diff --git a/www/aselect/handler.php b/www/aselect/handler.php
index 55c0c9fe756f1308679bb77397083ee5e6546fe8..2c270eeabf521e096fbb335772cceb098c585d98 100644
--- a/www/aselect/handler.php
+++ b/www/aselect/handler.php
@@ -21,21 +21,21 @@
  *
  * Connect "local" A-Select Server:
  *   configure simpleSAMLphp as a "remote" aselect server as follows (example):
- *			<organization id="simplSAMLphp"
- *				server="localhost"
+ *			<organization id="simpleSAMLphp"
+ *				server="default.aselect.org"
  *				friendly_name="simpleSAMLphp (TEST)"
- *				resourcegroup="remote_simplsamlphp_resources" />
+ *				resourcegroup="remote_simplesamlphp_resources" />
  *
- *			<resourcegroup id="remote_simplsamlphp_resources"
+ *			<resourcegroup id="remote_simplesamlphp_resources"
  *				interval="30">
  *				<resource id="simpleSAMLphp1">
- *					<url>https: *localhost/simplesaml/aselect/handler.php</url>
+ *					<url>https://localhost/simplesaml/aselect/handler.php</url>
  *				</resource>
  *			</resourcegroup>
  *
  * Bridge to "remote" A-Select Server:
  *   configure simpleSAMLphp as a "local" aselect server as follows (example):
- *			<organization id="simplSAMLphp" server="localhost">
+ *			<organization id="simpleSAMLphp" server="default.aselect.org">
  *				<level>1</level>
  *				<forced_authenticate>false</forced_authenticate>
  *				<attribute_policy>policyA</attribute_policy>
@@ -46,21 +46,20 @@
  *
  * TODO:
  * - separate metadata configuration into metadata/aselect-*-*.php
+ * - remote IDP discovery handling (similar to saml2: with optional default)
  * - add robustness/error-handling/error-reporting
- * - generic bridging
- *
  * - factor out common, app/local server and remote server code
+ * 
+ * - dynamic bridging after IDP discovery across all protocols (core feature)
  */
 
 require_once('../../www/_include.php');
 require_once('xmlseclibs.php');
 require_once('SimpleSAML/Logger.php');
 require_once('SimpleSAML/Configuration.php');
-require_once('SimpleSAML/Metadata/MetaDataStorageHandler.php');
 
 $logger = new SimpleSAML_Logger();
 $config = SimpleSAML_Configuration::getInstance();
-$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
 
 $as_metadata = array(
 	'idp' => array(
@@ -73,14 +72,21 @@ $as_metadata = array(
 			'authsp' => 'simpleSAMLphp',
 			'app_level' => '10',
 			'tgt_exp_time' => '1194590521000',
-			'logout_url' => '/' . $config->getValue('baseurlpath') . 'logout.html',
+#			'auth' => '/' . $config->getValue('baseurlpath') . '/auth/login.php',
+#			'logout' => '/' . $config->getValue('baseurlpath') . 'logout.html',
+			'auth' => '/' . $config->getValue('baseurlpath') . '/saml2/sp/initSSO.php',
+			'logout' => '/' . $config->getValue('baseurlpath') . '/saml2/sp/initSLO.php',
+			'loggedout_url' => '/' . $config->getValue('baseurlpath') . 'logout.html',
 		),
 		'remote' => array(
+			// so far the IDP bridging is statically configured to the first one in
+			// this list; IDP discovery should be implemented
 			'testorg' => array(
 				'server_id' => 'default.aselect.org',
 				'server_url' => 'https://localhost/aselectserver/server',
 				'sign_requests' => true,
-				// TODO: this one is actually requestor related
+				// fixed required authentication level per remote IDP, because this
+				// requestor concept cannot be mapped from the other protocols
 				'app_level' => '10',
 			),
 		),
@@ -107,12 +113,10 @@ $as_metadata = array(
 			'cert' => $config->getBaseDir() . '/cert/app.crt',
 		),
 	),
-	'saml20' => array(
-		'sp_url_sso' => '/' . $config->getValue('baseurlpath') . '/saml2/sp/initSSO.php',
-		'sp_url_slo' => '/' . $config->getValue('baseurlpath') . '/saml2/sp/initSLO.php',
-	),
 );
 
+// some work to put a browser request into the corresponding session that was
+// started by the original "authenticate" request of the agent or local server 
 if ($_GET['local_rid']) session_id($_GET['local_rid']); else if ($_GET['rid']) session_id($_GET['rid']);
 
 session_start();
@@ -195,14 +199,14 @@ function as_request_authenticate() {
 function as_request_login() {
 	global $as_metadata;
 	
-	$return_url = $_SERVER['PHP_SELF'] . '?request=return';
+	$return_url = $_SERVER['PHP_SELF'] . '?request=login_return';
 	header('Location: ' .
-		$as_metadata['saml20']['sp_url_sso'] .
+		$as_metadata['idp']['hosted']['auth'] .
 		'?RelayState=' . $return_url);
 }
 
 // handle browser return redirect from a bridged IDP
-function as_request_return() {
+function as_request_login_return() {
 	global $as_metadata;
 
 	$rid = session_id();	
@@ -297,8 +301,8 @@ function as_request_logout() {
 	global $as_metadata;
 
 	header('Location: ' .
-		$as_metadata['saml20']['sp_url_slo'] .
-		'?RelayState=' . $as_metadata['idp']['hosted']['logout_url']);
+		$as_metadata['idp']['hosted']['logout'] .
+		'?RelayState=' . urlencode($as_metadata['idp']['hosted']['loggedout_url']));
 }
 
 // helper function for sending a non-browser request to a remote server
@@ -314,9 +318,9 @@ function as_call($url) {
 		as_error_exception('Request on remote server failed: ' . $error);
 	}
 	$parms = array();
-	foreach (explode('&', $result) as $p) {
-		$a = explode('=', $p);
-		$parms[$a[0]] = urldecode($a[1]);
+	foreach (explode('&', $result) as $parm) {
+		$tuple = explode('=', $parm);
+		$parms[urldecode($tuple[0])] = urldecode($tuple[1]);
 	}
 	if ($parms['result_code'] != '0000') {
 		as_error_exception('Request on remote server returned error: ' . $result);
@@ -418,14 +422,15 @@ function as_request_bridge_return() {
 	$session->setAuthenticated(true, 'aselect');
 	
 	if (array_key_exists('attributes', $parms)) {
-		$parm = base64_decode($parms['attributes']);
+		$decoded = base64_decode($parms['attributes']);
 		$attributes = array();
-		foreach (explode('&', $parm) as $p) {
-			$a = explode('=', $p);
-			if (array_key_exists($a[0], $attributes)) {
-				$attributes[$a[0]] = array();
+		foreach (explode('&', $decoded) as $parm) {
+			$tuple = explode('=', $parm);
+			$name = urldecode($tuple[0]);
+			if (array_key_exists($name, $attributes)) {
+				$attributes[$name] = array();
 			}
-			$attributes[$a[0]][] = urldecode($a[1]);
+			$attributes[$name][] = urldecode($tuple[1]);
 		}
 		$session->setAttributes($attributes);
 	}