diff --git a/x-pack/qa/saml-idp-tests/build.gradle b/x-pack/qa/saml-idp-tests/build.gradle index 4ae99a1a02253..1229965cf159d 100644 --- a/x-pack/qa/saml-idp-tests/build.gradle +++ b/x-pack/qa/saml-idp-tests/build.gradle @@ -1,5 +1,3 @@ -import org.elasticsearch.gradle.Architecture - Project idpFixtureProject = xpackProject("test:idp-fixture") apply plugin: 'elasticsearch.internal-java-rest-test' @@ -13,17 +11,17 @@ dependencies { testFixtures.useFixture ":x-pack:test:idp-fixture" String outputDir = "${project.buildDir}/generated-resources/${project.name}" -def copyIdpFiles = tasks.register("copyIdpFiles", Copy) { +def copyIdpFiles = tasks.register("copyIdpFiles", Sync) { from idpFixtureProject.files('idp/shibboleth-idp/credentials/idp-browser.pem', 'idp/shibboleth-idp/metadata/idp-metadata.xml', 'idp/shibboleth-idp/credentials/sp-signing.key', 'idp/shibboleth-idp/credentials/sp-signing.crt'); into outputDir + outputs.upToDateWhen { false } //ensure this copy is always done to prevent stale configuration } def setupPorts = tasks.register("setupPorts") { dependsOn copyIdpFiles, idpFixtureProject.postProcessFixture // Don't attempt to get ephemeral ports when Docker is not available - // Also, shibboleth fixture is not available on aarch64 - onlyIf { idpFixtureProject.postProcessFixture.state.skipped == false && Architecture.current() == Architecture.X64 } + onlyIf { idpFixtureProject.postProcessFixture.state.skipped == false } doLast { String portString = idpFixtureProject.postProcessFixture.ext."test.fixtures.shibboleth-idp.tcp.4443" int ephemeralPort = Integer.valueOf(portString) 
@@ -43,7 +41,7 @@ project.sourceSets.javaRestTest.output.dir(outputDir, builtBy: [copyIdpFiles]) tasks.named("javaRestTest").configure { dependsOn setupPorts - onlyIf { idpFixtureProject.postProcessFixture.state.skipped == false && Architecture.current() == Architecture.X64 } + onlyIf { idpFixtureProject.postProcessFixture.state.skipped == false } } testClusters.matching { it.name == "javaRestTest" }.configureEach { diff --git a/x-pack/test/idp-fixture/docker-compose.yml b/x-pack/test/idp-fixture/docker-compose.yml index 4a3af17a673ba..60a58ceaa9ea6 100644 --- a/x-pack/test/idp-fixture/docker-compose.yml +++ b/x-pack/test/idp-fixture/docker-compose.yml @@ -137,22 +137,20 @@ services: - ./openldap/certs:/container/service/slapd/assets/certs shibboleth-idp: - image: "unicon/shibboleth-idp:3.4.2" + build: + context: . + dockerfile: ./idp/Dockerfile depends_on: - openldap environment: - JETTY_MAX_HEAP=64m - - JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=secret - - JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=secret ports: - - "4443" + - 4443 + expose: + - 4443 links: - openldap:openldap - volumes: - - ./idp/shibboleth-idp/conf:/opt/shibboleth-idp/conf - - ./idp/shibboleth-idp/credentials:/opt/shibboleth-idp/credentials - - ./idp/shibboleth-idp/metadata:/opt/shibboleth-idp/metadata - - ./idp/shib-jetty-base/start.d/ssl.ini:/opt/shib-jetty-base/start.d/ssl.ini + restart: always #ensure ephemeral port mappings are properly updated oidc-provider: image: "c2id/c2id-server-demo:12.16.1" diff --git a/x-pack/test/idp-fixture/idp/Dockerfile b/x-pack/test/idp-fixture/idp/Dockerfile new file mode 100644 index 0000000000000..ea7b6880fb42b --- /dev/null +++ b/x-pack/test/idp-fixture/idp/Dockerfile 
@@ -0,0 +1,92 @@
+FROM openjdk:11.0.16-jre AS javabase
+
+ENV JAVA_HOME=/usr/local/openjdk-11
+
+# below is mostly a fork from https://github.com/Unicon/shibboleth-idp-dockerized/blob/master/Dockerfile
+# building entire image to allow for easier upgrades since published image has not been updated for years
+ENV jetty_version=9.3.27.v20190418 \
+ jetty_hash=7c7c80dd1c9f921771e2b1a05deeeec652d5fcaa \
+ idp_version=3.4.3 \
+ idp_hash=eb86bc7b6366ce2a44f97cae1b014d307b84257e3149469b22b2d091007309db \
+ dta_hash=2f547074b06952b94c35631398f36746820a7697 \
+ slf4j_version=1.7.25 \
+ slf4j_hash=da76ca59f6a57ee3102f8f9bd9cee742973efa8a \
+ logback_version=1.2.3 \
+ logback_classic_hash=7c4f3c474fb2c041d8028740440937705ebb473a \
+ logback_core_hash=864344400c3d4d92dfeb0a305dc87d953677c03c \
+ logback_access_hash=e8a841cb796f6423c7afd8738df6e0e4052bf24a
+
+ENV JETTY_HOME=/opt/jetty-home \
+ JETTY_BASE=/opt/shib-jetty-base \
+ PATH=$PATH:$JAVA_HOME/bin \
+ JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=secret \
+ JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=secret
+
+# Manually override the jetty keystore otherwise it will attempt to download and fail
+RUN mkdir -p /opt/shib-jetty-base/modules
+COPY ./idp/jetty-custom/ssl.mod /opt/shib-jetty-base/modules/ssl.mod
+COPY ./idp/jetty-custom/keystore /opt/shib-jetty-base/etc/keystore
+
+# Download Jetty, verify the hash, and install, initialize a new base
+RUN wget -q https://repo.maven.apache.org/maven2/org/eclipse/jetty/jetty-distribution/$jetty_version/jetty-distribution-$jetty_version.tar.gz \
+ && echo "$jetty_hash jetty-distribution-$jetty_version.tar.gz" | sha1sum -c - \
+ && tar -zxvf jetty-distribution-$jetty_version.tar.gz -C /opt \
+ && ln -s /opt/jetty-distribution-$jetty_version/ /opt/jetty-home
+
+# Config Jetty
+RUN mkdir -p /opt/shib-jetty-base/modules /opt/shib-jetty-base/lib/ext /opt/shib-jetty-base/lib/logging /opt/shib-jetty-base/resources \
+ && cd /opt/shib-jetty-base \
+ && touch start.ini \
+ && java -jar ../jetty-home/start.jar --add-to-startd=http,https,deploy,ext,annotations,jstl,rewrite
+
+# Download Shibboleth IdP, verify the hash, and install
+RUN wget -q https://shibboleth.net/downloads/identity-provider/archive/$idp_version/shibboleth-identity-provider-$idp_version.tar.gz \
+ && echo "$idp_hash shibboleth-identity-provider-$idp_version.tar.gz" | sha256sum -c - \
+ && tar -zxvf shibboleth-identity-provider-$idp_version.tar.gz -C /opt \
+ && ln -s /opt/shibboleth-identity-provider-$idp_version/ /opt/shibboleth-idp
+
+# Download the library to allow SOAP Endpoints, verify the hash, and place
+RUN wget -q https://build.shibboleth.net/nexus/content/repositories/releases/net/shibboleth/utilities/jetty9/jetty9-dta-ssl/1.0.0/jetty9-dta-ssl-1.0.0.jar \
+ && echo "$dta_hash jetty9-dta-ssl-1.0.0.jar" | sha1sum -c - \
+ && mv jetty9-dta-ssl-1.0.0.jar /opt/shib-jetty-base/lib/ext/
+
+# Download the slf4j library for Jetty logging, verify the hash, and place
+RUN wget -q https://repo.maven.apache.org/maven2/org/slf4j/slf4j-api/$slf4j_version/slf4j-api-$slf4j_version.jar \
+ && echo "$slf4j_hash slf4j-api-$slf4j_version.jar" | sha1sum -c - \
+ && mv slf4j-api-$slf4j_version.jar /opt/shib-jetty-base/lib/logging/
+
+# Download the logback_classic library for Jetty logging, verify the hash, and place
+RUN wget -q https://repo.maven.apache.org/maven2/ch/qos/logback/logback-classic/$logback_version/logback-classic-$logback_version.jar \
+ && echo "$logback_classic_hash logback-classic-$logback_version.jar" | sha1sum -c - \
+ && mv logback-classic-$logback_version.jar /opt/shib-jetty-base/lib/logging/
+
+# Download the logback-core library for Jetty logging, verify the hash, and place
+RUN wget -q https://repo.maven.apache.org/maven2/ch/qos/logback/logback-core/$logback_version/logback-core-$logback_version.jar \
+ && echo "$logback_core_hash logback-core-$logback_version.jar" | sha1sum -c - \
+ && mv logback-core-$logback_version.jar /opt/shib-jetty-base/lib/logging/
+
+# Download the logback-access library for Jetty logging, verify the hash, and place
+RUN wget -q https://repo.maven.apache.org/maven2/ch/qos/logback/logback-access/$logback_version/logback-access-$logback_version.jar \
+ && echo "$logback_access_hash logback-access-$logback_version.jar" | sha1sum -c - \
+ && mv logback-access-$logback_version.jar /opt/shib-jetty-base/lib/logging/
+
+## Copy local files
+COPY idp/shib-jetty-base/ /opt/shib-jetty-base/
+COPY idp/shibboleth-idp/ /opt/shibboleth-idp/
+COPY idp/bin/ /usr/local/bin/
+
+# Setting owner ownership and permissions
+RUN useradd jetty -U -s /bin/false \
+ && chown -R root:jetty /opt \
+ && chmod -R 640 /opt \
+ && chown -R root:jetty /opt/shib-jetty-base \
+ && chmod -R 640 /opt/shib-jetty-base \
+ && chmod -R 750 /opt/shibboleth-idp/bin
+
+RUN chmod 750 /usr/local/bin/run-jetty.sh /usr/local/bin/init-idp.sh
+RUN chmod +x /opt/jetty-home/bin/jetty.sh
+
+# Opening 4443 (browser TLS), 8443 (mutual auth TLS)
+EXPOSE 4443 8443
+
+CMD ["run-jetty.sh"]
diff --git a/x-pack/test/idp-fixture/idp/bin/init-idp.sh b/x-pack/test/idp-fixture/idp/bin/init-idp.sh
new file mode 100644
index 0000000000000..55c50251cb436
--- /dev/null
+++ b/x-pack/test/idp-fixture/idp/bin/init-idp.sh
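Review bot: In idp/Dockerfile six of the seven downloads (Jetty, jetty9-dta-ssl, slf4j-api and the three logback jars) are verified with `sha1sum -c`, and only the Shibboleth archive uses `sha256sum`; collisions are practical for SHA-1, so a pinned SHA-1 is a weaker guarantee than the digest already used for the IdP archive. The checks should all read like `&& echo "$jetty_hash jetty-distribution-$jetty_version.tar.gz" | sha256sum -c - \`, with each `*_hash` variable replaced by the artifact's SHA-256 digest. Separately, `useradd jetty` creates an account but there is no `USER` instruction, so `run-jetty.sh` starts as root unless jetty.sh drops privileges itself, and `chmod -R 640 /opt` also clears the search bit on directories, which would stop a non-root user from traversing them. The keystore passwords set in `ENV` end up in the image metadata; that is acceptable only for a test fixture, and a comment such as `# test fixture only: fixed, non-secret keystore passwords` above that `ENV` would say so.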
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+cd /opt/shibboleth-idp/bin
+
+echo "Please complete the following for your IdP environment:"
+./ant.sh -Didp.target.dir=/opt/shibboleth-idp-tmp -Didp.src.dir=/opt/shibboleth-idp/ install
+
+find /opt/shibboleth-idp-tmp/ -type d -exec chmod 750 {} \;
+
+mkdir -p /ext-mount/customized-shibboleth-idp/conf/
+chmod -R 750 /ext-mount/customized-shibboleth-idp/
+
+# Copy the essential and routinely customized config to out Docker mount.
+cd /opt/shibboleth-idp-tmp
+cp -r credentials/ /ext-mount/customized-shibboleth-idp/
+cp -r metadata/ /ext-mount/customized-shibboleth-idp/
+cp conf/{attribute-resolver*.xml,attribute-filter.xml,cas-protocol.xml,idp.properties,ldap.properties,metadata-providers.xml,relying-party.xml,saml-nameid.*} /ext-mount/customized-shibboleth-idp/conf/
+
+# Copy the basic UI components, which are routinely customized
+cp -r views/ /ext-mount/customized-shibboleth-idp/
+mkdir /ext-mount/customized-shibboleth-idp/webapp/
+cp -r edit-webapp/css/ /ext-mount/customized-shibboleth-idp/webapp/
+cp -r edit-webapp/images/ /ext-mount/customized-shibboleth-idp/webapp/
+rm -r /ext-mount/customized-shibboleth-idp/views/user-prefs.js
+
+echo "A basic Shibboleth IdP config and UI has been copied to ./customized-shibboleth-idp/ (assuming the default volume mapping was used)."
+echo "Most files, if not being customized can be removed from what was exported/the local Docker image and baseline files will be used."
diff --git a/x-pack/test/idp-fixture/idp/bin/run-jetty.sh b/x-pack/test/idp-fixture/idp/bin/run-jetty.sh
new file mode 100644
index 0000000000000..af795963b9712
--- /dev/null
+++ b/x-pack/test/idp-fixture/idp/bin/run-jetty.sh
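Review bot: In init-idp.sh the `chmod -R 750 /ext-mount/customized-shibboleth-idp/` runs while only the empty `conf/` directory exists, so the `credentials/` tree copied afterwards gets whatever mode `cp -r` derives from the umask rather than a restricted one. Setting `umask 027` right after the shebang would cover the exported key material without depending on the order of the copies. The script also never checks an exit status, so a failed `./ant.sh ... install` or `cd /opt/shibboleth-idp-tmp` is followed by the copies anyway; `set -e` at the top, together with `mkdir -p` for the `webapp/` directory, would stop it at the first failure.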
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+#set -x
+
+if [ -e "/opt/shibboleth-idp/ext-conf/idp-secrets.properties" ]; then
+ export JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=`gawk 'match($0,/^jetty.backchannel.sslContext.keyStorePassword=\s?(.*)\s?$/, a) {print a[1]}' /opt/shibboleth-idp/ext-conf/idp-secrets.properties`
+ export JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=`gawk 'match($0,/^jetty\.sslContext\.keyStorePassword=\s?(.*)\s?$/, a) {print a[1]}' /opt/shibboleth-idp/ext-conf/idp-secrets.properties`
+fi
+
+export JETTY_ARGS="jetty.sslContext.keyStorePassword=$JETTY_BROWSER_SSL_KEYSTORE_PASSWORD jetty.backchannel.sslContext.keyStorePassword=$JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD"
+sed -i "s/^-Xmx.*$/-Xmx$JETTY_MAX_HEAP/g" /opt/shib-jetty-base/start.ini
+
+exec /opt/jetty-home/bin/jetty.sh run
diff --git a/x-pack/test/idp-fixture/idp/jetty-custom/keystore b/x-pack/test/idp-fixture/idp/jetty-custom/keystore
new file mode 100644
index 0000000000000..d6592f95ee935
Binary files /dev/null and b/x-pack/test/idp-fixture/idp/jetty-custom/keystore differ
diff --git a/x-pack/test/idp-fixture/idp/jetty-custom/ssl.mod b/x-pack/test/idp-fixture/idp/jetty-custom/ssl.mod
new file mode 100644
index 0000000000000..460af556676ca
--- /dev/null
+++ b/x-pack/test/idp-fixture/idp/jetty-custom/ssl.mod
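Review bot: In run-jetty.sh both keystore passwords are placed in `JETTY_ARGS`, which jetty.sh presumably passes on the Java command line, so they would be readable from the process list inside the container; with the fixed fixture value that is tolerable, but a comment such as `# test fixture only: keystore passwords are passed as command-line properties` would keep the script from being reused with real credentials. The first gawk pattern leaves the dots in `jetty.backchannel.sslContext.keyStorePassword` unescaped while the second escapes them, and the Dockerfile in this commit does not install gawk, so that branch depends on the base image providing it. `$JETTY_MAX_HEAP` is interpolated into the sed expression without a default, so an unset value rewrites the line to a bare `-Xmx`; `${JETTY_MAX_HEAP:-64m}` would mirror the value docker-compose.yml sets.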
@@ -0,0 +1,102 @@
+#
+# SSL Keystore module
+#
+
+[name]
+ssl
+
+[depend]
+server
+
+[xml]
+etc/jetty-ssl.xml
+etc/jetty-ssl-context.xml
+
+[files]
+# keystore originally sourced from https://github.com/eclipse/jetty.project/raw/jetty-9.3.x/jetty-server/src/main/config/etc/keystore
+/opt/shib-jetty-base/etc/keystore
+
+[ini-template]
+### TLS(SSL) Connector Configuration
+
+## Connector host/address to bind to
+# jetty.ssl.host=0.0.0.0
+
+## Connector port to listen on
+# jetty.ssl.port=8443
+
+## Connector idle timeout in milliseconds
+# jetty.ssl.idleTimeout=30000
+
+## Connector socket linger time in seconds (-1 to disable)
+# jetty.ssl.soLingerTime=-1
+
+## Number of acceptors (-1 picks default based on number of cores)
+# jetty.ssl.acceptors=-1
+
+## Number of selectors (-1 picks default based on number of cores)
+# jetty.ssl.selectors=-1
+
+## ServerSocketChannel backlog (0 picks platform default)
+# jetty.ssl.acceptorQueueSize=0
+
+## Thread priority delta to give to acceptor threads
+# jetty.ssl.acceptorPriorityDelta=0
+
+## Whether request host names are checked to match any SNI names
+# jetty.ssl.sniHostCheck=true
+
+## max age in seconds for a Strict-Transport-Security response header (default -1)
+# jetty.ssl.stsMaxAgeSeconds=31536000
+
+## include subdomain property in any Strict-Transport-Security header (default false)
+# jetty.ssl.stsIncludeSubdomains=true
+
+### SslContextFactory Configuration
+## Note that OBF passwords are not secure, just protected from casual observation
+## See http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html
+
+## Keystore file path (relative to $jetty.base)
+# jetty.sslContext.keyStorePath=etc/keystore
+
+## Truststore file path (relative to $jetty.base)
+# jetty.sslContext.trustStorePath=etc/keystore
+
+## Keystore password
+# jetty.sslContext.keyStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
+
+## Keystore type and provider
+# jetty.sslContext.keyStoreType=JKS
+#
jetty.sslContext.keyStoreProvider= + +## KeyManager password +# jetty.sslContext.keyManagerPassword=OBF:1u2u1wml1z7s1z7a1wnl1u2g + +## Truststore password +# jetty.sslContext.trustStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4 + +## Truststore type and provider +# jetty.sslContext.trustStoreType=JKS +# jetty.sslContext.trustStoreProvider= + +## whether client certificate authentication is required +# jetty.sslContext.needClientAuth=false + +## Whether client certificate authentication is desired +# jetty.sslContext.wantClientAuth=false + +## Whether cipher order is significant (since java 8 only) +# jetty.sslContext.useCipherSuitesOrder=true + +## To configure Includes / Excludes for Cipher Suites or Protocols see tweak-ssl.xml example at +## https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#configuring-sslcontextfactory-cipherSuites + +## Set the size of the SslSession cache +# jetty.sslContext.sslSessionCacheSize=-1 + +## Set the timeout (in seconds) of the SslSession cache timeout +# jetty.sslContext.sslSessionTimeout=-1 + +## Allow SSL renegotiation +# jetty.sslContext.renegotiationAllowed=true +# jetty.sslContext.renegotiationLimit=5 diff --git a/x-pack/test/idp-fixture/idp/shib-jetty-base/etc/jetty-backchannel.xml b/x-pack/test/idp-fixture/idp/shib-jetty-base/etc/jetty-backchannel.xml new file mode 100644 index 0000000000000..7b07b5116adfe --- /dev/null +++ b/x-pack/test/idp-fixture/idp/shib-jetty-base/etc/jetty-backchannel.xml @@ -0,0 +1,90 @@ + + + + + + + + + + + + + + + + + + false + true + + + SSL + SSLv2 + SSLv3 + + + + + TLS_ECDHE.* + TLS_RSA.* + + + + + .*NULL.* + .*RC4.* + .*MD5.* + .*DES.* + .*DSS.* + + + + + + + + + + + + + + + + + + + + + + + + + + + + + http/1.1 + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file 
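Review bot: In ssl.mod the `[files]` entry points at a keystore that, per its own comment, comes from the public Jetty repository, so its private key and the `OBF:` passwords in the template have to be treated as publicly known. The comment should say that outright, for example `# test fixture only: public Jetty demo keystore, its key and password are not secret`. Every setting in the `[ini-template]` section is commented out, so the template itself changes nothing at runtime.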
diff --git a/x-pack/test/idp-fixture/idp/shib-jetty-base/etc/jetty-logging.xml b/x-pack/test/idp-fixture/idp/shib-jetty-base/etc/jetty-logging.xml new file mode 100644 index 0000000000000..2348f9938705f --- /dev/null +++ b/x-pack/test/idp-fixture/idp/shib-jetty-base/etc/jetty-logging.xml @@ -0,0 +1,33 @@ + + + + + + + + + + + + + diff --git a/x-pack/test/idp-fixture/idp/shib-jetty-base/etc/jetty-requestlog.xml b/x-pack/test/idp-fixture/idp/shib-jetty-base/etc/jetty-requestlog.xml new file mode 100644 index 0000000000000..69d899a533dee --- /dev/null +++ b/x-pack/test/idp-fixture/idp/shib-jetty-base/etc/jetty-requestlog.xml @@ -0,0 +1,15 @@ + + + + + + + + + /resources/logback-access.xml + + + + + + \ No newline at end of file diff --git a/x-pack/test/idp-fixture/idp/shib-jetty-base/etc/jetty-rewrite.xml b/x-pack/test/idp-fixture/idp/shib-jetty-base/etc/jetty-rewrite.xml new file mode 100644 index 0000000000000..6af7394b37266 --- /dev/null +++ b/x-pack/test/idp-fixture/idp/shib-jetty-base/etc/jetty-rewrite.xml @@ -0,0 +1,49 @@ + + + + + + + + + + + + + + + + + + + + REQUEST + ASYNC + + + + + + + + * + Content-Security-Policy + frame-ancestors 'none'; + + + + + + + + * + X-Frame-Options + DENY + + + + + + + + \ No newline at end of file diff --git a/x-pack/test/idp-fixture/idp/shib-jetty-base/etc/jetty-ssl-context.xml b/x-pack/test/idp-fixture/idp/shib-jetty-base/etc/jetty-ssl-context.xml new file mode 100644 index 0000000000000..08a72852ab438 --- /dev/null +++ b/x-pack/test/idp-fixture/idp/shib-jetty-base/etc/jetty-ssl-context.xml @@ -0,0 +1,41 @@ + + + + + + + + + + + + + + + + + false + + + SSL + SSLv2 + SSLv3 + + + + + TLS_ECDHE.* + TLS_RSA.* + + + + + .*NULL.* + .*RC4.* + .*MD5.* + .*DES.* + .*DSS.* + + + + \ No newline at end of file diff --git a/x-pack/test/idp-fixture/idp/shib-jetty-base/modules/backchannel.mod b/x-pack/test/idp-fixture/idp/shib-jetty-base/modules/backchannel.mod new file mode 100644 index 0000000000000..1215b1096aa73 --- /dev/null 
+++ b/x-pack/test/idp-fixture/idp/shib-jetty-base/modules/backchannel.mod
@@ -0,0 +1,8 @@
+[name]
+backchannel
+
+[depend]
+server
+
+[xml]
+etc/jetty-backchannel.xml
diff --git a/x-pack/test/idp-fixture/idp/shib-jetty-base/resources/logback-access.xml b/x-pack/test/idp-fixture/idp/shib-jetty-base/resources/logback-access.xml
new file mode 100644
index 0000000000000..6c5c2232e66a7
--- /dev/null
+++ b/x-pack/test/idp-fixture/idp/shib-jetty-base/resources/logback-access.xml
@@ -0,0 +1,10 @@
+
+
+
+
+ combined
+
+
+
+
+
\ No newline at end of file
diff --git a/x-pack/test/idp-fixture/idp/shib-jetty-base/resources/logback.xml b/x-pack/test/idp-fixture/idp/shib-jetty-base/resources/logback.xml
new file mode 100644
index 0000000000000..641dc41a39879
--- /dev/null
+++ b/x-pack/test/idp-fixture/idp/shib-jetty-base/resources/logback.xml
@@ -0,0 +1,16 @@
+
+
+
+
+
+ UTF-8
+ %date{HH:mm:ss.SSS} - %level [%logger:%line] - %msg%n
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/x-pack/test/idp-fixture/idp/shib-jetty-base/start.d/backchannel.ini b/x-pack/test/idp-fixture/idp/shib-jetty-base/start.d/backchannel.ini
new file mode 100644
index 0000000000000..afa19ed4d4cda
--- /dev/null
+++ b/x-pack/test/idp-fixture/idp/shib-jetty-base/start.d/backchannel.ini
@@ -0,0 +1,8 @@
+--module=backchannel
+
+jetty.backchannel.port=8443
+jetty.backchannel.sslContext.keyStorePath=/opt/shibboleth-idp/credentials/idp-backchannel.p12
+jetty.backchannel.sslContext.keyStoreType=PKCS12
+
+# specified by $IDP_HOME/ext-conf/idp-secrets.properties or the 'docker run' command line
+# jetty.backchannel.sslContext.keyStorePassword=CHANGEME
\ No newline at end of file
diff --git a/x-pack/test/idp-fixture/idp/shib-jetty-base/start.ini b/x-pack/test/idp-fixture/idp/shib-jetty-base/start.ini
new file mode 100644
index 0000000000000..91a674c8820bd
--- /dev/null
+++ b/x-pack/test/idp-fixture/idp/shib-jetty-base/start.ini
@@ -0,0 +1,33 @@
+# Required Jetty modules
+--module=server
+--module=deploy
+--module=annotations
+--module=resources
+--module=logging
+--module=requestlog
+--module=servlets
+--module=jsp
+--module=jstl
+--module=ext
+--module=plus
+--module=rewrite
+
+# Allows setting Java system properties (-Dname=value)
+# and JVM flags (-X, -XX) in this file
+# NOTE: spawns child Java process
+--exec
+
+# Bypass file validation for the SSL module, to work around a bug in Jetty 9.3.X
+--skip-file-validation=ssl
+
+# Uncomment if IdP is installed somewhere other than /opt/shibboleth-idp
+-Didp.home=/opt/shibboleth-idp
+
+# Alternate garbage collector that reduces memory needed for larger metadata files
+-XX:+UseG1GC
+
+# Maximum amount of memory that Jetty may use, at least 1.5G is recommended
+# for handling larger (> 25M) metadata files but you will need to test on
+# your particular metadata configuration.
+# This value will be replaced at runtime using the env JAVA_MAX_MEMORY setting.
+-XmxJETTY_MAX_HEAP
diff --git a/x-pack/test/idp-fixture/idp/shib-jetty-base/webapps/idp.xml b/x-pack/test/idp-fixture/idp/shib-jetty-base/webapps/idp.xml
new file mode 100644
index 0000000000000..ed62630d6dd8a
--- /dev/null
+++ b/x-pack/test/idp-fixture/idp/shib-jetty-base/webapps/idp.xml
@@ -0,0 +1,7 @@
+
+ /webapp/
+ /idp
+ false
+ false
+ true
+
\ No newline at end of file
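Review bot: The last comment in start.ini names the env `JAVA_MAX_MEMORY`, but run-jetty.sh in this commit substitutes `$JETTY_MAX_HEAP`, which is also the variable docker-compose.yml sets; the comment should read `# This value will be replaced at runtime using the env JETTY_MAX_HEAP setting.`. The comment `# Uncomment if IdP is installed somewhere other than /opt/shibboleth-idp` sits above a line that is already active and could become `# Location of the IdP installation`. The placeholder `-XmxJETTY_MAX_HEAP` is not a valid JVM option until the script rewrites it, so it deserves a line such as `# placeholder: rewritten by run-jetty.sh before Jetty starts`.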