diff --git a/Client-configuration.md b/Client-configuration.md
index 9e0c298..9a23df2 100644
--- a/Client-configuration.md
+++ b/Client-configuration.md
@@ -2,57 +2,244 @@ The client portion of MITREid Connect is usable as a Spring Security filter. The
 
 # Auth Provider
 
+The `OIDCAuthenticationProvider` class implements a Spring Security Authentication Provider that can be used with a standard Authentication Manager. This Authentication Provider handles fetching UserInfo from the server's UserInfo endpoint which is stored on the `OIDCAuthenticationToken` object that is returned from the authentication process. 
+
+```
+<security:authentication-manager alias="authenticationManager">
+  <security:authentication-provider ref="openIdConnectAuthenticationProvider" />
+</security:authentication-manager>
+
+<bean id="openIdConnectAuthenticationProvider" class="org.mitre.openid.connect.client.OIDCAuthenticationProvider">
+  ...
+</bean>
+```
+
+The Principal object is an immutable map of the issuer and subject, a pairing which is guaranteed to be globally unique.
+
 ## Named administrator configuration
 
+By default all valid users get a special Spring Security GrantedAuthority that is based on the issuer and subject of the user, such as **OIDC_2398ufe23u_https://example-idp.com/openid-connect-server/**.
+
+To map these authorities into more useful ones like **ROLE_USER** and **ROLE_ADMIN**, you need to wire in an authorities mapper, such as the one included in the client library:
+
+```
+		<property name="authoritiesMapper">
+			<bean class="org.mitre.openid.connect.client.NamedAdminAuthoritiesMapper">
+				<property name="admins">
+					<set>
+					<!-- This is an example of how to set up a user as an administrator: they'll be given ROLE_ADMIN in addition to ROLE_USER -->
+						<bean class="org.mitre.openid.connect.client.SubjectIssuerGrantedAuthority">
+							<constructor-arg name="subject" value="${admin.sub}" />
+							<constructor-arg name="issuer" value="${admin.iss}" />
+						</bean>
+					</set>
+				</property>
+			</bean>
+		</property>
+```
+
 # Filter
 
-There is one filter class `org.mitre.openid.connect.client.OIDCAuthenticationFilter` that handles all client (or "Relying Party") functions. It is configurable for use in different modes through the use of four different properties that can be wired through different beans as described below:
+There is one filter class `org.mitre.openid.connect.client.OIDCAuthenticationFilter` that handles all core client (or "Relying Party") functions. It is set to listen on `/openid-connect-login` at the root of the application. The filter bean is configured like this:
+
+```
+<bean id="openIdConnectAuthenticationFilter" class="org.mitre.openid.connect.client.OIDCAuthenticationFilter">
+  <property name="authenticationManager" ref="authenticationManager" />
+  <property name="serverConfigurationService">
+    ...
+  </property>
+  <property name="clientConfigurationService">
+    ...
+  </property>
+  <property name="issuerService">
+    ...
+  </property>
+  <property name="authRequestUrlBuilder">
+    ...
+  </property>
+</bean>
+```
+
+It is configurable for use in different modes through the use of four different properties that can be wired through different beans as described below:
 
 * `issuerService`: Determines which OpenID Connect Issuer (server) to connect to
 * `serverConfigurationService`: Provides the configuration parameters of each OpenID Connect Issuer
 * `clientConfigurationService`: Provides the configuration parameters for this client to connect to each OpenID Connect Issuer
 * `authRequestUrlBuilder`: Crafts the URL used to redirect the user to the OpenID Connect server
 
+### Validator
+
+To validate ID token signatures, the client will need access to a validator for each issuer's key set. This service bean will automatically fetch the keys and set up a validator:
+
+```
+<bean id="validatorCache" class="org.mitre.jwt.signer.service.impl.JWKSetSigningAndValidationServiceCacheService" /> 
+```
+
 ## Issuer Service
 
 ### Static Issuer Service
 
-Always sends the user to the same issuer, very useful for tightly-coupled deployments.
+Always returns the same issuer, very useful for tightly-coupled deployments.
+
+```
+<bean class="org.mitre.openid.connect.client.service.impl.StaticSingleIssuerService">
+  <property name="issuer" value="${idp.url}" />
+</bean>
+```
 
 ### Third-Party Issuer Service
 
-Defers to an Account Chooser to determine the issuer, expects callbacks to follow the format of the OpenID Connect [third party client login initiation protocol](http://openid.net/specs/openid-connect-standard-1_0.html#client_Initiate_login).
+Allows an issuer to be passed in following the format of the OpenID Connect [third party client login initiation protocol](http://openid.net/specs/openid-connect-standard-1_0.html#client_Initiate_login). If the issuer is not passed in the `iss` parameter, it will redirect the user to an [Account Chooser](https://github.com/mitreid-connect/account-chooser) URL and listen for the callback.
+
+```
+<bean class="org.mitre.openid.connect.client.service.impl.ThirdPartyIssuerService">
+  <property name="accountChooserUrl" value="http://login.example.net/account-chooser/" />
+</bean>
+```
 
 ### Webfinger Discovery Issuer Service
 
-Takes in input from a user form and does discovery based on the Webfinger protocol.
+Takes in input from a user form and does discovery based on the Webfinger protocol, redirects the user to a login page (to be supplied by the client application) if no value is passed in for the `identifier` parameter to the filter.
+
+```
+<bean class="org.mitre.openid.connect.client.service.impl.WebfingerIssuerService">
+  <property name="loginPageUrl" value="login" />
+</bean>
+```
 
