diff --git a/AUTHORS b/AUTHORS
index 05f7ab5c5..28e89ca3e 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -54,7 +54,7 @@ Written in 2016 by Qiushi Yan - yanqiushi
 Written in 2017 by Oleg Andrieiev - oandreyev
 Written in 2018 by Zhang Wei - zhangwei1979
 Written in 2018 by Nirendra Singh - nirendra10695
-Written in 2018-2021 by Ayman Abi Abdallah - aabiabdallah
+Written in 2018-2023 by Ayman Abi Abdallah - aabiabdallah
 Written in 2019 by Daniel Taylor - danieltaylor-nz
 Written in 2020 by Jacob Barnes - Tellan
 Written in 2020 by Amir Anjomshoaa - amiranjom
@@ -102,7 +102,7 @@ Written in 2016 by Qiushi Yan - yanqiushi
 Written in 2017 by Oleg Andrieiev - oandreyev
 Written in 2018 by Zhang Wei - zhangwei1979
 Written in 2018 by Nirendra Singh - nirendra10695
-Written in 2018-2020 by Ayman Abi Abdallah - aabiabdallah
+Written in 2018-2023 by Ayman Abi Abdallah - aabiabdallah
 Written in 2019 by Daniel Taylor - danieltaylor-nz
 Written in 2020 by Jacob Barnes - Tellan
 Written in 2020 by Amir Anjomshoaa - amiranjom
diff --git a/framework/build.gradle b/framework/build.gradle
index 65137c15c..8fb85978a 100644
--- a/framework/build.gradle
+++ b/framework/build.gradle
@@ -40,6 +40,7 @@ dependencyUpdates.resolutionStrategy { componentSelection { rules -> rules.all {
 repositories {
     flatDir name: 'localLib', dirs: projectDir.absolutePath + '/lib'
     mavenCentral()
+    maven { url "https://build.shibboleth.net/maven/releases" }
 }
 
 sourceCompatibility = 11
@@ -187,6 +188,20 @@ dependencies {
     // Liquibase (for future reference, not used yet)
     // api 'org.liquibase:liquibase-core:3.4.2' // Apache 2.0
 
+    // pac4j
+    implementation 'org.pac4j:pac4j-core:5.7.1'
+    implementation 'org.pac4j:pac4j-javaee:5.7.1'
+    implementation 'org.pac4j:pac4j-oauth:5.7.1'
+    implementation 'org.pac4j:pac4j-oidc:5.7.1'
+    implementation ('org.pac4j:pac4j-saml:5.7.1') {
+        exclude group: 'org.springframework'
+        exclude group: 'org.bouncycastle'
+    }
+
+    // explicit dependencies to get newer versions
+    implementation 'org.springframework:spring-core:5.3.29'
+    implementation 'org.bouncycastle:bcprov-jdk18on:1.75'
+
     // ========== test dependencies ==========
 
     // junit-platform-launcher is a dependency from spock-core, included explicitly to get more recent version as needed
diff --git a/framework/entity/SecurityEntities.xml b/framework/entity/SecurityEntities.xml
index e5e7f8a26..0091ff865 100644
--- a/framework/entity/SecurityEntities.xml
+++ b/framework/entity/SecurityEntities.xml
@@ -17,6 +17,7 @@ along with this software (see the LICENSE.md file). If not, see
     <!-- ========================================================= -->
     <!-- moqui.security -->
     <!-- moqui.security.user -->
+    <!-- moqui.security.auth -->
     <!-- ========================================================= -->
 
     <!-- ========== Artifact Group ========== -->
@@ -545,4 +546,201 @@ along with this software (see the LICENSE.md file). If not, see
         <alias entity-alias="NMU" name="userSentDate" field="sentDate"/>
         <alias entity-alias="NMU" name="viewedDate"/>
     </view-entity>
+
+    <!-- ========== Authentication Flows ========== -->
+    
+    <entity entity-name="AuthFlow" package="moqui.security.auth">
+        <field name="authFlowId" type="id" is-pk="true"/>
+        <field name="authFlowTypeEnumId" type="id"/>
+        <field name="systemMessageRemoteId" type="id">
+            <description>Used for inbound authentication flows</description>
+        </field>
+        <field name="description" type="text-medium"/>
+        <field name="iconName" type="text-short"/>
+        <field name="defaultUserGroupId" type="id"/>
+        <field name="sequenceNum" type="number-integer"/>
+        <field name="inbound" type="text-indicator"/>
+        <field name="disabled" type="text-indicator" enable-audit-log="true"/>
+
+        <relationship type="one-nofk" related="moqui.security.auth.OauthFlow" short-alias="oauth" mutable="true">
+            <key-map field-name="authFlowId"/>
+        </relationship>
+        <relationship type="one-nofk" related="moqui.security.auth.OidcFlow" short-alias="oidc" mutable="true">
+            <key-map field-name="authFlowId"/>
+        </relationship>
+        <relationship type="one-nofk" related="moqui.security.auth.SamlFlow" short-alias="saml" mutable="true">
+            <key-map field-name="authFlowId"/>
+        </relationship>
+        <relationship type="one" title="AuthFlowType" related="moqui.basic.Enumeration" short-alias="authFlowType">
+            <key-map field-name="authFlowTypeEnumId"/>
+        </relationship>
+        <relationship type="one" related="moqui.service.message.SystemMessageRemote" short-alias="systemMessageRemote">
+            <key-map field-name="systemMessageRemoteId"/>
+        </relationship>
+        <relationship type="one" related="moqui.security.UserGroup" short-alias="defaultUserGroup">
+            <key-map field-name="defaultUserGroupId"/>
+        </relationship>
+        <relationship type="many" related="moqui.security.auth.AuthFlowFieldMap" short-alias="fieldMaps">
+            <key-map field-name="authFlowId"/>
+        </relationship>
+        <relationship type="many" related="moqui.security.auth.AuthFlowRoleMap" short-alias="roleMaps">
+            <key-map field-name="authFlowId"/>
+        </relationship>
+
+        <seed-data>
+            <moqui.basic.EnumerationType enumTypeId="AuthFlowType" description="Auth Flow Type"/>
+            <moqui.basic.Enumeration enumTypeId="AuthFlowType" enumId="AftOidc" description="OpenID Connect"/>
+            <moqui.basic.Enumeration enumTypeId="AuthFlowType" enumId="AftOauth" description="OAuth"/>
+            <moqui.basic.Enumeration enumTypeId="AuthFlowType" enumId="AftSaml" description="SAML"/>
+        </seed-data>
+    </entity>
+    <entity entity-name="AuthFlowFieldMap" package="moqui.security.auth">
+        <field name="authFlowId" type="id" is-pk="true"/>
+        <field name="ruleSeqId" type="id" is-pk="true"/>
