' % access_token}
 
     # app.logger.debug("Configuration: " + json.dumps(settings.orchestratorConf))
@@ -298,7 +306,7 @@ def depqcgdetails(depid=None, path=None):
 @deployments_bp.route('/<depid>/delete')
 @auth.authorized_with_valid_token
 def depdel(depid=None):
-    access_token = iam_blueprint.session.token['access_token']
+    access_token = app.get_auth_blueprint().session.token['access_token']
     headers = {'Authorization': 'bearer %s' % access_token}
     url = settings.orchestratorUrl + "/deployments/" + depid
     response = requests.delete(url, headers=headers)
@@ -320,7 +328,7 @@ def depupdate(depid=None):
     if depid is not None:
         dep = dbhelpers.get_deployment(depid)
         if dep is not None:
-            access_token = iam_blueprint.session.token['access_token']
+            access_token = app.get_auth_blueprint().session.token['access_token']
             template = dep.template
             tosca_info = tosca.extracttoscainfo(yaml.full_load(io.StringIO(template)), None)
             inputs = json.loads(dep.inputs.strip('\"')) if dep.inputs else {}
@@ -340,7 +348,6 @@ def depupdate(depid=None):
                                 settings.orchestratorConf['cmdb_url'], dep.deployment_type)
             ssh_pub_key = dbhelpers.get_ssh_pub_key(session['userid'])
 
-
             return render_template('updatedep.html',
                                    template=tosca_info,
                                    template_description=tosca_info['description'],
@@ -362,7 +369,7 @@ def depupdate(depid=None):
 @auth.authorized_with_valid_token
 def updatedep():
 
-    access_token = iam_blueprint.session.token['access_token']
+    access_token = app.get_auth_blueprint().session.token['access_token']
 
     form_data = request.form.to_dict()
 
@@ -391,8 +398,8 @@ def updatedep():
             remove_sla_from_template(template)
 
         inputs = {k: v for (k, v) in form_data.items() if not k.startswith("extra_opts.") and not k == '_depid'}
-        #oldinputs = json.loads(dep.inputs.strip('\"')) if dep.inputs else {}
-        #inputs = {**oldinputs, **inputs}
+        # oldinputs = json.loads(dep.inputs.strip('\"')) if dep.inputs else {}
+        # inputs = {**oldinputs, **inputs}
 
         additionaldescription = form_data['additional_description']
 
@@ -420,7 +427,7 @@ def updatedep():
             dep.feedback_required = feedback_required
             dep.description = additionaldescription
             dep.template = template_text
-            #dep.inputs = json.dumps(inputs),
+            # dep.inputs = json.dumps(inputs),
             oldinputs = json.loads(dep.inputs.strip('\"')) if dep.inputs else {}
             updatedinputs = {**oldinputs, **inputs}
             dep.inputs = json.dumps(updatedinputs),
@@ -432,7 +439,7 @@ def updatedep():
 @deployments_bp.route('/configure', methods=['GET', 'POST'])
 @auth.authorized_with_valid_token
 def configure():
-    access_token = iam_blueprint.session.token['access_token']
+    access_token = app.get_auth_blueprint().session.token['access_token']
 
     selected_tosca = None
 
@@ -442,8 +449,8 @@ def configure():
     if 'selected_tosca' in request.args:
         selected_tosca = request.args['selected_tosca']
 
-    if 'active_user_group' in request.args:
-        session['active_usergroup'] = request.args['active_user_group']
+    #if 'active_user_group' in request.args:
+    #    session['active_usergroup'] = request.args['active_user_group']
 
     if 'selected_group' in request.args:
         templates = tosca.tosca_gmetadata[request.args['selected_group']]['templates']
@@ -454,7 +461,13 @@ def configure():
 
     if selected_tosca:
 
-        template = tosca.tosca_info[selected_tosca]
+        template = copy.deepcopy(tosca.tosca_info[selected_tosca])
+        # Manage eventual overrides
+        for k,v in template['inputs'].items():
+            if 'group_overrides' in v and session['active_usergroup'] in v['group_overrides']:
+                overrides = v['group_overrides'][session['active_usergroup']]
+                template['inputs'][k] = {**v, **overrides}
+
         sla_id = tosca_helpers.getslapolicy(template)
 
         slas = sla.get_slas(access_token, settings.orchestratorConf['slam_url'], settings.orchestratorConf['cmdb_url'],
@@ -463,7 +476,8 @@ def configure():
         ssh_pub_key = dbhelpers.get_ssh_pub_key(session['userid'])
 
         if not ssh_pub_key and app.config.get('FEATURE_REQUIRE_USER_SSH_PUBKEY') == 'yes':
-            flash('Warning! You will not be able to deploy your service as no Public SSH key has been uploaded.', "danger")
+            flash('Warning! You will not be able to deploy your service as no Public SSH key has been uploaded.',
+                  "danger")
 
         return render_template('createdep.html',
                                template=template,
@@ -508,13 +522,12 @@ def add_sla_to_template(template, sla_id):
 @deployments_bp.route('/submit', methods=['POST'])
 @auth.authorized_with_valid_token
 def createdep():
-    access_token = iam_blueprint.session.token['access_token']
+    access_token = app.get_auth_blueprint().session.token['access_token']
     selected_template = request.args.get('template')
     source_template = tosca.tosca_info[selected_template]
 
     app.logger.debug("Form data: " + json.dumps(request.form.to_dict()))
 
-
     with io.open(os.path.join(settings.toscaDir, selected_template)) as stream:
         template = yaml.full_load(stream)
         # rewind file
@@ -555,8 +568,16 @@ def createdep():
     uuidgen_deployment = str(uuid_generator.uuid1());
 
     for key,value in stinputs.items():
+
+        # Manage special type 'dependent_definition' as first
+        if value["type"] == "dependent_definition":
+            # retrieve the real type from dedicated field
+            if inputs[key + "-ref"] in stinputs:
+                value = stinputs[inputs[key + "-ref"]]
+            del inputs[key + "-ref"]
+
         # Manage security groups
-        if value["type"]=="map" and value["entry_schema"]["type"]=="tosca.datatypes.network.PortSpec":
+        if value["type"]=="map" and (value["entry_schema"]["type"]=="tosca.datatypes.network.PortSpec" or value["entry_schema"]["type"]=="tosca.datatypes.indigo.network.PortSpec"):
             if key in inputs:
                 try:
                     inputs[key] = json.loads(form_data[key])
@@ -595,9 +616,12 @@ def createdep():
                     # elif value["entry_schema"]["type"]=="tosca.datatypes.indigo.User":
                     #     if app.config.get('FEATURE_REQUIRE_USER_SSH_PUBKEY')=='yes':
                     #         if dbhelpers.get_ssh_pub_key(session['userid']):
-                    #             inputs[key] = [ { "os_user_name": session['preferred_username'], "os_user_add_to_sudoers": True, "os_user_ssh_public_key": dbhelpers.get_ssh_pub_key(session['userid'])  } ]
+                    #             inputs[key] = [ { "os_user_name": session['preferred_username'],
+                    #             "os_user_add_to_sudoers": True, "os_user_ssh_public_key":
+                    #             dbhelpers.get_ssh_pub_key(session['userid'])  } ]
                     #         else:
-                    #             flash("Deployment request failed: no SSH key found. Please upload your key.", "danger")
+                    #             flash("Deployment request failed: no SSH key found. Please upload your key.",
+                    #             "danger")
                     #             doprocess = False
                     #     else:
                     #         inputs[key] = json_data
@@ -610,17 +634,12 @@ def createdep():
             app.logger.info("Add ssh user")
             if app.config.get('FEATURE_REQUIRE_USER_SSH_PUBKEY')=='yes':
                 if dbhelpers.get_ssh_pub_key(session['userid']):
-                    inputs[key] = [ { "os_user_name": session['preferred_username'], "os_user_add_to_sudoers": True, "os_user_ssh_public_key": dbhelpers.get_ssh_pub_key(session['userid'])  } ]
+                    inputs[key] = [{"os_user_name": session['preferred_username'], "os_user_add_to_sudoers": True,
+                                    "os_user_ssh_public_key": dbhelpers.get_ssh_pub_key(session['userid'])}]
                 else:
                     flash("Deployment request failed: no SSH key found. Please upload your key.", "danger")
                     doprocess = False
 
-        # Manage special type 'dependent_definition'
-        if value["type"] == "dependent_definition":
-            # retrieve the real type from dedicated field
-            value["type"] = inputs[key + "-type"]
-            del inputs[key + "-type"]
-
         # Manage Swift-related fields
         if value["type"] == "swift_autouuid":
             if key in inputs:
@@ -658,6 +677,8 @@ def createdep():
             try:
                 del inputs[key]
                 project = next(filter(lambda tenant: tenant.get('group') == session['active_usergroup'], value['auth']['tenants']), None)
+                if not project:
+                    raise IndexError("Project not configured for S3")
                 access, secret = keystone.get_or_create_ec2_creds(access_token, project.get('name'), value["auth"]["url"], value["auth"]["identity_provider"], value["auth"]["protocol"])
                 access_key_input_name = value["inputs"]["aws_access_key"]
                 inputs[access_key_input_name] = access
@@ -676,11 +697,15 @@ def createdep():
                            functions[func](**args)
             except Forbidden as e:
                 app.logger.error("Error while testing S3: {}".format(e))
-                flash(" Sorry, your request needs a special authorization. A notification has been sent automatically to the support team. You will be contacted soon.", 'danger')
-                utils.send_authorization_request_email("Sync&Share aaS for group {}".format(session["active_usergroup"]))
+                flash(" Sorry, your request needs a special authorization. "
+                      "A notification has been sent automatically to the support team. You will be contacted soon.",
+                      'danger')
+                mail_utils.send_authorization_request_email(
+                    "Sync&Share aaS for group {}".format(session["active_usergroup"]))
                 doprocess = False
             except Exception as e:
-                flash(" The deployment submission failed with: {}. Please contact the admin(s): {}".format(e, app.config.get('SUPPORT_EMAIL')), 'danger')
+                flash(" The deployment submission failed with: {}. Please contact the admin(s): {}"
+                      .format(e, app.config.get('SUPPORT_EMAIL')), 'danger')
                 doprocess = False
 
         if value["type"] == "ldap_user":
@@ -716,9 +741,29 @@ def createdep():
 
             except Exception as e:
                 app.logger.error("Error: {}".format(e))
-                flash(" The deployment submission failed with: {}. Please try later or contact the admin(s): {}".format(e, app.config.get('SUPPORT_EMAIL')), 'danger')
+                flash(" The deployment submission failed with: {}. Please try later or contact the admin(s): {}"
+                      .format(e, app.config.get('SUPPORT_EMAIL')), 'danger')
                 doprocess = False
 
+        if value["type"] == "userinfo":
+            if key in inputs:
+                if value["attribute"] == "sub":
+                    inputs[key] = session['userid']
+
+        if value["type"] == "multiselect":
+            if key in inputs:
+                try:
+                    lval = request.form.getlist(key)
+                    if 'format' in value and value['format']['type'] == 'string':
+                        inputs[key] = value['format']['delimiter'].join(lval)
+                    else:
+                        inputs[key] = lval
+                except Exception as e:
+                    app.logger.error("Error processing input {}: {}".format(key,e))
+                    flash(
+                        " The deployment submission failed with: {}. Please try later or contact the admin(s): {}".format(
+                            e, app.config.get('SUPPORT_EMAIL')), 'danger')
+                    doprocess = False
 
 
     if swift and swift_map:
@@ -734,49 +779,46 @@ def createdep():
 
     if swift_filename:
 
-      for f in swift_filename:
+        for f in swift_filename:
 
-        file = request.files[f]
-        if file:
-            upload_folder = app.config['UPLOAD_FOLDER']
-            upload_folder = os.path.join(upload_folder, swift_uuid)
-            filename = secure_filename(file.filename)
-            fullfilename = os.path.join(upload_folder, filename)
-            if not os.path.exists(upload_folder):
-                os.makedirs(upload_folder)
-            file.save(fullfilename)
+            file = request.files[f]
+            if file:
+                upload_folder = app.config['UPLOAD_FOLDER']
+                upload_folder = os.path.join(upload_folder, swift_uuid)
+                filename = secure_filename(file.filename)
+                fullfilename = os.path.join(upload_folder, filename)
+                if not os.path.exists(upload_folder):
+                    os.makedirs(upload_folder)
+                file.save(fullfilename)
 
-            if f not in inputs:
-                inputs[f] = file.filename
+                if f not in inputs:
+                    inputs[f] = file.filename
 
-            containername = basecontainername = swift.basecontainername
-            containers = swift.getownedcontainers()
-            basecontainer = next(filter(lambda x: x['name'] == basecontainername, containers), None)
-            if basecontainer is None:
-                swift.createcontainer(basecontainername)
+                containername = basecontainername = swift.basecontainername
+                containers = swift.getownedcontainers()
+                basecontainer = next(filter(lambda x: x['name'] == basecontainername, containers), None)
+                if basecontainer is None:
+                    swift.createcontainer(basecontainername)
 
+                containername = basecontainername + "/" + swift_uuid
 
-            containername = basecontainername + "/" + swift_uuid
+                with open(fullfilename, 'rb') as ff:
+                    calchash = swift.md5hash(ff)
+                with open(fullfilename, 'rb') as ff:
+                    objecthash = swift.createobject(containername, filename, contents=ff.read())
 
-            with open(fullfilename, 'rb') as f:
-                calchash = swift.md5hash(f)
-            with open(fullfilename, 'rb') as f:
-                objecthash = swift.createobject(containername, filename, contents=f.read())
+                if hash is not None and objecthash != swift.emptyMd5:
+                    swiftprocess = True
 
-            if hash is not None and objecthash != swift.emptyMd5:
-                swiftprocess = True
+                os.remove(fullfilename)
+                os.rmdir(upload_folder)
 
-            os.remove(fullfilename)
-            os.rmdir(upload_folder)
-
-            if calchash != objecthash:
+                if calchash != objecthash:
+                    doprocess = False
+                    flash("Wrong swift file checksum!", 'danger')
+            else:
                 doprocess = False
-                flash("Wrong swift file checksum!", 'danger')
-        else:
-            doprocess = False
-            flash("Missing file object!", 'danger')
-
-
+                flash("Missing file object!", 'danger')
 
     if doprocess:
 
@@ -917,3 +959,21 @@ def add_storage_encryption(access_token, inputs):
         inputs['vault_secret_path'] = session['userid'] + '/' + vault_secret_uuid
 
     return storage_encryption, vault_secret_uuid, vault_secret_key
+
+
+@deployments_bp.route('/sendportsreq', methods=['POST'])
+def sendportsrequest():
+    form_data = request.form.to_dict()
+
+    try:
+        utils.send_ports_request_email(form_data['deployment_uuid'], email=form_data['email'], message=form_data['message'])
+
+        flash(
+            "Your request has been sent to the support team. You will receive soon a notification email about your request. Thank you!",
+            "success")
+
+    except Exception as error:
+        utils.logexception("sending email:".format(error))
+        flash("Sorry, an error occurred while sending your request. Please retry.", "danger")
+
+    return redirect(url_for('deployments_bp.showdeployments'))
diff --git a/app/deployments/templates/createdep.html b/app/deployments/templates/createdep.html
index 29868bcc3..1243b9e00 100644
--- a/app/deployments/templates/createdep.html
+++ b/app/deployments/templates/createdep.html
@@ -208,6 +208,53 @@ <h4 class="font-weight-bold text-primary">
   });
 });
 
+function validatePorts(input){
+  var port = $(input)
+  console.log("val: \"" + port.val() + "\"");
+  let val = port.val();
+  let re = /(^\[[0-9]+,[0-9]+\]$)|(^[0-9]+$)/;
+  if (!re.test(val)){
+    port.addClass("is-invalid");
+  }
+  else {
+    console.log("ok");
+    port.removeClass("is-invalid");
+  }
+
+}
+
+function validateCidr(input){
+  var cidr = $(input)
+  //console.log("val: \"" + cidr.val() + "\"");
+  let val = cidr.val();
+  let re = /^(?:[0-9]{1,3}\.){3}[0-9]{1,3}\/([0-9]|[1-2][0-9]|3[0-2])$/;
+  if (!re.test(val)){
+    cidr.addClass("is-invalid");
+  }
+  else {
+    //console.log("ok");
+    cidr.removeClass("is-invalid");
+  }
+
+}
+
+function __attachValidationHandler(input) {
+  console.log(input);
+  var valfunc = input.data("validate-function");
+  if (typeof valfunc !== 'undefined' && valfunc.length > 0) {
+
+    input.on("blur", function(){
+        eval(valfunc)($(this));
+    });
+  }
+}
+
+$(document).ready(function () {
+  $("#depSubmit").find("input").each(function() {
+        __attachValidationHandler($(this));
+    });
+});
+
 </script>
 
 {% if enable_vault_integration and ssh_pub_key is none  %}
diff --git a/app/deployments/templates/deployments.html b/app/deployments/templates/deployments.html
index 6250a046d..b0aa285de 100644
--- a/app/deployments/templates/deployments.html
+++ b/app/deployments/templates/deployments.html
@@ -35,7 +35,7 @@ <h4 class="font-weight-bold text-primary">My deployments</h4>
         </div>
         <div class="card-body">
 
