From 76b063e8655a43b7e9f09a200366f3fd1fa7facb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dominik=20Franti=C5=A1ek=20Bu=C4=8D=C3=ADk?=
 <bucik@ics.muni.cz>
Date: Tue, 19 Mar 2024 12:27:34 +0100
Subject: [PATCH] Revert "chore: merge branch 'lsaai_tpl' into 'main'"

This reverts merge request !382
---
 .../db/hsql/hsql_database_tables.sql          |  10 -
 .../src/main/resources/db/hsql/v18.0.0.sql    |  19 --
 .../db/mysql/mysql_database_tables.sql        |  20 --
 .../src/main/resources/db/mysql/v18.0.0.sql   |  19 --
 .../db/psql/psql_database_tables.sql          |  20 --
 .../src/main/resources/db/psql/v18.0.0.sql    |  19 --
 .../webapp/WEB-INF/tags/common/footer.tag     |   4 -
 .../webapp/WEB-INF/tags/common/header.tag     |   4 -
 .../main/webapp/WEB-INF/tags/lsaai/footer.tag |  58 ++---
 .../main/webapp/WEB-INF/tags/lsaai/header.tag |  38 ++-
 .../src/main/webapp/WEB-INF/user-context.xml  |   5 -
 .../webapp/WEB-INF/views/lsaai/approve.jsp    | 236 ++++++++++--------
 .../WEB-INF/views/lsaai/approveDevice.jsp     | 225 ++++++++++-------
 .../main/webapp/WEB-INF/views/lsaai/aup.jsp   |  26 ++
 .../WEB-INF/views/lsaai/device_flow_error.jsp |  13 +
 .../WEB-INF/views/lsaai/isTestSpWarning.jsp   |  23 ++
 .../WEB-INF/views/lsaai/login_failure.jsp     |  23 ++
 .../WEB-INF/views/lsaai/login_success.jsp     |  15 ++
 .../webapp/WEB-INF/views/lsaai/logout.jsp     |  28 +++
 .../views/lsaai/logoutConfirmation.jsp        |  48 ++++
 .../WEB-INF/views/lsaai/logout_denied.jsp     |  15 ++
 .../WEB-INF/views/lsaai/logout_success.jsp    |  15 ++
 .../WEB-INF/views/lsaai/registrationForm.jsp  |  62 +++++
 .../views/lsaai/registrationFormContinue.jsp  |  35 +++
 .../WEB-INF/views/lsaai/requestUserCode.jsp   |  55 ++++
 .../views/lsaai/themedDeviceApproved.jsp      |  33 +++
 .../views/lsaai/themedRequestUserCode.jsp     |  60 +++++
 .../webapp/WEB-INF/views/lsaai/unapproved.jsp |  36 +++
 .../views/lsaai/unapproved_is_eligible.jsp    |  21 ++
 .../WEB-INF/views/lsaai/unapproved_spec.jsp   |  16 ++
 .../ics/oauth2/model/ClientDetailsEntity.java |  12 -
 .../OAuthConfirmationController.java          |   1 -
 .../oauth2/web/endpoint/DeviceEndpoint.java   |   9 +-
 .../ics/oidc/saml/PerunSamlEntryPoint.java    |  86 ++-----
 .../configurations/FacilityAttrsConfig.java   |   2 -
 .../configurations/PerunOidcConfig.java       |   6 -
 .../filters/AuthProcFilterConstants.java      |   3 -
 .../oidc/web/controllers/AupController.java   |   4 +
 .../web/controllers/IsTestSpController.java   |   3 +
 .../oidc/web/controllers/LoginController.java |   6 +
 .../web/controllers/LogoutController.java     |   3 +
 .../PerunUnapprovedController.java            |  32 +++
 ...PerunUnapprovedRegistrationController.java |   8 +
 .../controllers/RegistrationController.java   |   3 +
 .../web/endpoint/EndSessionEndpoint.java      |   8 +
 45 files changed, 915 insertions(+), 472 deletions(-)
 delete mode 100644 perun-oidc-server-webapp/src/main/resources/db/hsql/v18.0.0.sql
 delete mode 100644 perun-oidc-server-webapp/src/main/resources/db/mysql/v18.0.0.sql
 delete mode 100644 perun-oidc-server-webapp/src/main/resources/db/psql/v18.0.0.sql
 create mode 100644 perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/aup.jsp
 create mode 100644 perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/device_flow_error.jsp
 create mode 100644 perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/isTestSpWarning.jsp
 create mode 100644 perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/login_failure.jsp
 create mode 100644 perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/login_success.jsp
 create mode 100644 perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/logout.jsp
 create mode 100644 perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/logoutConfirmation.jsp
 create mode 100644 perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/logout_denied.jsp
 create mode 100644 perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/logout_success.jsp
 create mode 100644 perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/registrationForm.jsp
 create mode 100644 perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/registrationFormContinue.jsp
 create mode 100644 perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/requestUserCode.jsp
 create mode 100644 perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/themedDeviceApproved.jsp
 create mode 100644 perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/themedRequestUserCode.jsp
 create mode 100644 perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/unapproved.jsp
 create mode 100644 perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/unapproved_is_eligible.jsp
 create mode 100644 perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/unapproved_spec.jsp

diff --git a/perun-oidc-server-webapp/src/main/resources/db/hsql/hsql_database_tables.sql b/perun-oidc-server-webapp/src/main/resources/db/hsql/hsql_database_tables.sql
index 388287538..697322c73 100644
--- a/perun-oidc-server-webapp/src/main/resources/db/hsql/hsql_database_tables.sql
+++ b/perun-oidc-server-webapp/src/main/resources/db/hsql/hsql_database_tables.sql
@@ -302,13 +302,3 @@ CREATE TABLE IF NOT EXISTS device_code_request_parameter (
 	param VARCHAR(2048),
 	val VARCHAR(2048)
 );
-
-CREATE TABLE IF NOT EXISTS client_only_allowed_idps (
-    owner_id BIGINT,
-    idp_entity_id VARCHAR(512)
-);
-
-CREATE TABLE IF NOT EXISTS client_blocked_idps (
-    owner_id BIGINT,
-    idp_entity_id VARCHAR(512)
-);
diff --git a/perun-oidc-server-webapp/src/main/resources/db/hsql/v18.0.0.sql b/perun-oidc-server-webapp/src/main/resources/db/hsql/v18.0.0.sql
deleted file mode 100644
index d7634d020..000000000
--- a/perun-oidc-server-webapp/src/main/resources/db/hsql/v18.0.0.sql
+++ /dev/null
@@ -1,19 +0,0 @@
-CREATE TABLE IF NOT EXISTS client_only_allowed_idps (
-    owner_id BIGINT,
-    idp_entity_id VARCHAR(512)
-);
-
-CREATE TABLE IF NOT EXISTS client_blocked_idps (
-    owner_id BIGINT,
-    idp_entity_id VARCHAR(512)
-);
-
-alter table client_only_allowed_idps
-    add constraint client_only_allowed_idps_client_details_id_fk
-        foreign key (owner_id) references client_details (id)
-            on update cascade on delete cascade;
-
-alter table client_blocked_idps
-    add constraint client_blocked_idps_client_details_id_fk
-        foreign key (owner_id) references client_details (id)
-            on update cascade on delete cascade;
\ No newline at end of file
diff --git a/perun-oidc-server-webapp/src/main/resources/db/mysql/mysql_database_tables.sql b/perun-oidc-server-webapp/src/main/resources/db/mysql/mysql_database_tables.sql
index 5c0774dbf..2b0b07728 100644
--- a/perun-oidc-server-webapp/src/main/resources/db/mysql/mysql_database_tables.sql
+++ b/perun-oidc-server-webapp/src/main/resources/db/mysql/mysql_database_tables.sql
@@ -205,16 +205,6 @@ CREATE TABLE IF NOT EXISTS client_claims_redirect_uri (
     redirect_uri VARCHAR(2048) 
 );
 
-CREATE TABLE IF NOT EXISTS client_only_allowed_idps (
-    owner_id BIGINT,
-    idp_entity_id VARCHAR(512)
-);
-
-CREATE TABLE IF NOT EXISTS client_blocked_idps (
-    owner_id BIGINT,
-    idp_entity_id VARCHAR(512)
-);
-
 CREATE TABLE IF NOT EXISTS refresh_token (
     id BIGINT AUTO_INCREMENT PRIMARY KEY,
     token_value VARCHAR(4096),
@@ -481,13 +471,3 @@ alter table whitelisted_site_scope
     add constraint whitelisted_site_scope_whitelisted_site_id_fk
         foreign key (owner_id) references whitelisted_site (id)
             on update cascade on delete cascade;
-
-alter table client_only_allowed_idps
-    add constraint client_only_allowed_idps_client_details_id_fk
-        foreign key (owner_id) references client_details (id)
-            on update cascade on delete cascade;
-
-alter table client_blocked_idps
-    add constraint client_blocked_idps_client_details_id_fk
-        foreign key (owner_id) references client_details (id)
-            on update cascade on delete cascade;
\ No newline at end of file
diff --git a/perun-oidc-server-webapp/src/main/resources/db/mysql/v18.0.0.sql b/perun-oidc-server-webapp/src/main/resources/db/mysql/v18.0.0.sql
deleted file mode 100644
index d7634d020..000000000
--- a/perun-oidc-server-webapp/src/main/resources/db/mysql/v18.0.0.sql
+++ /dev/null
@@ -1,19 +0,0 @@
-CREATE TABLE IF NOT EXISTS client_only_allowed_idps (
-    owner_id BIGINT,
-    idp_entity_id VARCHAR(512)
-);
-
-CREATE TABLE IF NOT EXISTS client_blocked_idps (
-    owner_id BIGINT,
-    idp_entity_id VARCHAR(512)
-);
-
-alter table client_only_allowed_idps
-    add constraint client_only_allowed_idps_client_details_id_fk
-        foreign key (owner_id) references client_details (id)
-            on update cascade on delete cascade;
-
-alter table client_blocked_idps
-    add constraint client_blocked_idps_client_details_id_fk
-        foreign key (owner_id) references client_details (id)
-            on update cascade on delete cascade;
\ No newline at end of file
diff --git a/perun-oidc-server-webapp/src/main/resources/db/psql/psql_database_tables.sql b/perun-oidc-server-webapp/src/main/resources/db/psql/psql_database_tables.sql
index f3a0e5ee3..44f4e85d2 100644
--- a/perun-oidc-server-webapp/src/main/resources/db/psql/psql_database_tables.sql
+++ b/perun-oidc-server-webapp/src/main/resources/db/psql/psql_database_tables.sql
@@ -209,16 +209,6 @@ CREATE TABLE IF NOT EXISTS client_claims_redirect_uri (
     redirect_uri VARCHAR(2048)
 );
 
-CREATE TABLE IF NOT EXISTS client_only_allowed_idps (
-    owner_id BIGINT,
-    idp_entity_id VARCHAR(512)
-);
-
-CREATE TABLE IF NOT EXISTS client_blocked_idps (
-    owner_id BIGINT,
-    idp_entity_id VARCHAR(512)
-);
-
 CREATE TABLE IF NOT EXISTS refresh_token (
     id BIGSERIAL PRIMARY KEY,
     token_value VARCHAR(4096),
@@ -445,16 +435,6 @@ alter table client_scope
         foreign key (owner_id) references client_details (id)
             on update cascade on delete cascade;
 
-alter table client_only_allowed_idps
-    add constraint client_only_allowed_idps_client_details_id_fk
-        foreign key (owner_id) references client_details (id)
-            on update cascade on delete cascade;
-
-alter table client_blocked_idps
-    add constraint client_blocked_idps_client_details_id_fk
-        foreign key (owner_id) references client_details (id)
-            on update cascade on delete cascade;
-
 alter table device_code
     add constraint device_code_client_details_id_fk
         foreign key (client_id) references client_details (client_id)
diff --git a/perun-oidc-server-webapp/src/main/resources/db/psql/v18.0.0.sql b/perun-oidc-server-webapp/src/main/resources/db/psql/v18.0.0.sql
deleted file mode 100644
index d7634d020..000000000
--- a/perun-oidc-server-webapp/src/main/resources/db/psql/v18.0.0.sql
+++ /dev/null
@@ -1,19 +0,0 @@
-CREATE TABLE IF NOT EXISTS client_only_allowed_idps (
-    owner_id BIGINT,
-    idp_entity_id VARCHAR(512)
-);
-
-CREATE TABLE IF NOT EXISTS client_blocked_idps (
-    owner_id BIGINT,
-    idp_entity_id VARCHAR(512)
-);
-
-alter table client_only_allowed_idps
-    add constraint client_only_allowed_idps_client_details_id_fk
-        foreign key (owner_id) references client_details (id)
-            on update cascade on delete cascade;
-
-alter table client_blocked_idps
-    add constraint client_blocked_idps_client_details_id_fk
-        foreign key (owner_id) references client_details (id)
-            on update cascade on delete cascade;
\ No newline at end of file
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/common/footer.tag b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/common/footer.tag
index a1db11bfd..483533b0a 100644
--- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/common/footer.tag
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/common/footer.tag
@@ -6,7 +6,6 @@
 <%@ taglib prefix="ceitec" tagdir="/WEB-INF/tags/ceitec" %>
 <%@ taglib prefix="envri" tagdir="/WEB-INF/tags/envri" %>
 <%@ taglib prefix="muni" tagdir="/WEB-INF/tags/muni" %>
-<%@ taglib prefix="lsaai" tagdir="/WEB-INF/tags/lsaai" %>
 <%@ taglib prefix="t" tagdir="/WEB-INF/tags/common" %>
 <%@ attribute name="baseURL" required="true" %>
 <%@ attribute name="samlResourcesURL" required="true" %>
@@ -28,9 +27,6 @@
     <c:when test="${theme eq 'muni'}">
         <muni:footer/>
     </c:when>
-    <c:when test="${theme eq 'lsaai'}">
-        <lsaai:footer baseURL="${baseURL}" samlResourcesURL="${samlResourcesURL}"/>
-    </c:when>
     <c:otherwise>
         <o:footer />
     </c:otherwise>
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/common/header.tag b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/common/header.tag
index 76d03546f..8720989dd 100644
--- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/common/header.tag
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/common/header.tag
@@ -6,7 +6,6 @@
 <%@ taglib prefix="ceitec" tagdir="/WEB-INF/tags/ceitec" %>
 <%@ taglib prefix="envri" tagdir="/WEB-INF/tags/envri" %>
 <%@ taglib prefix="muni" tagdir="/WEB-INF/tags/muni" %>
-<%@ taglib prefix="lsaai" tagdir="/WEB-INF/tags/lsaai" %>
 <%@ attribute name="title" required="true" %>
 <%@ attribute name="reqURL" required="true" %>
 <%@ attribute name="baseURL" required="true" %>
@@ -30,9 +29,6 @@
     <c:when test="${theme eq 'muni'}">
         <muni:header title="${title}" reqURL="${reqURL}" cssLinks="${cssLinks}" baseURL="${baseURL}" samlResourcesURL="${samlResourcesURL}"/>
     </c:when>
-    <c:when test="${theme eq 'lsaai'}">
-        <lsaai:header title="${title}" reqURL="${reqURL}" cssLinks="${cssLinks}" baseURL="${baseURL}" samlResourcesURL="${samlResourcesURL}"/>
-    </c:when>
     <c:otherwise>
         <o:header title="${title}"/>
     </c:otherwise>
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/lsaai/footer.tag b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/lsaai/footer.tag
index 739924128..a4024316b 100644
--- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/lsaai/footer.tag
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/lsaai/footer.tag
@@ -1,47 +1,21 @@
 <%@ tag pageEncoding="UTF-8" trimDirectiveWhitespaces="true" %>
-<%@ attribute name="js" required="false"%>
-<%@ attribute name="baseURL" required="true"%>
-<%@ attribute name="samlResourcesURL" required="true"%>
-<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions"%>
-<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
-<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
-<%@ taglib prefix="t" tagdir="/WEB-INF/tags/common" %>
-<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
-<jsp:useBean id="date" class="java.util.Date" />
 
-<div class="container" id="footer">
-    <div class="row mt-1">
-        <div class="col-xs-3 col-md-2">
-            <div class="img-wrap" id="footer-ls-logo">
-                <a href="https://lifescience-ri.eu/ls-login/" target="_blank">
-                    <img src="${samlResourcesURL}/module.php/perun/res/img/lsaai_logo_120.png"
-                         alt="European Life Science Research Infrastructures Logo">
-                </a>
-            </div>
+        </div> <!-- ENDCARD_BODY -->
+    </div> <!-- ENDCARD -->
+</div> <!-- ENDCOL -->
+</div> <!-- ENDROW -->
+<footer>
+    <div class="footer offset-1 col-10 offset-sm-1 col-sm-10 offset-md-2 col-md-8 offset-lg-3 col-lg-6 offset-xl-3 col-xl-6">
+        <div class="footer-contact">
+            <a class="contact-link" href="mailto:support@aai.lifescience-ri.eu">Contact us</a>
         </div>
-        <div class="col-xs-9 col-md-10 mt-xs-1">
-            <p class="text-justify ">LS Login, an authentication service of the European Life Science Research
-                Infrastructures (LS RI), is a community platform established via the EOSC-Life project and operated by
-                Masaryk University, Brno, CZ. Visit our
-                <a href="https://lifescience-ri.eu/ls-login/" target="_blank">homepage</a>
-                or contact us at
-                <a href="mailto:support@aai.lifescience-ri.eu">support@aai.lifescience-ri.eu</a>.</p>
+        <div class="footer-policy">
+            <a class="footer-policy-link" href="https://lifescience-ri.eu/ls-login/ls-aai-aup.html">Privacy Policy</a>
         </div>
     </div>
-    <div class="row mb-2 mt-1">
-        <div class="col-xs-3 col-md-2">
-            <div class="img-wrap">
-                <img src="${samlResourcesURL}/module.php/perun/res/img/eu_logo_120.png"
-                     alt="European Union flag">
-            </div>
-        </div>
-        <div class="col-xs-9 col-md-10 mt-xs-1">
-            <p class="text-justify">
-                <a href="https://lifescience-ri.eu/" target="_blank">The European Life Science Research
-                    Infrastructures</a> has received funding from the European Union’s Horizon 2020 research
-                and innovation programme under grant agreement No 654248 and from the European Union’s Horizon
-                2020 programme under grant agreement number 824087.
-            </p>
-        </div>
-    </div>
-</div>
+</footer>
+<script type="text/javascript" src="${config.getIssuer(false)}/resources/js/lsaai/jquery.min.js"></script>
+<script type="text/javascript" src="${config.getIssuer(false)}/resources/js/lsaai/bootstrap.min.js"></script>
+<script type="text/javascript" src="${config.getIssuer(false)}/resources/js/lsaai/cmservice.js"></script>
+</body>
+</html>
\ No newline at end of file
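Review bot: The three script tags at the end of the footer load `jquery.min.js`, `bootstrap.min.js` and `cmservice.js` from `resources/js/lsaai/` with no version in the path, so nothing here tells a maintainer which jQuery or Bootstrap release the lsaai login and consent views run. I would record the bundled versions, either in the file names or in a JSP comment such as `<%-- jquery <VERSION>, bootstrap <VERSION> (placeholders: fill in the vendored releases) --%>`, so dependency scanning and upgrades can track them. Separately, the link labelled "Privacy Policy" points to `ls-aai-aup.html`, which by its name looks like the acceptable-use policy rather than a privacy notice; the target is worth confirming. The closing `</div>`, `</body>` and `</html>` tags pair with elements opened in header.tag, outside this hunk, and the `<!-- ENDCARD -->` markers are HTML comments sent to the browser; `<%-- … --%>` would keep them server-side.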
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/lsaai/header.tag b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/lsaai/header.tag
index 762868717..a6c2eed3f 100644
--- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/lsaai/header.tag
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/tags/lsaai/header.tag
@@ -1,27 +1,19 @@
 <%@ tag pageEncoding="UTF-8" trimDirectiveWhitespaces="true" %>
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
 <%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
-<%@ taglib prefix="o" tagdir="/WEB-INF/tags/common" %>
-<%@ attribute name="title" required="true" %>
-<%@ attribute name="reqURL" required="true" %>
-<%@ attribute name="baseURL" required="true" %>
-<%@ attribute name="samlResourcesURL" required="true" %>
-<%@ attribute name="cssLinks" required="true" type="java.util.ArrayList<java.lang.String>" %>
-
-<c:set var="logoURL" value="${samlResourcesURL}/module.php/perun/res/img/lsaai_logo_200.png"/>
-
-<o:headerInit title="${title}" reqURL="${reqURL}" baseURL="${baseURL}" samlResourcesURL="${samlResourcesURL}"/>
-
-<link rel="icon" href="resources/images/lsaai.ico" />
-<link rel="stylesheet" type="text/css" href="${samlResourcesURL}/module.php/perun/res/bootstrap/css/bootstrap.min.css" />
-<link rel="stylesheet" type="text/css" href="${samlResourcesURL}/module.php/perun/res/css/lsaai.css" />
-
-<o:headerCssLinks cssLinks="${cssLinks}"/>
-
-</head>
-
+<html>
+    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
+    <link href="${config.getIssuer(false)}/resources/css/lsaai/bootstrap.min.css" rel="stylesheet" type="text/css"/>
+    <link href="${config.getIssuer(false)}/resources/css/lsaai/eduteams.css" rel="stylesheet" type="text/css"/>
+    <link href="${config.getIssuer(false)}/resources/css/lsaai/cmservice.css" rel="stylesheet" type="text/css"/>
+    <link rel="icon" href="${config.favicon}">
+    <title>LS Login</title>
+    <link rel="preconnect" href="https://fonts.googleapis.com">
+    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+    <link href="https://fonts.googleapis.com/css2?family=Roboto:ital,wght@0,100;0,300;0,400;0,500;0,700;0,900;1,100;1,300;1,400;1,500;1,700;1,900&display=swap" rel="stylesheet">
 <body>
-
-    <div id="wrap" style="box-shadow: rgba(0, 0, 0, 0.15) 0 1rem 3rem 0.5rem;">
-        <div id="header">
-            <img src="${logoURL}" alt="logo">
+<div class="row">
+    <div class="offset-1 col-10 offset-sm-1 col-sm-10 offset-md-2 col-md-8 offset-lg-3 col-lg-6 offset-xl-3 col-xl-6">
+        <div class="card">
+            <img class="card-img-top" src="${config.getIssuer(false)}/resources/images/lsaai/lsaai_logo.png" alt="Life Science Login logo">
+            <div class="card-body">
\ No newline at end of file
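Review bot: The header now loads a stylesheet from `https://fonts.googleapis.com` (the `css2?family=Roboto…` link), which puts a third-party origin in the rendering path of every view that uses `<ls:header />`, including the consent page in approve.jsp that lists the user's claims. A stylesheet served by another origin can restyle the page, each load discloses the visitor's IP address to that origin, and any Content-Security-Policy for these pages would have to allow external style and font sources. I would serve Roboto from the same `resources/css/lsaai/` directory as the other stylesheets and drop the two `preconnect` links. Also, the new markup opens `<html>` with no `<!DOCTYPE html>` and no `<head>` element around the `meta`/`link`/`title` lines, and the `title` attribute the old tag accepted is replaced by a hard-coded `LS Login`.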
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml
index 7862afc1c..0e7e1ef7c 100644
--- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml
@@ -98,8 +98,6 @@
 				<prop key="proxy.extSource.name"/>
 				<prop key="proxy.base.url"/>
 				<prop key="proxy.add_client_id_to_acrs">false</prop>
-				<prop key="proxy.only_allowed_idps_enabled">false</prop>
-				<prop key="proxy.blocked_idps_enabled">false</prop>
 				<!-- OIDC STUFF -->
 				<prop key="jwk">file:///etc/perun/perun-oidc-keystore.jwks</prop>
 				<prop key="id_token.scopes">openid,profile,email,phone,address</prop>
@@ -130,7 +128,6 @@
 				<prop key="filter.stats.spIdColumnName">spId</prop>
 				<prop key="sentry.config.location"/>
 				<prop key="ga4gh.tokenExchange.brokerUrl"/>
-
 			</props>
 		</property>
 	</bean>
@@ -479,8 +476,6 @@
 		<property name="krbTokenExchangeRequiredScopes" value="#{'${token-exchange.kerberos.requiredScopes}'.split('\s*,\s*')}"/>
 		<property name="requesterIdPrefix" value="${saml.requester-id.prefix}"/>
 		<property name="logRequestsEnabled" value="${logRequestsEnabled}"/>
-		<property name="onlyAllowedIdpsEnabled" value="${proxy.only_allowed_idps_enabled}"/>
-		<property name="blockedIdpsEnabled" value="${proxy.blocked_idps_enabled}"/>
 	</bean>
 
 	<bean id="facilityAttrsConfig" class="cz.muni.ics.oidc.server.configurations.FacilityAttrsConfig">
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/approve.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/approve.jsp
index 5df046e97..6f65d157f 100644
--- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/approve.jsp
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/approve.jsp
@@ -1,119 +1,145 @@
-<%@ page import="java.util.ArrayList" %>
-<%@ page import="java.util.List" %>
-<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" trimDirectiveWhitespaces="true"%>
+<%@ page contentType="text/html; charset=utf-8" pageEncoding="utf-8" %>
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
 <%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
-<%@ taglib prefix="t" tagdir="/WEB-INF/tags/common" %>
 <%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="ls" tagdir="/WEB-INF/tags/lsaai" %>
 
-<%
-
-  String samlCssUrl = (String) request.getAttribute("samlResourcesURL");
-  List<String> cssLinks = new ArrayList<>();
-
-  cssLinks.add(samlCssUrl + "/module.php/consent/assets/css/consent.css");
-  cssLinks.add(samlCssUrl + "/module.php/perun/res/css/consent.css");
-
-  request.setAttribute("cssLinks", cssLinks);
-
-%>
-
-<spring:message code="consent_title" var="title"/>
-<t:header title="${title}" reqURL="${reqURL}" baseURL="${baseURL}"
-          cssLinks="${cssLinks}" theme="${theme}" samlResourcesURL="${samlResourcesURL}"/>
-
-<h1 class="h3"><spring:message code="consent_header"/>${" "}${fn:escapeXml(client.clientName)}</h1>
-
-</div> <%-- header --%>
-
-<div id="content">
-  <c:remove scope="session" var="SPRING_SECURITY_LAST_EXCEPTION" />
-  <c:if test="${getsOfflineAccess}">
-    <div class="alert alert-warning text-justify" role="alert">
-      <h4>Continuous data access.</h4>
-      <p>This service requests continuous access to your data. That means that the service might continuously fetch the
-        information you allow to be released via the form below without further interaction needed.</p>
-    </div>
-  </c:if>
-  <c:if test="${not empty(jurisdiction)}">
-    <div class="alert alert-warning text-justify" role="alert">
-      <c:choose>
-        <c:when test="${'EMBL'.equalsIgnoreCase(jurisdiction)} or ${'INT'.equalsIgnoreCase(jurisdiction)}">
-          <h4>This service is provided by an international organization.</h4>
-        </c:when>
-        <c:otherwise>
-          <h4>This service is in ${jurisdiction}/></h4>
-        </c:otherwise>
-      </c:choose>
-      <c:choose>
-        <c:when test="${'EMBL'.equalsIgnoreCase(jurisdiction)}">
-          <p>In order to access the requested services, the Life Science Login needs to transfer your personal data to
-            an international organization outside EU/EEA jurisdictions.</p>
-          <p>Please be aware that upon transfer your personal data will be protected by
-            <a href="https://www.embl.org/documents/document/internal-policy-no-68-on-general-data-protection/"
-               target="_blank">EMBL’s Internal Policy 68 on General Data Protection</a>.</p>;
-        </c:when>
-        <c:otherwise>
-          <p>In order to access the requested services, the Life Science Login needs to transfer your personal data to
-            a country outside EU/EEA. We cannot guarantee that this country offers an adequately high level of personal
-            data protection as EU/EEA countries.</p>
-        </c:otherwise>
-      </c:choose>
+<ls:header />
+<!-- block container -->
+<div class="aas-message">
+    <p>
+        The service <strong><c:out value="${client.clientName}" /></strong> requires access to your personal data.
+        <c:if test="${not empty(client.policyUri)}">
+        Please, read the <a target="_blank" href="<c:out value="${client.policyUri}" />">Privacy Policy</a> of the service to learn more about its commitments to protect your data.
+        </c:if>
+    </p>
+</div>
+<c:if test="${empty(client.policyUri)}">
+<div class="alert alert-warning" role="alert">
+    <h6>This service is missing a Privacy Policy document.</h6>
+</div>
+</c:if>
+<c:if test="${getsOfflineAccess}">
+<div class="alert alert-warning" role="alert">
+    <div><h6>This service requests continuous access to your personal data.</h6>
+        <p>
+            Normally when you close your browser the service stops fetching your personal data from Life Science Login.
+            However, in this case, fetching your personal data continues as it is required for the service to work.
+        </p>
     </div>
-  </c:if>
-  <c:if test="${not acceptedTos}">
+</div>
+</c:if>
+<c:if test="${isTestSp or (not client.acceptedTos)}">
     <div class="alert alert-warning" role="alert">
-      <h4>Terms of Use for Service Providers not accepted</h4>
-      <p class="text-justify">You are entering a service which has not yet accepted the
-        <a href="https://lifescience-ri.eu/ls-login/terms-of-use-for-service-providers.html"
-           target="_blank">Terms of Use for Service Providers</a>.
-        <c:if test="${isTestSp}">
-          This might be due to the service being registered in the test environment, which does not force the service to
-          do so. To get more information about the different environments of the LS Login, please visit
-          <a href="https://lifescience-ri.eu/ls-login/relying-parties/environments.html" target="_blank">this page</a>.
-        </c:if>
-      </p>
+        <p>You are entering a service that is in the test environment of Life Science Login. The test environment is for service developers to test their relying service’s AAI integration before requesting to move them to the Life Science Login production environment.</p>
+        <p>The test environment is not intended for common users. You are able to access the service because you have opted in as a test user. You need to refresh your registration every 30 days.</p>
     </div>
-  </c:if>
-  <form name="confirmationForm" method="post" action="${pageContext.request.contextPath.endsWith('/') ?
-    pageContext.request.contextPath : pageContext.request.contextPath.concat('/')}auth/authorize">
-    <c:choose>
-      <c:when test="${not empty client.policyUri}">
-        <p>Document with the privacy policy for this service can be found
-          <a target="_blank" href="${fn:escapeXml(client.policyUri)}">here</a>.</p>
-      </c:when>
-      <c:otherwise>
-        <div class="alert alert-warning" role="alert">
-          <h4>Missing Privacy Policy document.</h4>
-          <p class="text-justify">This servise has not yet provided link to the Privacy Policy document.
-            <c:if test="${isTestSp}">
-              This might be due to the service being registered in the test environment, which does not force the
-              service to do so. To get more information about the different environments of the LS Login, please visit
-              <a href="https://lifescience-ri.eu/ls-login/relying-parties/environments.html" target="_blank">this page</a>.
+</c:if>
+<form name="confirmationForm" id="allow_consent_form" class="form-group"
+          action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }auth/authorize" method="post">
+    <div id="accordion">
+        <div class="section">
+            <div class="card-header" id="headingOne">
+                <h5 class="mb-0">
+                    <button class="btn btn-link" type="button" data-toggle="collapse" data-target="#collapseOne" aria-expanded="true" aria-controls="collapseOne">
+                        User Information
+                    </button>
+                </h5>
+            </div>
+            <c:if test="${not empty scopes}">
+                <c:forEach var="scope" items="${scopes}">
+                    <c:set var="singleClaim" value="${fn:length(claims[scope.value]) eq 1}" />
+                    <c:set var="emptyClaim" value="${fn:length(claims[scope.value]) eq 0}" />
+                    <div class="card-body <c:if test="${emptyClaim}">d-none</c:if>">
+                        <div class="attribute-row">
+                            <div class="attribute">
+                                <div class="attribute-name form-check">
+                                    <input class="form-check-input" type="checkbox" name="scope_${ fn:escapeXml(scope.value) }" checked="checked"
+                                           id="scope_${fn:escapeXml(scope.value)}" value="${fn:escapeXml(scope.value)}">
+                                    <label class="form-check-label" for="scope_${fn:escapeXml(scope.value)}">
+                                        <spring:message code="${scope.value}"/>
+                                    </label>
+                                </div>
+                            </div>
+                            <div class="attribute-values">
+                                <c:forEach var="claim" items="${claims[scope.value]}">
+                                <div class="attribute-choose">
+                                    <div class="attribute-value">
+                                        <c:if test="${claim.value.getClass().name eq 'java.util.ArrayList'}">
+                                            <c:forEach var="subValue" items="${claim.value}">
+                                                <div>
+                                                    <code>${subValue}</code>
+                                                </div>
+                                            </c:forEach>
+                                        </c:if>
+                                        <c:if test="${not(claim.value.getClass().name eq 'java.util.ArrayList')}">
+                                            <c:if test="${not(singleClaim)}">
+                                                <strong><spring:message code="${claim.key}"/>:${' '}</strong>
+                                            </c:if>
+                                            <code>${claim.value}</code>
+                                        </c:if>
+                                    </div>
+                                </div>
+                                </c:forEach>
+                            </div>
+                        </div>
+                    </div>
+                </c:forEach>
             </c:if>
-          </p>
         </div>
-      </c:otherwise>
-    </c:choose>
-    <t:attributesConsent />
-    <c:if test="${rememberEnabled}">
-      <div class="row" id="saveconsentcontainer">
-        <div class="col-xs-12">
-          <div class="checkbox">
-            <input type="checkbox" name="remember" id="saveconsent" value="until-revoked"/>
-            <label for="saveconsent"><spring:message code="remember"/></label>
-          </div>
+    </div>
+
+    <c:if test="${not empty jurisdiction}">
+    <div class="alert alert-danger" role="alert">
+        <h6>
+            This service is${' '}
+            <c:if test="${jurisdiction eq 'INT' or jurisdiction eq 'EMBL'}">provided by an international organization. </c:if>
+            <c:if test="${jurisdiction ne 'INT' and jurisdiction ne 'EMBL'}">in ${jurisdiction}</c:if>
+        </h6>
+        <p>
+            <c:if test="${jurisdiction eq 'EMBL'}">
+                In order to access the requested services, the Life Science Login needs to transfer your personal data to an international organization outside EU/EEA jurisdictions.<br/>
+                <i>Please be aware that upon transfer your personal data will be protected by <a href="https://www.embl.org/documents/document/internal-policy-no-68-on-general-data-protection/" target="_blank">EMBL’s Internal Policy 68 on General Data Protection</a>.</i>
+            </c:if>
+            <c:if test="${jurisdiction ne 'EMBL'}">
+                In order to access the requested services, the Life Science Login needs to transfer your personal data to a country outside EU/EEA.
+                We cannot guarantee that this country offers an adequately high level of personal data protection as EU/EEA countries.
+            </c:if>
+        </p>
+        <c:if test="${not empty(client.policyUri)}">
+            <h6>Please, read the <a target="_blank" href="<c:out value="${client.policyUri}" />">Privacy Policy</a> of the service provider to learn more about its commitments to protect your data.</h6>
+        </c:if>
+        <div class="form-check">
+            <input class="form-check-input" type="checkbox" name="transfer" id="transfer" data-np-checked="1">
+            <label class="form-check-label" for="transfer">To continue, consent to the transfer of your personal data.</label>
         </div>
-      </div>
+    </div>
     </c:if>
+    <div class="outro">
+        <p>
+            For withdrawing consent, contact <a href="mailto:support@aai.lifescience-ri.eu">support@aai.lifescience-ri.eu</a>
+        </p>
+    </div>
+    <div class="footer-buttons">
+        <div class="remember">
+            <label>Remember:</label>
+            <div id="select-amount">
+                <select name="remember" id="month" class="btn btn-sm btn-secondary amount">
+                    <option value="none">Just this time</option>
+                    <option value="until-revoked">Forever</option>
+                </select>
+            </div>
+        </div>
+        <div class="consent-button">
+            <a id="abort" class="btn btn-danger" href="https://lifescience-ri.eu/index.php?id=409">Abort</a>
+            <input type="submit" class="btn btn-primary" value="Consent" id="submit" name="authorize"
+                   <c:if test="${not empty jurisdiction}">disabled=""</c:if>
+                   onclick="$('#user_oauth_approval').attr('value',true)">
+        </div>
+    </div>
     <input id="user_oauth_approval" name="user_oauth_approval" value="true" type="hidden" />
     <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
-    <t:consentButtons />
-    <p class='mt-1'>
-      For withdrawing consent, contact <a href='mailto:support@aai.lifescience-ri.eu'>support@aai.lifescience-ri.eu</a>
-    </p>
-  </form>
-</div>
-</div><!-- wrap -->
+</form>
 
-<t:footer baseURL="${baseURL}" theme="${theme}" samlResourcesURL="${samlResourcesURL}"/>
+<ls:footer />
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/approveDevice.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/approveDevice.jsp
index 2261d5ebb..f51b50802 100644
--- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/approveDevice.jsp
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/approveDevice.jsp
@@ -1,98 +1,149 @@
-<%@ page import="java.util.ArrayList" %>
-<%@ page import="java.util.List" %>
-<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" trimDirectiveWhitespaces="true"%>
+<%@ page contentType="text/html; charset=utf-8" pageEncoding="utf-8"%>
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
 <%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
-<%@ taglib prefix="t" tagdir="/WEB-INF/tags/common" %>
 <%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="ls" tagdir="/WEB-INF/tags/lsaai" %>
 
-
-<c:set var="reqURL" value="${reqURL}"/>
-
-
-<%
-
-	String samlCssUrl = (String) request.getAttribute("samlResourcesURL");
-	List<String> cssLinks = new ArrayList<>();
-
-	cssLinks.add(samlCssUrl + "/module.php/consent/assets/css/consent.css");
-	cssLinks.add(samlCssUrl + "/module.php/perun/res/css/consent.css");
-
-	request.setAttribute("cssLinks", cssLinks);
-
-%>
-
-<spring:message code="device_approve_title" var="title"/>
-<t:header title="${title}" reqURL="${reqURL}" baseURL="${baseURL}"
-          cssLinks="${cssLinks}" theme="${theme}" samlResourcesURL="${samlResourcesURL}"/>
-
-<h1 class="h3"><spring:message code="device_approve_header"/> ${" "} ${fn:escapeXml(client.clientName)}</h1>
-
-</div> <%-- header --%>
-
-<div id="content">
-    <c:remove scope="session" var="SPRING_SECURITY_LAST_EXCEPTION" />
-    <c:if test="${getsOfflineAccess}">
-        <div class="alert alert-warning text-justify" role="alert">
-            <h4>Continuous data access.</h4>
-            <p>This service requests continuous access to your data. That means that the service might continuously fetch the
-                information you allow to be released via the form below without further interaction needed.</p>
-        </div>
-    </c:if>
-    <c:if test="${not empty(jurisdiction)}">
-        <div class="alert alert-warning text-justify" role="alert">
-            <c:choose>
-                <c:when test="${'EMBL'.equalsIgnoreCase(jurisdiction)} or ${'INT'.equalsIgnoreCase(jurisdiction)}">
-                    <h4>This service is provided by an international organization.</h4>
-                </c:when>
-                <c:otherwise>
-                    <h4>This service is in ${jurisdiction}/></h4>
-                </c:otherwise>
-            </c:choose>
-            <c:choose>
-                <c:when test="${'EMBL'.equalsIgnoreCase(jurisdiction)}">
-                    <p>In order to access the requested services, the Life Science Login needs to transfer your personal data to
-                        an international organization outside EU/EEA jurisdictions.</p>
-                    <p>Please be aware that upon transfer your personal data will be protected by
-                        <a href="https://www.embl.org/documents/document/internal-policy-no-68-on-general-data-protection/"
-                           target="_blank">EMBL’s Internal Policy 68 on General Data Protection</a>.</p>;
-                </c:when>
-                <c:otherwise>
-                    <p>In order to access the requested services, the Life Science Login needs to transfer your personal data to
-                        a country outside EU/EEA. We cannot guarantee that this country offers an adequately high level of personal
-                        data protection as EU/EEA countries.</p>
-                </c:otherwise>
-            </c:choose>
-        </div>
-    </c:if>
-    <c:if test="${not acceptedTos}">
-        <div class="alert alert-warning" role="alert">
-            <h4>Terms of Use for Service Providers not accepted</h4>
-            <p class="text-justify">You are entering a service which has not yet accepted the
-                <a href="https://lifescience-ri.eu/ls-login/terms-of-use-for-service-providers.html"
-                   target="_blank">Terms of Use for Service Providers</a>.
-                <c:if test="${isTestSp}">
-                    This might be due to the service being registered in the test environment, which does not force the service to
-                    do so. To get more information about the different environments of the LS Login, please visit
-                    <a href="https://lifescience-ri.eu/ls-login/relying-parties/environments.html" target="_blank">this page</a>.
+<ls:header />
+<!-- block container -->
+<div class="aas-message">
+    <p>
+        The service <strong><c:out value="${client.clientName}" /></strong> requires access to your personal data.
+        <c:if test="${not empty(client.policyUri)}">
+        Please, read the <a target="_blank" href="<c:out value="${client.policyUri}" />">Privacy Policy</a> of the service to learn more about its commitments to protect your data.
+        </c:if>
+    </p>
+</div>
+<c:if test="${empty(client.policyUri)}">
+<div class="alert alert-warning" role="alert">
+    <h6>This service is missing a Privacy Policy document.</h6>
+</div>
+</c:if>
+<c:if test="${getsOfflineAccess}">
+<div class="alert alert-warning" role="alert">
+    <div><h6>This service requests continuous access to your personal data.</h6>
+        <p>
+            Normally when you close your browser the service stops fetching your personal data from Life Science Login.
+            However, in this case, fetching your personal data continues as it is required for the service to work.
+        </p>
+    </div>
+</div>
+</c:if>
+<c:if test="${isTestSp or (not client.acceptedTos)}">
+    <div class="alert alert-warning" role="alert">
+        <p>You are entering a service that is in the test environment of Life Science Login. The test environment is for service developers to test their relying service’s AAI integration before requesting to move them to the Life Science Login production environment.</p>
+        <p>The test environment is not intended for common users. You are able to access the service because you have opted in as a test user. You need to refresh your registration every 30 days.</p>
+    </div>
+</c:if>
+<form name="confirmationForm" id="allow_consent_form" class="form-group"
+          action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }auth/device/approved" method="post">
+    <div id="accordion">
+        <div class="section">
+            <div class="card-header" id="headingOne">
+                <h5 class="mb-0">
+                    <button class="btn btn-link" type="button" data-toggle="collapse" data-target="#collapseOne" aria-expanded="true" aria-controls="collapseOne">
+                        User Information
+                    </button>
+                </h5>
+            </div>
+            <div id="collapseOne" class="collapse show" aria-labelledby="headingOne" data-parent="#accordion">
+                <c:if test="${not empty scopes}">
+                    <c:forEach var="scope" items="${scopes}">
+                        <c:set var="singleClaim" value="${fn:length(claims[scope.value]) eq 1}" />
+                        <c:set var="emptyClaim" value="${fn:length(claims[scope.value]) eq 0}" />
+                        <div class="card-body <c:if test="${emptyClaim}">d-none</c:if>">
+                            <div class="attribute-row">
+                                <div class="attribute">
+                                    <div class="attribute-name form-check">
+                                        <input class="form-check-input" type="checkbox" name="scope_${ fn:escapeXml(scope.value) }" checked="checked"
+                                               id="scope_${fn:escapeXml(scope.value)}" value="${fn:escapeXml(scope.value)}">
+                                        <label class="form-check-label" for="scope_${fn:escapeXml(scope.value)}">
+                                            <spring:message code="${scope.value}"/>
+                                        </label>
+                                    </div>
+                                </div>
+                                <div class="attribute-values">
+                                    <c:forEach var="claim" items="${claims[scope.value]}">
+                                    <div class="attribute-choose">
+                                        <div class="attribute-value">
+                                            <c:if test="${claim.value.getClass().name eq 'java.util.ArrayList'}">
+                                                <c:forEach var="subValue" items="${claim.value}">
+                                                    <div>
+                                                        <code>${subValue}</code>
+                                                    </div>
+                                                </c:forEach>
+                                            </c:if>
+                                            <c:if test="${not(claim.value.getClass().name eq 'java.util.ArrayList')}">
+                                                <c:if test="${not(singleClaim)}">
+                                                    <strong><spring:message code="${claim.key}"/>:${' '}</strong>
+                                                </c:if>
+                                                <code>${claim.value}</code>
+                                            </c:if>
+                                        </div>
+                                    </div>
+                                    </c:forEach>
+                                </div>
+                            </div>
+                        </div>
+                    </c:forEach>
                 </c:if>
-            </p>
+            </div>
         </div>
-    </c:if>
-        <form name="confirmationForm"
-              action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }auth/device/approved" method="post">
+    </div>
+
+    <c:if test="${not empty jurisdiction}">
+        <div class="alert alert-danger" role="alert">
+            <h6>
+                This service is${' '}
+                <c:if test="${jurisdiction eq 'INT' or jurisdiction eq 'EMBL'}">provided by an international organization. </c:if>
+                <c:if test="${jurisdiction ne 'INT' and jurisdiction ne 'EMBL'}">in ${jurisdiction}</c:if>
+            </h6>
             <p>
-                <c:if test="${not empty client.policyUri}">
-                    <spring:message code="device_approve_privacy"/>${" "}<a target='_blank' href='${fn:escapeXml(client.policyUri)}'><em>${fn:escapeXml(client.clientName)}</em></a>
+                <c:if test="${jurisdiction eq 'EMBL'}">
+                    In order to access the requested services, the Life Science Login needs to transfer your personal data to an international organization outside EU/EEA jurisdictions.<br/>
+                    <i>Please be aware that upon transfer your personal data will be protected by <a href="https://www.embl.org/documents/document/internal-policy-no-68-on-general-data-protection/" target="_blank">EMBL’s Internal Policy 68 on General Data Protection</a>.</i>
+                </c:if>
+                <c:if test="${jurisdiction ne 'EMBL'}">
+                    In order to access the requested services, the Life Science Login needs to transfer your personal data to a country outside EU/EEA.
+                    We cannot guarantee that this country offers an adequately high level of personal data protection as EU/EEA countries.
                 </c:if>
             </p>
-            <t:attributesConsent/>
-            <input id="user_oauth_approval" name="user_oauth_approval" value="true" type="hidden" />
-            <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
-            <input type="hidden" name="user_code" value="${ dc.userCode }" />
-            <t:consentButtons/>
-        </form>
+            <c:if test="${not empty(client.policyUri)}">
+                <h6>Please, read the <a target="_blank" href="<c:out value="${client.policyUri}" />">Privacy Policy</a> of the service provider to learn more about its commitments to protect your data.</h6>
+            </c:if>
+            <div class="form-check">
+                <input class="form-check-input" type="checkbox" name="transfer" id="transfer" data-np-checked="1">
+                <label class="form-check-label" for="transfer">To continue, consent to the transfer of your personal data.</label>
+            </div>
+        </div>
+    </c:if>
+    <div class="outro">
+        <p>
+            For withdrawing consent, contact
+            <a href="mailto:support@aai.lifescience-ri.eu">support@aai.lifescience-ri.eu</a>
+        </p>
+    </div>
+    <div class="footer-buttons">
+        <div class="remember">
+            <label>Remember:</label>
+            <div id="select-amount">
+                <select name="remember" id="month" class="btn btn-sm btn-secondary amount">
+                    <option value="none">Just this time</option>
+                    <option value="until-revoked">Forever</option>
+                </select>
+            </div>
+        </div>
+        <div class="consent-button">
+            <a id="abort" class="btn btn-danger" href="https://lifescience-ri.eu/index.php?id=409">Abort</a>
+            <input type="submit" class="btn btn-primary" value="Consent" id="submit" name="authorize"
+                   <c:if test="${not empty jurisdiction}">disabled=""</c:if>
+                   onclick="$('#user_oauth_approval').attr('value',true)">
+        </div>
     </div>
-</div><!-- wrap -->
+    <input id="user_oauth_approval" name="user_oauth_approval" value="true" type="hidden" />
+    <input type="hidden" name="user_code" value="${ dc.userCode }" />
+    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
+</form>
 
-<t:footer baseURL="${baseURL}" theme="${theme}" samlResourcesURL="${samlResourcesURL}"/>
+<ls:footer />
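Review bot: The claim values in the scope loop are written with bare EL, `<code>${subValue}</code>` and `<code>${claim.value}</code>`, which JSP does not HTML-escape. These are presumably user attributes, so any markup inside one would be rendered as part of the consent page. The same file already escapes `scope.value` with `fn:escapeXml` and the client name with `<c:out>`, so the claim lines should do the same: `<code><c:out value="${subValue}" /></code>` and `<code><c:out value="${claim.value}" /></code>`. The `in ${jurisdiction}` heading and the hidden `value="${ dc.userCode }"` field are also unescaped and should get the same treatment. The identical claim lines appear in the approve.jsp hunk just above this file.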
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/aup.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/aup.jsp
new file mode 100644
index 000000000..460cf1cb4
--- /dev/null
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/aup.jsp
@@ -0,0 +1,26 @@
+<%@ page contentType="text/html; charset=utf-8" pageEncoding="utf-8"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="ls" tagdir="/WEB-INF/tags/lsaai" %>
+
+<ls:header />
+
+    <h3><spring:message code="must_agree_aup"/></h3>
+    <form method="POST" action="">
+        <c:forEach var="aup" items="${newAups}">
+            <div>
+                <p style="font-size: 16px; padding: 0; margin: 0;"><spring:message code="org_vo"/>${" "}<strong>${aup.key}</strong></p>
+                <p><spring:message code="see_aup"/>${" "}${aup.value.version}${" "}
+                    <a href="${aup.value.link}"><spring:message code="here"/></a></p>
+            </div>
+        </c:forEach>
+        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
+        <div class="form-group">
+            <spring:message code="agree_aup" var="submit_value"/>
+            <input type="submit" value="${submit_value}" class="btn btn-lg btn-primary btn-block">
+        </div>
+    </form>
+
+<ls:footer/>
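Review bot: `${aup.key}`, `${aup.value.version}` and `href="${aup.value.link}"` in the `newAups` loop are emitted without escaping. Where these values come from is not visible in this hunk, but if they are loaded from stored attributes rather than hard-coded, they should be encoded on output, e.g. `<strong><c:out value="${aup.key}" /></strong>` and `<a href="<c:out value="${aup.value.link}" />">`. HTML-escaping does not constrain the URL scheme, so the link should also be checked to be http(s) at the point where it is stored or loaded.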
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/device_flow_error.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/device_flow_error.jsp
new file mode 100644
index 000000000..1f814927e
--- /dev/null
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/device_flow_error.jsp
@@ -0,0 +1,13 @@
+<%@ page contentType="text/html; charset=utf-8" pageEncoding="utf-8"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="ls" tagdir="/WEB-INF/tags/lsaai" %>
+
+<ls:header />
+
+    <h3><spring:message code="device_flow_error_header"/></h3>
+    <p><spring:message code="device_flow_error_message"/></p>
+
+<ls:footer/>
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/isTestSpWarning.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/isTestSpWarning.jsp
new file mode 100644
index 000000000..900cf4f6c
--- /dev/null
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/isTestSpWarning.jsp
@@ -0,0 +1,23 @@
+<%@ page contentType="text/html; charset=utf-8" pageEncoding="utf-8"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="ls" tagdir="/WEB-INF/tags/lsaai" %>
+
+<ls:header />
+
+    <div id="head">
+        <h1><spring:message code="is_test_sp_warning_header"/></h1>
+    </div>
+    <p><spring:message code="is_test_sp_warning_text"/></p>
+
+    <form method="GET" action="${action}">
+        <hr/>
+        <br/>
+        <input type="hidden" name="target" value="${fn:escapeXml(target)}">
+        <input type="hidden" name="accepted" value="true">
+        <spring:message code="is_test_sp_warning_continue" var="submit_value"/>
+        <input type="submit" name="continue" value="${submit_value}" class="btn btn-lg btn-primary btn-block">
+    </form>
+<ls:footer />
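Review bot: The form's `action="${action}"` is written unescaped, while the `target` field two lines below goes through `fn:escapeXml`. For consistency and to keep the attribute well-formed, it should be `action="${fn:escapeXml(action)}"`. Because `target` is round-tripped through a GET form and presumably used as the destination after the warning is accepted, the controller (not visible here) should validate the submitted value against the expected destinations rather than trust it.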
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/login_failure.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/login_failure.jsp
new file mode 100644
index 000000000..db02f2305
--- /dev/null
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/login_failure.jsp
@@ -0,0 +1,23 @@
+<%@ page contentType="text/html; charset=utf-8" pageEncoding="utf-8"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="ls" tagdir="/WEB-INF/tags/lsaai" %>
+
+<ls:header />
+
+    <div id="head">
+        <h1><spring:message code="login_failure_header"/></h1>
+    </div>
+    <div class="msg"><spring:message code="login_failure_msg"/></div>
+    <c:if test="${not empty('error_msg')}">
+        <div class="mgs">
+            <spring:message code="${error_msg}"/>
+        </div>
+    </c:if>
+    <div class="msg"><spring:message code="login_failure_contact_us"/>${" "}
+        <a href="mailto:${contactMail}">${contactMail}</a>.
+    </div>
+
+<ls:footer />
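Review bot: The guard `<c:if test="${not empty('error_msg')}">` tests the string literal `'error_msg'`, not the attribute, so it is always true. When `error_msg` is unset, `<spring:message code="${error_msg}"/>` is then evaluated with an empty code, which would likely fail the page render unless the message source falls back to the code. The test should be `<c:if test="${not empty error_msg}">`. The wrapper's `class="mgs"` also looks like a typo for `msg`, and `${contactMail}` is written unescaped into both the `mailto:` href and the link text; `<c:out value="${contactMail}" />` would be safer.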
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/login_success.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/login_success.jsp
new file mode 100644
index 000000000..a6c545567
--- /dev/null
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/login_success.jsp
@@ -0,0 +1,15 @@
+<%@ page contentType="text/html; charset=utf-8" pageEncoding="utf-8"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="ls" tagdir="/WEB-INF/tags/lsaai" %>
+
+<ls:header />
+
+    <div id="head">
+        <h1><spring:message code="login_success_header"/></h1>
+    </div>
+    <div class="msg"><spring:message code="login_success_msg"/></div>
+
+<ls:footer />
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/logout.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/logout.jsp
new file mode 100644
index 000000000..dc036c78e
--- /dev/null
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/logout.jsp
@@ -0,0 +1,28 @@
+<%@ page contentType="text/html; charset=utf-8" pageEncoding="utf-8"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="ls" tagdir="/WEB-INF/tags/lsaai" %>
+
+<ls:header />
+
+    <h1><spring:message code="logout.confirmation.header"/></h1>
+    <form action="${config.issuer}${config.issuer.endsWith('/') ? '' : '/'}endsession" method="POST">
+        <p><spring:message code="logout.confirmation.explanation"/></p>
+        <div class="row">
+            <div class="col-md-6 mb-4">
+                <spring:message code="logout.confirmation.submit" var="submit_value_approve"/>
+                <input name="approve" value="${submit_value_approve}"
+                       type="submit" class="btn btn-lg btn-block btn-primary" />
+            </div>
+            <div class="col-md-6 mb-4">
+                <spring:message code="logout.confirmation.deny" var="submit_value_deny"/>
+                <input name="deny" value="${submit_value_deny}"
+                       type="submit" class="btn btn-lg btn-block" />
+            </div>
+        </div>
+        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
+    </form>
+
+<ls:footer/>
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/logoutConfirmation.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/logoutConfirmation.jsp
new file mode 100644
index 000000000..106635b25
--- /dev/null
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/logoutConfirmation.jsp
@@ -0,0 +1,48 @@
+<%@ page contentType="text/html; charset=utf-8" pageEncoding="utf-8"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="ls" tagdir="/WEB-INF/tags/lsaai" %>
+
+<ls:header />
+
+	<div class="well" style="text-align: center">
+
+		<h1><spring:message code="logout.confirmation.header"/></h1>
+
+		<form action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }endsession" method="POST">
+
+			<div class="row-fluid">
+				<div class="span12">
+	                <spring:message code="logout.confirmation.submit" var="authorize_label"/>
+	                <spring:message code="logout.confirmation.deny" var="deny_label"/>
+	                <div>
+						<c:if test="${ not empty client }">
+							<!-- display some client information -->
+							<spring:message code="logout.confirmation.requested"/>&nbsp;
+							<c:choose>
+								<c:when test="${empty client.clientName}">
+									<em><c:out value="${client.clientId}" /></em>
+								</c:when>
+								<c:otherwise>
+									<em><c:out value="${client.clientName}" /></em>
+								</c:otherwise>
+							</c:choose>
+						</c:if>
+	                </div>
+	                <div>
+	                	<spring:message code="logout.confirmation.explanation" />
+	                </div>
+					<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
+					<input name="approve" value="${authorize_label}" type="submit" class="btn btn-info btn-large" /> 
+					&nbsp; 
+					<input name="deny" value="${deny_label}" type="submit" class="btn btn-large" />
+				</div>
+			</div>
+
+		</form>
+
+	</div>
+
+<ls:footer />
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/logout_denied.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/logout_denied.jsp
new file mode 100644
index 000000000..7d9e6e582
--- /dev/null
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/logout_denied.jsp
@@ -0,0 +1,15 @@
+<%@ page contentType="text/html; charset=utf-8" pageEncoding="utf-8"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="ls" tagdir="/WEB-INF/tags/lsaai" %>
+
+<ls:header />
+
+    <div id="head">
+        <h1><spring:message code="logout_denied_header"/></h1>
+    </div>
+    <div class="msg"><spring:message code="logout_denied_msg"/></div>
+
+<ls:footer/>
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/logout_success.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/logout_success.jsp
new file mode 100644
index 000000000..deebb7fd4
--- /dev/null
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/logout_success.jsp
@@ -0,0 +1,15 @@
+<%@ page contentType="text/html; charset=utf-8" pageEncoding="utf-8"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="ls" tagdir="/WEB-INF/tags/lsaai" %>
+
+<ls:header />
+
+    <div id="head">
+        <h1><spring:message code="logout_success_header"/></h1>
+    </div>
+    <div class="msg"><spring:message code="logout_success_msg"/></div>
+
+<ls:footer/>
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/registrationForm.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/registrationForm.jsp
new file mode 100644
index 000000000..4aa91e010
--- /dev/null
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/registrationForm.jsp
@@ -0,0 +1,62 @@
+<%@ page contentType="text/html; charset=utf-8" pageEncoding="utf-8"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="ls" tagdir="/WEB-INF/tags/lsaai" %>
+
+<ls:header />
+
+    <div id="head">
+        <h1><spring:message code="registration_header1"/>
+            <c:choose>
+                <c:when test="${not empty client.clientName and not empty client.clientUri}">
+                    &#32;<a href="${fn:escapeXml(client.clientUri)}">${fn:escapeXml(client.clientName)}</a>
+                </c:when>
+                <c:when test="${not empty client.clientName}">
+                    &#32;${fn:escapeXml(client.clientName)}
+                </c:when>
+            </c:choose>
+            ${" "}<spring:message code="registration_header2"/>
+        </h1>
+    </div>
+    <div class="msg mt-3"><spring:message code="registration_message"/></div>
+
+    <div class="list-group">
+        <form action="${action}" method="get">
+            <c:choose>
+                <c:when test="${not empty groupsForRegistration and groupsForRegistration.size() > 1}">
+                    <h4 class="mb-2"><spring:message code="registration_select_vo"/></h4>
+                    <select id="selectVo mb-4" class="form-control" name="selectedVo" onchange="filter()" required>
+                        <c:forEach var="voGroupPair" items="${groupsForRegistration}">
+                            <option value="${fn:escapeXml(voGroupPair.key.shortName)}">
+                                    ${fn:escapeXml(voGroupPair.key.name)}
+                            </option>
+                        </c:forEach>
+                    </select>
+                </c:when>
+                <c:when test="${not empty groupsForRegistration and groupsForRegistration.size() == 1}">
+                    <c:forEach var="voGroupPair" items="${groupsForRegistration}">
+                        <input type="hidden" name="selectedVo" value="${fn:escapeXml(voGroupPair.key.shortName)}">
+                    </c:forEach>
+                </c:when>
+            </c:choose>
+
+            <h4 class="mb-2 selectGroup"><spring:message code="registration_select_group"/></h4>
+            <select class="selectGroup mb-4 form-control" name="selectedGroup" class="form-control" required>
+                <c:forEach var="voGroupPair" items="${groupsForRegistration}">
+                    <c:forEach var="group" items="${voGroupPair.value}">
+                        <option class="groupOption" value="${fn:escapeXml(voGroupPair.key.shortName)}:${fn:escapeXml(group.name)}">
+                                ${fn:escapeXml(group.description)}
+                        </option>
+                    </c:forEach>
+                </c:forEach>
+            </select>
+
+            <spring:message code="registration_continue" var="submit_value"/>
+            <input type="submit" value="${submit_value}" class="btn btn-lg btn-primary btn-block">
+        </form>
+    </div>
+
+<ls:footer/>
+<script type="text/javascript" src="${config.getIssuer(false)}/resources/js/reg_form_select.js"></script>
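Review bot: `${action}` on the `<form>` line is written into the `action` attribute without escaping, unlike the client and group values in this view. EL in JSP template text is not HTML-escaped, so the line should read `<form action="${fn:escapeXml(action)}" method="get">`. How `action` is populated is not visible in this hunk, so treat this as defence in depth unless the controller is known to build it from configuration only. Separately, `id="selectVo mb-4"` puts a class name into the id, and the group `<select>` carries two `class` attributes. `id="selectVo" class="form-control mb-4"` is presumably what was meant, which matters if `reg_form_select.js` looks the element up by id.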
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/registrationFormContinue.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/registrationFormContinue.jsp
new file mode 100644
index 000000000..29b06219b
--- /dev/null
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/registrationFormContinue.jsp
@@ -0,0 +1,35 @@
+<%@ page contentType="text/html; charset=utf-8" pageEncoding="utf-8"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="ls" tagdir="/WEB-INF/tags/lsaai" %>
+
+<ls:header />
+
+    <div id="head">
+        <h1><spring:message code="go_to_registration_header1"/>
+            <c:choose>
+                <c:when test="${not empty client.clientName and not empty client.clientUri}">
+                    ${" "}<a href="${fn:escapeXml(client.uri)}">${fn:escapeXml(client.clientName)}</a>
+                </c:when>
+                <c:when test="${not empty client.clientName}">
+                    ${" "}${fn:escapeXml(client.clientName)}
+                </c:when>
+            </c:choose>
+            ${" "}<spring:message code="go_to_registration_header2"/>
+        </h1>
+    </div>
+    <form method="GET" action="${action}">
+        <hr/>
+        <br/>
+        <input type="hidden" name="client_id" value="${fn:escapeXml(client_id)}" />
+        <input type="hidden" name="facility_id" value="${fn:escapeXml(facility_id)}" />
+        <input type="hidden" name="user_id" value="${fn:escapeXml(user_id)}" />
+        <spring:message code="go_to_registration_continue" var="submit_value"/>
+        <input type="submit" name="continueToRegistration" value="${submit_value}"
+               class="btn btn-lg btn-primary btn-block">
+    </form>
+
+
+<ls:footer/>
\ No newline at end of file
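Review bot: The first `<c:when>` tests `client.clientUri` but the link renders `client.uri`, a property no other view in this patch reads. If the client bean has no `uri` getter the page fails at render time, so the href should be `${fn:escapeXml(client.clientUri)}` as in registrationForm.jsp. `clientUri` is client-registered data and `fn:escapeXml` neutralises markup but not the URL scheme, so confirm that registration restricts it to http/https before it is rendered as a link. `action="${action}"` on the form is also unescaped and would be safer as `action="${fn:escapeXml(action)}"`.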
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/requestUserCode.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/requestUserCode.jsp
new file mode 100644
index 000000000..1e1e878da
--- /dev/null
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/requestUserCode.jsp
@@ -0,0 +1,55 @@
+<%@ page contentType="text/html; charset=utf-8" pageEncoding="utf-8"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="ls" tagdir="/WEB-INF/tags/lsaai" %>
+
+<ls:header />
+
+	<div class="well" style="text-align: center">
+
+		<h1><spring:message code="device.request_code.header"/></h1>
+
+	<c:if test="${ error != null }">
+		<c:choose>
+			<c:when test="${ error == 'noUserCode' }">
+				<div class="alert alert-error"><spring:message code="device.error.noUserCode"/></div>
+			</c:when>
+			<c:when test="${ error == 'expiredUserCode' }">
+				<div class="alert alert-error"><spring:message code="device.error.expiredUserCode"/></div>
+			</c:when>
+			<c:when test="${ error == 'userCodeAlreadyApproved' }">
+				<div class="alert alert-error"><spring:message code="device.error.userCodeAlreadyApproved"/></div>
+			</c:when>
+			<c:when test="${ error == 'userCodeMismatch' }">
+				<div class="alert alert-error"><spring:message code="device.error.userCodeMismatch"/></div>
+			</c:when>
+			<c:otherwise>
+				<div class="alert alert-error"><spring:message code="device.error.error"/></div>	
+			</c:otherwise>
+		</c:choose>				
+	</c:if>
+
+
+		<form action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }auth/device" method="POST">
+
+			<div class="row-fluid">
+				<div class="span12">
+	                <spring:message code="device.request_code.submit" var="authorize_label"/>
+	                <div>
+		                <div class="input-block-level input-xlarge">
+			                <input type="text" name="user_code" placeholder="code" autocorrect="off"
+								   autocapitalize="off" autocomplete="off" spellcheck="false" value="${user_code}" />
+		                </div>
+	                </div>
+					<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
+					<input name="approve" value="${authorize_label}" type="submit" class="btn btn-info btn-large" /> 
+				</div>
+			</div>
+
+		</form>
+
+	</div>
+
+<ls:footer/>
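Review bot: `value="${user_code}"` on the `user_code` input is emitted without escaping. EL in JSP template text is not HTML-escaped, so if the controller puts the submitted code back into the model (not visible here), this is a reflected-XSS sink on a page that also carries the CSRF token. Use `value="${fn:escapeXml(user_code)}"`; the `fn` taglib is already declared at the top of the file. The same line appears in themedRequestUserCode.jsp later in this patch and needs the same change.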
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/themedDeviceApproved.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/themedDeviceApproved.jsp
new file mode 100644
index 000000000..2bbf141c3
--- /dev/null
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/themedDeviceApproved.jsp
@@ -0,0 +1,33 @@
+<%@ page contentType="text/html; charset=utf-8" pageEncoding="utf-8"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="ls" tagdir="/WEB-INF/tags/lsaai" %>
+
+<ls:header />
+
+    <h1>
+        <c:if test="${ approved }"><p>&#x2714; <spring:message code="device_approved_approved"/></p></c:if>
+        <c:if test="${ not approved }"><p>&#x2717; <spring:message code="device_approved_rejected"/></p></c:if>
+    </h1>
+    <p class="mt-2">
+        <c:if test="${ approved }">
+            <spring:message code="device_approved_text_approved_start"/>${" "}
+            <c:if test="${empty client.clientName}"><em><c:out value="${client.clientId}" /></em></c:if>
+            <c:if test="${not empty client.clientName}"><em><c:out value="${client.clientName}" /></em></c:if>
+            ${" "}<spring:message code="device_approved_text_approved_end"/>
+        </c:if>
+        <c:if test="${not approved}">
+            <spring:message code="device_approved_text_rejected_start"/>
+            <c:if test="${empty client.clientName}">
+                <em>${" "}<c:out value="${client.clientId}"/></em>
+            </c:if>
+            <c:if test="${not empty client.clientName}">
+                <em>${" "}<c:out value="${client.clientName}"/></em>
+            </c:if>
+            ${". "}<spring:message code="device_approved_text_rejected_end"/>
+        </c:if>
+    </p>
+
+<ls:footer />
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/themedRequestUserCode.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/themedRequestUserCode.jsp
new file mode 100644
index 000000000..1f86cfbf6
--- /dev/null
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/themedRequestUserCode.jsp
@@ -0,0 +1,60 @@
+<%@ page contentType="text/html; charset=utf-8" pageEncoding="utf-8"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="ls" tagdir="/WEB-INF/tags/lsaai" %>
+
+<ls:header/>
+
+    <h1><spring:message code="request_code_header"/></h1>
+    <c:choose>
+        <c:when test="${ not empty error }">
+            <p class="alert alert-danger mt-2">
+            <c:choose>
+                <c:when test="${ error == 'noUserCode' }">
+                    <spring:message code="user_code_empty_or_not_found"/>
+                </c:when>
+                <c:when test="${ error == 'expiredUserCode' }">
+                    <spring:message code="user_code_expired"/>
+                </c:when>
+                <c:when test="${ error == 'userCodeAlreadyApproved' }">
+                    <spring:message code="user_code_already_approved"/>
+                </c:when>
+                <c:when test="${ error == 'userCodeMismatch' }">
+                    <spring:message code="user_code_mismatch"/>
+                </c:when>
+                <c:otherwise>
+                    <spring:message code="user_code_error"/>
+                </c:otherwise>
+            </c:choose>
+            </p>
+        </c:when>
+        <c:otherwise>
+            <p class="mt-2"><spring:message code="user_code_info"/></p>
+        </c:otherwise>
+    </c:choose>
+
+    <form name="confirmationForm" class="mt-2"  method="POST"
+          action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }device-verify">
+        <div class="row-fluid">
+            <div class="span12">
+                <div>
+                    <div class="input-block-level input-xlarge">
+                        <spring:message code="code" var="code_placeholder"/>
+                        <input type="text" name="user_code" placeholder="${code_placeholder}"
+                               autocapitalize="off" autocomplete="off" spellcheck="false" value="${user_code}" />
+                    </div>
+                </div>
+            </div>
+        </div>
+        <div class="row-fluid mt-2">
+            <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
+            <spring:message code="user_code_submit" var="submit_value"/>
+            <input name="approve" value="${submit_value}" type="submit"
+                   class="btn btn-success btn-block btn-large" />
+        </div>
+
+    </form>
+
+<ls:footer/>
\ No newline at end of file
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/unapproved.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/unapproved.jsp
new file mode 100644
index 000000000..e2d1d3ecc
--- /dev/null
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/unapproved.jsp
@@ -0,0 +1,36 @@
+<%@ page contentType="text/html; charset=utf-8" pageEncoding="utf-8"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="ls" tagdir="/WEB-INF/tags/lsaai" %>
+
+<ls:header />
+
+    <div class="error_message" style="word-wrap: break-word;">
+        <c:forEach var="contactIter" items="${client.contacts}" end="0">
+            <c:set var="contact" value="${contactIter}" />
+        </c:forEach>
+        <c:if test="${empty contact}">
+            <c:set var="contact" value="${contactMail}"/>
+        </c:if>
+        <h1><spring:message code="403_header"/></h1>
+        <p><spring:message code="403_text"/>${' '}${fn:escapeXml(client.clientName)}
+            <c:if test="${not empty client.clientUri}">
+                <br/>
+                <spring:message code="403_informationPage"/>${' '}
+                <a href="${fn:escapeXml(client.clientUri)}">
+                    ${fn:escapeXml(client.clientUri)}
+                </a>
+            </c:if>
+        </p>
+
+        <spring:message code="403_subject" var="subject"/>
+        <p><spring:message code="403_contactSupport"/>${' '}
+           <a href="mailto:${contact}?subject=${subject} ${fn:escapeXml(client.clientName)}">
+               ${fn:escapeXml(contact)}
+           </a>
+        </p>
+    </div>
+
+<ls:footer />
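Review bot: In the `mailto:` link, `${contact}` and `${subject}` are inserted raw into the `href`, although `contact` comes from `client.contacts` (client-registered data) and is escaped when shown as link text two lines below. Escape it in the attribute too, `mailto:${fn:escapeXml(contact)}`. The subject and client name should also be percent-encoded, because a space, `&` or `?` in either yields a malformed mailto URI and can change how the mail client parses the link. The `<c:forEach ... end="0">` loop used to pick the first contact also deserves a short comment, since its intent is not obvious.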
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/unapproved_is_eligible.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/unapproved_is_eligible.jsp
new file mode 100644
index 000000000..e44920617
--- /dev/null
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/unapproved_is_eligible.jsp
@@ -0,0 +1,21 @@
+<%@ page contentType="text/html; charset=utf-8" pageEncoding="utf-8"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="ls" tagdir="/WEB-INF/tags/lsaai" %>
+
+<ls:header />
+
+<div class="error_message" style="word-wrap: break-word;">
+    <h1><spring:message code="${outHeader}"/></h1>
+    <p><spring:message code="${outMessage}"/></p>
+    <c:if test="${hasTarget}">
+        <form method="POST" action="" class="mb-4">
+            <button class="btn btn-primary btn-block"><spring:message code="${outButton}"/></button>
+        </form>
+    </c:if>
+    <p><spring:message code="${outContactP}"/>${" "}<a href="mailto:${contactMail}">${contactMail}</a></p>
+</div>
+
+<ls:footer/>
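Review bot: The `<form method="POST" action="">` has no CSRF token field, while the other POST forms added in this patch (requestUserCode.jsp, themedRequestUserCode.jsp) include `<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />`. Whether CSRF protection covers the endpoint behind this view is not visible here. If it does, the submit will be rejected; if the path is exempted, that exemption should be documented in the security configuration. `${contactMail}` is also unescaped in both the `mailto:` href and the link text; `${fn:escapeXml(contactMail)}` would match the escaping used in the other views, and unapproved_spec.jsp has the same line.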
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/unapproved_spec.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/unapproved_spec.jsp
new file mode 100644
index 000000000..6bdd59a7c
--- /dev/null
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/lsaai/unapproved_spec.jsp
@@ -0,0 +1,16 @@
+<%@ page contentType="text/html; charset=utf-8" pageEncoding="utf-8"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
+<%@ taglib prefix="ls" tagdir="/WEB-INF/tags/lsaai" %>
+
+<ls:header />
+
+    <div class="error_message" style="word-wrap: break-word;">
+        <h1><spring:message code="${outHeader}"/></h1>
+        <p><spring:message code="${outMessage}"/></p>
+        <p><spring:message code="contact_p"/>${" "}<a href="mailto:${contactMail}">${contactMail}</a></p>
+    </div>
+
+<ls:footer />
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/model/ClientDetailsEntity.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/model/ClientDetailsEntity.java
index 8d26683e3..06be4156d 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/model/ClientDetailsEntity.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/model/ClientDetailsEntity.java
@@ -338,18 +338,6 @@ public class ClientDetailsEntity implements ClientDetails {
 	@Column(name = "parent_client_id")
 	private Long parentClientId;
 
-	@ElementCollection(fetch = FetchType.EAGER)
-	@CollectionTable(name = "client_only_allowed_idps", joinColumns = @JoinColumn(name = "owner_id"))
-	@Column(name = "idp_entity_id")
-	@CascadeOnDelete
-	private Set<String> onlyAllowedIdps;
-
-	@ElementCollection(fetch = FetchType.EAGER)
-	@CollectionTable(name = "client_blocked_idps", joinColumns = @JoinColumn(name = "owner_id"))
-	@Column(name = "idp_entity_id")
-	@CascadeOnDelete
-	private Set<String> blockedIdps;
-
 	@Transient
 	private Map<String, Object> additionalInformation = new HashMap<>();
 
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/controller/OAuthConfirmationController.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/controller/OAuthConfirmationController.java
index 38b5d37d8..5505e255c 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/controller/OAuthConfirmationController.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/controller/OAuthConfirmationController.java
@@ -205,7 +205,6 @@ public class OAuthConfirmationController {
 			model.put("getsOfflineAccess", authRequest.getScope().contains("offline_access"));
 			model.put("jurisdiction", AuthenticationUtilities.getJurisdiction(client));
 			model.put("isTestSp", AuthenticationUtilities.isTestSp(client, perunAdapter, facilityAttrsConfig.getTestSpAttr()));
-			model.put("acceptedTos", client.isAcceptedTos());
 			return "lsaai/approve";
 		}
 		return THEMED_APPROVE;
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/DeviceEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/DeviceEndpoint.java
index d379f94f7..a8c0e219c 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/DeviceEndpoint.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/DeviceEndpoint.java
@@ -441,6 +441,9 @@ public class DeviceEndpoint {
 
 		ControllerUtils.setPageOptions(model, req, htmlClasses, perunOidcConfig);
 		model.put(PAGE, viewName);
+		if (perunOidcConfig.getTheme().equalsIgnoreCase("lsaai")) {
+			return "lsaai/" + themedViewName;
+		}
 		return themedViewName;
 	}
 
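Review bot: `perunOidcConfig.getTheme().equalsIgnoreCase("lsaai")` throws a NullPointerException if no theme is configured; whether `getTheme()` can return null is not visible here. Writing it as `"lsaai".equalsIgnoreCase(perunOidcConfig.getTheme())` is null-safe. The same check, with a hand-built `"lsaai/" + view` string, is repeated in the third DeviceEndpoint hunk and in AupController, IsTestSpController and LoginController. A single shared helper that maps a view name to its themed variant would keep the theme name and path prefix in one place, so a new view cannot silently miss the branch. The enclosing method starts outside the hunk.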
@@ -471,8 +474,7 @@ public class DeviceEndpoint {
 			model.put("getsOfflineAccess", dc.getScope().contains("offline_access"));
 			model.put("jurisdiction", AuthenticationUtilities.getJurisdiction(client));
 			model.put("isTestSp", AuthenticationUtilities.isTestSp(client, perunAdapter, facilityAttrsConfig.getTestSpAttr()));
-			model.put("acceptedTos", client.isAcceptedTos());
-			return "lsaai/approveDevice";
+			return "lsaai/" + APPROVE_DEVICE;
 		}
 		return THEMED_APPROVE_DEVICE;
 	}
@@ -512,6 +514,9 @@ public class DeviceEndpoint {
 	{
 		deviceCodeService.addErrorToCode(userCode, exception);
 		ControllerUtils.setPageOptions(model, req, htmlClasses, perunOidcConfig);
+		if (perunOidcConfig.getTheme().equalsIgnoreCase("lsaai")) {
+			return "lsaai/" + DEVICE_FLOW_ERROR_VIEW;
+		}
 		return DEVICE_FLOW_ERROR_VIEW;
 	}
 
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlEntryPoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlEntryPoint.java
index 013cd6e65..4fd96fe19 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlEntryPoint.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlEntryPoint.java
@@ -1,9 +1,7 @@
 package cz.muni.ics.oidc.saml;
 
-import cz.muni.ics.oauth2.model.ClientDetailsEntity;
 import cz.muni.ics.oauth2.model.DeviceCode;
 import cz.muni.ics.oauth2.repository.impl.DeviceCodeRepository;
-import cz.muni.ics.oauth2.service.ClientDetailsEntityService;
 import cz.muni.ics.oidc.models.Facility;
 import cz.muni.ics.oidc.models.PerunAttributeValue;
 import cz.muni.ics.oidc.server.adapters.PerunAdapter;
@@ -41,12 +39,10 @@ import java.util.Set;
 import static cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint.PATH_DEVICE_AUTHORIZE;
 import static cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint.USER_CODE;
 import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.AARC_IDP_HINT;
-import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.BLOCKED_IDPS_ACR_PREFIX;
 import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.CLIENT_ID_PREFIX;
 import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.EFILTER_PREFIX;
 import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.FILTER_PREFIX;
 import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.IDP_ENTITY_ID_PREFIX;
-import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.ONLY_ALLOWED_IDPS_ACR_PREFIX;
 import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_CLIENT_ID;
 import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_MAX_AGE;
 import static cz.muni.ics.oidc.server.filters.AuthProcFilterConstants.PARAM_PROMPT;
@@ -59,21 +55,18 @@ public class PerunSamlEntryPoint extends SAMLEntryPoint {
     private final FacilityAttrsConfig facilityAttrsConfig;
     private final SamlProperties samlProperties;
     private final DeviceCodeRepository deviceCodeRepository;
-    private final ClientDetailsEntityService clientDetailsEntityService;
 
     public PerunSamlEntryPoint(PerunAdapter perunAdapter,
                                PerunOidcConfig config,
                                FacilityAttrsConfig facilityAttrsConfig,
                                SamlProperties samlProperties,
-                               DeviceCodeRepository deviceCodeRepository,
-                               ClientDetailsEntityService clientDetailsEntityService
-    ) {
+                               DeviceCodeRepository deviceCodeRepository)
+    {
         this.perunAdapter = perunAdapter;
         this.config = config;
         this.facilityAttrsConfig = facilityAttrsConfig;
         this.samlProperties = samlProperties;
         this.deviceCodeRepository = deviceCodeRepository;
-        this.clientDetailsEntityService = clientDetailsEntityService;
     }
 
     @Override
@@ -183,12 +176,12 @@ public class PerunSamlEntryPoint extends SAMLEntryPoint {
     }
 
     private void processPrompt(Map<String, String> requestParameters, WebSSOProfileOptions options) {
-        String prompt = requestParameters.getOrDefault(PARAM_PROMPT, "");
-        if (PerunSamlUtils.needsReAuthByPrompt(prompt)) {
-            log.debug("Transformed prompt parameter ({}) to SAML forceAuthn=true", prompt);
+        if (PerunSamlUtils.needsReAuthByPrompt(requestParameters.getOrDefault(PARAM_PROMPT, null))) {
+            log.debug("Transformed prompt parameter ({}) to SAML forceAuthn=true",
+                    requestParameters.get(PARAM_PROMPT));
             options.setForceAuthN(true);
         }
-        if ("none".equalsIgnoreCase(prompt)) {
+        if ("none".equalsIgnoreCase(requestParameters.getOrDefault(PARAM_PROMPT, ""))) {
             log.debug("Detected prompt=none, translating to 'isPassive=true' in SAML");
             options.setPassive(true);
         }
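Review bot: `processPrompt` now looks up `PARAM_PROMPT` three times and passes `null` to `PerunSamlUtils.needsReAuthByPrompt` when the parameter is absent. Whether that helper tolerates null is not visible in this hunk. Reading the value once, `String prompt = requestParameters.getOrDefault(PARAM_PROMPT, "");`, and using `prompt` in both conditions and in the log call avoids the null and guarantees the logged value is the one that was tested. The method's closing brace is outside the hunk.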
@@ -210,48 +203,25 @@ public class PerunSamlEntryPoint extends SAMLEntryPoint {
             acrs = convertAcrValuesToList(acrValues);
         }
 
-        String clientId = requestParameters.getOrDefault(AuthProcFilterConstants.PARAM_CLIENT_ID, null);
-        if (StringUtils.hasText(clientId)) {
-            // ADD FILTER AND E-FILTER
-            if (config.isAskPerunForIdpFiltersEnabled() && !hasAcrForcingIdp(acrs)) {
+        if (!hasAcrForcingIdp(acrs)) {
+            String clientId = requestParameters.getOrDefault(AuthProcFilterConstants.PARAM_CLIENT_ID, null);
+            if (clientId != null) {
                 String idpFilter = extractIdpFilterForRp(clientId);
                 if (idpFilter != null) {
                     log.debug("Added IdP filter as SAML AuthnContextClassRef ({})", idpFilter);
                     acrs.add(idpFilter);
                 }
             }
+        }
 
-            ClientDetailsEntity client = clientDetailsEntityService.loadClientByClientId(clientId);
-            if (client != null) {
-                // ADD BLOCKED IdPs
-                String blockedIdps = getBlockedIdpsAcr(client);
-                log.debug("blockedIdps ({})", blockedIdps);
-                if (StringUtils.hasText(blockedIdps)) {
-                    String acr = BLOCKED_IDPS_ACR_PREFIX + blockedIdps;
-                    log.debug("Added blockedIdps as SAML AuthnContextClassRef ({})", acr);
-                    acrs.add(acr);
-                }
-
-                // ADD ONLY ALLOWED IdPs
-                String onlyAllowedIdps = getOnlyAllowedIdpsAcr(client);
-                log.debug("allowedIdps ({})", onlyAllowedIdps);
-                if (StringUtils.hasText(onlyAllowedIdps)) {
-                    String acr = ONLY_ALLOWED_IDPS_ACR_PREFIX + onlyAllowedIdps;
-                    log.debug("Added onlyAllowedIdps as SAML AuthnContextClassRef ({})", acr);
-                    acrs.add(acr);
-                }
-            }
-
-            // ADD CLIENT_ID
-            if (config.isAddClientIdToAcrs()) {
-                String clientIdAcr = CLIENT_ID_PREFIX + requestParameters.get(PARAM_CLIENT_ID);
-                log.debug("Adding client_id ACR ({}) to list of AuthnContextClassRefs for purposes" +
-                        " of displaying service name on the wayf", clientIdAcr);
-                acrs.add(clientIdAcr);
-            }
+        if (StringUtils.hasText(requestParameters.getOrDefault(PARAM_CLIENT_ID, "")) && config.isAddClientIdToAcrs()) {
+            String clientIdAcr = CLIENT_ID_PREFIX + requestParameters.get(PARAM_CLIENT_ID);
+            log.debug("Adding client_id ACR ({}) to list of AuthnContextClassRefs for purposes" +
+                    " of displaying service name on the wayf", clientIdAcr);
+            acrs.add(clientIdAcr);
         }
 
-        if (!acrs.isEmpty()) {
+        if (acrs.size() > 0) {
             processAcrs(acrs);
             options.setAuthnContexts(acrs);
             log.debug("Transformed acr_values ({}) to SAML AuthnContextClassRef ({})",
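Review bot: The IdP-filter branch guards on `clientId != null` while the client-id ACR branch below uses `StringUtils.hasText(...)`, so an empty or blank `client_id` request parameter still reaches `extractIdpFilterForRp`. Read the parameter once and use `if (StringUtils.hasText(clientId))` for both branches. The new condition also no longer consults `config.isAskPerunForIdpFiltersEnabled()`. Unless `extractIdpFilterForRp` checks that flag itself (its body is outside this hunk), the filter lookup now runs on every request without an IdP-forcing ACR. `acrs.size() > 0` reads better as `!acrs.isEmpty()`. The method begins and ends outside the hunk.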
@@ -267,7 +237,7 @@ public class PerunSamlEntryPoint extends SAMLEntryPoint {
         }
         String clientId = requestParameters.getOrDefault(PARAM_CLIENT_ID, null);
         if (StringUtils.hasText(clientId)) {
-            log.debug("Adding ClientID ({}) to SAML RequesterIDs", clientId);
+            log.debug("Adding ClientID ({}) to SAML RequesterIDs", requestParameters.get(PARAM_CLIENT_ID));
             Set<String> requesterIds = options.getRequesterIds();
             if (requesterIds == null) {
                 requesterIds = new HashSet<>();
@@ -386,26 +356,4 @@ public class PerunSamlEntryPoint extends SAMLEntryPoint {
         return result;
     }
 
-    private String getOnlyAllowedIdpsAcr(ClientDetailsEntity client) {
-        String result = null;
-        if (config.isOnlyAllowedIdpsEnabled()) {
-            Set<String> idps = client.getOnlyAllowedIdps();
-            if (idps != null && !idps.isEmpty()) {
-                result = String.join(";", idps);
-            }
-        }
-        return result;
-    }
-
-    private String getBlockedIdpsAcr(ClientDetailsEntity client) {
-        String result = null;
-        if (config.isBlockedIdpsEnabled()) {
-            Set<String> idps = client.getBlockedIdps();
-            if (idps != null && !idps.isEmpty()) {
-                result = String.join(";", idps);
-            }
-        }
-        return result;
-    }
-
 }
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/configurations/FacilityAttrsConfig.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/configurations/FacilityAttrsConfig.java
index d0d826185..1af124f9d 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/configurations/FacilityAttrsConfig.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/configurations/FacilityAttrsConfig.java
@@ -1,7 +1,5 @@
 package cz.muni.ics.oidc.server.configurations;
 
-import lombok.Getter;
-import lombok.Setter;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.InitializingBean;
 
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/configurations/PerunOidcConfig.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/configurations/PerunOidcConfig.java
index 7051aa736..d4f072cd8 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/configurations/PerunOidcConfig.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/configurations/PerunOidcConfig.java
@@ -86,10 +86,6 @@ public class PerunOidcConfig implements InitializingBean {
 
 	private Set<String> krbTokenExchangeRequiredScopes;
 
-	private boolean onlyAllowedIdpsEnabled = false;
-
-	private boolean blockedIdpsEnabled = false;
-
 	@Autowired
 	private ServletContext servletContext;
 
@@ -173,8 +169,6 @@ public class PerunOidcConfig implements InitializingBean {
 			log.info("Localization files path: {}", localizationFilesPath);
 			log.info("Email contact: {}", emailContact);
 			log.info("Sentry enabled: {}", StringUtils.hasText(sentryConfigFileLocation));
-			log.info("OnlyAllowedIdPs ACR enabled: {}", onlyAllowedIdpsEnabled);
-			log.info("BlockedIdPs ACR enabled: {}", blockedIdpsEnabled);
 			log.info("Perun OIDC version: {}", getPerunOIDCVersion());
 		}
 	}
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilterConstants.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilterConstants.java
index 2baf755d7..63f6eae94 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilterConstants.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilterConstants.java
@@ -32,9 +32,6 @@ public interface AuthProcFilterConstants {
     String FILTER_PREFIX = "urn:cesnet:proxyidp:filter:";
     String EFILTER_PREFIX = "urn:cesnet:proxyidp:efilter:";
 
-    String ONLY_ALLOWED_IDPS_ACR_PREFIX = "urn:cesnet:proxyidp:only_allowed_idps:";
-    String BLOCKED_IDPS_ACR_PREFIX = "urn:cesnet:proxyidp:blocked_idps:";
-
     String SAML_EPUID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.13";
     String SAML_EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6";
     String SAML_EPTID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10";
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/AupController.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/AupController.java
index 4367f0d35..031968243 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/AupController.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/AupController.java
@@ -71,6 +71,10 @@ public class AupController {
 
         model.put(NEW_AUPS, newAups);
         ControllerUtils.setPageOptions(model, req, htmlClasses, perunOidcConfig);
+
+        if (perunOidcConfig.getTheme().equalsIgnoreCase("lsaai")) {
+            return "lsaai/aup";
+        }
         return "aup";
     }
 
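Review bot: `perunOidcConfig.getTheme().equalsIgnoreCase("lsaai")` dereferences the configured theme, so if `getTheme()` can return null (its definition is not in this hunk) the AUP page fails with a NullPointerException instead of rendering; `if ("lsaai".equalsIgnoreCase(perunOidcConfig.getTheme())) {` is null-safe. The same line is added in the IsTestSpController, LoginController, LogoutController, PerunUnapprovedController, PerunUnapprovedRegistrationController, RegistrationController and EndSessionEndpoint hunks below, so the login, logout and access-denied pages of the authentication flow share the exposure. Repeating the string literal and the branch at every return also makes it easy for a later view to miss its themed variant; a single shared helper that maps a base view name to the themed one would keep that decision in one place. The enclosing method starts outside the hunk.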
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/IsTestSpController.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/IsTestSpController.java
index 5c1dc2bb6..4eee32d74 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/IsTestSpController.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/IsTestSpController.java
@@ -47,6 +47,9 @@ public class IsTestSpController {
         model.put(TARGET, returnUrl);
         model.put(ACTION, req.getRequestURL().toString());
         ControllerUtils.setPageOptions(model, req, htmlClasses, perunOidcConfig);
+        if (perunOidcConfig.getTheme().equalsIgnoreCase("lsaai")) {
+            return "lsaai/isTestSpWarning";
+        }
         return "isTestSpWarning";
     }
 
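Review bot: The themed `lsaai/isTestSpWarning` view is handed the same `TARGET` (`returnUrl`) and `ACTION` (built from `req.getRequestURL()`) model values as the default view, and nothing next to the added branch records that both templates have to encode them on output. The JSP itself is not in this hunk, so this is a request to confirm rather than a finding. A comment above the branch such as `// default and lsaai views must both HTML-escape TARGET and ACTION` would help, because an escaping fix now has to land in two templates. The RegistrationController hunk, which passes `PARAM_TARGET` to `lsaai/registrationFormContinue`, is in the same position. The method starts outside the hunk.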
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/LoginController.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/LoginController.java
index 536214c27..6ae0e3f12 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/LoginController.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/LoginController.java
@@ -37,6 +37,9 @@ public class LoginController {
 	@RequestMapping(value = MAPPING_SUCCESS)
 	public String loginSuccess(HttpServletRequest req, Map<String, Object> model) {
 		ControllerUtils.setPageOptions(model, req, htmlClasses, perunOidcConfig);
+		if (perunOidcConfig.getTheme().equalsIgnoreCase("lsaai")) {
+			return "lsaai/login_success";
+		}
 		return "login_success";
 	}
 
@@ -66,6 +69,9 @@ public class LoginController {
 		}
 
 		ControllerUtils.setPageOptions(model, req, htmlClasses, perunOidcConfig);
+		if (perunOidcConfig.getTheme().equalsIgnoreCase("lsaai")) {
+			return "lsaai/login_failure";
+		}
 		return "login_failure";
 	}
 
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/LogoutController.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/LogoutController.java
index 2d06053eb..b34398a89 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/LogoutController.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/LogoutController.java
@@ -28,6 +28,9 @@ public class LogoutController {
 	@RequestMapping(value = MAPPING_SUCCESS)
 	public String logoutSuccess(HttpServletRequest req, Map<String, Object> model) {
 		ControllerUtils.setPageOptions(model, req, htmlClasses, perunOidcConfig);
+		if (perunOidcConfig.getTheme().equalsIgnoreCase("lsaai")) {
+			return "lsaai/logout_success";
+		}
 		return "logout_success";
 	}
 
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/PerunUnapprovedController.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/PerunUnapprovedController.java
index b9817c968..5347358cf 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/PerunUnapprovedController.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/PerunUnapprovedController.java
@@ -123,6 +123,10 @@ public class PerunUnapprovedController {
 
         ControllerUtils.setPageOptions(model, req, htmlClasses, perunOidcConfig);
         model.put("client", client);
+
+        if (perunOidcConfig.getTheme().equalsIgnoreCase("lsaai")) {
+            return "lsaai/unapproved";
+        }
         return "unapproved";
     }
 
@@ -137,6 +141,10 @@ public class PerunUnapprovedController {
         model.put(OUT_MESSAGE, message);
         model.put(OUT_CONTACT_P, CONTACT_LANG_PROP_KEY);
         model.put(CONTACT_MAIL, perunOidcConfig.getEmailContact());
+
+        if (perunOidcConfig.getTheme().equalsIgnoreCase("lsaai")) {
+            return "lsaai/unapproved_spec";
+        }
         return "unapproved_spec";
     }
 
@@ -160,6 +168,10 @@ public class PerunUnapprovedController {
         model.put(CONTACT_MAIL, perunOidcConfig.getEmailContact());
         model.put(HAS_TARGET, StringUtils.hasText(target));
         req.getSession(true).setAttribute(TARGET, target);
+
+        if (perunOidcConfig.getTheme().equalsIgnoreCase("lsaai")) {
+            return "lsaai/unapproved_is_eligible";
+        }
         return "unapproved_is_eligible";
     }
 
@@ -197,6 +209,10 @@ public class PerunUnapprovedController {
         model.put(OUT_MESSAGE, AUTHORIZATION_MSG);
         model.put(OUT_CONTACT_P, CONTACT_LANG_PROP_KEY);
         model.put(CONTACT_MAIL, perunOidcConfig.getEmailContact());
+
+        if (perunOidcConfig.getTheme().equalsIgnoreCase("lsaai")) {
+            return "lsaai/unapproved_spec";
+        }
         return "unapproved_spec";
     }
 
@@ -208,6 +224,10 @@ public class PerunUnapprovedController {
         model.put(OUT_MESSAGE, NOT_IN_TEST_VOS_GROUPS_MSG);
         model.put(OUT_CONTACT_P, CONTACT_LANG_PROP_KEY);
         model.put(CONTACT_MAIL, perunOidcConfig.getEmailContact());
+
+        if (perunOidcConfig.getTheme().equalsIgnoreCase("lsaai")) {
+            return "lsaai/unapproved_spec";
+        }
         return "unapproved_spec";
     }
 
@@ -219,6 +239,10 @@ public class PerunUnapprovedController {
         model.put(OUT_MESSAGE, NOT_IN_PROD_VOS_GROUPS_MSG);
         model.put(OUT_CONTACT_P, CONTACT_LANG_PROP_KEY);
         model.put(CONTACT_MAIL, perunOidcConfig.getEmailContact());
+
+        if (perunOidcConfig.getTheme().equalsIgnoreCase("lsaai")) {
+            return "lsaai/unapproved_spec";
+        }
         return "unapproved_spec";
     }
 
@@ -230,6 +254,10 @@ public class PerunUnapprovedController {
         model.put(OUT_MESSAGE, NOT_IN_MANDATORY_VOS_GROUPS_MSG);
         model.put(OUT_CONTACT_P, CONTACT_LANG_PROP_KEY);
         model.put(CONTACT_MAIL, perunOidcConfig.getEmailContact());
+
+        if (perunOidcConfig.getTheme().equalsIgnoreCase("lsaai")) {
+            return "lsaai/unapproved_spec";
+        }
         return "unapproved_spec";
     }
 
@@ -241,6 +269,10 @@ public class PerunUnapprovedController {
         model.put(OUT_MESSAGE, NOT_LOGGED_IN_MSG);
         model.put(OUT_CONTACT_P, CONTACT_LANG_PROP_KEY);
         model.put(CONTACT_MAIL, perunOidcConfig.getEmailContact());
+
+        if (perunOidcConfig.getTheme().equalsIgnoreCase("lsaai")) {
+            return "lsaai/unapproved_spec";
+        }
         return "unapproved_spec";
     }
 
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/PerunUnapprovedRegistrationController.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/PerunUnapprovedRegistrationController.java
index 3fab8a35b..edf30d2bd 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/PerunUnapprovedRegistrationController.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/PerunUnapprovedRegistrationController.java
@@ -119,6 +119,10 @@ public class PerunUnapprovedRegistrationController {
         model.put("action", buildActionUrl(request));
         model.put("groupsForRegistration", groupsForRegistration);
         model.put("page", "regForm");
+
+        if (perunOidcConfig.getTheme().equalsIgnoreCase("lsaai")) {
+            return "lsaai/registrationForm";
+        }
         return "registrationForm";
     }
 
@@ -150,6 +154,10 @@ public class PerunUnapprovedRegistrationController {
         model.put("action", request.getRequestURL().toString()
                 .replace(REGISTRATION_CONTINUE_MAPPING, REGISTRATION_FORM_MAPPING));
         ControllerUtils.setPageOptions(model, request, htmlClasses, perunOidcConfig);
+
+        if (perunOidcConfig.getTheme().equalsIgnoreCase("lsaai")) {
+            return "lsaai/registrationFormContinue";
+        }
         return "registrationFormContinue";
     }
 
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/RegistrationController.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/RegistrationController.java
index 68bedde97..bb699dbd7 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/RegistrationController.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/RegistrationController.java
@@ -36,6 +36,9 @@ public class RegistrationController {
     {
         model.put(PARAM_TARGET, target);
         ControllerUtils.setPageOptions(model, req, htmlClasses, perunOidcConfig);
+        if (perunOidcConfig.getTheme().equalsIgnoreCase("lsaai")) {
+            return "lsaai/registrationFormContinue";
+        }
         return "registrationFormContinue";
     }
 
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/EndSessionEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/EndSessionEndpoint.java
index 399306123..8b7f14f29 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/EndSessionEndpoint.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/EndSessionEndpoint.java
@@ -145,6 +145,11 @@ public class EndSessionEndpoint {
 			model.put("idToken", idTokenClaims);
 
 			ControllerUtils.setPageOptions(model, request, htmlClasses, perunOidcConfig);
+
+			// display the log out confirmation page
+			if (perunOidcConfig.getTheme().equalsIgnoreCase("lsaai")) {
+				return "lsaai/logout";
+			}
 			return "logout";
 		}
 	}
@@ -186,6 +191,9 @@ public class EndSessionEndpoint {
 				log.trace("redirecting to logout SAML only");
 				return "redirect:" + getLogoutUrl(null);
 			} else {
+				if (perunOidcConfig.getTheme().equalsIgnoreCase("lsaai")) {
+					return "lsaai/logout_denied";
+				}
 				return "logout_denied";
 			}
 		}
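Review bot: No `ControllerUtils.setPageOptions(...)` call is visible before the two `logout_denied` returns in this hunk, whereas the logout confirmation hunk above calls it immediately before choosing between `lsaai/logout` and `logout`. The method starts outside the hunk, so it may already be called earlier; if it is not, `lsaai/logout_denied` would render without the page options the other themed views receive. Worth confirming, and if it is missing, adding `ControllerUtils.setPageOptions(model, request, htmlClasses, perunOidcConfig);` ahead of the theme check (assuming `model` and `request` are in scope here) would bring this branch in line with the others.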
-- 
GitLab