+        <field name="srcFieldName" type="text-medium"/>
+        <field name="dstFieldName" type="text-medium"/>
+        <field name="dstFieldTypeEnumId" type="id"/>
+        <field name="dstFieldExpression" type="text-medium"/>
+        <field name="mappingServiceRegisterId" type="id"/>
+
+        <relationship type="one" related="moqui.security.auth.AuthFlow">
+            <key-map field-name="authFlowId"/>
+        </relationship>
+        <relationship type="one" title="DataFieldType" related="moqui.basic.Enumeration" short-alias="destinationFieldType">
+            <key-map field-name="dstFieldTypeEnumId"/>
+        </relationship>
+        <relationship type="one" related="moqui.service.ServiceRegister" short-alias="mappingServiceRegister">
+            <key-map field-name="mappingServiceRegisterId"/>
+        </relationship>
+
+        <seed-data>
+            <moqui.basic.EnumerationType enumTypeId="DataFieldType" description="Data Field Type"/>
+            <moqui.basic.Enumeration enumTypeId="DataFieldType" enumId="DftString" description="String"/>
+            <moqui.basic.Enumeration enumTypeId="DataFieldType" enumId="DftInteger" description="Integer"/>
+            <moqui.basic.Enumeration enumTypeId="DataFieldType" enumId="DftLong" description="Long"/>
+            <moqui.basic.Enumeration enumTypeId="DataFieldType" enumId="DftFloat" description="Float"/>
+            <moqui.basic.Enumeration enumTypeId="DataFieldType" enumId="DftDouble" description="Double"/>
+            <moqui.basic.Enumeration enumTypeId="DataFieldType" enumId="DftBigDecimal" description="BigDecimal"/>
+            <moqui.basic.Enumeration enumTypeId="DataFieldType" enumId="DftBigInteger" description="BigInteger"/>
+            <moqui.basic.Enumeration enumTypeId="DataFieldType" enumId="DftTime" description="Time"/>
+            <moqui.basic.Enumeration enumTypeId="DataFieldType" enumId="DftDate" description="Date"/>
+            <moqui.basic.Enumeration enumTypeId="DataFieldType" enumId="DftTimestamp" description="Timestamp"/>
+            <moqui.basic.Enumeration enumTypeId="DataFieldType" enumId="DftList" description="List"/>
+            <moqui.basic.Enumeration enumTypeId="DataFieldType" enumId="DftMap" description="Map"/>
+        </seed-data>
+    </entity>
+    <entity entity-name="AuthFlowRoleMap" package="moqui.security.auth">
+        <field name="authFlowId" type="id" is-pk="true"/>
+        <field name="roleName" type="text-medium" is-pk="true">
+            <description>Role name in IdP server</description>
+        </field>
+        <field name="userGroupId" type="id"/>
+        <field name="roleTypeId" type="id"/>
+
+        <relationship type="one" related="moqui.security.auth.AuthFlow">
+            <key-map field-name="authFlowId"/>
+        </relationship>
+        <relationship type="one" related="moqui.security.UserGroup">
+            <key-map field-name="userGroupId"/>
+        </relationship>
+    </entity>
+    <entity entity-name="OauthFlow" package="moqui.security.auth">
+        <field name="authFlowId" type="id" is-pk="true"/>
+        <field name="clientTypeEnumId" type="id"/>
+        <field name="key" type="text-medium"/>
+        <field name="secret" type="text-medium"/>
+
+        <relationship type="one" related="moqui.security.auth.AuthFlow" short-alias="authFlow">
+            <key-map field-name="authFlowId"/>
+        </relationship>
+        <relationship type="one" title="OauthClientType" related="moqui.basic.Enumeration" short-alias="clientType">
+            <key-map field-name="clientTypeEnumId"/>
+        </relationship>
+
+        <seed-data>
+            <moqui.basic.EnumerationType enumTypeId="OauthClientType" description="OAuth Client Type"/>
+            <moqui.basic.Enumeration enumTypeId="OauthClientType" enumId="OctBitBucket" description="BitBucket"/>
+            <moqui.basic.Enumeration enumTypeId="OauthClientType" enumId="OctDropBox" description="DropBox"/>
+            <moqui.basic.Enumeration enumTypeId="OauthClientType" enumId="OctFacebook" description="Facebook"/>
+            <moqui.basic.Enumeration enumTypeId="OauthClientType" enumId="OctFoursquare" description="Foursquare"/>
+            <moqui.basic.Enumeration enumTypeId="OauthClientType" enumId="OctGitHub" description="GitHub"/>
+            <moqui.basic.Enumeration enumTypeId="OauthClientType" enumId="OctGoogle" description="Google"/>
+            <moqui.basic.Enumeration enumTypeId="OauthClientType" enumId="OctLinkedIn" description="LinkedIn"/>
+            <moqui.basic.Enumeration enumTypeId="OauthClientType" enumId="OctPaypal" description="Paypal"/>
+            <moqui.basic.Enumeration enumTypeId="OauthClientType" enumId="OctTwitter" description="Twitter"/>
+            <moqui.basic.Enumeration enumTypeId="OauthClientType" enumId="OctWordPress" description="Word Press"/>
+            <moqui.basic.Enumeration enumTypeId="OauthClientType" enumId="OctYahoo" description="Yahoo"/>
+            <moqui.basic.Enumeration enumTypeId="OauthClientType" enumId="OctOauth10" description="OAuth v1.0"/>
+            <moqui.basic.Enumeration enumTypeId="OauthClientType" enumId="OctOauth20" description="OAuth v2.0"/>
+        </seed-data>
+    </entity>
+    <entity entity-name="OidcFlow" package="moqui.security.auth">
+        <field name="authFlowId" type="id" is-pk="true"/>
+        <field name="clientTypeEnumId" type="id"/>
+        <field name="clientId" type="text-medium"/>
+        <field name="secret" type="text-medium"/>
+        <field name="realm" type="text-medium">
+            <description>Specific to Keycloak.</description>
+        </field>
+        <field name="baseUri" type="text-medium">
+            <description>Specific to Keycloak.</description>
+        </field>
+        <field name="discoveryUri" type="text-medium"/>
+        <field name="preferredJwsAlgorithmEnumId" type="id"/>
+        <field name="useNonce" type="text-indicator">
+            <description>
+                A nonce is String value used to associate a Client session with an ID Token, and to mitigate replay attacks.