-    <div class="table-responsive">
+    <div class="table-responsive" style="overflow:inherit;">
     <table class="table table-striped table-hover" id="tableUserDeployments" width="100%" cellspacing="0">
     <!--Table head-->
       <thead>
@@ -84,22 +84,19 @@ <h4 class="font-weight-bold text-primary">My deployments</h4>
                   <span class="sr-only">Toggle Dropdown</span>
                 </button>
                 <div class="dropdown-menu">
-                  {% if deployment.locked == 0 %}
-                    <a class="dropdown-item" href="#delete_confirm_{{deployment.uuid}}" data-toggle="modal" data-backdrop="static" data-keyboard="false"
-                       data-target="#delete_confirm_{{deployment.uuid}}"><span class="fas fa-trash-alt mr-2"></span>Delete</a>
-                  {% endif %}
-                  <a class="dropdown-item" href="{{ url_for('deployments_bp.deptemplate', depid=deployment.uuid) }}"><span class="fas fa-search mr-2 grey-text"></span>Show template</a>
+                    <a class="dropdown-item" data-toggle="modal" data-target="#editDeployment" data-id="{{ deployment.uuid }}" data-description="{{ deployment.description }}" data-action="{{ url_for('deployments_bp.editdeployment') }}">
+                        <span class="fas fa-edit mr-2 grey-text"></span>Edit</a>
+                    <a class="dropdown-item" href="{{ url_for('deployments_bp.deptemplate', depid=deployment.uuid) }}"><span class="fas fa-search mr-2 grey-text"></span>Show template</a>
                   {% if enable_update_deployment == "yes" and deployment.updatable == 1 %}
                     <a class="dropdown-item" href="{{ url_for('deployments_bp.depupdate', depid=deployment.uuid) }}"><span class="fas fa-plus mr-2 grey-text"></span>Update</a>
                   {% endif %}
                   {% if deployment.deployment_type == "CLOUD" %}
                       <a class="dropdown-item {% if deployment.physicalId is not defined %}disabled{% endif %}" href="{{ url_for('deployments_bp.deplog', depid=deployment.uuid) }}">
                           <span class="fas fa-file-alt mr-2 grey-text"></span>Log</a>
-                  {% endif %}
-                  {% if deployment.locked == 0 %}
-                    <a class="dropdown-item" href="{{ url_for('deployments_bp.lockdeployment', depid=deployment.uuid) }}"><span class="fas fa-lock mr-2"></span>Lock</a>
-                  {% else %}
-                    <a class="dropdown-item" href="{{ url_for('deployments_bp.unlockdeployment', depid=deployment.uuid) }}"><span class="fas fa-lock-open mr-2"></span>Unlock</a>
+                      {% if enable_ports_request == "yes" %}
+                      <a class="dropdown-item" data-toggle="modal" data-target="#requestPorts" data-id="{{ deployment.uuid }}" data-action="{{ url_for('deployments_bp.sendportsrequest') }}" >
+                          <span class="fas fa-ticket-alt mr-2 grey-text"></span>Request Ports</a>
+                     {% endif %}
                   {% endif %}
                   {% if deployment.deployment_type == "CLOUD" and session['userrole'] == 'admin' %}
                       <a class="dropdown-item {% if deployment.physicalId is not defined %}disabled{% endif %}" href="{{ url_for('deployments_bp.depinfradetails', depid=deployment.uuid) }}">
@@ -109,7 +106,15 @@ <h4 class="font-weight-bold text-primary">My deployments</h4>
                       <a class="dropdown-item {% if deployment.physicalId is not defined %}disabled{% endif %}" href="{{ url_for('deployments_bp.depqcgdetails', depid=deployment.uuid) }}">
                           <span class="fas fa-bars mr-2 grey-text"></span>Job details</a>
                   {% endif %}
-                    </div>
+                  {% if deployment.locked == 0 %}
+                    <a class="dropdown-item" href="{{ url_for('deployments_bp.lockdeployment', depid=deployment.uuid) }}"><span class="fas fa-lock mr-2"></span>Lock</a>
+                    <a class="dropdown-item" style="color: red;" href="#delete_confirm_{{deployment.uuid}}" data-toggle="modal" data-backdrop="static" data-keyboard="false"
+                       data-target="#delete_confirm_{{deployment.uuid}}"><span class="fas fa-trash-alt mr-2"></span>Delete</a>
+                  {% else %}
+                    <a class="dropdown-item" href="{{ url_for('deployments_bp.unlockdeployment', depid=deployment.uuid) }}"><span class="fas fa-lock-open mr-2"></span>Unlock</a>
+                  {% endif %}
+
+                </div>
               </div>
             </td>
         </tr>
@@ -139,6 +144,76 @@ <h5 class="modal-title" id="delete_confirm_label_{{deployment.uuid}}">Confirm de
     </div>
     </div>
     <br><br>
+    <!-- Modal REQUEST PORTS -->
+    <div class="modal fade" id="requestPorts" tabindex="-1" role="dialog" aria-labelledby="requestPorts" aria-hidden="true">
+        <div class="modal-dialog modal-lg" role="document">
+            <div class="modal-content">
+                <div class="modal-header px-lg-5">
+                    <h5 class="modal-title" id="listingModalLabel">Request Ports</h5>
+                    <button class="close" type="button" data-dismiss="modal" aria-label="Close"><span aria-hidden="true">×</span></button>
+                </div>
+                <div class="modal-body">
+                    <form id="requestform" action="#" method="post">
+                        <div class="form-group">
+                            <label for="username"><strong>User</strong></label>
+                            <div>
+                                <input type="text" class="form-control" name="username" id="username" value="{{ session['username'] }}" disabled>
+                            </div>
+                        </div>
+                        <div class="form-group">
+                            <label for="email"><strong>Mail</strong></label>
+                            <div>
+                                <input type="email" class="form-control" name="email" id="email" value="{{ session['useremail'] }}" data-toggle="email">
+                            </div>
+                        </div>
+                        <div class="form-group">
+                            <label for="message">Message</label>
+                            <textarea required class="form-control" name="message" id="message" placeholder="Please, provide the list of ports to be opened." rows="3"></textarea>
+                        </div>
+                        <input type="hidden" name="deployment_uuid" value="">
+                        <div class="form-group">
+                            <div>
+                                <button type="submit" class="btn btn-success">Submit</button>
+                            </div>
+                        </div>
+                    </form>
+                </div>
+                <div class="modal-footer">
+                    <button type="button" class="btn btn-primary" data-dismiss="modal">Close</button>
+                </div>
+            </div>
+        </div>
+    </div>
+    <!-- Modal EDIT DEPLOYMENT -->
+    <div class="modal fade" id="editDeployment" tabindex="-1" role="dialog" aria-labelledby="editDeployment" aria-hidden="true">
+        <div class="modal-dialog modal-lg" role="document">
+            <div class="modal-content">
+                <div class="modal-header px-lg-5">
+                    <h5 class="modal-title">Edit</h5>
+                    <button class="close" type="button" data-dismiss="modal" aria-label="Close"><span aria-hidden="true">×</span></button>
+                </div>
+                <div class="modal-body">
+                    <form id="editform" action="#" method="post">
+                        <div class="form-group">
+                            <label for="description"><strong>Description</strong></label>
+                            <div>
+                                <input type="text" class="form-control" maxlength="50" name="description" id="description" value="">
+                            </div>
+                        </div>
+                        <input type="hidden" name="deployment_uuid" value="">
+                        <div class="form-group">
+                            <div>
+                                <button type="submit" class="btn btn-success">Submit</button>
+                            </div>
+                        </div>
+                    </form>
+                </div>
+                <div class="modal-footer">
+                    <button type="button" class="btn btn-primary" data-dismiss="modal">Cancel</button>
+                </div>
+            </div>
+        </div>
+    </div>
 </div>
 
 {% if ar.found %}
@@ -178,6 +253,34 @@ <h5 class="modal-title" id="delete_confirm_label_{{deployment.uuid}}">Confirm de
 });
 </script>
 
+<script>
+$('#requestPorts').on('show.bs.modal', function (event) {
+    var target = $(event.relatedTarget) // Button that triggered the modal
+    // Extract info from data-* attributes
+    var deployment = target.data('id')
+    var url = target.data('action')
+
+    var modal = $(this)
+    modal.find('.modal-title').text('Request ports for deployment \"' + deployment + '\"')
+    modal.find('input[name="deployment_uuid"]').val(deployment)
+    modal.find('#requestform').prop('action', url)
+})
+</script>
 
+<script>
+$('#editDeployment').on('show.bs.modal', function (event) {
+    var target = $(event.relatedTarget) // Button that triggered the modal
+    // Extract info from data-* attributes
+    var deployment = target.data('id')
+    var description = target.data('description')
+    var url = target.data('action')
+
+    var modal = $(this)
+    modal.find('.modal-title').text('Edit deployment \"' + deployment + '\"')
+    modal.find('input[name="deployment_uuid"]').val(deployment)
+    modal.find('input[name="description"]').val(description)
+    modal.find('#editform').prop('action', url)
+})
+</script>
 {% endblock %}
 
diff --git a/app/deployments/templates/depoutput.html b/app/deployments/templates/depoutput.html
index c80abb06a..b288bb9a1 100644
--- a/app/deployments/templates/depoutput.html
+++ b/app/deployments/templates/depoutput.html
@@ -37,7 +37,7 @@ <h4 class="font-weight-bold text-primary">{{ deployment.uuid }}</h4>
           <br>
           <p><b>STATUS:</b> {{deployment.status}}</p>
           {% if deployment.status_reason %}
-          <p><b>ERROR MSG:</b> {{deployment.status_reason}}</p>
+          <p style="white-space: pre-line;"><b>ERROR MSG:</b> {{deployment.status_reason}}</p>
           {% endif %}
           <p><b>CREATED AT:</b> {{deployment.creation_time}}</p>
           <p><b>UPDATED AT:</b> {{deployment.update_time}}</p>
diff --git a/app/deployments/templates/input_types.html b/app/deployments/templates/input_types.html
index bc0903f5d..3bd3647ea 100644
--- a/app/deployments/templates/input_types.html
+++ b/app/deployments/templates/input_types.html
@@ -5,7 +5,7 @@
  {% set mode = "" %}
 {% endif %}
 <div class="form-group" id="form-group-{{key}}">
-  {% if (value.type is not defined or (value.type != "hidden" and value.type != "swift_token" and value.type != "swift_autouuid" and value.type != "random_password" and value.type != "openstack_ec2credentials" and value.type != "uuidgen" and value.type != "ldap_user" and value.type != "ssh_user"))
+  {% if (value.type is not defined or (value.type != "hidden" and value.type != "swift_token" and value.type != "swift_autouuid" and value.type != "random_password" and value.type != "openstack_ec2credentials" and value.type != "uuidgen" and value.type != "ldap_user" and value.type != "ssh_user" and value.type != "userinfo"))
           and (update == False or value.updatable is not defined or value.updatable == True)%}
   <label for="{{key}}">
     {% if value.display_name is defined %}
@@ -29,6 +29,13 @@
       <input type="number" step="any" class="form-control" data-type="{{value.type}}" id="{{key}}" name="{{key}}" value="{{value.default}}" aria-describedby="help{{key}}" placeholder="{{value.placeholder}}" {% if value.required %}required{%endif%} {{mode}} />
     <!-- end number types -->
 
+      <!-- boolean type -->
+    {% elif value.type == "boolean" %}
+      <select class="js-example-basic-single js-states form-control" data-type="{{value.type}}" id="{{key}}" name="{{key}}" {{mode}}>
+        <option value="true" {% if value.default|lower =="true" %}selected="selected"{% endif %}>true</option>
+        <option value="false" {% if value.default|lower =="false" %}selected="selected"{% endif %}>false</option>
+      </select>
+
     <!-- list text type -->
     {% elif value.type == "list" and value.entry_schema.type|lower == "string" %}
       <fieldset class="border p-2">
@@ -51,7 +58,7 @@
       {% set range_min = value.constraints['in_range'][0].split(' ')[0] %}
       {% set range_max = value.constraints['in_range'][1].split(' ')[0] %}
       {% endif %}
-      <div class="input-group mb-3">
+      <div class="input-group">
         <input type="number" min="{{range_min}}" max="{{range_max}}" class="form-control" aria-describedby="{{key}}_append" data-validate-function="validateScalarUnitSize" data-type="{{value.type}}" data-units="{{value.default.split(' ')[1]}}" id="{{key}}" name="{{key}}" value="{{value.default.split(' ')[0]}}" {% if value.required %}required{%endif%} {{mode}} />
         <div class="input-group-append">
           <span class="input-group-text" id="{{key}}_append">{{value.default.split(' ')[1]}}</span>
@@ -60,7 +67,7 @@
     <!-- end scalar-unit.size type-->
 
     <!-- hidden types -->
-    {% elif value.type == "hidden" or value.type == "openstack_ec2credentials" or value.type == "uuidgen" or value.type == "ldap_user" or value.type == "ssh_user" %}
+    {% elif value.type == "hidden" or value.type == "openstack_ec2credentials" or value.type == "uuidgen" or value.type == "ldap_user" or value.type == "ssh_user" or value.type == "userinfo" %}
       <input type="hidden" class="form-control" data-type="{{value.type}}" id="{{key}}" name="{{key}}" value="{{value.default}}" >
     <!-- end hidden types -->
 
@@ -94,6 +101,13 @@
       {% include 'inputs/dependent_select.html' %}
     <!-- end select type -->
 
+    {% elif value.type == "multiselect" %}
+     <select class="js-example-basic-multiple form-control" id="{{key}}" name="{{key}}" multiple="multiple" {{mode}}>
+       {% for opt in value.options | python_eval %}
+        <option value="{{opt}}" style="margin: 2px;">{{opt}}</option>
+       {% endfor %}
+     </select>
+
     <!-- radio type -->
     {% elif value.type == "radio" %}
       {% for constraint in value.constraints %}
@@ -158,7 +172,8 @@ <h5 class="modal-title">Storage encryption alert</h5>
     <!-- end Port field -->
 
     <!-- Port field -->
-    {% elif value.type == "map" and value.entry_schema.type == "tosca.datatypes.network.PortSpec" %}
+    {% elif value.type == "map" and (value.entry_schema.type == "tosca.datatypes.network.PortSpec" or value.entry_schema.type == "tosca.datatypes.indigo.network.PortSpec") %}
+    {% set ports_type = "indigo" if 'indigo' in value.entry_schema.type else "" %}
       <fieldset class="border p-2">
       {% include 'inputs/ports.html' %}
       </fieldset>
@@ -218,6 +233,12 @@ <h5 class="modal-title">Storage encryption alert</h5>
 
 });
 
+$(document).ready(function() {
+    $('.js-example-basic-multiple').select2({
+      width: '100%' // https://github.com/select2/select2/issues/4220
+    });
+});
+
 </script>
 
 
diff --git a/app/deployments/templates/inputs/dependent_definition.html b/app/deployments/templates/inputs/dependent_definition.html
index 47268db51..0ea838355 100644
--- a/app/deployments/templates/inputs/dependent_definition.html
+++ b/app/deployments/templates/inputs/dependent_definition.html
@@ -1,5 +1,5 @@
 <div class="dependent_definition" id="{{key}}" data-input-name="{{key}}" data-child-id="[]" data-parent-id="{{value.parent}}" data-input-ref="{{value.constraints}}">
-    <input type="hidden" id="{{key}}-type" name="{{key}}-type" value="">
+    <input type="hidden" id="{{key}}-ref" name="{{key}}-ref" value="">
 </div>
 
 
@@ -61,8 +61,8 @@
          div.find('input').prop("disabled", false);
          div.find('select').prop("disabled", false);
 
-         //set type name
-         $('#' + iname + "-type").val(input.attr('data-type'));
+         //set ref name
+         $('#' + iname + "-ref").val(element['ref']);
       }
 
      });
diff --git a/app/deployments/templates/inputs/ports.html b/app/deployments/templates/inputs/ports.html
index c893dcda8..9a077f152 100644
--- a/app/deployments/templates/inputs/ports.html
+++ b/app/deployments/templates/inputs/ports.html
@@ -1,7 +1,7 @@
 <div class="mt-2">
     <div id="{{key}}-container"></div>
-    <button type="button" class="btn btn-sm btn-outline-info" id="add-new-item" class="add-new" data-tag-name="{{key}}" onclick="addRule(this)">Add rule</button>
-    <input id="id-{{key}}" type="hidden" data-output-type="json" name="{{key}}" value""/>
+    <button type="button" class="btn btn-sm btn-outline-info" id="add-new-item" class="add-new" data-tag-name="{{key}}" onclick="addRule(this, '{{ports_type}}')">Add rule</button>
+    <input id="id-{{key}}" type="hidden" data-output-type="json" name="{{key}}" value=""/>
 </div>
 
 
@@ -11,9 +11,13 @@
 // initialize a unique counter
 let {{key}}_idx = 1;
 
-function addRule(elem) {
+function addRule(elem, ports_type) {
     j = {{key}}_idx;
     var tagname = elem.getAttribute('data-tag-name');
+    var enableRemoteCidr = 'disabled';
+    if (ports_type == 'indigo'){
+        enableRemoteCidr = 'enabled';
+    }
     let template = `
         <div class="form-row" id="${tagname}-${j}">
           <div enctype='application/json' class="form-group">
@@ -25,11 +29,17 @@
           </div>
           <div class="form-group">
             <label>Port Range</label> <br>
-            <input type="text" class="form-control" name="${tagname}_tmp[${j}][source]" pattern="(\[[0-9]+,[0-9]+\])|[0-9]+" class="form-control" placeholder="e.g. [8080,8082] or 80" required>
+            <input type="text" class="form-control" name="${tagname}_tmp[${j}][source]" onblur="validatePorts(this)" class="form-control" placeholder="e.g. [8080,8082] or 80" required>
+            <div class="invalid-feedback">
+              Please respect the required format: <strong>[0-9]+</strong> for single port (e.g. 8080);<br> <strong>\[[0-9]+,[0-9]+\]</strong> for port range (e.g. [8080,8082]).
+            </div>
           </div>
           <div class="form-group">
             <label>Source</label> <br>
-            <input type="text" class="form-control" name="${tagname}_tmp[${j}][source_cidr]" pattern="[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}.[0-9]{1,3}/[0-9]{1,2}" class="form-control" value="0.0.0.0/0" disabled>
+            <input type="text" class="form-control" name="${tagname}_tmp[${j}][remote_cidr]" onblur="validateCidr(this)" class="form-control" value="0.0.0.0/0" ${enableRemoteCidr} required>
+            <div class="invalid-feedback">
+              Please respect the CIDR notation: e.g. <strong>192.168.0.0/24</strong>.<br>For single IP: <strong>192.168.22.32/32</strong>.<br><strong>0.0.0.0/0</strong> allows access from all IP addresses.
+            </div>
           </div>
           <div class="p-3 mt-2">
             <button type=button class='btn btn-sm btn-outline-danger' href="" onclick="javascript:removeRule('${tagname}'+ '-' + ${j} + ''); return false;">Remove</button>
diff --git a/app/errors/routes.py b/app/errors/routes.py
index b14ab5aa3..3ea539303 100644
--- a/app/errors/routes.py
+++ b/app/errors/routes.py
@@ -16,9 +16,9 @@
 from app import app
 
 errors_bp = Blueprint('errors', __name__,
-                           template_folder='templates',
-                           static_folder='static'
-                           )
+                      template_folder='templates',
+                      static_folder='static'
+                      )
 
 
 @errors_bp.app_errorhandler(403)
diff --git a/app/home/routes.py b/app/home/routes.py
index a34ab5c54..19ab02f1e 100644
--- a/app/home/routes.py
+++ b/app/home/routes.py
@@ -12,11 +12,12 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-from .. import app, iam_blueprint, tosca
-from app.lib import utils, auth, settings, dbhelpers, openstack
+from .. import app, tosca
+from app.lib import utils, mail_utils, auth, settings, dbhelpers, openstack
 from app.models.User import User
 from markupsafe import Markup
 from flask import Blueprint, json, render_template, request, redirect, url_for, session, make_response, flash
+from flask_login import logout_user
 import json
 
 iam_base_url = settings.iamUrl
@@ -30,6 +31,7 @@
 app.jinja_env.filters['tojson_pretty'] = utils.to_pretty_json
 app.jinja_env.filters['extract_netinterface_ips'] = utils.extract_netinterface_ips
 app.jinja_env.filters['intersect'] = utils.intersect
+app.jinja_env.filters['python_eval'] = utils.python_eval
 
 toscaInfo = tosca.tosca_info
 
@@ -62,38 +64,48 @@ def is_template_locked(allowed_groups, user_groups):
     else:
         return True
 