 ## Server Configuration
 
+The client must know things about the server such as its authorization endpoint URL and token endpoint URL. Since these will vary from issuer to issuer, the server configuration objects are indexed by issuer URL.
+
 ### Static Server Configuration
 
-Provides server information such as authorization endpoint url, issuer, and other parameters for each configured issuer.
+Provides server information such as authorization endpoint url, issuer, and other parameters for each configured issuer configured as in-memory objects inside a map.
+
+```
+			<bean class="org.mitre.openid.connect.client.service.impl.StaticServerConfigurationService">
+				<property name="servers">
+					<map>
+						<entry key="${idp.url}">
+							<bean class="org.mitre.openid.connect.config.ServerConfiguration">
+								<property name="issuer" value="${idp.url}" />
+								<property name="authorizationEndpointUri"	value="${idp.url}authorize" />
+								<property name="tokenEndpointUri"	value="${idp.url}token" />
+								<property name="userInfoUri" value="${idp.url}userinfo" />
+								<property name="jwksUri" value="${idp.url}jwk" />
+							</bean>
+						</entry>
+					</map>
+				</property>
+			</bean>
+```
 
 ### Dynamically Discovered Server Configuration
 
 Dynamically discovers server information for an issuer based on the [OpenID Connect Discovery protocol](http://openid.net/specs/openid-connect-discovery-1_0.html).
 
+```
+<bean class="org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService" />
+```
+
+Server information is stored in an in-memory cache after discovery.
+
 ## Client Configuration
 
+The client must know certain things like its `client_id` and `client_secret` in order to request tokens. These are likely to vary from issuer to issuer, so the client configuration objects are indexed by the server configuration object in this service.
+
 ### Static Client Configuration
 
 Provides information for a pre-registered client to connect to a server.
 
+```
+			<bean class="org.mitre.openid.connect.client.service.impl.StaticClientConfigurationService">
+				<property name="clients">
+					<map>
+						<entry key="${idp.url}">
+							<bean class="org.mitre.oauth2.model.ClientDetailsEntity">
+								<property name="clientId" value="client" />
+								<property name="clientSecret" value="secret" />
+								<property name="scope">
+									<set value-type="java.lang.String">
+										<value>openid</value>
+										<value>email</value>
+										<value>address</value>
+										<value>profile</value>
+										<value>phone</value>
+									</set>
+								</property>
+							</bean>
+						</entry>
+					</map>
+  </property>
+</bean>
+```
+
 ### Dynamically Registered Client Configuration
 
 Dynamically registers the client for each issuer based on the template of client information.
 
+```
+			<bean class="org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService">
+				<property name="template">
+					<bean class="org.mitre.oauth2.model.ClientDetailsEntity">
+						<property name="clientName" value="Simple Web App" />
+						<property name="scope">
+							<set value-type="java.lang.String">
+								<value>openid</value>
+								<value>email</value>
+								<value>address</value>
+								<value>profile</value>
+								<value>phone</value>
+							</set>
+						</property>
+					</bean>
+ 				</property>
+ 			</bean>
+```
+
+All properties set in the template object are passed in to the dynamic registration endpoint's input and the dynamically registered client information is held in an in-memory cache.
+
 ## Authorization Request URL Builder
 
 ### Plain Authorization Request
 
 Builds the URL using normal HTTP parameters.
 
+```
+<bean class="org.mitre.openid.connect.client.service.impl.PlainAuthRequestUrlBuilder" />
+```
+
 ### Signed Authorization Request
 
-Builds the URL using a signed Request Object. This also requires configuration (and generation) of a [json web key set](wiki/Keys).
\ No newline at end of file
+Builds the URL using a signed Request Object. 
+
+```
+<bean class="org.mitre.openid.connect.client.service.impl.SignedAuthRequestUrlBuilder">
+  <property name="signingAndValidationService" ref="defaultsignerService" />
+</bean>
+```
+
+This also requires configuration (and generation) of a [json web key set](wiki/Keys) and several support components such as a signing and validation service and a keystore:
+
+```
+	<bean id="defaultsignerService" class="org.mitre.jwt.signer.service.impl.DefaultJwtSigningAndValidationService">
+		<constructor-arg name="keyStore">
+			<bean id="defaultKeyStore" class="org.mitre.jose.keystore.JWKSetKeyStore">
+				<property name="location" value="classpath:keystore.jwks" />
+			</bean>
+		</constructor-arg>
+		<property name="defaultSignerKeyId" value="rsa1" />
+ 		<property name="defaultSigningAlgorithmName" value="RS256" />
+	</bean>
+```
+
+Furthermore, the client must be configured to publish its public key at a URL that the server can fetch in order to validate the request object's signature. This bean will publish whatever keys are configured in the signing and validation service that's used in the auth request builder:
+
+```
+	<bean id="clientKeyPublisher" class="org.mitre.openid.connect.client.keypublisher.ClientKeyPublisher">
+ 		<property name="jwkPublishUrl" value="jwk" />
+ 		<property name="signingAndValidationService" ref="defaultsignerService" />
+ 	</bean>
+```
+