+                Required for implicit flows.
+            </description>
+        </field>
+
+        <relationship type="one" related="moqui.security.auth.AuthFlow" short-alias="authFlow">
+            <key-map field-name="authFlowId"/>
+        </relationship>
+        <relationship type="one" title="OidcClientType" related="moqui.basic.Enumeration" short-alias="clientType" fk-name="OIDC_CLIENT_TYPE_FK">
+            <key-map field-name="clientTypeEnumId"/>
+        </relationship>
+        <relationship type="one" title="OidcJwsAlgorithm" related="moqui.basic.Enumeration" short-alias="preferredJwsAlgorithm" fk-name="OIDC_JWS_ALG_FK">
+            <key-map field-name="preferredJwsAlgorithmEnumId"/>
+        </relationship>
+
+        <seed-data>
+            <moqui.basic.EnumerationType enumTypeId="OidcClientType" description="OpenID Connect Client Type"/>
+            <moqui.basic.Enumeration enumTypeId="OidcClientType" enumId="OctApple" description="Apple"/>
+            <moqui.basic.Enumeration enumTypeId="OidcClientType" enumId="OctAzureAd" description="Azure AD"/>
+            <moqui.basic.Enumeration enumTypeId="OidcClientType" enumId="OctGoogle" description="Google"/>
+            <moqui.basic.Enumeration enumTypeId="OidcClientType" enumId="OctKeycloak" description="Keycloak"/>
+            <moqui.basic.Enumeration enumTypeId="OidcClientType" enumId="OctOther" description="Other"/>
+
+            <moqui.basic.EnumerationType enumTypeId="OidcJwsAlgorithm" description="OpenID Connect JWS Algorithm"/>
+            <moqui.basic.Enumeration enumTypeId="OidcJwsAlgorithm" enumId="OjaHS256" description="HMAC using SHA-256 (HS256)" optionValue="HS256"/>
+            <moqui.basic.Enumeration enumTypeId="OidcJwsAlgorithm" enumId="OjaHS384" description="HMAC using SHA-384 (HS384)" optionValue="HS384"/>
+            <moqui.basic.Enumeration enumTypeId="OidcJwsAlgorithm" enumId="OjaHS512" description="HMAC using SHA-512 (HS512)" optionValue="HS512"/>
+            <moqui.basic.Enumeration enumTypeId="OidcJwsAlgorithm" enumId="OjaRS256" description="RSASSA-PKCS-v1_5 using SHA-256 (RS256)" optionValue="RS256"/>
+            <moqui.basic.Enumeration enumTypeId="OidcJwsAlgorithm" enumId="OjaRS384" description="RSASSA-PKCS-v1_5 using SHA-384 (RS384)" optionValue="RS384"/>
+            <moqui.basic.Enumeration enumTypeId="OidcJwsAlgorithm" enumId="OjaRS512" description="RSASSA-PKCS-v1_5 using SHA-512 (RS512)" optionValue="RS512"/>
+            <moqui.basic.Enumeration enumTypeId="OidcJwsAlgorithm" enumId="OjaES256" description="ECDSA using P-256 curve and SHA-256 (ES256)" optionValue="ES256"/>
+            <moqui.basic.Enumeration enumTypeId="OidcJwsAlgorithm" enumId="OjaES384" description="ECDSA using P-384 curve and SHA-384 (ES384)" optionValue="ES384"/>
+            <moqui.basic.Enumeration enumTypeId="OidcJwsAlgorithm" enumId="OjaES512" description="ECDSA using P-521 curve and SHA-512 (ES512)" optionValue="ES512"/>
+            <moqui.basic.Enumeration enumTypeId="OidcJwsAlgorithm" enumId="OjaPS256" description="RSASSA-PSS using SHA-256 (PS256)" optionValue="PS256"/>
+            <moqui.basic.Enumeration enumTypeId="OidcJwsAlgorithm" enumId="OjaPS384" description="RSASSA-PSS using SHA-384 (PS384)" optionValue="PS384"/>
+            <moqui.basic.Enumeration enumTypeId="OidcJwsAlgorithm" enumId="OjaPS512" description="RSASSA-PSS using SHA-512 (PS512)" optionValue="PS512"/>
+            <moqui.basic.Enumeration enumTypeId="OidcJwsAlgorithm" enumId="OjaEdDSA" description="EdDSA" optionValue="EdDSA"/>
+        </seed-data>
+    </entity>
+    <entity entity-name="SamlFlow" package="moqui.security.auth">
+        <field name="authFlowId" type="id" is-pk="true"/>
+        <field name="keystoreLocation" type="text-medium"/>
+        <field name="keystorePassword" type="text-medium"/>
+        <field name="privateKeyPassword" type="text-medium"/>
+        <field name="serviceProviderEntityId" type="text-medium"/>
+        <field name="identityProviderMetadataLocation" type="text-medium"/>
+        <field name="forceAuth" type="text-indicator"/>
+        <field name="passive" type="text-indicator"/>
+
+        <relationship type="one" related="moqui.security.auth.AuthFlow" short-alias="authFlow">
+            <key-map field-name="authFlowId"/>
+        </relationship>
+    </entity>
+    
 </entities>
diff --git a/framework/service/org/moqui/impl/AuthServices.xml b/framework/service/org/moqui/impl/AuthServices.xml
new file mode 100644
index 000000000..0c1ce29ff
--- /dev/null
+++ b/framework/service/org/moqui/impl/AuthServices.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<services xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://moqui.org/xsd/service-definition-3.xsd">
+
+    <!-- SSO -->
+    <service verb="perform" noun="Login" type="java" location="org.moqui.impl.security.AuthenticationFlow" method="performLogin" authenticate="anonymous-all">
+        <description>
+            Performs a login operation on the IdP server.