-
-def set_template_access(tosca, user_groups):
+def set_template_access(tosca, user_groups, active_group):
     info = {}
     for k, v in tosca.items():
-        access_locked = is_template_locked(v.get("metadata").get("allowed_groups"), user_groups)
-        if ("visibility" not in v.get("metadata") or v["metadata"]["visibility"] == "public") or not access_locked:
+        allowed_groups = v.get("metadata").get("allowed_groups")
+        if not allowed_groups:
+          app.logger.error("Null - {}".format(k))
+        access_locked = is_template_locked(allowed_groups, user_groups)
+        if (access_locked and ("visibility" not in v.get("metadata") or v["metadata"]["visibility"] == "public")) or (not access_locked and (active_group in allowed_groups.split(',') or allowed_groups == "*")):
             v["metadata"]["access_locked"] = access_locked
-            info[k] = v
+            info[k]=v
     return info
 
 
-def check_template_access(user_groups):
+def check_template_access(user_groups, active_group):
     if tosca.tosca_gmetadata:
-        templates_info = set_template_access(tosca.tosca_gmetadata, user_groups)
+        templates_info = set_template_access(tosca.tosca_gmetadata, user_groups, active_group)
         enable_template_groups = True
     else:
-        templates_info = set_template_access(toscaInfo, user_groups)
+        templates_info = set_template_access(toscaInfo, user_groups, active_group)
         enable_template_groups = False
     return templates_info, enable_template_groups
 
-
 @app.route('/')
 @home_bp.route('/')
 def home():
-    if not iam_blueprint.session.authorized:
+    auth_blueprint = app.get_auth_blueprint()
+    try:
+        if auth_blueprint is None or not auth_blueprint.session.authorized:
+            return redirect(url_for('home_bp.login'))
+        account_info = app.get_auth_userinfo()
+    except Exception as e:
+        app.logger.error("Invalid user/token: {}".format(str(e)))
+        flash("Invalid user/token. Please login again.", 'danger')
         return redirect(url_for('home_bp.login'))
 
-    account_info = iam_blueprint.session.get("/userinfo")
+    templates_info = {}
+    tg = False
 
     if account_info.ok:
         account_info_json = account_info.json()
-        user_groups = account_info_json['groups']
+        user_groups = session['usergroups']  # auth_blueprint.session['usergroups']
+        # user_groups = account_info_json['groups']
         user_id = account_info_json['sub']
 
         supported_groups = []
@@ -102,14 +114,6 @@ def home():
             if len(supported_groups) == 0:
                 app.logger.warning("The user {} does not belong to any supported user group".format(user_id))
 
-        session['userid'] = user_id
-        session['username'] = account_info_json['name']
-        session['preferred_username'] = account_info_json['preferred_username']
-        session['useremail'] = account_info_json['email']
-        session['userrole'] = 'user'
-        session['gravatar'] = utils.avatar(account_info_json['email'], 26)
-        session['organisation_name'] = account_info_json['organisation_name']
-        session['usergroups'] = user_groups
         session['supported_usergroups'] = supported_groups
         if 'active_usergroup' not in session:
             session['active_usergroup'] = next(iter(supported_groups), None)
@@ -139,17 +143,7 @@ def home():
 
         session['userrole'] = user.role  # role
 
-        # templates_info = {}
-        # tg = False
-        #
-        # if tosca.tosca_gmetadata:
-        #     templates_info = {k: v for (k, v) in tosca.tosca_gmetadata.items() if
-        #              check_template_access(v.get("metadata").get("allowed_groups"), user_groups)}
-        #     tg = True
-        # else:
-        #     templates_info = {k: v for (k, v) in toscaInfo.items() if
-        #      check_template_access(v.get("metadata").get("allowed_groups"), user_groups)}
-        templates_info, enable_template_groups = check_template_access(user_groups)
+        templates_info, enable_template_groups = check_template_access(user_groups, session['active_usergroup'] )
 
         return render_template(app.config.get('PORTFOLIO_TEMPLATE'), templates_info=templates_info,
                                enable_template_groups=enable_template_groups)
@@ -165,8 +159,16 @@ def set_active_usergroup():
 
 @home_bp.route('/logout')
 def logout():
+
+    # blueprint = app.get_auth_blueprint()
+    # if blueprint is not None:
+    #    blueprint.session.get("/logout")
+    oauth = app.get_user_oauth()
+    if oauth is not None:
+        dbhelpers.delete_object(oauth)
+
+    logout_user()
     session.clear()
-    iam_blueprint.session.get("/logout")
     return redirect(url_for('home_bp.login'))
 
 
@@ -211,25 +213,25 @@ def callback():
     if mail_sender and user_email != '' and rf == 1:
         if status == 'CREATE_COMPLETE':
             try:
-                utils.create_and_send_email("Deployment complete", mail_sender, [user_email], uuid, status)
+                mail_utils.create_and_send_email("Deployment complete", mail_sender, [user_email], uuid, status)
             except Exception as error:
                 utils.logexception("sending email:".format(error))
 
         if status == 'CREATE_FAILED':
             try:
-                utils.create_and_send_email("Deployment failed", mail_sender, [user_email], uuid, status)
+                mail_utils.create_and_send_email("Deployment failed", mail_sender, [user_email], uuid, status)
             except Exception as error:
                 utils.logexception("sending email:".format(error))
 
         if status == 'UPDATE_COMPLETE':
             try:
-                utils.create_and_send_email("Deployment update complete", mail_sender, [user_email], uuid, status)
+                mail_utils.create_and_send_email("Deployment update complete", mail_sender, [user_email], uuid, status)
             except Exception as error:
                 utils.logexception("sending email:".format(error))
 
         if status == 'UPDATE_FAILED':
             try:
-                utils.create_and_send_email("Deployment update failed", mail_sender, [user_email], uuid, status)
+                mail_utils.create_and_send_email("Deployment update failed", mail_sender, [user_email], uuid, status)
             except Exception as error:
                 utils.logexception("sending email:".format(error))
 
@@ -245,17 +247,18 @@ def getauthorization():
     tasks = json.loads(request.form.to_dict()["pre_tasks"].replace("'", "\""))
 
     functions = {'openstack.get_unscoped_keystone_token': openstack.get_unscoped_keystone_token,
-                 'send_mail': utils.send_authorization_request_email}
+                 'send_mail': mail_utils.send_authorization_request_email}
 
     for task in tasks["pre_tasks"]:
         func = task["action"]
         args = task["args"]
-        args["access_token"] = iam_blueprint.session.token['access_token']
+        args["access_token"] = app.get_auth_blueprint().session.token['access_token']
         if func in functions:
             functions[func](**args)
 
     return render_template("success_message.html", title="Message sent",
-                           message="Your request has been sent to the support team. <br>You will receive soon a notification email about your request. <br>Thank you!")
+                           message="Your request has been sent to the support team. "
+                                   "<br>You will receive soon a notification email about your request. <br>Thank you!")
 
 
 @home_bp.route('/sendaccessreq', methods=['POST'])
@@ -263,10 +266,12 @@ def sendaccessrequest():
     form_data = request.form.to_dict()
 
     try:
-        utils.send_authorization_request_email(form_data['service_type'], email=form_data['email'], message=form_data['message'])
+        mail_utils.send_authorization_request_email(form_data['service_type'], email=form_data['email'],
+                                                    message=form_data['message'])
 
         flash(
-            "Your request has been sent to the support team. You will receive soon a notification email about your request. Thank you!",
+            "Your request has been sent to the support team. "
+            "You will receive soon a notification email about your request. Thank you!",
             "success")
 
     except Exception as error:
@@ -285,10 +290,10 @@ def contact():
     try:
         message = Markup(
             "Name: {}<br>Email: {}<br>Message: {}".format(form_data['name'], form_data['email'], form_data['message']))
-        utils.send_email("New contact",
-                   sender=app.config.get('MAIL_SENDER'),
-                   recipients=[app.config.get('SUPPORT_EMAIL')],
-                   html_body=message)
+        mail_utils.send_email("New contact",
+                              sender=app.config.get('MAIL_SENDER'),
+                              recipients=[app.config.get('SUPPORT_EMAIL')],
+                              html_body=message)
 
     except Exception as error:
         utils.logexception("sending email:".format(error))
diff --git a/app/home/static/css/style.css b/app/home/static/css/style.css
index f2b998a15..11189a4c9 100644
--- a/app/home/static/css/style.css
+++ b/app/home/static/css/style.css
@@ -264,11 +264,16 @@ hr.style-seven:before { /* Not really supposed to work, but does */
 }
 
 .login-btn {
+    position: relative;
     border: 4px solid #eee;
     -moz-box-shadow:    0px 0px 20px #ccc;
     -webkit-box-shadow: 0px 0px 20px #ccc;
     box-shadow:         0px 0px 20px #ccc;
+}
 
+.login-btn > i {
+  font-size: 20px;
+  font-family: FontAwesome, 'Raleway', sans-serif;
 }
 
 .project-thumb {
@@ -299,7 +304,7 @@ hr.style-seven:before { /* Not really supposed to work, but does */
 
 /*-- Custom Modal Settings --*/
 .modal-content {
-  border-radius: 0;
+  border-radius: 10px;
 }
 
 .modal-dialog {
@@ -307,6 +312,12 @@ hr.style-seven:before { /* Not really supposed to work, but does */
   margin: 0 auto; /* Eliminate top margin on bootstrap modal */
 }
 
+.modal-header > p {
+  display: inline; 
+  color: black; 
+  font-size: 20px;
+}
+
 .modal-thumb img {
   width: 66%;
   padding-top: 20px;
@@ -319,6 +330,11 @@ hr.style-seven:before { /* Not really supposed to work, but does */
   margin: 0 auto;
 }
 
+.modal-body > div > a {
+  font-size: 18px; 
+  display: block;
+}
+
 .close {
   font-size: 40px;
   font-weight: 200;
@@ -387,4 +403,4 @@ footer {
   }
 
   
-}
\ No newline at end of file
+}
diff --git a/app/home/static/images/egi_logo.png b/app/home/static/images/egi_logo.png
new file mode 100644
index 000000000..6d16b0baf
Binary files /dev/null and b/app/home/static/images/egi_logo.png differ
diff --git a/app/home/templates/base.html b/app/home/templates/base.html
index d088ccf77..346090806 100644
--- a/app/home/templates/base.html
+++ b/app/home/templates/base.html
@@ -23,8 +23,8 @@
     <script type="text/javascript" src="https://cdn.datatables.net/responsive/2.2.2/js/responsive.bootstrap4.min.js"></script>
     <script type="text/javascript" src="https://cdn.datatables.net/scroller/2.0.0/js/dataTables.scroller.min.js"></script>
     <!-- Select2 -->
-    <link href="https://cdnjs.cloudflare.com/ajax/libs/select2/4.0.6-rc.0/css/select2.min.css" rel="stylesheet">
-    <script src="https://cdnjs.cloudflare.com/ajax/libs/select2/4.0.6-rc.0/js/select2.min.js"></script>
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/select2/4.1.0-rc.0/js/select2.min.js" integrity="sha512-4MvcHwcbqXKUHB6Lx3Zb5CEAVoE9u84qN+ZSMM6s7z8IeJriExrV3ND5zRze9mxNlABJ6k864P/Vl8m0Sd3DtQ==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
+    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/select2/4.1.0-rc.0/css/select2.min.css" integrity="sha512-aD9ophpFQ61nFZP6hXYu4Q/b/USW7rpLCQLX6Bi0WJHXNO7Js/fUENpBQf/+P4NtpzNX0jSgR5zVvPOJp+W2Kg==" crossorigin="anonymous" referrerpolicy="no-referrer" />
     <!-- Toggle -->
     <link href="https://cdn.jsdelivr.net/gh/gitbrent/bootstrap4-toggle@3.4.0/css/bootstrap4-toggle.min.css" rel="stylesheet">
     <script src="https://cdn.jsdelivr.net/gh/gitbrent/bootstrap4-toggle@3.4.0/js/bootstrap4-toggle.min.js"></script>
@@ -124,7 +124,7 @@
                 </ul>
                 {% if session['username'] %}
                 <ul class="navbar-nav ml-auto">
-                    {% if session['active_usergroup'] != None %}
+                    {% if session['active_usergroup'] != None and 'gets3creds' not in request.path and 'overview' not in request.path %}
                     <li class="nav-item dropdown">
                         <a class="nav-link dropdown-toggle" data-toggle="dropdown" href="#">
                             {{ session['active_usergroup'] }}<span class="caret"></span>
@@ -146,6 +146,10 @@
                             <a class="dropdown-item" href="{{ url_for('vault_bp.ssh_keys') }}">SSH keys</a>
                             <a class="dropdown-item" href="{{ url_for("vault_bp.manage_service_creds") }}">Service Credentials</a>
                             {% endif %}
+                            {% set s3_groups = ( s3_allowed_groups | intersect(session['supported_usergroups'])) %}
+                            {% if enable_s3creds == "yes" and (session['userrole']=='user:s3' or (s3_allowed_groups|length==0 or s3_groups|length >= 1)) %}
+                            <a class="dropdown-item" href="{{ url_for('swift_bp.gets3creds') }}">S3 credentials</a>
+                            {% endif %}
                             <div class="dropdown-divider"></div>
                             <a class="dropdown-item" href="{{ url_for("home_bp.logout") }}">Logout</a>
                         </div>
diff --git a/app/home/templates/deep/home.html b/app/home/templates/deep/home.html
index b45959da6..ef1021ba5 100644
--- a/app/home/templates/deep/home.html
+++ b/app/home/templates/deep/home.html
@@ -9,7 +9,7 @@
         <h1 class="display-4">{{ welcome_message }}</h1>
         <p></p>
         <p>
-          <a class="btn btn-primary btn-lg" role="button" href="{{ url_for("iam.login") }}">Please login, or register &raquo;</a>
+          <button type="button" class="btn btn-primary" data-wow-delay="0.4s" data-toggle="modal" data-target="#signinModal">Sign in</button>
         </p>
       </div>
       <div class="col-lg-3">
@@ -17,6 +17,34 @@ <h1 class="display-4">{{ welcome_message }}</h1>
       </div>
     </div>
   </div>
+
+    <!-- Modal -->
+    <div class="modal fade" id="signinModal" tabindex="-1" role="dialog" aria-labelledby="signinModalLabel" aria-hidden="true">
+      <div class="modal-dialog modal-notify modal-info modal-sm" role="document">
+        <div class="modal-content">
+          <div class="modal-header">
+            <p class="heading lead" style="color: black">Sign in with:</p>
+            <!-- h4 class="modal-title w-100 font-weight-bold">Sign in</h4-->
+            <button type="button" class="close" data-dismiss="modal" aria-label="Close">
+              <span aria-hidden="true" class="white-text">&times;</span>
+            </button>
+          </div>
+          <div class="modal-body mx-3">
+            <!--div class="md-form mb-5"-->
+              <div class="row justify-content-center">
+                <a class="btn btn-outline-black wow fadeInDown" data-wow-delay="0.4s" href="{{ url_for('iam.login') }}"><img src="/home/static/images/indigodc_logo.png" height="25"/>&nbsp;INDIGO - IAM</a>
+              </div>
+              {% if is_egi_aai_enabled is defined %}
+              <div class="row justify-content-center">
+                <a class="btn btn-outline-black wow fadeInDown" data-wow-delay="0.4s" href="{{ url_for('egiaai.login') }}"><img src="/home/static/images/egi_logo.png" height="25"/>&nbsp;EGI Checkin</a>
+              </div>
+              {% endif %}
+            <!--/div-->
+          </div>
+        </div>
+      </div>
+    </div>
+
 </div>
 
 <style>
diff --git a/app/home/templates/home.html b/app/home/templates/home.html
index 50e96cc02..083a6bf10 100644
--- a/app/home/templates/home.html
+++ b/app/home/templates/home.html
@@ -23,8 +23,9 @@
 		<!-- Import Google Font -->
 		<link href='https://fonts.googleapis.com/css?family=Raleway:400,100' rel='stylesheet' type='text/css'>
         <!-- Bootstrap -->
-        <link rel='stylesheet' href='https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css'><link rel="stylesheet" href="static/css/style.css">
+        <link rel='stylesheet' href='https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css'>
 
+        <link rel="stylesheet" href="static/css/style.css">
 
 </head>
 <body>
@@ -33,14 +34,38 @@
   <div class="container">
     <br>
     <img src="static/images/background2.jpeg" class="parallax-img">
-    <!--img src="static/images/indigodc_logo.png" alt="INDIGO-DataCloud" class="profile-img"-->
     <h1>INDIGO-DC PaaS Orchestrator</h1>
     <hr class="style-seven" />
     <h4>High level orchestration of heterogeneous Cloud resources</h4>
     <p>
-      <a class="btn btn-lg login-btn" style="border-radius: 0;background: #38A1DB;" href="{{ url_for("iam.login") }}" role="button" target="_blank"><i class="fa fa-sign-in"> Login</i></a>
+      <button type="button" class="btn btn-info login-btn" data-toggle="modal" data-target="#signinModal"><i class="fa fa-sign-in"> Login</i></button>
     </p>
   </div>
+
+    <!-- Modal -->
+    <div class="modal fade" id="signinModal" tabindex="-1" role="dialog" aria-labelledby="signinModalLabel" aria-hidden="true">
+      <div class="modal-dialog modal-sm" style="margin: 20px auto;" role="document">
+        <div class="modal-content">
+          <div class="modal-header">
+            <p class="lead">Sign in with:</p>
+            <button type="button" class="close" data-dismiss="modal" aria-label="Close">
+              <span aria-hidden="true">&times;</span>
+            </button>
+          </div>
+          <div class="modal-body">
+              <div class="row">
+                <a class="btn" href="{{ url_for('iam.login') }}"><img src="/home/static/images/indigodc_logo.png" height="40"/>&nbsp;INDIGO - IAM</a>
+              </div>
+              {% if is_egi_aai_enabled is defined %}
+              <div class="row">
+                <a class="btn" href="{{ url_for('egiaai.login') }}"><img src="/home/static/images/egi_logo.png" height="40"/>&nbsp;EGI Checkin</a>
+              </div>
+              {% endif %}
+          </div>
+        </div>
+      </div>
+    </div>
+
 </div>
 
 <!------------------------------------
@@ -77,7 +102,7 @@ <h4>High level orchestration of heterogeneous Cloud resources</h4>
             <li><a href="#about">About</a></li>
             <li><a href="#projects">Projects</a></li>
             <li><a href="#contact">Contact</a></li>
-            <li><button class="btn btn-info navbar-btn" onclick="window.location.href='{{ url_for("iam.login") }}';">Sign in</button></li>
+            <!--<li><button class="btn btn-info navbar-btn" onclick="window.location.href='{{ url_for("iam.login") }}';">Sign in</button></li>-->
           </ul>
         </div>
         <!-- END .navbar-collapse -->
@@ -140,7 +165,7 @@ <h3>Docker compose</h3>
         <div class="row">
           <div class="col-md-12 soft-transition">
             <br>
-            <a class="btn btn-lg btn-info" role="button" href="{{url_for('iam.login')}}">Try it now!</a>
+            <a class="btn btn-lg btn-info" role="button" data-toggle="modal" data-target="#signinModal">Try it now!</a>
           </div>
         </div>
 
