diff --git a/classes/GrouperClient.php b/classes/GrouperClient.php
index fb8927bfec3729fd0a6c25c1940544f2c9a07cff..73029c35f2c308fa14cc14ab33aacf4d2db29c97 100644
--- a/classes/GrouperClient.php
+++ b/classes/GrouperClient.php
@@ -85,6 +85,65 @@ class GrouperClient { } } + public function getSubjectPrivileges($subjectId) { + + $params = $this->getBaseRequestParams(); + $params['subjectId'] = $subjectId; + $params['subjectSourceId'] = 'RAP'; + + $response = $this->client->getGrouperPrivilegesLite($params); + + $privilegesMap = []; + if ($this->isSuccess($response)) { + if ($response->return->privilegeResults !== null) { + foreach ($response->return->privilegeResults as $item) { + $groupName = $item->wsGroup->name; + $privilege = $item->privilegeName; + + if (!array_key_exists($groupName, $privilegesMap)) { + $groupPrivileges = []; + } else { + $groupPrivileges = $privilegesMap[$groupName]; + } + $groupPrivileges[] = $privilege; + $privilegesMap[$groupName] = $groupPrivileges; + } + } + } + + return $privilegesMap; + } + + private function getBasePrivilegeRequestParams($subjectId, $groupName, $privilegeNames) { + $params = $this->getBaseRequestParams(); + $params['wsSubjectLookups'] = array( + 'subjectId' => $subjectId, + 'subjectSourceId' => 'RAP' + ); + $params['wsGroupLookup'] = array( + 'groupName' => $groupName + ); + $params['privilegeNames'] = $privilegeNames; + + return $params; + } + + public function assignPrivileges($subjectId, $groupName, $privilegeNames) { + + $params = $this->getBasePrivilegeRequestParams($subjectId, $groupName, $privilegeNames); + $params['allowed'] = 'T'; // true + + return $this->client->assignGrouperPrivileges($params); + } + + public function removePrivileges($subjectId, $groupName, $privilegeNames) { + + $params = $this->getBasePrivilegeRequestParams($subjectId, $groupName, $privilegeNames); + $params['allowed'] = 'F'; // false + + return $this->client->assignGrouperPrivileges($params); + } + public function addMemberships($subjectId, $groups) { foreach ($groups as $group) { diff --git a/classes/MySQLDAO.php b/classes/MySQLDAO.php index c5c5d9f215ba9919e938061f90613925708f39bf..4dc5bccb446e011e9dc8e90605847d5dbf38fc21 100644 --- a/classes/MySQLDAO.php 
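Review bot: assignPrivileges() and removePrivileges() return the raw assignGrouperPrivileges response without ever consulting isSuccess(), while getSubjectPrivileges() a few lines above does check it; the caller introduced in this same commit discards the return value, so a rejected privilege change goes unnoticed. Since the two methods differ only in the `allowed` flag, a private helper can hold the request and the success check and throw on failure, as sketched below; whether isSuccess() reads the same result-metadata shape for this operation as for getGrouperPrivilegesLite is not visible here, so confirm that before relying on it. A second caveat: the `foreach` in getSubjectPrivileges() assumes `privilegeResults` is always an array — if the SOAP client hands back a lone object for a single result, the loop would iterate its properties instead; check how getSubjectGroups() (outside the hunk) handles that case and mirror it. The enclosing class continues outside the hunk.
```php
    // Assigns ($allowed = 'T') or revokes ('F') $privilegeNames on $groupName for $subjectId.
    // Throws instead of returning a failed response so callers cannot ignore a rejected change.
    private function setPrivileges($subjectId, $groupName, $privilegeNames, $allowed) {
        $params = $this->getBasePrivilegeRequestParams($subjectId, $groupName, $privilegeNames);
        $params['allowed'] = $allowed; // Grouper WS boolean: 'T' or 'F'
        $response = $this->client->assignGrouperPrivileges($params);
        if (!$this->isSuccess($response)) {
            throw new \Exception('Grouper privilege update failed for group ' . $groupName);
        }
        return $response;
    }

    public function assignPrivileges($subjectId, $groupName, $privilegeNames) {
        return $this->setPrivileges($subjectId, $groupName, $privilegeNames, 'T');
    }

    public function removePrivileges($subjectId, $groupName, $privilegeNames) {
        return $this->setPrivileges($subjectId, $groupName, $privilegeNames, 'F');
    }
```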
+++ b/classes/MySQLDAO.php @@ -246,10 +246,10 @@ class MySQLDAO implements DAO { public function createJoinRequest($token, $applicantUserId, $targetUserId) { - if($applicantUserId === $targetUserId) { + if ($applicantUserId === $targetUserId) { throw new \Exception("Invalid target user id"); } - + $dbh = $this->getDBHandler(); $stmt = $dbh->prepare("INSERT INTO `join_request`(`token`, `applicant_user_id`, `target_user_id`)" @@ -303,8 +303,9 @@ class MySQLDAO implements DAO { $stmt1->execute(); // Deleting user2 join requests - $stmt3 = $dbh->prepare("DELETE FROM `join_request` WHERE `target_user_id` = :id2"); - $stmt3->bindParam(':id2', $userId2); + $stmt3 = $dbh->prepare("DELETE FROM `join_request` WHERE `target_user_id` = :tid2 OR `applicant_user_id` = :aid2"); + $stmt3->bindParam(':tid2', $userId2); + $stmt3->bindParam(':aid2', $userId2); $stmt3->execute(); // Deleting user2 diff --git a/classes/UserHandler.php b/classes/UserHandler.php index 47824bbe0810e965cdcc5c25979e03998ccba373..b0b733030d2d134ad39507486424e00c8349d4a7 100644 --- a/classes/UserHandler.php +++ b/classes/UserHandler.php 
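Review bot: The widened DELETE on `join_request` is the third of several separate statements in a sequence that ends by deleting user2, and nothing in the hunk shows that sequence inside a transaction; if the final delete fails, user2's pending requests and their tokens are already gone while the account remains, and a failure here after the Grouper migration has run leaves the two systems disagreeing. If the enclosing method (it starts and ends outside the hunk) does not already do so, wrap the statements with `$dbh->beginTransaction();` before `$stmt1` and `$dbh->commit();` after the last execute, rolling back and rethrowing on any exception. Using two distinct placeholders `:tid2`/`:aid2` for the same value is the right choice, since reusing a named placeholder is only allowed when PDO prepare emulation is on.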
@@ -65,9 +65,25 @@ class UserHandler { if ($this->grouperConfig !== null) { $gc = new GrouperClient($this->grouperConfig); - $groupsToMove = $gc->getSubjectGroups('RAP:' . $userId2); - $gc->addMemberships('RAP:' . $userId1, $groupsToMove); - $gc->removeMemberships('RAP:' . $userId2, $groupsToMove); + $grouperUser1 = 'RAP:' . $userId1; + $grouperUser2 = 'RAP:' . $userId2; + + $groupsToMove = $gc->getSubjectGroups($grouperUser2); + $privilegesMap = $gc->getSubjectPrivileges($grouperUser2); + + // Adding memberships + $gc->addMemberships($grouperUser1, $groupsToMove); + // Adding privileges + foreach ($privilegesMap as $groupName => $privileges) { + $gc->assignPrivileges($grouperUser1, $groupName, $privileges); + } + + // Removing privileges + foreach ($privilegesMap as $groupName => $privileges) { + $gc->removePrivileges($grouperUser2, $groupName, $privileges); + } + // Removing memberships + $gc->removeMemberships($grouperUser2, $groupsToMove); } $this->dao->joinUsers($userId1, $userId2); diff --git a/config.php b/config.php index e13a8c36da0d8c6edeb21eddcd5b5f1a8ca7bbf2..d4cc396672031fad8877f1a34ee71ebb835d5c18 100644 --- a/config.php +++ b/config.php @@ -64,6 +64,12 @@ $AUTHENTICATION_METHODS = array( 'callback' => $BASE_PATH . '/auth/oauth2/linkedin_token.php' ), 'X.509' => array(), + 'DirectIdP' => array( + 'url' => 'https://sso.ia2.inaf.it/Shibboleth.sso/Login?entityID=https://sso.ia2.inaf.it/idp/shibboleth&target=https://sso.ia2.inaf.it/rap-ia2/auth/saml2/aai.php', + 'logo' => 'img/ia2-logo-60x60.png', + 'logo_alt' => 'IA2 logo', + 'description' => 'Use the IA2 Logo to Login if you have an account provided by IA2 or self registered' + ) ); $GROUPER = array( diff --git a/img/ia2-logo-60x60.png b/img/ia2-logo-60x60.png new file mode 100644 index 0000000000000000000000000000000000000000..f93ef2495577ed01ad2a5ac25578607dd9891670 Binary files /dev/null and b/img/ia2-logo-60x60.png differ 
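Review bot: The results of assignPrivileges() on user1 are thrown away, yet the following loop unconditionally calls removePrivileges() on user2 for the same groups, so a failed or rejected assignment ends with the privilege held by nobody — if user2 was a group's only admin, that group is left without one. Check the assignment result (or have GrouperClient throw on a non-success response) before the removal loop runs, and consider performing the removals only after `$this->dao->joinUsers()` succeeds, since a database failure at the end currently leaves Grouper already migrated with no way back. Separately, getGrouperPrivilegesLite returns effective rather than immediate privileges unless `immediateOnly` is requested — verify against the deployed Grouper version — in which case privileges user2 only inherits through a group membership would be assigned directly to user1 and outlive later changes to that membership; passing `immediateOnly => 'T'` in getSubjectPrivileges() would limit the copy to what user2 holds directly. The enclosing method starts and ends outside the hunk.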
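Review bot: The DirectIdP `target` is a hard-coded absolute URL on the production host, whereas every other entry in $AUTHENTICATION_METHODS derives its callback from $BASE_PATH, so a staging or test deployment using this config would send SAML logins back to production. If $BASE_PATH is the application's base URL as the neighbouring `callback` entries suggest, build the target the same way and encode it as a query value: `'url' => 'https://sso.ia2.inaf.it/Shibboleth.sso/Login?entityID=https://sso.ia2.inaf.it/idp/shibboleth&target=' . urlencode($BASE_PATH . '/auth/saml2/aai.php'),`. The entityID part can stay as it is, since it names the IdP rather than this application.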
diff --git a/include/front-controller.php b/include/front-controller.php index 2c94ee4e4c1fe1b3161d1109bc6344933830747e..bab647c1125224bfd2e02dddc79999c2bbae88d3 100644 --- a/include/front-controller.php +++ b/include/front-controller.php @@ -7,17 +7,19 @@ */ // -function setCallback() { +function setCallback($callback) { global $session, $callbackHandler; - $callback = Flight::request()->data['callback']; - $session->setCallbackURL($callbackHandler, isset($callback) ? $callback : null); + if (!isset($callback) || $callback === '') { + $callback = null; + } + $session->setCallbackURL($callbackHandler, $callback); return $session->getCallbackURL(); } Flight::route('/', function() { startSession(); - $callback = setCallback(); + $callback = setCallback(Flight::request()->data['callback']); global $session, $callbackHandler, $AUTHENTICATION_METHODS; if ($callback !== null && $session->user !== null) { $redirectURL = $callbackHandler->getLoginWithTokenURL($session->user->id, $callback); 
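Review bot: The callback that setCallback() now receives as a parameter still comes straight from the request (`Flight::request()->data['callback']` on the `/` route), and a few lines later it is passed to getLoginWithTokenURL() to build a redirect that carries a login token; unless `$session->setCallbackURL()` — not visible here — validates the URL against an allow-list, any site can supply a callback and receive that token, an open redirect that leaks the credential. Add the check where the value enters: after the empty-string guard, run the value through `parse_url()` and set `$callback = null` unless its scheme and host are ones the application is configured to accept, or make setCallbackURL() reject it and record that contract on setCallback() with `// $callback is untrusted request input; it must be validated before use as a redirect target`. The `/` route closure continues outside the hunk.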
@@ -34,29 +36,37 @@ Flight::route('GET /logout', function() { Flight::redirect('/'); }); -Flight::route('/google', function() { +function sendAuthRedirect($url) { startSession(); - Flight::redirect('/auth/oauth2/google_token.php'); + // reload callback from query to avoid problem with session shared between + // multiple browser tabs + setCallback(Flight::request()->query['callback']); + Flight::redirect($url); +} + +Flight::route('/google', function() { + sendAuthRedirect('/auth/oauth2/google_token.php'); }); Flight::route('/facebook', function() { - startSession(); - Flight::redirect('/auth/oauth2/facebook_login.php'); + sendAuthRedirect('/auth/oauth2/facebook_login.php'); }); Flight::route('/linkedIn', function() { - startSession(); - Flight::redirect('/auth/oauth2/linkedin_login.php'); + sendAuthRedirect('/auth/oauth2/linkedin_login.php'); }); Flight::route('/eduGAIN', function() { - startSession(); - Flight::redirect('/auth/saml2/aai.php'); + sendAuthRedirect('/auth/saml2/aai.php'); }); Flight::route('/x509', function() { - startSession(); - Flight::redirect('/auth/x509/certlogin.php'); + sendAuthRedirect('/auth/x509/certlogin.php'); +}); + +Flight::route('/direct', function() { + global $AUTHENTICATION_METHODS; + sendAuthRedirect($AUTHENTICATION_METHODS['DirectIdP']['url']); }); Flight::route('GET /confirm-join', function() { diff --git a/include/user-data.php b/include/user-data.php index ca50bf0e63b38751f079e870ad25ee260b2382f6..e2e7b4a0dec521da9b321f27ba68a0900b618d72 100644 --- a/include/user-data.php +++ b/include/user-data.php @@ -1,7 +1,7 @@ identities as $identity) { ?>
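Review bot: The new `/direct` route dereferences `$AUTHENTICATION_METHODS['DirectIdP']['url']` without checking the key exists, and it is the only provider route whose target comes from configuration rather than a fixed path; on a deployment whose config.php lacks the entry, PHP raises an undefined-index notice and Flight::redirect() is called with null. Guard it before the redirect, e.g. `if (!isset($AUTHENTICATION_METHODS['DirectIdP']['url'])) { Flight::notFound(); return; }`. Note also that sendAuthRedirect() now overwrites the session callback from the query string on every provider route, so a callback stored from the POSTed `/` form is cleared whenever a provider link carries no `?callback=`; this looks deliberate given the multi-tab comment, but the comment should say so, e.g. `// The query value always wins: a missing ?callback= clears any callback stored by another tab`. The `GET /confirm-join` route begins on the hunk's last line and continues outside it.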