+        </description>
+        <in-parameters>
+            <parameter name="authFlowId" required="true"/>
+            <parameter name="returnTo"/>
+        </in-parameters>
+    </service>
+    <service verb="handle" noun="Callback" type="java" location="org.moqui.impl.security.AuthenticationFlow" method="handleCallback" authenticate="anonymous-all">
+        <description>
+            Handles the login callback and logs the user in locally.
+        </description>
+    </service>
+    <service verb="perform" noun="Logout" type="java" location="org.moqui.impl.security.AuthenticationFlow" method="performLogout" authenticate="anonymous-all">
+        <description>
+            Performs a logout operation both locally and on the IdP server.
+        </description>
+        <in-parameters>
+            <parameter name="returnTo"/>
+        </in-parameters>
+    </service>
+
+</services>
diff --git a/framework/service/org/moqui/impl/UserServices.xml b/framework/service/org/moqui/impl/UserServices.xml
index 6b433bba6..7ae1bd2a0 100644
--- a/framework/service/org/moqui/impl/UserServices.xml
+++ b/framework/service/org/moqui/impl/UserServices.xml
@@ -30,8 +30,8 @@ along with this software (see the LICENSE.md file). If not, see
                 <exclude field-name="disabledDateTime"/><exclude field-name="successiveFailedLogins"/>
             </auto-parameters>
             <parameter name="username" required="true"/>
-            <parameter name="newPassword" required="true"/>
-            <parameter name="newPasswordVerify" required="true"/>
+            <parameter name="newPassword"/>
+            <parameter name="newPasswordVerify"/>
             <parameter name="requirePasswordChange" default-value="N"/>
             <parameter name="disabled" default-value="N"/>
             <parameter name="emailAddress"><text-email/></parameter>
@@ -51,15 +51,17 @@ along with this software (see the LICENSE.md file). If not, see
             </if>
 
             <service-call name="create#moqui.security.UserAccount" out-map="context" in-map="context"/>
-            <service-call name="org.moqui.impl.UserServices.update#PasswordInternal" out-map="updateOut"
-                in-map="[userId:userId, newPassword:newPassword, newPasswordVerify:newPasswordVerify,
+            <if condition="newPassword || newPasswordVerify">
+                <service-call name="org.moqui.impl.UserServices.update#PasswordInternal" out-map="updateOut"
+                              in-map="[userId:userId, newPassword:newPassword, newPasswordVerify:newPasswordVerify,
                     requirePasswordChange:requirePasswordChange]"/>
-            <if condition="updateOut.updateSuccessful &amp;&amp; !ec.message.hasError()"><then>
-                <message public="true" type="success">Account created with username ${username}</message>
-            </then><else-if condition="updateOut.passwordIssues">
-                <message public="true" type="danger">Because of password issues not creating account with username ${username}</message>
-                <return error="true" message="Removed temporary account with username ${username} for password issues"/>
-            </else-if></if>
+                <if condition="updateOut.updateSuccessful &amp;&amp; !ec.message.hasError()"><then>
+                    <message public="true" type="success">Account created with username ${username}</message>
+                </then><else-if condition="updateOut.passwordIssues">
+                    <message public="true" type="danger">Because of password issues not creating account with username ${username}</message>
+                    <return error="true" message="Removed temporary account with username ${username} for password issues"/>
+                </else-if></if>
+            </if>
         </actions>
     </service>
     <service verb="update" noun="UserAccount">
diff --git a/framework/src/main/groovy/org/moqui/impl/security/AuthenticationClientFactory.groovy b/framework/src/main/groovy/org/moqui/impl/security/AuthenticationClientFactory.groovy
new file mode 100644
index 000000000..f40e6dea0
--- /dev/null
+++ b/framework/src/main/groovy/org/moqui/impl/security/AuthenticationClientFactory.groovy
@@ -0,0 +1,238 @@
+package org.moqui.impl.security
+
+import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod
+import org.moqui.context.ExecutionContext
+import org.moqui.entity.EntityList
+import org.moqui.entity.EntityValue
+import org.moqui.resource.ResourceReference
+import org.pac4j.core.client.Client
+import org.pac4j.oauth.client.*
+import org.pac4j.oidc.client.*
+import org.pac4j.oidc.config.AppleOidcConfiguration
+import org.pac4j.oidc.config.AzureAd2OidcConfiguration
+import org.pac4j.oidc.config.KeycloakOidcConfiguration
+import org.pac4j.oidc.config.OidcConfiguration
+import org.pac4j.saml.client.SAML2Client
+import org.pac4j.saml.config.SAML2Configuration
+import org.springframework.core.io.FileSystemResource
+
+/**
+ * Builds clients for desired authentication flows.
+ */
+final class AuthenticationClientFactory {
+
+    /**
+     * Execution context used to access facades.
+     */
+    private ExecutionContext ec
+
+    /**
+     * Initializes a new {@code AuthenticationClientFactory}.
+     */
+    AuthenticationClientFactory(ExecutionContext ec) {
+        this.ec = ec
+    }
+
+    /**
+     * Builds a client specific to the specified flow.
+     */
+    Client build(String authFlowId) {
+
+        // find auth flow
+        EntityValue authFlow = ec.entity.find("moqui.security.auth.AuthFlow")
+                .condition("authFlowId", authFlowId)
+                .one()
+
+        // build client
+        if ("AftOidc" == authFlow.authFlowTypeEnumId) {
+            return buildOidcClient(authFlowId)
+        } else if ("AftOauth" == authFlow.authFlowTypeEnumId) {
+            return buildOauthClient(authFlowId)
+        } else if ("AftSaml" == authFlow.authFlowTypeEnumId) {
+            return buildSamlClient(authFlowId)
+        } else {
+            return null
+        }
+    }
+
+    /**
+     * Builds a client specific to the specified auth flow.