@@ -233,11 +258,9 @@ <h1>Contact</h1>
         <fieldset class="form-group">
           <textarea class="form-control" id="input_project_info" rows="3" placeholder="Tell us about your project!" name="message"></textarea>
         </fieldset>
+        <input type="submit" id="submit" class="btn btn-clear-light soft-transition" name="submit" value="Send">
+      </form>
     </div>
-    <input type="submit" id="submit" class="btn btn-clear-light soft-transition" name="submit" value="Send">
-    </form>
-
-</div>
 
 </section>
 
@@ -257,4 +280,4 @@ <h1>Contact</h1>
 <script src='https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js'></script><script  src="static/js/script.js"></script>
 
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/app/home/templates/portfolio.html b/app/home/templates/portfolio.html
index 82e36eccd..b97c18445 100644
--- a/app/home/templates/portfolio.html
+++ b/app/home/templates/portfolio.html
@@ -53,8 +53,11 @@ <h5>
                        <!-- maintenance: do not show configure button -->
                     {% else %}
                     <div class="col-4">
-                    {% import 'configure.j2' as configure %}
-                    {{ configure.create_configure_button(enable_template_groups, tosca_name, tosca['metadata']['allowed_groups']) }}
+                        {% if enable_template_groups %}
+                        <a href="{{ url_for('deployments_bp.configure', selected_group=tosca_name) }}" class="badge badge-pill badge-primary">Configure</a>
+                        {% else %}
+                        <a href="{{ url_for('deployments_bp.configure', selected_tosca=tosca_name) }}" class="badge badge-pill badge-primary">Configure</a>
+                        {% endif %}
                     </div>
                     {% endif %}
                 </div>
diff --git a/app/lib/ToscaInfo.py b/app/lib/ToscaInfo.py
index 7a455d4cc..74d6aafc6 100644
--- a/app/lib/ToscaInfo.py
+++ b/app/lib/ToscaInfo.py
@@ -117,8 +117,9 @@ def extracttoscainfo(self, template, tosca):
                 tosca_metadata_path = self.tosca_metadata_dir + "/"
                 for mpath, msubs, mnames in os.walk(tosca_metadata_path):
                     for mname in mnames:
-                        if fnmatch(mname, os.path.splitext(tosca)[0] + '.metadata.yml') or \
-                                fnmatch(mname, os.path.splitext(tosca)[0] + '.metadata.yaml'):
+                        fmname = os.path.relpath(os.path.join(mpath, mname), self.tosca_metadata_dir)
+                        if fnmatch(fmname, os.path.splitext(tosca)[0] + '.metadata.yml') or \
+                                fnmatch(fmname, os.path.splitext(tosca)[0] + '.metadata.yaml'):
                             # skip hidden files
                             if mname[0] != '.':
                                 tosca_metadata_file = os.path.join(mpath, mname)
@@ -157,8 +158,9 @@ def extracttoscainfo(self, template, tosca):
                 tosca_pars_path = self.tosca_params_dir + "/"  # this has to be reassigned here because is local.
                 for fpath, subs, fnames in os.walk(tosca_pars_path):
                     for fname in fnames:
-                        if fnmatch(fname, os.path.splitext(tosca)[0] + '.parameters.yml') or \
-                                fnmatch(fname, os.path.splitext(tosca)[0] + '.parameters.yaml'):
+                        ffname = os.path.relpath(os.path.join(fpath, fname), self.tosca_params_dir)
+                        if fnmatch(ffname, os.path.splitext(tosca)[0] + '.parameters.yml') or \
+                                fnmatch(ffname, os.path.splitext(tosca)[0] + '.parameters.yaml'):
                             # skip hidden files
                             if fname[0] != '.':
                                 tosca_pars_file = os.path.join(fpath, fname)
@@ -222,7 +224,7 @@ def eleasticdeployment(template):
 
 def updatabledeployment(inputs):
     updatable = False
-    for key,value in inputs.items():
+    for key, value in inputs.items():
         if 'updatable' in value:
             if value['updatable'] == True:
                 updatable = True
diff --git a/app/lib/VaultClient.py b/app/lib/VaultClient.py
index 72461575a..428226f7e 100644
--- a/app/lib/VaultClient.py
+++ b/app/lib/VaultClient.py
@@ -118,7 +118,8 @@ def write_secret(self, token, secret_path, key, value):
         secret_dict=dict()
         secret_dict[key]=value
         try:
-            response = self.client.secrets.kv.v2.create_or_update_secret(path=secret_path, mount_point='secrets', cas=0, secret=secret_dict)
+            response = self.client.secrets.kv.v2.create_or_update_secret(path=secret_path, mount_point='secrets',
+                                                                         cas=0, secret=secret_dict)
         except hvac.exceptions.InvalidRequest as e:
             raise Exception("[FATAL] Unable to write vault path: {}".format(str(e)))
 
diff --git a/app/lib/auth.py b/app/lib/auth.py
index 854901162..8747458d0 100644
--- a/app/lib/auth.py
+++ b/app/lib/auth.py
@@ -12,18 +12,25 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-from app import app, iam_blueprint
-from flask import redirect, render_template, session, url_for, json
+from app import app
+from flask import render_template, session, json
 from functools import wraps
 import ast
 import requests
-from . import utils, settings
+from . import utils, settings, dbhelpers
+
+
+def get_access_token(sub):
+    user = dbhelpers.get_user(sub)
+    if user is not None:
+        return user.oauth.token
+    return None
 
 
 def validate_configuration():
     if not settings.orchestratorConf.get('im_url'):
         app.logger.debug("Trying to (re)load config from Orchestrator: " + json.dumps(settings.orchestratorConf))
-        access_token = iam_blueprint.session.token['access_token']
+        access_token = app.get_auth_blueprint().session.token['access_token']
         configuration = utils.getorchestratorconfiguration(settings.orchestratorUrl, access_token)
         settings.orchestratorConf = configuration
 
@@ -32,12 +39,12 @@ def authorized_with_valid_token(f):
     @wraps(f)
     def decorated_function(*args, **kwargs):
 
-        if not iam_blueprint.session.authorized or 'username' not in session:
-            return redirect(url_for('iam.login'))
+        if not app.get_auth_blueprint().session.authorized or 'username' not in session:
+            return render_template(app.config.get('HOME_TEMPLATE'))
 
-        if iam_blueprint.session.token['expires_in'] < 60:
+        if app.get_auth_blueprint().session.token['expires_in'] < 60:
             app.logger.debug("Force refresh token")
-            iam_blueprint.session.get('/userinfo')
+            app.get_auth_userinfo()
 
         validate_configuration()
 
diff --git a/app/lib/dbhelpers.py b/app/lib/dbhelpers.py
index 94c01d587..a897ce463 100644
--- a/app/lib/dbhelpers.py
+++ b/app/lib/dbhelpers.py
@@ -12,18 +12,24 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-from app import app, iam_blueprint, db
+from app import app, db
 from . import settings
 import requests
 from dateutil import parser
 from app.models.Deployment import Deployment
 from app.models.User import User
+from app.models.OAuth import OAuth
 from flask import json
 import datetime
 
 
-def add_object(object):
-    db.session.add(object)
+def add_object(obj):
+    db.session.add(obj)
+    db.session.commit()
+
+
+def delete_object(obj):
+    db.session.delete(obj)
     db.session.commit()
 
 
@@ -51,6 +57,10 @@ def delete_ssh_key(subject):
     db.session.commit()
 
 
+def get_oauth(idoauth):
+    return OAuth.query.get(idoauth)
+
+
 def update_deployment(depuuid, data):
     Deployment.query.filter_by(uuid=depuuid).update(data)
     db.session.commit()
@@ -63,6 +73,7 @@ def get_user_deployments(user_sub):
 def get_deployment(uuid):
     return Deployment.query.get(uuid)
 
+
 def getdeploymenttype(dep):
     deptype = ''
     if 'cloudProviderEndpoint' in dep:
@@ -121,7 +132,7 @@ def updatedeploymentsstatus(deployments, userid):
             app.logger.info("Deployment with uuid:{} not found!".format(uuid))
 
             # retrieve template
-            access_token = iam_blueprint.session.token['access_token']
+            access_token = app.get_auth_blueprint().session.token['access_token']
             headers = {'Authorization': 'bearer %s' % access_token}
 
             url = settings.orchestratorUrl + "/deployments/" + uuid + "/template"
@@ -216,10 +227,10 @@ def cvdeployment(d):
                             template_parameters=d.template_parameters if d.template_parameters is not None else '',
                             template_metadata=d.template_metadata if d.template_metadata is not None else '',
                             selected_template=d.selected_template,
-                            inputs=json.loads(
-                                d.inputs.replace("\n", "\\n")) if (d.inputs is not None and d.inputs is not '') else '',
-                            stinputs=json.loads(
-                                d.stinputs.replace("\n", "\\n")) if (d.stinputs is not None and d.stinputs is not '') else '',
+                            inputs=json.loads(d.inputs.replace("\n", "\\n"))
+                            if (d.inputs is not None and d.inputs is not '') else '',
+                            stinputs=json.loads(d.stinputs.replace("\n", "\\n"))
+                            if (d.stinputs is not None and d.stinputs is not '') else '',
                             params=d.params,
                             deployment_type=d.deployment_type,
                             provider_name='' if d.provider_name is None else d.provider_name,
diff --git a/app/lib/decoders.py b/app/lib/decoders.py
new file mode 100644
index 000000000..c63932d27
--- /dev/null
+++ b/app/lib/decoders.py
@@ -0,0 +1,79 @@
+# Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2020-2021
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+import re
+from flaat import tokentools, issuertools
+from app import app, flaat
+
+
+class IndigoTokenDecoder:
+    @staticmethod
+    def get_groups(info):
+        return info['groups']
+
+
+class EgiTokenDecoder:
+    @staticmethod
+    def get_groups( info):
+        if info is not None and 'eduperson_entitlement' in info.keys():
+            memberships = info['eduperson_entitlement']
+        else:
+            memberships = []
+        pattern = 'urn:mace:egi.eu:group:(.*):role=vm_operator#aai.egi.eu'
+
+        groups = []
+        for m in memberships:
+            match = re.search(pattern, m)
+            if match:
+                groups.append(match.group(1))
+
+        return groups
+
+
+class TokenDecoderFactory:
+
+    def __init__(self):
+        self._creators = {}
+
+    def register_format(self, fmt, creator):
+        self._creators[fmt] = creator
+
+    def get_decoder(self, fmt):
+        creator = self._creators.get(fmt)
+        if not creator:
+            raise ValueError(fmt)
+        return creator()
+
+
+factory = TokenDecoderFactory()
+factory.register_format('indigoiam', IndigoTokenDecoder)
+factory.register_format('egicheckin', EgiTokenDecoder)
+
+
+class TokenDecoder:
+    @staticmethod
+    def get_groups(request):
+        access_token = tokentools.get_access_token_from_request(request)
+        issuer = issuertools.find_issuer_config_in_at(access_token)
+        # info = flaat.get_info_thats_in_at(access_token)
+        info = flaat.get_info_from_userinfo_endpoints(access_token)
+        iss = issuer['issuer']
+
+        idp = next(filter(lambda x: x['iss'] == iss, app.config.get('TRUSTED_OIDC_IDP_LIST')))
+
+        if 'client_id' in idp and 'client_secret' in idp:
+            flaat.set_client_id(idp['client_id'])
+            flaat.set_client_secret(idp['client_secret'])
+            info = flaat.get_info_from_introspection_endpoints(access_token)
+        decoder = factory.get_decoder(idp['type'])
+        return decoder.get_groups(info)
diff --git a/app/lib/egicheckin.py b/app/lib/egicheckin.py
new file mode 100644
index 000000000..9f511a177
--- /dev/null
+++ b/app/lib/egicheckin.py
@@ -0,0 +1,123 @@
+# Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2020-2021
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+from flask import flash, current_app as app
+from flask_dance import OAuth2ConsumerBlueprint
+from flask_dance.consumer.storage.sqla import SQLAlchemyStorage
+from app import db
+from app.models.OAuth import OAuth
+from app.models.User import User
+from flask_login import current_user, login_user
+from app import app, flaat
+from app.lib import utils, dbhelpers, decoders
+from flaat import tokentools
+
+from flask import json, session
+
+
+def create_blueprint():
+    egicheckin_base_url = app.config['EGI_AAI_BASE_URL']
+    egicheckin_token_url = egicheckin_base_url + '/protocol/openid-connect/token'
+    egicheckin_refresh_url = egicheckin_base_url + '/protocol/openid-connect/token'
+    egicheckin_authorization_url = egicheckin_base_url + '/protocol/openid-connect/auth'
+
+    return OAuth2ConsumerBlueprint(
+        "egiaai", __name__,
+        client_id=app.config['EGI_AAI_CLIENT_ID'],
+        client_secret=app.config['EGI_AAI_CLIENT_SECRET'],
+        auto_refresh_kwargs={
+            "client_id": app.config['EGI_AAI_CLIENT_ID'],
+            "client_secret": app.config['EGI_AAI_CLIENT_SECRET'],
+        },
+        base_url=egicheckin_base_url,
+        token_url=egicheckin_token_url,
+        auto_refresh_url=egicheckin_refresh_url,
+        authorization_url=egicheckin_authorization_url,
+        scope=['openid', 'profile', 'email', 'offline_access', 'eduperson_entitlement'],
+        redirect_to='home',
+        storage=SQLAlchemyStorage(OAuth, db.session, user=current_user)
+    )
+
+def auth_blueprint_login(blueprint, token):
+    if not token:
+        flash("Failed to log in with EGI Checkin.", category="error")
+        return False
+
+    account_info = blueprint.session.get('/auth/realms/egi/protocol/openid-connect/userinfo')
+    jwt = tokentools.get_accesstoken_info(token['access_token'])
+
+    if not account_info.ok:
+        msg = "Failed to fetch user info."
+        flash(msg, category="error")
+        return False
+
+    user_id = jwt['body']['sub']
+    issuer = jwt['body']['iss']
+
+    account_info_json = account_info.json()
+    session['userid'] = user_id  # account_info_json['sub']
+    session['username'] = account_info_json['preferred_username']
+    email = account_info_json['email']
+    session['useremail'] = email
+    admins = json.dumps(app.config['ADMINS'])
+    role = 'admin' if email in admins else 'user'
+    session['userrole'] = role
+    session['gravatar'] = utils.avatar(account_info_json['email'], 26)
+    session['organisation_name'] = user_id.split('@')[1]
+
+    info = flaat.get_info_from_userinfo_endpoints(token['access_token'])
+    groups = decoders.EgiTokenDecoder.get_groups(info)
+    session['usergroups'] = groups
+
+    # check database
+    # if user not found, insert
+    #
+    app.logger.info(dir(User))
+    user = dbhelpers.get_user(account_info_json['sub'])
+    if user is None:
+        user = User(sub=user_id,
+                    name=account_info_json['name'],
+                    username=account_info_json['preferred_username'],
+                    given_name=account_info_json['given_name'],
+                    family_name=account_info_json['family_name'],
+                    email=email,
+                    organisation_name=user_id.split('@')[1],
+                    picture=utils.avatar(email, 26),
+                    role=role,
+                    active=1)
+        dbhelpers.add_object(user)
+
+    # session['userrole'] = user.role  # role
+
+    # Find this OAuth token in the database, or create it
+    oauth = OAuth.query.filter_by(
+        provider=blueprint.name,
+        provider_user_id=user_id,
+    ).first()
+
+    if not oauth:
+        oauth = OAuth(provider=blueprint.name,
+                      provider_user_id=user_id,
+                      token=token,
+                      issuer=issuer)
+    else:
+        oauth.token = token  # store token
+
+    if not oauth.user:
+        oauth.user = user
+
+    dbhelpers.add_object(oauth)
+    login_user(oauth.user)
+    # flash("Successfully signed in.")
+
+    return False
diff --git a/app/lib/indigoiam.py b/app/lib/indigoiam.py
new file mode 100644
index 000000000..7647e2e3c
--- /dev/null
+++ b/app/lib/indigoiam.py
@@ -0,0 +1,130 @@
+# Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2020-2021
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+from flaat import tokentools
+from flask import current_app as app, flash
+from flask_dance import OAuth2ConsumerBlueprint
+from flask_dance.consumer.storage.sqla import SQLAlchemyStorage
+from app import db
+from flask_login import current_user, login_user
+from app import app
+from app.lib import utils,  settings, dbhelpers
+from app.models.OAuth import OAuth
+from app.models.User import User
+from markupsafe import Markup
+from werkzeug.exceptions import Forbidden
+from flask import json, session
+
+
+def create_blueprint():
+    iam_base_url = app.config['IAM_BASE_URL']
+    iam_token_url = iam_base_url + '/token'
+    iam_refresh_url = iam_base_url + '/token'
+    iam_authorization_url = iam_base_url + '/authorize'
+
+    return OAuth2ConsumerBlueprint(
+        "iam", __name__,
+        client_id=app.config['IAM_CLIENT_ID'],
+        client_secret=app.config['IAM_CLIENT_SECRET'],
+        scope=['openid', 'profile', 'email', 'offline_access'],
+        base_url=iam_base_url,
+        token_url=iam_token_url,
+        auto_refresh_url=iam_refresh_url,
+        authorization_url=iam_authorization_url,
+        redirect_to='home',
+        storage=SQLAlchemyStorage(OAuth, db.session, user=current_user)
+    )
+
+
+def auth_blueprint_login(blueprint, token):
+    if not token:
+        flash("Failed to log in with IAM.", category="error")
+        return False
+
+    account_info = blueprint.session.get('/userinfo')
+    jwt = tokentools.get_accesstoken_info(token['access_token'])
+
+    if not account_info.ok:
+        msg = "Failed to fetch user info."
+        flash(msg, category="error")
+        return False
+
+    user_id = jwt['body']['sub']
+    issuer = jwt['body']['iss']
+
+    account_info_json = account_info.json()
+    user_groups = account_info_json['groups']
+
+    if settings.iamGroups:
+        if set(settings.iamGroups) & set(user_groups) == set():
+            app.logger.debug("No match on group membership. User group membership: "
+                             + json.dumps(user_groups))
+            message = Markup(
+                'Your identity has been verified successfully, but you are not authorized to access the services.<br>' +
+                'Please, contact the administrators ({}) in order to get proper permissions'.format(
+                    app.config.get('SUPPORT_EMAIL')))
+            raise Forbidden(description=message)
+
+    session['userid'] = user_id  # account_info_json['sub']
+    session['username'] = account_info_json['name']
+    email = account_info_json['email']
+    admins = json.dumps(app.config['ADMINS'])
+    role = 'admin' if email in admins else 'user'
+    session['useremail'] = email
+    session['userrole'] = role
+    session['gravatar'] = utils.avatar(account_info_json['email'], 26)
+    session['organisation_name'] = account_info_json['organisation_name']
+    session['usergroups'] = account_info_json['groups']
+
+    # check database
+    # if user not found, insert
+    #
+    app.logger.info(dir(User))
+    user = dbhelpers.get_user(account_info_json['sub'])
+    if user is None:
+        user = User(sub=account_info_json['sub'],
+                    name=account_info_json['name'],
+                    username=account_info_json['preferred_username'],
+                    given_name=account_info_json['given_name'],
+                    family_name=account_info_json['family_name'],
+                    email=email,
+                    organisation_name=account_info_json['organisation_name'],
+                    picture=utils.avatar(email, 26),
+                    role=role,
+                    active=1)
+        dbhelpers.add_object(user)
+
+    # session['userrole'] = user.role  # role
+
+    # Find this OAuth token in the database, or create it
+    oauth = OAuth.query.filter_by(
+        provider=blueprint.name,
+        provider_user_id=user_id,
+    ).first()
+
+    if not oauth:
+        oauth = OAuth(provider=blueprint.name,
+                      provider_user_id=user_id,
+                      token=token,
+                      issuer=issuer)
+    else:
+        oauth.token = token  # store token
+
+    if not oauth.user:
+        oauth.user = user
+        dbhelpers.add_object(oauth)
+
+    login_user(oauth.user)
+    # flash("Successfully signed in.")
+
+    return False
diff --git a/app/lib/ldap_user.py b/app/lib/ldap_user.py
index 13818c99c..46e757979 100644
--- a/app/lib/ldap_user.py
+++ b/app/lib/ldap_user.py
@@ -12,8 +12,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-import random,os,hashlib
-import ldap,ldap.modlist
+import random
+import ldap
+import ldap.modlist
 from . import VaultClient
 