+     */
+    List<Client> buildAll() {
+        EntityList authFlowList = ec.entity.find("moqui.security.auth.AuthFlow").list()
+        List clientList = []
+        for (EntityValue authFlow : authFlowList) {
+            if ("Y" != authFlow.disabled && "Y" != authFlow.inbound) {
+                clientList.add(build((String) authFlow.authFlowId))
+            }
+        }
+        return clientList
+    }
+
+    private Client buildOidcClient(String authFlowId) {
+
+        // find auth flow
+        EntityValue authFlow = ec.entity.find("moqui.security.auth.OidcFlow")
+                .condition("authFlowId", authFlowId)
+                .one()
+
+        // init client
+        OidcConfiguration config
+        OidcClient client
+        if ("OctApple" == authFlow.clientTypeEnumId) {
+            config = new AppleOidcConfiguration()
+            client = new AppleClient(config)
+        } else if ("OctAzureAd" == authFlow.clientTypeEnumId) {
+            config = new AzureAd2OidcConfiguration()
+            client = new AzureAd2Client(config)
+        } else if ("OctGoogle" == authFlow.clientTypeEnumId) {
+            config = new OidcConfiguration()
+            client = new GoogleOidcClient(config)
+        } else if ("OctKeycloak" == authFlow.clientTypeEnumId) {
+            config = new KeycloakOidcConfiguration()
+            config.setRealm(authFlow.realm as String)
+            config.setBaseUri(authFlow.baseUri as String)
+            client = new KeycloakOidcClient(config)
+        } else {
+            config = new OidcConfiguration()
+            client = new OidcClient(config)
+        }
+
+        // common configuration settings
+        config.setClientId(authFlow.clientId as String)
+        config.setSecret(authFlow.secret as String)
+        config.setDiscoveryURI(authFlow.discoveryUri as String)
+        config.setClientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
+        config.setPreferredJwsAlgorithmAsString(authFlow.preferredJwsAlgorithm.optionValue as String)
+        config.setUseNonce("Y" == authFlow.useNonce)
+
+        // common client settings
+        client.setName(authFlowId)
+
+        return client
+    }
+
+    private Client buildOauthClient(String authFlowId) {
+
+        // find auth flow
+        EntityValue authFlow = ec.entity.find("moqui.security.auth.OauthFlow")
+                .condition("authFlowId", authFlowId)
+                .one()
+
+        // init client
+        if ("OctBitBucket" == authFlow.clientTypeEnumId) {
+            BitbucketClient client = new BitbucketClient()
+            client.setKey(authFlow.key as String)
+            client.setSecret(authFlow.secret as String)
+            client.setName(authFlowId)
+            return client
+        } else if ("OctDropBox" == authFlow.clientTypeEnumId) {
+            DropBoxClient client = new DropBoxClient()
+            client.setKey(authFlow.key as String)
+            client.setSecret(authFlow.secret as String)
+            client.setName(authFlowId)
+            return client
+        } else if ("OctFacebook" == authFlow.clientTypeEnumId) {
+            FacebookClient client = new FacebookClient()
+            client.setKey(authFlow.key as String)
+            client.setSecret(authFlow.secret as String)
+            client.setName(authFlowId)
+            return client
+        } else if ("OctFoursquare" == authFlow.clientTypeEnumId) {
+            FoursquareClient client = new FoursquareClient()
+            client.setKey(authFlow.key as String)
+            client.setSecret(authFlow.secret as String)
+            client.setName(authFlowId)
+            return client
+        } else if ("OctGitHub" == authFlow.clientTypeEnumId) {
+            GitHubClient client = new GitHubClient()
+            client.setKey(authFlow.key as String)
+            client.setSecret(authFlow.secret as String)
+            client.setName(authFlowId)
+            return client
+        } else if ("OctGoogle" == authFlow.clientTypeEnumId) {
+            Google2Client client = new Google2Client()
+            client.setKey(authFlow.key as String)
+            client.setSecret(authFlow.secret as String)
+            client.setName(authFlowId)
+            return client
+        } else if ("OctLinkedIn" == authFlow.clientTypeEnumId) {
+            LinkedIn2Client client = new LinkedIn2Client()
+            client.setKey(authFlow.key as String)
+            client.setSecret(authFlow.secret as String)
+            client.setName(authFlowId)
+            return client
+        } else if ("OctPaypal" == authFlow.clientTypeEnumId) {
+            PayPalClient client = new PayPalClient()
+            client.setKey(authFlow.key as String)
+            client.setSecret(authFlow.secret as String)
+            client.setName(authFlowId)
+            return client
+        } else if ("OctTwitter" == authFlow.clientTypeEnumId) {
+            TwitterClient client = new TwitterClient()
+            client.setKey(authFlow.key as String)
+            client.setSecret(authFlow.secret as String)
+            client.setName(authFlowId)
+            return client
+        } else if ("OctWordPress" == authFlow.clientTypeEnumId) {
+            WordPressClient client = new WordPressClient()
+            client.setKey(authFlow.key as String)
+            client.setSecret(authFlow.secret as String)
+            client.setName(authFlowId)
+            return client
+        } else if ("OctYahoo" == authFlow.clientTypeEnumId) {
+            YahooClient client = new YahooClient()
+            client.setKey(authFlow.key as String)
+            client.setSecret(authFlow.secret as String)
+            client.setName(authFlowId)
+            return client
+        } else if ("OctOauth10" == authFlow.clientTypeEnumId) {
+            OAuth10Client client = new OAuth10Client()
+            client.setKey(authFlow.key as String)
+            client.setSecret(authFlow.secret as String)
+            client.setName(authFlowId)
+            return client
+        } else if ("OctOauth20" == authFlow.clientTypeEnumId) {
+            OAuth20Client client = new OAuth20Client()
+            client.setKey(authFlow.key as String)
+            client.setSecret(authFlow.secret as String)
+            client.setName(authFlowId)
+            return client
+        }
+
+        return null
+    }
+
+    private Client buildSamlClient(String authFlowId) {
+
+        // find auth flow
+        EntityValue authFlow = ec.entity.find("moqui.security.auth.SamlFlow")
+                .condition("authFlowId", authFlowId)
+                .one()
+
+        // copy keystore to tmp directory
+        ResourceReference keystoreLocationRef = ec.resource.getLocationReference(authFlow.keystoreLocation as String)
+        ResourceReference keystoreTempRef = ec.resource.getLocationReference(ec.factory.runtimePath + "/tmp/" + keystoreLocationRef.getFileName())
+        keystoreTempRef.putStream(keystoreLocationRef.openStream())
+
+        // copy metadata to tmp directory
+        ResourceReference metadataLocationRef = ec.resource.getLocationReference(authFlow.identityProviderMetadataLocation as String)
+        ResourceReference metadataTempRef = ec.resource.getLocationReference(ec.factory.runtimePath + "/tmp/" + metadataLocationRef.getFileName())
+        metadataTempRef.putStream(metadataLocationRef.openStream())
+
+        // init client
+        SAML2Configuration config = new SAML2Configuration(
+                new FileSystemResource(new File(keystoreTempRef.getUri())),
+                authFlow.keystorePassword as String,
+                authFlow.privateKeyPassword as String,
+                new FileSystemResource(new File(metadataTempRef.getUri()))
+        )
+        config.setServiceProviderEntityId(authFlow.serviceProviderEntityId as String)
+        config.setForceAuth("Y" == authFlow.forceAuth)
+        config.setPassive("Y" == authFlow.passive)
+        SAML2Client client = new SAML2Client(config)
+        client.setName(authFlowId)
+
+        return client
+    }
+}
diff --git a/framework/src/main/groovy/org/moqui/impl/security/AuthenticationFlow.groovy b/framework/src/main/groovy/org/moqui/impl/security/AuthenticationFlow.groovy
new file mode 100644
index 000000000..e01a34158
--- /dev/null
+++ b/framework/src/main/groovy/org/moqui/impl/security/AuthenticationFlow.groovy
@@ -0,0 +1,154 @@
+package org.moqui.impl.security
+
+import org.moqui.context.ExecutionContext
+import org.moqui.impl.context.UserFacadeImpl
+import org.pac4j.core.authorization.authorizer.DefaultAuthorizers
+import org.pac4j.core.client.Client
+import org.pac4j.core.config.Config
+import org.pac4j.core.engine.DefaultCallbackLogic
+import org.pac4j.core.engine.DefaultLogoutLogic
+import org.pac4j.core.engine.DefaultSecurityLogic
+import org.pac4j.core.profile.ProfileManager
+import org.pac4j.core.profile.UserProfile
+import org.pac4j.jee.context.JEEContext
+import org.pac4j.jee.context.session.JEESessionStore
+import org.pac4j.jee.http.adapter.JEEHttpActionAdapter
+import org.pac4j.saml.state.SAML2StateGenerator
+
+class AuthenticationFlow {
+
+    /**
+     * Performs a login operation.
+     */
+    static void performLogin(ExecutionContext ec) {
+
+        // parameters
+        String authFlowId = ec.context.get("authFlowId") as String
+        String returnTo = ec.context.get("returnTo") as String
+        String baseUrl = ec.web.getWebappRootUrl(true, false)
+        String callbackUrl = baseUrl + "/sso/callback"
+
+        // init fields required for logic
+        JEEContext context = new JEEContext(ec.web.request, ec.web.response)
+        JEESessionStore sessionStore = JEESessionStore.INSTANCE
+        MoquiSecurityGrantedAccessAdapter securityGrantedAccessAdapter = new MoquiSecurityGrantedAccessAdapter(ec)
+        JEEHttpActionAdapter actionAdapter = JEEHttpActionAdapter.INSTANCE
+
+        // store return URL
+        if (returnTo) {
+            ec.web.sessionAttributes.put("moquiAuthFlowReturnTo", returnTo)
+            sessionStore.set(context, SAML2StateGenerator.SAML_RELAY_STATE_ATTRIBUTE, returnTo)
+        }
+
+        // init config
+        Client client = new AuthenticationClientFactory(ec).build(authFlowId)
+        Config config = new Config(callbackUrl, client)
+
+        // perform logic
+        try {
+            DefaultSecurityLogic.INSTANCE.perform(
+                    context,
+                    sessionStore,
+                    config,
+                    securityGrantedAccessAdapter,
+                    actionAdapter,
+                    authFlowId,
+                    DefaultAuthorizers.IS_AUTHENTICATED,
+                    null
+            )
+        } catch (RuntimeException e) {
+            ec.logger.error("An error occurred while performing login action", e)
+            ec.web.response.sendRedirect(baseUrl + "/Login")
+        }
+    }
+
+    /**
+     * Handles the login callback.
+     */
+    static void handleCallback(ExecutionContext ec) {
+
+        // parameters
+        String baseUrl = ec.web.getWebappRootUrl(true, false)
+
+        // init fields required for logic
+        JEEContext context = new JEEContext(ec.web.request, ec.web.response)
+        JEESessionStore sessionStore = JEESessionStore.INSTANCE
+        MoquiSecurityGrantedAccessAdapter securityGrantedAccessAdapter = new MoquiSecurityGrantedAccessAdapter(ec)
+        JEEHttpActionAdapter actionAdapter = JEEHttpActionAdapter.INSTANCE
+
+        // init config
+        Config config = new Config(ec.web.getWebappRootUrl(true, false) + "/sso/callback", new AuthenticationClientFactory(ec).buildAll())
+
+        // retrieve return URL from "RelayState" parameter (SAML only), or from session attribute
+        String redirectTo = context.getRequestParameter("RelayState").orElse(ec.web.sessionAttributes.moquiAuthFlowReturnTo as String)
+
+        // perform logic
+        try {
+            DefaultCallbackLogic.INSTANCE.perform(
+                    context,
+                    sessionStore,
+                    config,
+                    actionAdapter,
+                    null,
+                    false,
+                    null
+            )
+
+            // handle incoming profiles
+            ProfileManager profileManager = new ProfileManager(context, sessionStore)
+            securityGrantedAccessAdapter.adapt(context, sessionStore, profileManager.getProfiles())
+
+            // login user
+            Optional<UserProfile> optionalProfile = profileManager.getProfile()
+            if (optionalProfile.isPresent()) {
+                UserProfile profile = optionalProfile.get()
+                ((UserFacadeImpl) ec.user).internalLoginUser(profile.username)
+                ec.web.sessionAttributes.put("moquiAuthFlowExternalLogout", true)
+                ec.web.sessionAttributes.put("moquiAuthFlowReturnTo", redirectTo)
+            }
+        } catch (RuntimeException e) {
+            ec.logger.error("An error occurred while handling callback", e)
+            ec.web.response.sendRedirect(baseUrl + "/Login")
+        }
+    }
+
+    /**
+     * Performs a logout operation.