 
@@ -21,6 +22,7 @@ class Error(Exception):
     """Base class for exceptions"""
     pass
 
+
 class AlreadyExistingError(Error):
 
     def __init__(self, username, email):
@@ -28,32 +30,33 @@ def __init__(self, username, email):
         self.message = message
         super().__init__(message)
 
+
 class PasswordMismatch(Error):
     def __init__(self, username, email):
         message = "Password changed for existing ldap user {} with email {}".format(username, email)
         self.message = message
         super().__init__(message)
 
+
 class LdapUserManager(object):
 
     def __init__(self, ldapsocket, ldapcacert, ldapbase, binduser, bindpw, secretstore : VaultClient):
 
         self.ldapsocket = ldapsocket
         self.ldapbase = ldapbase
-        self.binduser = "uid={},{}".format(binduser,self.ldapbase)
+        self.binduser = "uid={},{}".format(binduser, self.ldapbase)
         self.bindpw = bindpw
 
         if(ldapcacert):
             ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, ldapcacert)
 
         # bind
-        self.l = ldap.initialize(ldapsocket)
-        self.l.bind(self.binduser, self.bindpw)
+        self.ld = ldap.initialize(ldapsocket)
+        self.ld.bind(self.binduser, self.bindpw)
         self.vault = secretstore
 
-
     def get_users(self):
-        r = self.l.search_s(self.ldapbase, ldap.SCOPE_SUBTREE, 'uid=*')
+        r = self.ld.search_s(self.ldapbase, ldap.SCOPE_SUBTREE, 'uid=*')
         existingusers = []
         for i in r:
             d = i[1]
@@ -67,7 +70,7 @@ def create_user(self, username, email):
 
         pw = ""
         if username.encode('UTF-8') in existingusers:
-            #read the credentials from vault
+            # read the credentials from vault
             user = self.vault.v1_read_secret('ldap_user')
 
             if user is None:
@@ -85,7 +88,7 @@ def create_user(self, username, email):
             uid = username.encode('UTF-8')
             modlist = {"objectClass": [b"inetOrgPerson"], "uid": [uid], "mail": [email.encode('UTF-8')],
                        'userPassword': [hpw.encode('UTF-8')], 'sn': [uid], 'givenName': uid, 'cn': uid}
-            r = self.l.add_s(dn, ldap.modlist.addModlist(modlist))
+            self.ld.add_s(dn, ldap.modlist.addModlist(modlist))
 
             # store credentials in vault
             self.vault.v1_write_secret('ldap_user', {"username": username, "password": pw})
@@ -93,30 +96,29 @@ def create_user(self, username, email):
         return username, pw
 
     def reset_password(self, username):
-        (pw,hpw) = pwgen()
+        (pw, hpw) = pwgen()
         dn = "uid={},{}".format(username, self.ldapbase)
-        modList = [(ldap.MOD_REPLACE,'userPassword',hpw.encode('UTF-8'))]
-        rr = self.l.modify_s(dn,modList)
+        modlist = [(ldap.MOD_REPLACE, 'userPassword', hpw.encode('UTF-8'))]
+        self.ld.modify_s(dn, modlist)
         return pw
 
     def verify_password(self, username, password):
         pw = password.encode('UTF-8')
         query = "uid={}".format(username)
-        result = self.l.search_s(self.ldapbase,ldap.SCOPE_SUBTREE, query)
+        result = self.ld.search_s(self.ldapbase, ldap.SCOPE_SUBTREE, query)
         cpw = result[0][1]['userPassword'][0]
 
-        return pwverify(cpw,pw)
-
+        return pwverify(cpw, pw)
 
 
 def pwgen():
-    #generate password
+    # generate password
     chars = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
-    pw = ''.join(random.choice(chars) for i in range(10)) # clear password
+    pw = ''.join(random.choice(chars) for i in range(10))  # clear password
     # use SSHA = seeded SHA1
-    #return (pw.decode('UTF-8'),"{SSHA}" + encode(h.digest() + salt).decode('UTF-8'))
+    # return (pw.decode('UTF-8'),"{SSHA}" + encode(h.digest() + salt).decode('UTF-8'))
     hpw = pw
-    return (pw,hpw)
+    return pw, hpw
 
 
 def pwverify(cpw, pw):
diff --git a/app/lib/mail_utils.py b/app/lib/mail_utils.py
new file mode 100644
index 000000000..3d1d70853
--- /dev/null
+++ b/app/lib/mail_utils.py
@@ -0,0 +1,54 @@
+# Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2019-2021
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+from app import app, mail
+from flask_mail import Message
+from threading import Thread
+from flask import session, render_template
+from markupsafe import Markup
+
+def send_authorization_request_email(service_type, **kwargs):
+    user_email = kwargs['email'] if 'email' in kwargs else ""
+    message = kwargs['message'] if 'message' in kwargs else ""
+    message = Markup(
+        "The following user has requested access for service \"{}\": <br>username: {} " \
+        "<br>IAM id (sub): {} <br>IAM groups: {} <br>email registered in IAM: {} " \
+        "<br>email provided by the user: {} " \
+        "<br>Message: {}".format(service_type, session['username'], session['userid'],
+                                 session['usergroups'], session['useremail'], user_email, message))
+
+    sender = kwargs['email'] if 'email' in kwargs else session['useremail']
+    send_email("New Authorization Request",
+               sender=sender,
+               recipients=[app.config.get('SUPPORT_EMAIL')],
+               html_body=message)
+
+
+def create_and_send_email(subject, sender, recipients, uuid, status):
+    send_email(subject,
+               sender=sender,
+               recipients=recipients,
+               html_body=render_template(app.config.get('MAIL_TEMPLATE'), uuid=uuid, status=status))
+
+
+def send_email(subject, sender, recipients, html_body):
+    msg = Message(subject, sender=sender, recipients=recipients)
+    msg.html = html_body
+    msg.body = "This email is an automatic notification"  # Add plain text, needed to avoid MPART_ALT_DIFF with AntiSpam
+    Thread(target=send_async_email, args=(app, msg)).start()
+
+
+def send_async_email(app, msg):
+    with app.app_context():
+        mail.send(msg)
+
diff --git a/app/lib/openstack.py b/app/lib/openstack.py
index b79a15794..1a9639bf5 100644
--- a/app/lib/openstack.py
+++ b/app/lib/openstack.py
@@ -12,7 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-import requests, json
+import requests
+import json
 
 
 def get_unscoped_keystone_token(access_token, auth_url, identity_provider='infn-cc', protocol='oidc', **kwargs):
@@ -22,6 +23,7 @@ def get_unscoped_keystone_token(access_token, auth_url, identity_provider='infn-
     ----------
     access_token : str
         The bearer token
+    auth_url: str
     identity_provider : str, optional
         the name of the identity provider as configured in keystone (default is infn-cc)
     protocol: str, optional
@@ -46,12 +48,12 @@ def get_unscoped_keystone_token(access_token, auth_url, identity_provider='infn-
     return token, user_id
 
 
-
 def get_project_list(auth_url, unscoped_token):
     """Get the list of projects the user is authorized to access
 
     Parameters
     ----------
+    auth_url : str
     unscoped_token : str
         The unscoped token
 
@@ -70,12 +72,12 @@ def get_project_list(auth_url, unscoped_token):
     return response.json().get('projects')
 
 
-
 def get_scoped_token(auth_url, unscoped_token, project_id):
     """Get a scoped (tenant-specific) keystone token using an unscoped token.
 
     Parameters
     ----------
+    auth_url : str
     unscoped_token : str
         The unscoped token
     project_id : str
@@ -104,6 +106,7 @@ def list_ec2_credentials(auth_url, user_id, project_id, scoped_token):
 
     Parameters
     ----------
+    auth_url : str
     user_id : str
         The id of the user
     project_id : str
@@ -130,11 +133,12 @@ def list_ec2_credentials(auth_url, user_id, project_id, scoped_token):
     return credentials
 
 
-def create_ec2_credentials(auth_url, user_id,project_id,scoped_token):
+def create_ec2_credentials(auth_url, user_id, project_id, scoped_token):
     """Create EC2 credentials for the given user in the given project.
 
     Parameters
     ----------
+    auth_url : str
     user_id : str
         The id of the user
     project_id : str
@@ -171,6 +175,7 @@ def get_or_create_ec2_creds(access_token, project, auth_url, identity_provider='
         The user access token issued by the OpenID Connect IdP
     project : str
         The project the credentials must be valid for
+    auth_url : str
     identity_provider : str
         the identity provider as configured in keystone (default is infn-cc)
     protocol:
@@ -200,19 +205,21 @@ def get_or_create_ec2_creds(access_token, project, auth_url, identity_provider='
             credentials = list_ec2_credentials(auth_url, user_id, project_id, scoped_token)
 
             if not credentials:
-                credentials = [ create_ec2_credentials(auth_url, user_id,project_id,scoped_token) ]
+                credentials = [create_ec2_credentials(auth_url, user_id, project_id, scoped_token)]
 
             if credentials:
-                    access = credentials[0].get('access')
-                    secret = credentials[0].get('secret')
+                access = credentials[0].get('access')
+                secret = credentials[0].get('secret')
 
     return access, secret
 
+
 def delete_ec2_credential(auth_url, user_id, credential_id, scoped_token):
     """Delete EC2 credential for given user.
 
     Parameters
     ----------
+    auth_url : str
     user_id : str
         The id of the user
     credential_id : str
@@ -229,7 +236,6 @@ def delete_ec2_credential(auth_url, user_id, credential_id, scoped_token):
     requests.delete(url, headers=headers)
 
 
-
 def delete_ec2_creds(access_token, project, auth_url, identity_provider='infn-cc', protocol='oidc'):
     """Delete EC2 credential using the user access token issued by an OpenID Connect IdP
 
@@ -239,6 +245,7 @@ def delete_ec2_creds(access_token, project, auth_url, identity_provider='infn-cc
         The user access token issued by the OpenID Connect IdP
     project : str
         The project the credentials must be valid for
+    auth_url : str
     identity_provider : str
         the identity provider as configured in keystone (default is infn-cc)
     protocol:
@@ -260,4 +267,3 @@ def delete_ec2_creds(access_token, project, auth_url, identity_provider='infn-cc
             if credentials:
                 for cred in credentials:
                     delete_ec2_credential(auth_url, user_id, cred.get('access'), scoped_token)
-
diff --git a/app/lib/s3.py b/app/lib/s3.py
index a3b1f2f88..0c1dfb3ff 100644
--- a/app/lib/s3.py
+++ b/app/lib/s3.py
@@ -29,7 +29,7 @@ def create_bucket(access_key, secret_key, s3_url, bucket, **kwargs):
     try:
         response = client.create_bucket(Bucket=bucket)
     except botocore.exceptions.ClientError as error:
-        if error.response['Error']['Code'] == 'SignatureDoesNotMatch':
+        if error.response['ResponseMetadata']['HTTPStatusCode'] == 403:
             raise Forbidden("You don't have the permission for the requested storage resource")
         else:
             raise error
diff --git a/app/lib/sqlalchemy_helpers.py b/app/lib/sqlalchemy_helpers.py
new file mode 100644
index 000000000..b47a58f08
--- /dev/null
+++ b/app/lib/sqlalchemy_helpers.py
@@ -0,0 +1,75 @@
+# Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2020-2021
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Ref: https://docs.sqlalchemy.org/en/13/core/custom_types.html#backend-agnostic-guid-type
+from sqlalchemy.types import TypeDecorator, CHAR, Integer
+from sqlalchemy.dialects.postgresql import UUID
+import uuid
+
+
+class GUID(TypeDecorator):
+    """Platform-independent GUID type.
+
+    Uses PostgreSQL's UUID type, otherwise uses
+    CHAR(32), storing as stringified hex values.
+
+    """
+    impl = CHAR
+
+    def load_dialect_impl(self, dialect):
+        if dialect.name == 'postgresql':
+            return dialect.type_descriptor(UUID())
+        else:
+            return dialect.type_descriptor(CHAR(32))
+
+    def process_bind_param(self, value, dialect):
+        if value is None:
+            return value
+        elif dialect.name == 'postgresql':
+            return str(value)
+        else:
+            if not isinstance(value, uuid.UUID):
+                return "%.32x" % uuid.UUID(value).int
+            else:
+                # hexstring
+                return "%.32x" % value.int
+
+    def process_result_value(self, value, dialect):
+        if value is None:
+            return value
+        else:
+            if not isinstance(value, uuid.UUID):
+                value = uuid.UUID(value)
+            return value
+
+
+class IntEnum(TypeDecorator):
+    """
+    Enables passing in a Python enum and storing the enum's *value* in the db.
+    The default would have stored the enum's *name* (ie the string).
+    """
+    impl = Integer
+
+    def __init__(self, enumtype, *args, **kwargs):
+        super(IntEnum, self).__init__(*args, **kwargs)
+        self._enumtype = enumtype
+
+    def process_bind_param(self, value, dialect):
+        if isinstance(value, int):
+            return int(value)
+
+        return value.value
+
+    def process_result_value(self, value, dialect):
+        return self._enumtype(value)
diff --git a/app/lib/utils.py b/app/lib/utils.py
index a84468c37..25c6f39c4 100644
--- a/app/lib/utils.py
+++ b/app/lib/utils.py
@@ -20,17 +20,20 @@
 import string
 import secrets
 from hashlib import md5
-from app import app, mail
-from flask_mail import Message
-from threading import Thread
-from flask import session, render_template
-from markupsafe import Markup
+from app import app
 
 
 def to_pretty_json(value):
     return json.dumps(value, sort_keys=True,
                       indent=4, separators=(',', ': '))
 
+def python_eval(obj):
+    if isinstance(obj, str):
+        try:
+            return eval(obj)
+        except Exception as e:
+            app.logger.warn("Error calling python_eval(): {}".format(e))
+    return obj
 
 def intersect(a, b):
     return set(a).intersection(b)
@@ -38,13 +41,14 @@ def intersect(a, b):
 
 def extract_netinterface_ips(input):
     res = {}
-    for key,value in input.items():
+    for key, value in input.items():
         if re.match("net_interface.[0-9].ip", key):
-            new_key = key.replace('.','_')
+            new_key = key.replace('.', '_')
             res[new_key] = value
 
     return res
 
+
 def xstr(s):
     return '' if s is None else str(s)
 
@@ -87,6 +91,7 @@ def getorchestratorconfiguration(orchestrator_url, access_token):
 
     return configuration
 
+
 def format_json_radl(vminfo):
     res = {}
     for elem in vminfo:
@@ -129,6 +134,21 @@ def send_authorization_request_email(service_type, **kwargs):
                recipients=[app.config.get('SUPPORT_EMAIL')],
                html_body=message)
 
+def send_ports_request_email(deployment_uuid, **kwargs):
+    user_email = kwargs['email'] if 'email' in kwargs else ""
+    message = kwargs['message'] if 'message' in kwargs else ""
+    message = Markup(
+        "The following user has requested to open further ports for deployment \"{}\": <br>username: {} " \
+        "<br>IAM id (sub): {} <br>email registered in IAM: {} " \
+        "<br>email provided by the user: {} " \
+        "<br>Message: {}".format(deployment_uuid, session['username'], session['userid'],
+                                  session['useremail'], user_email, message))
+
+    sender = kwargs['email'] if 'email' in kwargs else session['useremail']
+    send_email("New Ports Request",
+               sender=sender,
+               recipients=[app.config.get('SUPPORT_EMAIL')],
+               html_body=message)
 
 def create_and_send_email(subject, sender, recipients, uuid, status):
     send_email(subject,
diff --git a/app/lib/yourls.py b/app/lib/yourls.py
index 4b059bf5d..13f8c8793 100644
--- a/app/lib/yourls.py
+++ b/app/lib/yourls.py
@@ -15,6 +15,7 @@
 from app import app
 import requests
 
+
 def url_shorten(url, keyword=None):
     shorturl = None
     api_url = "{}/yourls-api.php".format(app.config.get('YOURLS_SITE'))
@@ -29,4 +30,3 @@ def url_shorten(url, keyword=None):
             shorturl = json_resp["shorturl"]
 
     return shorturl
-
diff --git a/app/models/Deployment.py b/app/models/Deployment.py
index a98bd94fa..4505b10de 100644
--- a/app/models/Deployment.py
+++ b/app/models/Deployment.py
@@ -53,7 +53,7 @@ class Deployment(db.Model):
     vault_secret_key = db.Column(db.String(36), nullable=True)
     elastic = db.Column(db.Integer, nullable=True, default=0)
     updatable = db.Column(db.Integer, nullable=True, default=0)
-    sub = db.Column(db.String(36), ForeignKey('users.sub'))
+    sub = db.Column(db.String(256), ForeignKey('users.sub'))
     user = relationship("User", back_populates="deployments")
 
     def __repr__(self):
diff --git a/app/models/OAuth.py b/app/models/OAuth.py
new file mode 100644
index 000000000..3f46f5559
--- /dev/null
+++ b/app/models/OAuth.py
@@ -0,0 +1,48 @@
+# Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2019-2020
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from app import db
+from sqlalchemy.orm.collections import attribute_mapped_collection
+from flask_dance.consumer.storage.sqla import OAuthConsumerMixin
+from app.models.User import User
+from flaat import tokentools
+
+
+class OAuth(OAuthConsumerMixin, db.Model):
+    __table_args__ = (
+        db.UniqueConstraint("provider", "provider_user_id"),
+    )
+    provider_user_id = db.Column(db.String(256), nullable=False)
+    user_id = db.Column(db.String(256), db.ForeignKey(User.sub), nullable=False)
+    issuer = db.Column(db.String(50), nullable=False)
+    user = db.relationship(
+        User,
+        # This `backref` thing sets up an `oauth` property on the User model,
+        # which is a dictionary of OAuth models associated with that user,
+        # where the dictionary key is the OAuth provider name.
+        backref=db.backref(
+            "oauth",
+            collection_class=attribute_mapped_collection("provider"),
+            cascade="all, delete-orphan",
+        ),
+    )
+
+    def __init__(self, **kwargs):
+        super().__init__(**kwargs)
+        token = kwargs['token']
+        jwt = tokentools.get_accesstoken_info(token['id_token'])
+        if 'provider_user_id' not in kwargs:
+            self.provider_user_id = jwt['body']['sub']
+        if 'issuer' not in kwargs:
+            self.issuer = jwt['body']['iss']
diff --git a/app/models/User.py b/app/models/User.py
index 2e6fa14ea..4c040337f 100644
--- a/app/models/User.py
+++ b/app/models/User.py
@@ -14,11 +14,12 @@
 
 from app import db
 from sqlalchemy.orm import relationship
+from flask_login import UserMixin
 