+     */
+    static void performLogout(ExecutionContext ec) {
+
+        // parameters
+        String returnTo = ec.context.get("returnTo") as String
+        String baseUrl = ec.web.getWebappRootUrl(true, false)
+        String callbackUrl = returnTo ?: baseUrl + "/Login"
+
+        // init fields required for logic
+        JEEContext context = new JEEContext(ec.web.request, ec.web.response)
+        JEESessionStore sessionStore = JEESessionStore.INSTANCE
+        JEEHttpActionAdapter actionAdapter = JEEHttpActionAdapter.INSTANCE
+
+        // init config
+        Config config = new Config(baseUrl + "/sso/callback", new AuthenticationClientFactory(ec).buildAll())
+
+        // perform logic
+        try {
+            DefaultLogoutLogic.INSTANCE.perform(
+                    context,
+                    sessionStore,
+                    config,
+                    actionAdapter,
+                    callbackUrl,
+                    null,
+                    false,
+                    false,
+                    true
+            )
+
+            // logout user
+            ec.user.logoutUser()
+        } catch (RuntimeException e) {
+            ec.logger.error("An error occurred while performing logout action", e)
+            ec.web.response.sendRedirect(returnTo ?: baseUrl + "/Login")
+        }
+    }
+}
diff --git a/framework/src/main/groovy/org/moqui/impl/security/MoquiSecurityGrantedAccessAdapter.groovy b/framework/src/main/groovy/org/moqui/impl/security/MoquiSecurityGrantedAccessAdapter.groovy
new file mode 100644
index 000000000..355a9d539
--- /dev/null
+++ b/framework/src/main/groovy/org/moqui/impl/security/MoquiSecurityGrantedAccessAdapter.groovy
@@ -0,0 +1,176 @@
+package org.moqui.impl.security
+
+import org.moqui.context.ExecutionContext
+import org.moqui.entity.EntityList
+import org.moqui.entity.EntityValue
+import org.pac4j.core.context.WebContext
+import org.pac4j.core.context.session.SessionStore
+import org.pac4j.core.engine.SecurityGrantedAccessAdapter
+import org.pac4j.core.profile.UserProfile
+
+/**
+ * Handles creation of Moqui user accounts.
+ */
+class MoquiSecurityGrantedAccessAdapter implements SecurityGrantedAccessAdapter {
+
+    /**
+     * Execution context used to access facades.
+     */
+    private ExecutionContext ec
+
+    /**
+     * Initializes a new {@code MoquiSecurityGrantedAccessAdapter}.
+     */
+    MoquiSecurityGrantedAccessAdapter(ExecutionContext ec) {
+        this.ec = ec
+    }
+
+    private Map<String, Object> mapProfileFields(EntityList fieldMaps, Map attributeMap) {
+        Map<String, Object> destinationMap = new HashMap<>()
+
+        fieldMaps.forEach {
+            Object srcFieldValue = ec.resource.expression(it.dstFieldExpression as String ?: it.srcFieldName as String, null, attributeMap)
+            if (srcFieldValue) {
+                if (it.mappingServiceRegisterId) {
+                    Map<String, Object> mapFieldOut = ec.service.sync().name(it.mappingServiceRegister.serviceName as String)
+                        .parameter("srcFieldValue", srcFieldValue)
+                        .parameter("dstFieldName", it.dstFieldName as String)
+                        .call()
+                    if (mapFieldOut.destinationMap) {
+                        destinationMap.putAll(mapFieldOut.destinationMap as Map)
+                    }
+                    if (mapFieldOut.sourceMap) {
+                        destinationMap.putAll(mapFieldOut.sourceMap as Map)
+                    }
+                } else {
+                    Object dstFieldValue
+                    if (it.dstFieldTypeEnumId == null || "DftString" == it.dstFieldTypeEnumId || "DftList" == it.dstFieldTypeEnumId || "DftMap" == it.dstFieldTypeEnumId) {
+                        dstFieldValue = srcFieldValue
+                    } else if ("DftInteger" == it.dstFieldTypeEnumId) {
+                        dstFieldValue = ec.l10n.parseNumber(srcFieldValue as String, null)?.intValue()
+                    } else if ("DftLong" == it.dstFieldTypeEnumId) {
+                        dstFieldValue = ec.l10n.parseNumber(srcFieldValue as String, null)?.longValue()
+                    } else if ("DftFloat" == it.dstFieldTypeEnumId) {
+                        dstFieldValue = ec.l10n.parseNumber(srcFieldValue as String, null)?.floatValue()
+                    } else if ("DftDouble" == it.dstFieldTypeEnumId) {
+                        dstFieldValue = ec.l10n.parseNumber(srcFieldValue as String, null)?.doubleValue()
+                    } else if ("DftBigDecimal" == it.dstFieldTypeEnumId) {
+                        dstFieldValue = ec.l10n.parseNumber(srcFieldValue as String, null)
+                    } else if ("DftBigInteger" == it.dstFieldTypeEnumId) {
+                        dstFieldValue = ec.l10n.parseNumber(srcFieldValue as String, null)?.toBigInteger()
+                    } else if ("DftTime" == it.dstFieldTypeEnumId) {
+                        dstFieldValue = ec.l10n.parseTime(srcFieldValue as String, null)
+                    } else if ("DftDate" == it.dstFieldTypeEnumId) {
+                        dstFieldValue = ec.l10n.parseDate(srcFieldValue as String, null)
+                    } else if ("DftTimestamp" == it.dstFieldTypeEnumId) {
+                        dstFieldValue = ec.l10n.parseTimestamp(srcFieldValue as String, null)
+                    }
+
+                    if (dstFieldValue) {
+                        destinationMap.put(it.dstFieldName as String, dstFieldValue)
+                    }
+                }
+            }
+        }
+
+        return destinationMap
+    }
+
+    @Override
+    Object adapt(WebContext context, SessionStore sessionStore, Collection<UserProfile> profiles, Object... parameters) throws Exception {
+        if (profiles) {
+            for (UserProfile profile : profiles) {
+                if (profile.username) {
+
+                    // map profile attributes
+                    EntityValue authFlow = ec.entity.find("moqui.security.auth.AuthFlow")
+                            .condition("authFlowId", profile.clientName)
+                            .one()
+                    Map<String, Object> attributeMap = mapProfileFields(authFlow.fieldMaps as EntityList, profile.attributes)
+