 
-class User(db.Model):
+class User(UserMixin, db.Model):
     __tablename__ = 'users'
-    sub = db.Column(db.String(36), primary_key=True)
+    sub = db.Column(db.String(256), primary_key=True)
     name = db.Column(db.String(128), nullable=True)
     username = db.Column(db.String(64), nullable=False)
     given_name = db.Column(db.String(64), nullable=True)
@@ -31,6 +32,8 @@ class User(db.Model):
     active = db.Column(db.Integer, nullable=False, default='1')
     deployments = relationship("Deployment", back_populates="user")
 
+    def get_id(self):
+        return self.sub
+
     def __repr__(self):
         return '<User {}>'.format(self.sub)
-
diff --git a/app/providers/routes.py b/app/providers/routes.py
index c7dd9fd88..9da405ba7 100644
--- a/app/providers/routes.py
+++ b/app/providers/routes.py
@@ -14,7 +14,7 @@
 
 from flask import Blueprint, render_template, flash, request
 from app.providers import sla
-from app import app, iam_blueprint
+from app import app
 from app.lib import auth, settings
 import requests
 
@@ -28,7 +28,7 @@ def getslas():
     slas = {}
 
     try:
-        access_token = iam_blueprint.session.token['access_token']
+        access_token = app.get_auth_blueprint().session.token['access_token']
         app.logger.debug("SLAM_URL: {}".format(settings.orchestratorConf['slam_url']))
         slas = sla.get_slas(access_token, settings.orchestratorConf['slam_url'], settings.orchestratorConf['cmdb_url'])
         app.logger.debug("SLAs: {}".format(slas))
@@ -46,12 +46,12 @@ def get_monitoring_info():
     serviceid = request.args.get('service_id', None)
     # servicetype = request.args.get('service_type',None)
 
-    access_token = iam_blueprint.session.token['access_token']
+    access_token = app.get_auth_blueprint().session.token['access_token']
 
     headers = {'Authorization': 'bearer %s' % access_token}
-    url = settings.orchestratorConf[
-              'monitoring_url'] + "/monitoring/adapters/zabbix/zones/indigo/types/infrastructure/groups/" + \
-          provider + "/hosts/" + serviceid
+    url = settings.orchestratorConf['monitoring_url'] + \
+        "/monitoring/adapters/zabbix/zones/indigo/types/infrastructure/groups/" + \
+        provider + "/hosts/" + serviceid
     response = requests.get(url, headers=headers)
 
     monitoring_data = {}
diff --git a/app/swift/swift.py b/app/swift/swift.py
index 5e674456c..25cd8cce7 100644
--- a/app/swift/swift.py
+++ b/app/swift/swift.py
@@ -112,7 +112,7 @@ def pack(self, data):
         iv = get_random_bytes(AES.block_size)
         cipher = AES.new(self.private_key, AES.MODE_CBC, iv)
         return b64encode(iv + cipher.encrypt(pad(data.encode('utf-8'),
-                                                      AES.block_size))).decode('utf-8')
+                         AES.block_size))).decode('utf-8')
 
     def _unpack(self, data):
         raw = b64decode(data)
diff --git a/app/users/routes.py b/app/users/routes.py
index 7c0f67094..07a7eee07 100644
--- a/app/users/routes.py
+++ b/app/users/routes.py
@@ -14,8 +14,7 @@
 
 from flask import Blueprint, session, render_template, flash, request
 from app.lib import auth, dbhelpers, settings
-from app.models.User import User
-from app import app, iam_blueprint
+from app import app
 import requests
 
 
@@ -68,7 +67,7 @@ def show_deployments(subject):
     if user is not None:
         #
         # retrieve deployments from orchestrator
-        access_token = iam_blueprint.session.token['access_token']
+        access_token = app.get_auth_blueprint().session.token['access_token']
 
         headers = {'Authorization': 'bearer %s' % access_token}
 
@@ -98,5 +97,5 @@ def show_deployments(subject):
         return render_template('dep_user.html', user=user, deployments=deployments)
     else:
         flash("User not found!", 'warning')
-        users = User.get_users()
+        users = dbhelpers.get_users()
         return render_template('users.html', users=users)
diff --git a/app/vault/routes.py b/app/vault/routes.py
index 8ecd55438..d960cc42d 100644
--- a/app/vault/routes.py
+++ b/app/vault/routes.py
@@ -13,7 +13,7 @@
 # limitations under the License.
 
 from flask import Blueprint, render_template, flash, request, redirect, url_for, session, json
-from app import app, iam_blueprint, vaultservice
+from app import app, vaultservice
 from app.lib import auth, sshkey as sshkeyhelpers, settings, dbhelpers
 from app.providers import sla
 from app.models.Deployment import Deployment
@@ -42,7 +42,7 @@ def read_secret(depid=None):
     vault_read_token_time_duration = app.config.get("READ_TOKEN_TIME_DURATION")
     vault_read_token_renewal_duration = app.config.get("READ_TOKEN_RENEWAL_TIME_DURATION")
 
-    access_token = iam_blueprint.session.token['access_token']
+    access_token = app.get_auth_blueprint().session.token['access_token']
 
     # retrieve deployment from DB
     dep = dbhelpers.get_deployment(depid)
@@ -76,7 +76,7 @@ def read_secret(depid=None):
 @vault_bp.route('/create_ssh_key/<subject>')
 @auth.authorized_with_valid_token
 def create_ssh_key(subject):
-    access_token = iam_blueprint.session.token['access_token']
+    access_token = app.get_auth_blueprint().session.token['access_token']
     privkey, pubkey = sshkeyhelpers.generate_ssh_key()
     privkey = privkey.decode("utf-8").replace("\n", "\\n")
     store_privkey(access_token, privkey)
@@ -132,7 +132,7 @@ def read_privkey(subject):
     vault_read_token_time_duration = app.config.get("READ_TOKEN_TIME_DURATION")
     vault_read_token_renewal_duration = app.config.get("READ_TOKEN_RENEWAL_TIME_DURATION")
 
-    access_token = iam_blueprint.session.token['access_token']
+    access_token = app.get_auth_blueprint().session.token['access_token']
 
     jwt_token = auth.exchange_token_with_audience(iam_base_url,
                                                   iam_client_id, iam_client_secret, access_token, vault_bound_audience)
@@ -169,7 +169,7 @@ def delete_ssh_key(subject):
 
     dbhelpers.delete_ssh_key(subject)
 
-    access_token = iam_blueprint.session.token['access_token']
+    access_token = app.get_auth_blueprint().session.token['access_token']
     privkey_key = session['userid'] + '/ssh_private_key'
 
     jwt_token = auth.exchange_token_with_audience(iam_base_url,
@@ -204,7 +204,7 @@ def manage_service_creds():
   slas={}
 
   try:
-    access_token = iam_blueprint.session.token['access_token']
+    access_token = app.get_auth_blueprint().session.token['access_token']
     slas = sla.get_slas(access_token, settings.orchestratorConf['slam_url'], settings.orchestratorConf['cmdb_url'])
     app.logger.debug("Service details: {}".format(slas))
 
@@ -223,7 +223,7 @@ def read_service_creds():
     serviceid = request.args.get('service_id', None)
     servicetype = request.args.get('service_type', None)
 
-    access_token = iam_blueprint.session.token['access_token']
+    access_token = app.get_auth_blueprint().session.token['access_token']
     jwt_token = auth.exchange_token_with_audience(iam_base_url,
                                                   iam_client_id, iam_client_secret, access_token, vault_bound_audience)
 
@@ -257,7 +257,7 @@ def write_service_creds():
 
         creds = request.form.to_dict()
 
-        access_token = iam_blueprint.session.token['access_token']
+        access_token = app.get_auth_blueprint().session.token['access_token']
 
         jwt_token = auth.exchange_token_with_audience(iam_base_url,
                                                   iam_client_id, iam_client_secret, access_token, vault_bound_audience)
@@ -279,7 +279,7 @@ def delete_service_creds():
 
     serviceid = request.args.get('service_id', "")
 
-    access_token = iam_blueprint.session.token['access_token']
+    access_token = app.get_auth_blueprint().session.token['access_token']
 
     jwt_token = auth.exchange_token_with_audience(iam_base_url,
                                                   iam_client_id, iam_client_secret, access_token, vault_bound_audience)
diff --git a/app/vault/templates/service_creds.html b/app/vault/templates/service_creds.html
index 28b878cc0..448b52aed 100644
--- a/app/vault/templates/service_creds.html
+++ b/app/vault/templates/service_creds.html
@@ -1,6 +1,6 @@
 {% extends "base.html" %}
 {% block content %}
-
+<br>
 <div class="container-fluid">
 