+                    // sync user account
+                    String userId
+                    EntityValue userAccount = ec.entity.find("moqui.security.UserAccount")
+                            .condition("username", profile.username)
+                            .useCache(false)
+                            .one()
+                    if (userAccount) {
+                        userId = userAccount.userId
+                        ec.service.sync().name("org.moqui.impl.UserServices.update#UserAccount")
+                                .parameter("userId", userId)
+                                .parameter("externalUserId", profile.id)
+                                .parameter("username", profile.username)
+                                .parameters(attributeMap)
+                                .call()
+                    } else {
+                        Map createAccountOut = ec.service.sync().name("org.moqui.impl.UserServices.create#UserAccount")
+                                .parameter("externalUserId", profile.id)
+                                .parameter("username", profile.username)
+                                .parameters(attributeMap)
+                                .call()
+                        userId = createAccountOut.userId
+                    }
+
+                    // find user groups
+                    EntityList userGroupMemberList = ec.entity.find("moqui.security.UserGroupMember")
+                            .condition("userId", userId)
+                            .conditionDate("fromDate", "thruDate", ec.user.nowTimestamp)
+                            .list()
+                    Set obsoleteUserGroupIdSet = new HashSet<>(userGroupMemberList*.userGroupId)
+
+                    // sync user groups
+                    HashSet<String> roleSet = new HashSet<>()
+                    if (profile.roles) {
+                        roleSet.addAll(profile.roles)
+                    } else if (profile.attributes.containsKey("roles")) {
+                        Object rolesObj = profile.attributes.get("roles")
+                        if (rolesObj instanceof List) {
+                            roleSet.addAll(rolesObj as List)
+                        } else if (rolesObj instanceof Set) {
+                            roleSet.addAll(rolesObj as Set)
+                        }
+                    }
+                    for (String role : roleSet) {
+                        EntityValue roleMap = ec.entity.find("moqui.security.auth.AuthFlowRoleMap")
+                                .condition("authFlowId", profile.clientName)
+                                .condition("roleName", role)
+                                .one()
+                        if (roleMap?.userGroupId && !obsoleteUserGroupIdSet.remove(roleMap.userGroupId)) {
+                            ec.service.sync().name("create#moqui.security.UserGroupMember")
+                                    .parameter("userGroupId", roleMap.userGroupId)
+                                    .parameter("userId", userId)
+                                    .parameter("fromDate", ec.user.nowTimestamp)
+                                    .call()
+                        }
+                    }
+                    for (EntityValue userGroupMember : userGroupMemberList) {
+                        String userGroupId = userGroupMember.userGroupId
+                        if (obsoleteUserGroupIdSet.contains(userGroupId) && userGroupId != authFlow.defaultUserGroupId) {
+                            ec.service.sync().name("update#moqui.security.UserGroupMember")
+                                    .parameter("userGroupId", userGroupId)
+                                    .parameter("userId", userId)
+                                    .parameter("fromDate", userGroupMember.fromDate)
+                                    .parameter("thruDate", ec.user.nowTimestamp)
+                                    .call()
+                        }
+                    }
+
+                    // add default user group if needed
+                    long userGroupCount = ec.entity.find("moqui.security.UserGroupMember")
+                            .condition("userId", userId)
+                            .conditionDate("fromDate", "thruDate", ec.user.nowTimestamp)
+                            .count()
+                    if (userGroupCount == 0) {
+                        ec.service.sync().name("create#moqui.security.UserGroupMember")
+                                .parameter("userGroupId", authFlow.defaultUserGroupId)
+                                .parameter("userId", userId)
+                                .parameter("fromDate", ec.user.nowTimestamp)
+                                .call()
+                    }
+                }
+            }
+        }
+
+        return null
+    }
+}
diff --git a/framework/src/main/resources/MoquiDefaultConf.xml b/framework/src/main/resources/MoquiDefaultConf.xml
index cb515655f..19afdd02b 100644
--- a/framework/src/main/resources/MoquiDefaultConf.xml
+++ b/framework/src/main/resources/MoquiDefaultConf.xml
@@ -401,6 +401,7 @@
         <service-file location="classpath://service/org/moqui/EmailServices.xml"/>
         <service-file location="classpath://service/org/moqui/EntityServices.xml"/>
         <service-file location="classpath://service/org/moqui/SmsServices.xml"/>
+        <service-file location="classpath://service/org/moqui/impl/AuthServices.xml"/>
         <service-file location="classpath://service/org/moqui/impl/BasicServices.xml"/>
         <service-file location="classpath://service/org/moqui/impl/ElFinderServices.xml"/>
         <service-file location="classpath://service/org/moqui/impl/EmailServices.xml"/>
@@ -640,6 +641,7 @@
                 default-start-server-args="-tcpPort 9092 -ifExists -baseDir ${moqui_runtime}/db/h2">
             <!-- 'VALUE' is a reserved word in H2 starting with version 2.0.202 -->
             <name-replace original="VALUE" replace="THE_VALUE"/>
+            <name-replace original="KEY" replace="THE_KEY"/>
             <inline-jdbc><xa-properties url="${entity_ds_url}" user="${entity_ds_user}" password="${entity_ds_password}"/></inline-jdbc>
         </database>
         <!-- TODO: add configuration examples -->