     <div class="card shadow mb-4">
diff --git a/config/deep.py b/config/deep.py
index ba6b63928..fde91d223 100644
--- a/config/deep.py
+++ b/config/deep.py
@@ -1,12 +1,10 @@
-#### LOOK AND FEEL SETTINGS
+# LOOK AND FEEL SETTINGS
 WELCOME_MESSAGE = "Welcome to the DEEP PaaS Dashboard!"
 NAVBAR_BRAND_TEXT = "DEEP Orchestrator Dashboard"
 NAVBAR_BRAND_ICON = "/home/static/images/deep/logo.png"
 FAVICON_PATH = "/home/static/images/deep/favicon_io"
 MAIL_IMAGE_SRC = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAMgAAABWCAYAAACKNNmtAAAABmJLR0QAPABbAJF6c4x7AAAACXBIWXMAACmwAAApsAF506pJAAAAB3RJTUUH4gESCzMmehupoQAAIABJREFUeNrtnXmc1PT5x9+Z2QU2CEVEUUHxYqhW1FZ/XtUKJSDBQqjaemDrFTxqba1tPVuPtrZa1Go9WiV41HrgSaAyKAHPKl54UA+CiOKFICgCsyy7O/n98X2yhmF2J5nZXRbd5/WC3Z1Jvkm+eT7P/X2+Gh2QctlMGrgGGA/kmzlsATBCN/1P6KROaiOq6sD31gXo2sL33QCt8xV2UltSahO+96Dz9XXS11mDfCXJsJwegC4askqA3gDUAWs8185FjsVz7c5J6wTIVxIITcxtWM6OwGHAvsAAoC/wDTETA6AW+Az42LCchcDTwFTPtb/onMmNSx3Shhcn/UbglBYOmw8M0U1/SQcGxv7A1cD/iTkb16RtkH93A7/2XPuzTm3S6YN8JchzbQzLGWxYzlTgWeAA0dRJ5rpKtMuJwArDcs4BeocA7KROgGxi5tSkUGNohuVcIcAY3YqXuAJ43LCc/QSAnZPeCZBNydc4OfxzFnAO0L0NLjUYmGNYjtkJkk6AbGomVR/Dcl4BhrbDJacblnN0J0g6AbJJaA/DcmqAe4E92/HSkwzL2b8TJJ0A6fDaA7iknTRHlHQga1hOWoFkYufL6ARIx9Ic8nOE+Bwbg3oBt6lfqztfShtRZ6KwfL+jO1CufZMFngI+ANLATsAoYO+E44w2LKfKc09o6HwrnQDpaHQCsG2C4/PA9cD50XKSCF1kWM5A4E5UYjHu+9scWNb5OjpNrI5hXo2ZhGE5OnC4SP849Aawj+fav/RcO1fMsZZM+QLPtfcF/hxz3Jzn2q0Gjk6Hf0PqLDVpYnwHb2rLpRzGWAdvio1hOf2BxTHn71NgN8+1l5UqF/n+6FuYPe2kkFn/ApxXYuzzPNe+whgzCW/qyS0x/ubAt4DtgS34sgZsNbAEWOi59rwigO0EyNcVIAU1U9VADSo6tBswCFVQWA2sEV/hf8C78vdxCfyPXT3XfisJw4XHGpaTBUY2c9gsz7WNYWMmMmvq+Oi5aaAnqjDyBOAHwGYx7/U94GEx8/4nGqqhowEml81oYv2E/Bvopt9Y5Dh00+94AKn0xtoSIAXA2BYwUWHa/YBdSpzeALwodv+gGJdzPNcen5S5hlm3oNEIaN1QUbLDgYHy9dvAg8Dl+SCoS2laYXHkT4AfAttU+BqXANOBKZ5rT2tnAAA08VDu4UyKFHsAGWA7vqyG7sr61dBLBORv6abvtwY/ahsbDO0JkIhk7oWqsh0r0jbdBu85AIZ5rv1YJRpO/IJeouEQZvg8/E5+dhGp/wMxn1qT1gILgdM9137KsBwCAma542lr4ZrLZgYDvwJGiBasQa2jKXW/IWDuAq7UTX9lubyqVfgA1fLy+gGHAgeiMsoDipy6EngLeAF4FHgF+Ew3/dVFxm0rgHQHjgL+EWOiK6UPgaGeay9o9UCBAGPImElUacFQYIoAva3pRonCfdFWwMhlM92APYCrgINaafg7gD8CC3XTzycBilbmw3QFfoRaBPRdUXtJqQ54HlXgd49u+vMj6rXVABKRsvvIpH+vnSyFNwUgn7QFOOT3S4ELaN9w/XxgvGgTLQiCIOoDFfEV+qJK9YMW+OBdYdwDgd+J2dvaVAf8C7hMN/334oIkFRfdkd+PE5V7C3B0meBA7MeDgYuBV3LZzP25bKZ3a5prEXCMRiXmvteOjBQuempVkudJGZbzAHAR7Z/LGoQqvf+559qBpmml+Ot88dueb+bfnQKOCcCTbQSOkN/GA3Nz2cyRoq0qA0jUWcplM7vlsplnRV31o/XqGzSxm48APsplM8dLNKmxlZjp58DUNrDN47yQrq0JdvnZA7hVHPeNRRpwnWE5l6MpHhpy+MSW5qFGfIhi/7bKZTMe8Js28gULqTdwXy6b+VUoXFoCSiqmr/F78R32bwemug14CNi1FZjpPOC6jcRE32hNv0DArou/8VM2LoVq41wCLgOoatTKDfjsBAzbCM9wNXB7Lpvp1pLVUvKhctnMbNq/WjWMAmlJfZCIWXU0ak33xqQhwBOV5g8E8DWoHMVQOh790nPtvxeGsyXYcgNwKh2X7hGBU18MKKnmzKpcNtM7l808vhFfiFYOIwk4DqkQHF9IFGoxKrZeBxAEiW9py0rAESn96CKMVs67WAk8B0wAjhU/7NvAPqjw6WniT75EeTVdAXCtYTlDN9HM+9HA5RFrab0vq5oJtWlit393U3pSAccA8ZPKoekCrAXACnGya1Ja0Le2vsseA3ovm/Deii2ru1bVJwFaRc8jdCdwZBlD3Az8MwWvPOraLTXau0mqCXZdW189pEu64ZLGILV5dboxiSC73rCc7wHL2xAon6Cinq+iqhtq5fOewI6oauhhfJkziktn57KZOt30LyjUIusBJPLls6jMcjm0XM5/RxikC6rqdS9UPVCbZO9F2qaAC8uIrC0CLM+15xWaCcEXoPXkjVw2M04jqJ69YHeue8ykvjGNprXY3PE9DRaUW6IReZ7bywDHWlRHlMley8Bo0lKea9cDr9XOGNijIV+VvvwRi6cXDiImSECV6Iz3XPvysGatFell4Oe66T8jwjuABnTzHRHsA0O20oTfjgL+Jg55XDorl808rZv+9KJmTES1XEGyRUDrJFz3IDBZN/2PWvBnUqh1D8cC30fFyMulJh8kYlodADyTYIwG4BrPtX8bNdEK7lkTh+4sIKhON2if13bnmtmH8cw7GVJasB5Q8oFGOpWnKpU/P/vgqZeXaybK738SwCehpcBPPNd+NO4JEcthb/Fz+lalGrnrxYOZ/NIBrGuoKiUMotTHc+3lh46dyEOnTqjUB3kTuEQ3/XsLA0cxn+s84NdAn5inzAMODJPXTT5Ibfab4YX3A85OiOyRwHDd9P+mm/5Hqx/eldoZG5Y05aYPRDf9vG76/9FN/1hU1n1Ca5lWQvclPPWnzYEjIjAuEnAAaPWNVWzWdS3njnA5c8gj1FSvY01dN9bWV7NmXVf691rB3tstOq8ccESfxbCcG8sAx3xUecujhuUw7IdOEnAMQVU49AVoyKc5Zp+nuch8gAAI4iv+fwA0BGUbCiES/w0cXA44IumJy4XPXo557cHhnIdjaLXTM9SManJQFgE7xBzsDt30yw43Rl7MCFTTg2+Uq0GEoc4E/p7g/LGea7vFgBFx2E4BbmrJ+M4HGm8u6c8nq3rSr9cKMlt9fLlu+ue7Vx+Jdfb95WqOy1AJtiRcthz4rufa88vUHDNRRZjrR3G0gLnv78jvph1FKp4WqQMynmsvriCKdZNu+qdVKjhz2QwreZ9ebK8FBJ5YLXFogG76i3PZDKl8qmmw38UERz3w2xAccbKRxShkQt30H5Ubf6cC/0MHkhi9lxUDR/S+ctnMaQKOoCVRp2kBg/u9x4hdX+Nb23xwR02Xut8DicAx3HKaLiKJzQsSgmMJ8H3PtefHXfQUAcdeEpDZvNhx+UBjr/7vMnrw3Lj3Ui2RoXLpet30T8tlM1q5vBV9l70YQI05PxA/7vmYp14Vnp/qPtInl81sFTEjStEFuulfmctmKq7krZ0xMBxjLmBUAJK9iVd+Htq1fyowzdZTzbls5piINirJqI35FPWN6dvrG9MnasPea0j6YvMBzFI+1IUkT2wuAUZ6rv1a3IBABBwHAh4llg5rWsBx//cU3apjRe9SwCGG5ZRTRfA4KqMOQRC0RtlRjflW+LyfoaqdV8U47Xu5bGZQkw8iiN88xol36aZ/5ZrpaoIrfYCakQuimmQRqlZmdRnRnpHEL+uwPddeW0zSCtMchCqTTlJKM1WiRo0F0cAWaZg1EcNymDXVxrCc8cAfEk7hGmCc59qvFgN8CXAMRmXltyjpFAQavbuv4shvz6lf1xir9OtbCRzjJjkDHKebfh2APqr1iqDDuivd9JeJIC5FWwEH5bIZUrlspkYYrFTh4jzd9McBpNpoJbtu+rOBf8b35poWCx0R8xTXc+1njDHFHfJcNjMSVdSYhJ4EjtdNP0i+1kALo28/Es2RZGZXAz/yXHt2GWbVHsB/gC1jhyobqlf9YPeXjktp+ThqZADQO0G+COAM3fQ/rNSsKgUSVMnUv2KcYgHpFCrJclAMdP8mnOSakX6rP0Ak8vBbMRtKP3TX2rxhOX0SmFfnAATpoBjT7Evy7PtcYKRu+p8nfbGR0PSxorGSmCS1qLxN1rAcgiARk+wNzEatT49L9QEc18f6371VqfzDMc/ZNWUsysc89i1gUhLtWy5IdNMPUMulS5laI9C0VApVFNijxMEvAc+snb5Lmz2AbvrkpjUxWbxQ886L64lfHv0s8KFhOcx6aHwh0wwAHkMt/opLr2twUF7TanMPD0w0LxFwjEQVZyYpWa9Dre6bHY4zq0SziYiG3FXMwS0SXC8PnKib/lT5e2bM83bXtNjb5N1MGywNaIHXnkL1F2iJuhIEe6WIV0n5qG76q7uNerttb3x0kxrMorqBtEzbU0/8NR7/RTUhKGSaPVHrFfQEt7oIsGpMvzYdBOiHLSgHHAejSkiS+DoBcJrn2reX4ZB/S8yqJL28csCPddO/M6Ih58U8N66G+gL4b1tqjmLCQua+FI1IoYrWStrutC/VCkPHceziNI1uAF4Pyy5yMzKQh1w20w9VWp/EoVwJHKCb/kIVJSlLc+wnkrh3QnCM81z7tjJs78HAE6jS8iRO8wm66T8Qgkx8nVUxz4/7bB+jFuC1l/YIf42TVN4vFcd+103/xXZ+gHqZuDgvcUAcHxN4v0mijvQhRU9U4duOCW5vGbCXbvqfVOBz7IXKWCfxOfLAxZ5r3x2pnYprVg0EpiU0qxqBU3XTvy8aypdr5uX9lKK4a/7rkkYuW4nP4qQUdkvFULkfFaim9iAtZkQniOk3NIjkDyXqthJ9GpTgnnLAD3XTfzdp/icCjoGU12DhPM+1/xgHGAVm1TdRFcoDElxrLTBON/1JuWyGfP7L1zBsrBO+mzg+U33C991utCYbdlDizVJmYiqGJPu4raMLFVKi/dJz2Ux3YDLJ9/M4UDf9/yadiwg4+omvMyDhdX8LXBmOlcCsGiRCYJeEc3mKbvqTc9kMWj5gs8PeavpylqrQ7RaToVd2VIbpbi5YT/i3QNVxJEGejkuavIitShxXta6xarPgpR5dapdyB8nayawFRumm/2oFmmOA+ABJNcc/Pde+Mvwjjlkl4NhJolVbJrhWI/AL3fTvKPGccSN9H9HxaW2pA1IxwmtbqMkf1BEfMI3qpFeKum77jRV71C3b+j5U18EkdKJu+o9VAI5eEuRIqjmu9Fz79LiaIwKOnYEZqC6EcWkdKtl5Yy6bKbVyMu5am083AYDUxAHI0hLH7KjU9vz2vvkgJkBKljLnAy2974CFExrzqaQ7zx6jm/495ZiYAo6uwGtlmHPXo6p5Y/fEFXDsCDzNl21K49KZuunfuWZGBg3oPqrFdx13Id27QdAxez9HqJT/vTZF6RCblstmdmnnG09ROnkJi6hGJfhafgANXl+yXZe6xmotATjP0E3/nnKiVfJzc/EBkq5unAKcHTaNThCtGiBm1dYJzaqzdNO/OZfN0H2kHydsPSbm2D6zdujo22t8s8T376eIt5jEbK87lhdeE0tSvbNDF1RSsYSjErBg6da8vbRvqTUN4ZcXh+ZGOWaV0AOoDutJ6E7gKM+16xOaVduj8iq7J7hWA2Drpn9tKSEQAb0Rw99DrJLPcvWxItk1sYRh6/NZHJ/hfylUiXEpGitLT9uchCF3B3YudWxtfZfQSS+5WKEq1cj1T5h0bblkWwOu1k3/j+WaVcJIL5C8A8lU4GTPtdclNKu2QyVVk5pVv9VN/7bwqVt61si9xC3F94EVMStNtiZZpK01BDDEW+c/J4Wqbiy1Mn8f4DvtCPBrEh5fMiua0gLeXd6HO58/uKVGBDfopv/rpMIgImG7GZbzEPGqE6L0X+AEz7Xr4phVXzyseuoFT27bvzrdOKUq3dg/nYodbGwEfq2b/jW5GVIg2kLx6bAvn21cAsf/Rc+142bcewAHrclmqG2HXFtEEBwT4/BHUiKB55Q4sCeqqTBtpUkitvRpxN+jL2Qmjxhx9y5VDUyeewD/+2j7Yk0I7gLO+vTFvdDyQZAUHEK3obZUSEJPAqM81/4sjlk14fwz6XnYmwQ5tn39vZ1nT31tn+/cN/cAXlq8E+lUvpQJmQdO003/6jUzMtBY+jFT6hl7AZcSL3nbgCrfSUK/6G767ZZPyGUzQyldQbEKeEuTEy5G7fddio7XTf9fbQEOMRcyIk3j1Eat19VEGO3gkt53oNFnsy+49sjb6FkTtlXiMd30v5/0vgvWkd+L6nifhOaiui+uimNShdf756Xjt3158Q5P+ku32TkERIBGv14r+MMPJtO3R7Oy4kLd9P8cx7cqeLbpCfzQhZ5r7yLvNcma9LN007+2HcBRhWqldGyJQ+8Hjg4lwj2oUopSdHsumxlWYMu1Fjh6oNaA9ymTSf8U53hNC/hkVS/OvO8k3vi4f1CdbpgSgiPJM0XyHJphOdeVAY63gCM9114Vt2+W59ocNe5vVTNe3/P+Bcu23jmdyqNJ26GUlueDz3pz+t3jeeadQaod0fqa4xwFjkGxwWFYjm5Yzt0JgzSxczcF9DepG2tr32NYDHCAan/UmBK7bD6qs0gcujeXzewXt318THBUSxRmSNIxQuaSPlBT4pxTlWpkxZrNuGT6j7SjbzlrWRH7tAQDTYr6CfcDP09424tQe4csSspIy1f3OG5NXbcDiplS6VSe+nyKCd5o/v64CVpAOpVvROU5JuSmZ6AFE2zk2FsLE5xZkjVgeMRz7Zlx/KhmAiS35LKZzVq77q+gwuCBGKd8DDypm/56NuV4VEa1FPUG5uSyGTPaz3RNgocq2FZhAGrDyP1aYS5+SszKUE0LWFtfzcpafbxhOTnDcsYbltNTWnCWMtS6GJbzPcNylpN8G4LFwEGeay8xxpbVdfGMoASXNeZTZF/fi3G3/oIZb+z1oG76NwLoo3z0kX6z0n3GlBPR0NKG5VioUG2S/VRqgXMrfH8Hodblp1rLSomAow+qcLN7jNOeCKt9tYJBjhJzKy7dDFwV3TAxzs3K75uJqvsD5XVYLOyLFUq+41HNmMtJUq0Uh/9Z1GaZH6N69K6Wid0OlRW3KK+R9FJxyF9SWujkxAMYlvMxMZOBQaBRn0/TJd3wNCrHMgd4M4yWRcZMo1qH7g8cT3k9ma/xXPtXw6yJTfsXVtAX6zrgN7rpr8tNz6CP8isFR1/Ucuo47ywAttNN/8Pc9MwGrUerZKAkvWCXo2p/LtVNf0GMm06jWgydgordlxsVa3YLNsNy7kBt1VwJrRO/rE4iM1UCks3KFWbAnp5rV7Qs07CcGaj9IMuhFagVfEtRxYSBgG1riVRuUea4r6dh8CMFfYAr3P7AQy0vWF1Oe6mCpngPEb+i4Wzd9P8WAlMrMnBP4HWgfxkP9S5qWecL8vsq1MKZbVBtHYfHiTSVC5DhYycxc8rJISM9RettAlkpfQ4M8Vz71Ur3Gzcs57uoequOQkuBHT3Xzg23HGa27v4gK1DFpXN0019XzBJp7jMJ+hwn2ijuzlVzgQOAdeFYWjOo20EQvDMdl0ptoNNFHOjRG/k+1wFjPNd+pBXAET7bVSTrodyW4BjRHPBbcQOdWRJEeqyUlSIaY7iY74MTXKMO1WP6qUKfrjnVlBGQbLcpAaQISG6nslaYldK+nmu/0JoDDh8zSQu04GLUBqgbE/h7ea79ZnPAb+UdphrFPPwMtYV4uIdLGlUftrv4UZtR3tZ3RfMwGziykU6HPirsuohNjAQcaFqwznPtY1D9sGrb+TY+APbzXPuFMnICLWiRSQRaEHiufQmqYd7KjSSc+rUEjjagNKr7504SOTwXtVXHn8WnNVDl6+WA44bmijZLbeL5Dqqu6F/t/AI+FD+mIpDk86lQm0wQsE9vp/u/F5XneL61GchzT24SAJ5rPyiRp4fa8d38AzjAc+1P2xEcbUkOac5sLhCgxYwEaMCPSRYCLpf+DfwMtXfIqeWYWC3Y8F1Q+0XcTrLOgnFpDTAOmB6WrLcHAxmWU4XKEN9NvB7L5dBH4jC/6Ll2rLKpTWATz9t00z8RVCuoYkWbLeYKIogKdNOfLPbdHajQbmtSHWrl3Wjd9H+CCom2RVHkOs+1H/dcewCqmvNZytu4Mkp5VEuhq4Denmu7sp1Ze0rXBs+1H0Hlk65AJSMbW2HcvIx1GbCd59rP0/o9Ct5FtSVqb//pIt30T8xlM9ROzzRb0RybCQuSfN9CtZI/FtijQok7GbV928wwlCeS5zZazmUsAb6jm/7HSS5YKNUNy9kNtX/id8Vc2ZN4YcG3JYjxKPC059rLio3fXlRQXNgHlRQbDRxGsgZ1oMLzD6PW0s8q99liapBXZO6PFauhVxtP1ULgdN30Z+ayGQINuo+sYJ/0FkAS9q7aXqJEhxNvHcQSVI3PnahO6g266efXM+mmZwCtJy0vqm8EVuij5ucrZSj5OyXASAH9BDS7iOPXW5z8RcCrAczRVHa9Ma65sZGAkkYlOHdDLZU9WARaYbeTz1EtRZ8SULwG1Huu3VgJ6GMC5DVUmdFaVMLyDuJtUVAOTdDg/BrTj61dKzJjmknYbIsKDfdG9dwKw3NLqmBBFwFDc+dvKjTMcpi16TuobUpJAKKb/trIeYdKlGrPMrRfsYDPc8DvddN/Y002Q1qDbjF3KNBacTI2WWb/OpExxsEr6AbfVmZhUoCsV8T6n50hnd4Dldkeg9qmr1vMSy8T03c68Lxu+m+Xy6NaJ8t0UkfTIIWCtwk0qlx9f1Q3km0kaJQXC+V9VInUc7rpL4meV4kAryqQJLqYRHWFEkVCiV0kEpRoLwfDcvZE7WI7x3PtdeVOuGE5o4FXoXGx557a0nEDUH13n/Nce2ULx6VFKgWRqM3aAt+kYulaWKMUl0aMvol8Kh31KfoKUzQCyzzXXhPeo/hP+8j7ebm9wWBYzpbiS8wsrBauhAoY/B1i7GOZmz4QLZWi5tC3NhinIoCgdh7yUCUMhY7MSNS65L+gapyS0IWoFjj7UrpRXUs0FfgFpbtr/BDVz/ZAWt7Z9EDUlm950aYBkDMs511giufad0eSckkZZgBwjAZXzZSwb1IKwSF7ifxOJGePECCG5TwG/NFz7SXSpO5q4BOSr1FpDdoPFa7tRxu0HU3C4K25v2FhHuTbNL8VdG9UZ5MtS9m4RSigmfj5MGtS0fO+P/qWYoffB7wRl79iHNNTIjzzUL1z/ysAHgHcZVjO+4blDPBcm+FjbhZtMLHZ6FHBc+wmwqRr4fw0V3oS/TxST3Ymar39PqgM/UnAmahG2KcB14l2D+c5aG7MotcpmPfw7+Y+b27MrypVlXuiMdpJe9OKhAGr1jsm5U1bLwwaNkTrL2bcslnuyWrCC7Z2mT3tJAzL6YGKi3+KRq03xf5xMedSQrT9UDtILSdhx3fU9gKLC8Y+A7UV9DTDcg4OYKURMZWkc2JPoNZz7aWhpom0VdvgHgwc0Nbrn7UlamerVZ5rr4hqK/l9b1QC8iVU1eyKyHD3GJZzDjCqBS1WeK0a4FPPtXNNjD6giB6YyobZCPk8MudItLLWc+1Py5jzrzZASLGPdPI4xHPtd8OPvQebdm29FLU6LaypqkfVQ12GyviuFRPh+Ei8fRtU4nCmSPLzhYHO8KbY9xmWswg4DxonQzq6W5MjTlu9YTl3ipmRSIMXfuC59g3io1wLDPdc+365x+HAH1H5n25AnWE584DjPNdeKsfYqIw2AbxiWE5efIdDPdeeZ1jOz8Rx7St+3RrDcp4ATmD9ZuJnorZoO8xz7RUFDI/n2kuAW4RZ19uwZuTYW6kPGjAspydqg8wDBSBfGJYz2XPtcyNj7Yoqv/mrd6F6Tu9fNobl9Baz6XHvQvtCmZdwTcp1AhAMy/FQbZO+FgBJAV0Ny4n6IPVFjn1VJOgpwAURtdsFVcaxbUGZ9w6o7Pj14uccjVoHnzIs5zhJuFWLnb0VavXe31FJrPcjY2wReVG7oZaRvi3MVAtcJPdVUanFiLGTyAfBzQKQIyN+16ESNTkftSR3T1S18AIJRCAS/36ZmxtRSbAuEeAehWr5Oh1VjXuIjNHfc+0hkdv4cSgsjDHrL9GN+kQRid5EM6acGDL/HNTKzYtQWeuTgHMMy+nrufYJEQExmA1XFFah9jxfGNFKO6EqH0CtSVmBWjY96esAkEbUYpOZBSozEGkX/WydSO5fAxdEpNFW4iSfXjB2F+BXnmvfKH8/ZljOUnE+L5MQXXgP/YA9PNcuVWr/F7mPoZ5rfyDXf1xChxWp/PrGRtKpVIBqoxltcnxBQSTuUZH+zxmWc7rn2v/wXPtl0a6nVMF1MyJOujDy0IIM/COG5bwF3G5YzmDPtecNH3tbOggaamReAm9qWevXf4XaxfgIqfwFyBqWczswzrCcqzzXnpdwWBvVmmnrsAQFeNiwnLkk249kk6BCJ10T0+YpcQzDf0+gqmejUisv6jdtWM6pBVKvng3bCC1HrQxramcJXC4/o02e08CzpcBhWM7WIt1meK79QWTvvs9Ra+Qr6iz+2LRTQsFQFzraYtask98PNSzn58KEw8Q02qdAINBYZAcvz7XzhuVUG5ZzuGE5v5QxvhOJrCHggBibvJRg5kVI/+WIljlbhOOeZYx5DKpq+FPDWi/gcNPXQYOkgJc81z6vCEOOQxUoRl/0kyL5zo1M0O/EHv2iYIhVYi5FSzTWyWc7FNxDnEVa3cWVnFdocgiYKwKIYU0CAk2k4tsRU+YQMREDVD1WPjKXJbeSljFOlfByTgAQRN5FdzlutTDflgDDR09i5rTEWqQf8F7o3EeCAMtl7HJK/ndA1UsVzvlHX0WAFGOilDinhZRuJlR4LbCjYTkHGpaXYyQJAAAD/0lEQVQzFrUe4aEiycRUdAw5Py+OY12RsHCcMG6jnM9w6+boPXWrDBxOaO/3QxXQPSWf90EtTnoOGOS5dm/PtfuAtnVcSW9YzrfFD5uEanawhRqDoaJ5gwKgD/FcmyBVlsXYIBo+3cwbLzXvxSot6ii+r2X66wKQWBTpaDhRNMEYVH/fj4BHipzSh0g/Jzl/W5nscjK/n6Eqg0cqtKSjEu3gcp104+jrouPcU/BzkESjbl3fBAz2L8IggfxXyGQDRVtcHka9hL4jQYoo3QDsbFjOkYWOeKSjfErC3MVorjje2zcB/yEbw3JCk/b1iCavb9JWX16nPxtu5/xyaEoqE2uiaNuKlj18BcO8gDFmIt7U8UgUI+yNe4Xn2muLZJ91wDYs5zwxTaoltLgkNJMSAvRzw3JmA2cZlnM4BFMNy9FQrX72Tuikb25YzhZAilqqZUfaG1Bd5q+LMNLnwkyHGJZzq0jYzYHfFGHuNSFYDct5UuZ6lfwDONSwnIUCrP4S8SoEwGTgROA+0c5PGJZTJ9fVDcsZilrvMb6Z5/qrBFyONyznSqDWsJwamff3+DLp+r74nscblnN1AA2SgzqdDZcc/FOikUOVZtUCCLajY3RZaXMN0oXmt/mtLvgZggMxF9ZEIkuF4KiR7/cWc+UeiTQNBc4JI1B8ufVaSyZSlBF/L47/A6j01oOobo8vyjXTMQXEfwSk81C1Ps/LvZwqkbdGeabXUetYfiKBi3tQPapqI89JRDo/hlp49II87zdR5TyzxcyajqoOeEIERZNzL8nCpeIUT0f1HX5J7jWL2uP7XrnXhhA04T2IgPJQOZuLBSj3ij+1szzXYjnuc9RipYFynw/Ke/pG1GQV0N4vcz1Lfj4gWsVrxiwrVRCrbUoa5AcS2y9mnjwqZtS8IpJuDSrG/6zn2iuLaI9LxVd5FpVHGCETfRNqSWdIn8g1mlsleIQyG9IhA6w2LOcwVPfxkSIFzxTm3o3SG8XPkZB0o7yodXIPi1BFi2uj5ow8088EGEcIY94kkb5/R5gcSeyZqH0odhHG/9Bz7TrDcg5F5VaGiFa6RObhwOg9G9ZEPNeeb1jOD2WcsfJzrQBsBrDGc+3AsJy18uyFfsXFAowfi4l7GXBnoLGi4LibBOwnitl7Dar0ZpLMSfj8a4yxzuEEjJZ3uRz4pQiJu9hwOXaeFkqNKL3LcsegluprCr8r8vdQw3ICw3J2TzJugS2d6JqVPpfYzS2cNzH2eEMPv7Xo983VQcWdk5LPMP5ujNETWzy/uXOHj3HKe09H3NJcvV1F7yrXDrtLlUNaBYBKiQTZDzhD1OxoipTKd1InfR2d9JSo/J+IKj6pNdcBdFIndQT6fzD7jsoCrptBAAAAAElFTkSuQmCC"
 
-### Template Paths
+# Template Paths
 HOME_TEMPLATE = 'deep/home.html'
 FOOTER_TEMPLATE = 'deep/footer.html'
-
-
diff --git a/config/default.py b/config/default.py
index 43a360845..d24a5e1ac 100644
--- a/config/default.py
+++ b/config/default.py
@@ -4,6 +4,12 @@
 IAM_CLIENT_ID = "XXX-XXX-XXX-XXX-XXX"
 IAM_CLIENT_SECRET = "************"
 IAM_BASE_URL = "https://iam.example.com"
+EGI_AAI_BASE_URL="https://https://aai-dev.egi.eu/oidc/"
+EGI_AAI_CLIENT_ID=""
+EGI_AAI_CLIENT_SECRET=""
+
+TRUSTED_OIDC_IDP_LIST = [ { 'iss': 'https://iam.example.org/', 'type': 'indigoiam' } ]
+
 ORCHESTRATOR_URL = "https://orchestrator.example.com"
 CALLBACK_URL = "https://dashboard.example.com/home/callback"
 
@@ -43,6 +49,7 @@
 FEATURE_HIDDEN_DEPLOYMENT_COLUMNS = "4, 5, 7"
 FEATURE_VAULT_INTEGRATION = "no"
 FEATURE_REQUIRE_USER_SSH_PUBKEY = "no"
+FEATURE_PORTS_REQUEST = "no"
 
 ### VAULT INTEGRATION SETTINGS
 VAULT_ROLE = "orchestrator"
diff --git a/config/infn-cloud.py b/config/infn-cloud.py
index 5120b5b87..c632d1782 100644
--- a/config/infn-cloud.py
+++ b/config/infn-cloud.py
@@ -7,6 +7,7 @@
 
 
 FEATURE_REQUIRE_USER_SSH_PUBKEY = "yes"
+FEATURE_PORTS_REQUEST = "yes"
 
 ### Template Paths
 HOME_TEMPLATE = 'infn-cloud/home.html'
diff --git a/migrations/versions/7e9fa167c199_eighth_update.py b/migrations/versions/7e9fa167c199_eighth_update.py
index 3fdb46de4..6ed21ab3f 100644
--- a/migrations/versions/7e9fa167c199_eighth_update.py
+++ b/migrations/versions/7e9fa167c199_eighth_update.py
@@ -7,7 +7,6 @@
 """
 from alembic import op
 import sqlalchemy as sa
-from sqlalchemy.dialects import mysql
 
 # revision identifiers, used by Alembic.
 revision = '7e9fa167c199'
diff --git a/migrations/versions/88bc3c2c02a6_initial_migration.py b/migrations/versions/88bc3c2c02a6_initial_migration.py
index 8481813a0..7eee6d29f 100644
--- a/migrations/versions/88bc3c2c02a6_initial_migration.py
+++ b/migrations/versions/88bc3c2c02a6_initial_migration.py
@@ -18,43 +18,43 @@
 
 def upgrade():
     op.create_table('users',
-    sa.Column('sub', sa.String(length=36), nullable=False),
-    sa.Column('name', sa.String(length=128), nullable=True),
-    sa.Column('username', sa.String(length=64), nullable=False),
-    sa.Column('given_name', sa.String(length=64), nullable=True),
-    sa.Column('family_name', sa.String(length=64), nullable=True),
-    sa.Column('email', sa.String(length=64), nullable=False),
-    sa.Column('organisation_name', sa.String(length=64), nullable=True),
-    sa.Column('picture', sa.String(length=128), nullable=True),
-    sa.Column('role', sa.String(length=32), nullable=True),
-    sa.Column('active', sa.Boolean, nullable=False, server_default='1'),
-    sa.PrimaryKeyConstraint('sub')
+        sa.Column('sub', sa.String(length=36), nullable=False),
+        sa.Column('name', sa.String(length=128), nullable=True),
+        sa.Column('username', sa.String(length=64), nullable=False),
+        sa.Column('given_name', sa.String(length=64), nullable=True),
+        sa.Column('family_name', sa.String(length=64), nullable=True),
+        sa.Column('email', sa.String(length=64), nullable=False),
+        sa.Column('organisation_name', sa.String(length=64), nullable=True),
+        sa.Column('picture', sa.String(length=128), nullable=True),
+        sa.Column('role', sa.String(length=32), nullable=True),
+        sa.Column('active', sa.Boolean, nullable=False, server_default='1'),
+        sa.PrimaryKeyConstraint('sub')
     )
     op.create_table('deployments',
-    sa.Column('uuid', sa.String(length=36), nullable=False),
-    sa.Column('creation_time', sa.DateTime(), nullable=True),
-    sa.Column('update_time', sa.DateTime(), nullable=True),
-    sa.Column('physicalId', sa.String(length=36), nullable=True),
-    sa.Column('description', sa.String(length=256), nullable=True),
-    sa.Column('status', sa.String(length=128), nullable=True),
-    sa.Column('status_reason', sa.String(length=256), nullable=True),
-    sa.Column('outputs', sa.Text(), nullable=True),
-    sa.Column('task', sa.String(length=64), nullable=True),
-    sa.Column('links', sa.Text(), nullable=True),
-    sa.Column('provider_name', sa.String(length=128), nullable=True),
-    sa.Column('endpoint', sa.String(length=256), nullable=True),
-    sa.Column('template', sa.Text(), nullable=True),
-    sa.Column('inputs', sa.Text(), nullable=True),
-    sa.Column('params', sa.Text(), nullable=True),
-    sa.Column('locked', sa.Boolean, nullable=False, server_default='0'),
-    sa.Column('feedback_required', sa.Boolean, nullable=False, server_default='0'),
-    sa.Column('remote', sa.Boolean, nullable=False, server_default='0'),
-    sa.Column('issuer', sa.String(length=256), nullable=True),
-    sa.Column('storage_encryption', sa.Boolean, nullable=False, server_default='0'),
-    sa.Column('vault_secret_uuid', sa.String(length=36), nullable=True),
-    sa.Column('vault_secret_key', sa.String(length=36), nullable=True),
-    sa.Column('sub', sa.String(length=36), nullable=True),
-    sa.PrimaryKeyConstraint('uuid')
+        sa.Column('uuid', sa.String(length=36), nullable=False),
+        sa.Column('creation_time', sa.DateTime(), nullable=True),
+        sa.Column('update_time', sa.DateTime(), nullable=True),
+        sa.Column('physicalId', sa.String(length=36), nullable=True),
+        sa.Column('description', sa.String(length=256), nullable=True),
+        sa.Column('status', sa.String(length=128), nullable=True),
+        sa.Column('status_reason', sa.String(length=256), nullable=True),
+        sa.Column('outputs', sa.Text(), nullable=True),
+        sa.Column('task', sa.String(length=64), nullable=True),
+        sa.Column('links', sa.Text(), nullable=True),
+        sa.Column('provider_name', sa.String(length=128), nullable=True),
+        sa.Column('endpoint', sa.String(length=256), nullable=True),
+        sa.Column('template', sa.Text(), nullable=True),
+        sa.Column('inputs', sa.Text(), nullable=True),
+        sa.Column('params', sa.Text(), nullable=True),
+        sa.Column('locked', sa.Boolean, nullable=False, server_default='0'),
+        sa.Column('feedback_required', sa.Boolean, nullable=False, server_default='0'),
+        sa.Column('remote', sa.Boolean, nullable=False, server_default='0'),
+        sa.Column('issuer', sa.String(length=256), nullable=True),
+        sa.Column('storage_encryption', sa.Boolean, nullable=False, server_default='0'),
+        sa.Column('vault_secret_uuid', sa.String(length=36), nullable=True),
+        sa.Column('vault_secret_key', sa.String(length=36), nullable=True),
+        sa.Column('sub', sa.String(length=36), nullable=True),
+        sa.PrimaryKeyConstraint('uuid')
     )
     # ### end Alembic commands ###
 
diff --git a/migrations/versions/98c3d8971d6c_first_update.py b/migrations/versions/98c3d8971d6c_first_update.py
index cfcaafd9a..5b1a4fb2d 100644
--- a/migrations/versions/98c3d8971d6c_first_update.py
+++ b/migrations/versions/98c3d8971d6c_first_update.py
@@ -19,24 +19,27 @@
 def upgrade():
     op.add_column('deployments', sa.Column('elastic', sa.Boolean, server_default='0', nullable=False))
     op.alter_column('deployments', 'status_reason',
-               existing_type=mysql.VARCHAR(length=256),
-               type_=mysql.MEDIUMTEXT)
-    op.create_foreign_key(None, 'deployments', 'users', ['sub'], ['sub'])
+                    existing_type=mysql.VARCHAR(length=256),
+                    type_=mysql.MEDIUMTEXT)
+    op.create_foreign_key('deployments_ibfk_1', 'deployments', 'users', ['sub'], ['sub'])
     op.add_column('users', sa.Column('sshkey', sa.Text(), nullable=True))
     op.alter_column('users', 'role',
-               existing_type=mysql.VARCHAR(length=32),
-               nullable=False)
+                    existing_type=mysql.VARCHAR(length=32),
+                    nullable=False)
     # ### end Alembic commands ###
 
 
 def downgrade():
     op.alter_column('users', 'role',
-               existing_type=mysql.VARCHAR(length=32),
-               nullable=True)
+                    existing_type=mysql.VARCHAR(length=32),
+                    nullable=True)
     op.drop_column('users', 'sshkey')
-    op.drop_constraint(None, 'deployments', type_='foreignkey')
+    try:
+        op.drop_constraint('deployments_ibfk_1', 'deployments', type_='foreignkey')
+    except:
+        pass
     op.alter_column('deployments', 'status_reason',
-               existing_type=mysql.MEDIUMTEXT,
-               type_=mysql.VARCHAR(256))
+                    existing_type=mysql.MEDIUMTEXT,
+                    type_=mysql.VARCHAR(256))
     op.drop_column('deployments', 'elastic')
     # ### end Alembic commands ###
diff --git a/migrations/versions/98c3d8971d6d_second_update.py b/migrations/versions/98c3d8971d6d_second_update.py
index 20fce2005..55976bda3 100644
--- a/migrations/versions/98c3d8971d6d_second_update.py
+++ b/migrations/versions/98c3d8971d6d_second_update.py
@@ -6,7 +6,6 @@
 """
 from alembic import op
 import sqlalchemy as sa
-from sqlalchemy.dialects import mysql
 
 # revision identifiers, used by Alembic.
 revision = '98c3d8971d6d'
diff --git a/migrations/versions/98c3d8971d6e_third_update.py b/migrations/versions/98c3d8971d6e_third_update.py
index ae61aff08..f482569b4 100644
--- a/migrations/versions/98c3d8971d6e_third_update.py
+++ b/migrations/versions/98c3d8971d6e_third_update.py
@@ -6,7 +6,6 @@
 """
 from alembic import op
 import sqlalchemy as sa
-from sqlalchemy.dialects import mysql
 
 # revision identifiers, used by Alembic.
 revision = '98c3d8971d6e'
diff --git a/migrations/versions/98c3d8971d6f_fourth_update.py b/migrations/versions/98c3d8971d6f_fourth_update.py
index 2a4795adb..8a0ab7f8a 100644
--- a/migrations/versions/98c3d8971d6f_fourth_update.py
+++ b/migrations/versions/98c3d8971d6f_fourth_update.py
@@ -6,7 +6,6 @@
 """
 from alembic import op
 import sqlalchemy as sa
-from sqlalchemy.dialects import mysql
 
 # revision identifiers, used by Alembic.
 revision = '98c3d8971d6f'
diff --git a/migrations/versions/98c3d8971d70_fifth_update.py b/migrations/versions/98c3d8971d70_fifth_update.py
index 574ebc52b..ca658f2e7 100644
--- a/migrations/versions/98c3d8971d70_fifth_update.py
+++ b/migrations/versions/98c3d8971d70_fifth_update.py
@@ -6,7 +6,6 @@
 """
 from alembic import op
 import sqlalchemy as sa
-from sqlalchemy.dialects import mysql
 
 # revision identifiers, used by Alembic.
 revision = '98c3d8971d70'
diff --git a/migrations/versions/98c3d8971d71_sixth_update.py b/migrations/versions/98c3d8971d71_sixth_update.py
index 82c61c5ff..44a887a7e 100644
--- a/migrations/versions/98c3d8971d71_sixth_update.py
+++ b/migrations/versions/98c3d8971d71_sixth_update.py
@@ -6,7 +6,6 @@
 """
 from alembic import op
 import sqlalchemy as sa
-from sqlalchemy.dialects import mysql
 
 # revision identifiers, used by Alembic.
 revision = '98c3d8971d71'
diff --git a/migrations/versions/a0b6f9dd0342_seventh_update.py b/migrations/versions/a0b6f9dd0342_seventh_update.py
index 9fe63a257..9b31ce4f8 100644
--- a/migrations/versions/a0b6f9dd0342_seventh_update.py
+++ b/migrations/versions/a0b6f9dd0342_seventh_update.py
@@ -15,6 +15,7 @@
 branch_labels = None
 depends_on = None
 
+
 def upgrade():
     op.add_column('deployments', sa.Column('additional_outputs', sa.Text, nullable=True))
     op.add_column('deployments', sa.Column('stoutputs', sa.Text, nullable=True))
@@ -27,4 +28,3 @@ def downgrade():
     op.drop_column('deployments', 'stoutputs')
     op.drop_column('deployments', 'template_type')
     # ### end Alembic commands ###
-
diff --git a/migrations/versions/a0c034ff9873_ninth_update.py b/migrations/versions/a0c034ff9873_ninth_update.py
new file mode 100644
index 000000000..1b9773138
--- /dev/null
+++ b/migrations/versions/a0c034ff9873_ninth_update.py
@@ -0,0 +1,66 @@
+
+"""Ninth Update
+
+Revision ID: a0c034ff9873
+Revises: a0b6f9dd0342
+Create Date: 2021-09-07 15:00:00.192947
+
+"""
+from alembic import op
+import sqlalchemy as sa
+import sqlalchemy_utils
+from sqlalchemy.dialects import mysql
+
+# revision identifiers, used by Alembic.
+revision = 'a0c034ff9873'
+down_revision = '7e9fa167c199'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    try:
+        op.drop_constraint('deployments_ibfk_1', 'deployments', type_='foreignkey')
+    except:
+        pass
+    op.alter_column('deployments', 'sub',
+                    existing_type=mysql.VARCHAR(length=36),
+                    type_=mysql.VARCHAR(length=256),
+                    nullable=False)
+    op.alter_column('users', 'sub',
+                    existing_type=mysql.VARCHAR(length=36),
+                    type_=mysql.VARCHAR(length=256),
+                    nullable=False)
+    op.create_foreign_key('deployments_ibfk_1', 'deployments', 'users', ['sub'], ['sub'])
+    op.create_table('flask_dance_oauth',
+                    sa.Column('id', sa.Integer(), nullable=False),
+                    sa.Column('provider', sa.String(length=50), nullable=False),
+                    sa.Column('created_at', sa.DateTime(), nullable=False),
+                    sa.Column('token', sqlalchemy_utils.types.json.JSONType(), nullable=False),
+                    sa.Column('provider_user_id', sa.String(length=256), nullable=False),
+                    sa.Column('user_id', sa.String(length=256), nullable=False),
+                    sa.Column('issuer', sa.String(length=50), nullable=False),
+                    sa.ForeignKeyConstraint(['user_id'], ['users.sub'], ),
+                    sa.PrimaryKeyConstraint('id'),
+                    sa.UniqueConstraint('provider', 'provider_user_id')
+                    )
+
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    op.drop_table('flask_dance_oauth')
+    try:
+        op.drop_constraint('deployments_ibfk_1', 'deployments', type_='foreignkey')
+    except:
+        pass
+    op.alter_column('deployments', 'sub',
+                    existing_type=mysql.VARCHAR(length=256),
+                    type_=mysql.VARCHAR(length=36),
+                    nullable=False)
+    op.alter_column('users', 'sub',
+                    existing_type=mysql.VARCHAR(length=256),
+                    type_=mysql.VARCHAR(length=36),
+                    nullable=False)
+    op.create_foreign_key('deployments_ibfk_1', 'deployments', 'users', ['sub'], ['sub'])
+    # ### end Alembic commands ###
diff --git a/requirements.txt b/requirements.txt
index 4929d69e0..5963cddd7 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,26 +1,26 @@
-Flask==1.1.1
-Werkzeug==0.16.0
-Flask_Dance==2.2.0
-Flask-Mail==0.9.1
-PyYAML==5.1.2
-python-dateutil==2.8.1
-requests==2.22.0
-cryptography==2.7
-packaging==19.2
-sqlalchemy==1.3.12
-SQLAlchemy-Utils==0.36.1
-flask-sqlalchemy==2.4.1
-Flask-Migrate==2.5.2
+alembic==1.7.7
+boto3==1.21.27
+cryptography==36.0.2
+flaat==0.10.1
+Flask==2.0.3
 Flask-Alembic==2.0.1
-alembic==0.9.9
-Flask-Script==2.0.6
-visitor==0.1.3
-tzlocal==2.0.0
-PyMySQL==0.9.3
-python-swiftclient==3.9.0
-python-keystoneclient==3.22.0
-pycryptodomex==3.9.7
-hvac==0.9.6
-MarkupSafe==1.1.1
-boto3==1.15.6
-python-ldap==3.3.1
\ No newline at end of file
+Flask-Dance==5.1.0
+Flask-Login==0.6.2
+Flask-Mail==0.9.1
+Flask-Migrate==3.1.0
+Flask-SQLAlchemy==2.5.1
+hvac==0.11.2
+MarkupSafe==2.1.1
+packaging==21.3
+pycryptodomex==3.14.1
+PyMySQL==1.0.2
+python-dateutil==2.8.2
+python-keystoneclient==4.4.0
+python-ldap==3.4.0
+python-swiftclient==3.13.1
+PyYAML==6.0
+requests==2.27.1
+SQLAlchemy==1.4.32
+SQLAlchemy-Utils==0.38.2
+tzlocal==4.1
+Werkzeug==2.0.3