diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/identifier/FakeSelfEditingIdentifierFactory.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/identifier/FakeSelfEditingIdentifierFactory.java index 3e0951729..de53351e2 100644 --- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/identifier/FakeSelfEditingIdentifierFactory.java +++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/identifier/FakeSelfEditingIdentifierFactory.java @@ -35,7 +35,7 @@ public class FakeSelfEditingIdentifierFactory implements IdentifierBundleFactory NetId netIdToken = new NetId(netid); ib.add(netIdToken); - ExternalAuthHelper helper = ExternalAuthHelper.getBean(request); + ExternalAuthHelper helper = ExternalAuthHelper.getHelper(request); String uri = helper.getIndividualUriFromNetId(wdf.getIndividualDao(), netid); if( uri != null ){ Individual ind = wdf.getIndividualDao().getIndividualByURI(uri); diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/identifier/SelfEditingIdentifierFactory.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/identifier/SelfEditingIdentifierFactory.java index bc229445d..903072b60 100644 --- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/identifier/SelfEditingIdentifierFactory.java +++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/identifier/SelfEditingIdentifierFactory.java @@ -115,7 +115,7 @@ public class SelfEditingIdentifierFactory implements IdentifierBundleFactory { IndividualDao indDao = wdf.getIndividualDao(); - ExternalAuthHelper helper = ExternalAuthHelper.getBean(request); + ExternalAuthHelper helper = ExternalAuthHelper.getHelper(request); String uri = helper.getIndividualUriFromNetId(indDao, username); if (uri == null) { log.debug("could not find an Individual with a netId of " diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/EntityController.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/EntityController.java index b06915a8e..999401170 100644 
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/EntityController.java +++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/EntityController.java @@ -389,7 +389,7 @@ public class EntityController extends VitroHttpServlet { if (netIdStr==null || netIdStr.equals("")) netIdStr = vreq.getParameter("netid"); if ( netIdStr != null ){ - uri = ExternalAuthHelper.getBean(vreq).getIndividualUriFromNetId(iwDao, netIdStr); + uri = ExternalAuthHelper.getHelper(vreq).getIndividualUriFromNetId(iwDao, netIdStr); return iwDao.getIndividualByURI(uri); } diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/BaseLoginServlet.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/BaseLoginServlet.java index a376a4c33..22698eda5 100644 --- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/BaseLoginServlet.java +++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/BaseLoginServlet.java @@ -20,6 +20,10 @@ import edu.cornell.mannlib.vitro.webapp.controller.login.LoginProcessBean.Messag public class BaseLoginServlet extends HttpServlet { private static final Log log = LogFactory.getLog(BaseLoginServlet.class); + /** A general purpose error message for the user to see. */ + protected static final Message MESSAGE_LOGIN_FAILED = new LoginProcessBean.Message( + "External login failed.", LoginProcessBean.MLevel.ERROR); + protected Authenticator getAuthenticator(HttpServletRequest req) { return Authenticator.getInstance(req); } diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/ExternalAuthHelper.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/ExternalAuthHelper.java index d2a63bef4..10b308aea 100644 --- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/ExternalAuthHelper.java +++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/ExternalAuthHelper.java 
@@ -2,6 +2,9 @@ package edu.cornell.mannlib.vitro.webapp.controller.authenticate; +import java.io.UnsupportedEncodingException; +import java.net.URLEncoder; + import javax.servlet.ServletRequest; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpSession; @@ -14,7 +17,7 @@ import edu.cornell.mannlib.vitro.webapp.dao.IndividualDao; /** * Capture the properties used by the External Authorization system, and use - * them in common ways. + * them to assist in the process. * * The first time this bean is requested, it is created from the configuration * properties and cached in the session. After that, the cached version is used. @@ -23,16 +26,19 @@ public class ExternalAuthHelper { private static final Log log = LogFactory.getLog(ExternalAuthHelper.class); private static final ExternalAuthHelper DUMMY_HELPER = new ExternalAuthHelper( - null); + null, null, null); private static final String BEAN_ATTRIBUTE = ExternalAuthHelper.class .getName(); - /** - * The configuration property that tells us what property associates an - * Individual with a NetID - */ - private static final String PROPERTY_NETID_MATCHING_PROPERTY = "externalAuth.netidMatchingProperty"; + /** This configuration property points to the external authorization server. */ + private static final String PROPERTY_EXTERNAL_AUTH_SERVER_URL = "externalAuth.serverUrl"; + + /** This configuration property says what ties an Individual to a NetID */ + private static final String PROPERTY_NETID_MATCHING_RELATION = "externalAuth.netidMatchingProperty"; + + /** This configuration property says which HTTP header holds the username. */ + public static final String PROPERTY_EXTERNAL_AUTH_USERNAME_HEADER = "externalAuth.headerName"; // ---------------------------------------------------------------------- // static methods 
@@ -44,7 +50,7 @@ public class ExternalAuthHelper { * * Never returns null. */ - public static ExternalAuthHelper getBean(ServletRequest request) { + public static ExternalAuthHelper getHelper(ServletRequest request) { if (!(request instanceof HttpServletRequest)) { log.trace("Not an HttpServletRequest: " + request); return DUMMY_HELPER; @@ -69,11 +75,15 @@ public class ExternalAuthHelper { } private static ExternalAuthHelper buildBean() { - // TODO the ConfigurationProperties should be attached to the - // ServletContext. String netidMatchingPropertyUri = ConfigurationProperties - .getProperty(PROPERTY_NETID_MATCHING_PROPERTY); - return new ExternalAuthHelper(netidMatchingPropertyUri); + .getProperty(PROPERTY_NETID_MATCHING_RELATION); + String externalAuthServerUrl = ConfigurationProperties + .getProperty(PROPERTY_EXTERNAL_AUTH_SERVER_URL); + String externalAuthHeaderName = ConfigurationProperties + .getProperty(PROPERTY_EXTERNAL_AUTH_USERNAME_HEADER); + + return new ExternalAuthHelper(netidMatchingPropertyUri, + externalAuthServerUrl, externalAuthHeaderName); } // ---------------------------------------------------------------------- 
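Review bot: `buildBean()` keeps the old "bean" wording now that the public accessor is `getHelper`, and `BEAN_ATTRIBUTE` in the earlier `@@ -23,16 +26,19 @@` hunk does the same. Renaming them, for example to `buildHelper()` and `HELPER_ATTRIBUTE`, and updating the class comment that still says "this bean", would keep the rename consistent within the class. The method now reads three properties, so a one-line comment such as `/** Read the external-auth settings from the configuration properties; any of them may be null. */` would also help.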
@@ -81,12 +91,21 @@ public class ExternalAuthHelper { // ---------------------------------------------------------------------- private final String netidMatchingPropertyUri; + private final String externalAuthServerUrl; + private final String externalAuthHeaderName; - public ExternalAuthHelper(String netidMatchingPropertyUri) { - if (netidMatchingPropertyUri == null) { - this.netidMatchingPropertyUri = null; + private ExternalAuthHelper(String netidMatchingPropertyUri, + String externalAuthServerUrl, String externalAuthHeaderName) { + this.netidMatchingPropertyUri = trimThis(netidMatchingPropertyUri); + this.externalAuthServerUrl = trimThis(externalAuthServerUrl); + this.externalAuthHeaderName = trimThis(externalAuthHeaderName); + } + + private String trimThis(String string) { + if (string == null) { + return null; } else { - this.netidMatchingPropertyUri = netidMatchingPropertyUri.trim(); + return string.trim(); } } 
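Review bot: `trimThis` turns a property that is present but blank into `""` rather than null, so the `externalAuthServerUrl == null` and `externalAuthHeaderName == null` guards added later in this class would not catch it. With an empty server URL, `buildExternalAuthRedirectUrl` would return a URL that starts with `?target=`, and `getExternalUsername` would call `request.getHeader("")`. Unless `ConfigurationProperties.getProperty` already normalises blank values (not visible in this diff), I would return null for them: `String trimmed = string.trim(); return trimmed.isEmpty() ? null : trimmed;`. The helper uses no instance state, so it could also be `private static`.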
@@ -100,17 +119,61 @@ public class ExternalAuthHelper { if (netidMatchingPropertyUri == null) { return null; } - + String uri = indDao.getIndividualURIFromNetId(netId, netidMatchingPropertyUri); - log.debug("Netid =" + netId + ", individual URI=" + uri); + log.debug("Netid=" + netId + ", individual URI=" + uri); return uri; } + public String buildExternalAuthRedirectUrl(String returnUrl) { + if (returnUrl == null) { + log.error("returnUrl is null."); + return null; + } + + if (externalAuthServerUrl == null) { + log.error("User asked for external authentication, " + + "but deploy.properties doesn't contain a value for '" + + PROPERTY_EXTERNAL_AUTH_SERVER_URL + "'"); + return null; + } + + try { + String encodedReturnUrl = URLEncoder.encode(returnUrl, "UTF-8"); + String externalAuthUrl = externalAuthServerUrl + "?target=" + + encodedReturnUrl; + log.debug("externalAuthUrl is '" + externalAuthUrl + "'"); + return externalAuthUrl; + } catch (UnsupportedEncodingException e) { + throw new RuntimeException(e); // No UTF-8? Really? + } + } + + public String getExternalUsername(HttpServletRequest request) { + if (request == null) { + log.error("request is null."); + return null; + } + + if (externalAuthHeaderName == null) { + log.error("User asked for external authentication, " + + "but deploy.properties doesn't contain a value for '" + + PROPERTY_EXTERNAL_AUTH_USERNAME_HEADER + "'"); + return null; + } + + String username = request.getHeader(externalAuthHeaderName); + log.debug("username=" + username); + return username; + } + @Override public String toString() { return "ExternalAuthHelper[netidMatchingPropertyUri=" - + netidMatchingPropertyUri + "]"; + + netidMatchingPropertyUri + ", externalAuthServerUrl=" + + externalAuthServerUrl + ", externalAuthHeaderName=" + + externalAuthHeaderName + "]"; } } 
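Review bot: `getExternalUsername` returns the raw value of the configured header, and `LoginExternalAuthReturn.doPost` appears to use it as the identity to log in, but the method has no Javadoc saying what makes that header trustworthy. I would document it, e.g. `/** Returns the username asserted by the external authentication server in the configured header; the deployment must ensure clients cannot supply this header themselves. Returns null if the header name is not configured or the header is absent. */`, and give `buildExternalAuthRedirectUrl` a matching comment. A blank header value is currently returned as-is and written unmodified to the debug log. Adding `if (username == null || username.trim().isEmpty()) return null;` before the log line would let the callers' null checks cover that case.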
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/LoginExternalAuthReturn.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/LoginExternalAuthReturn.java index a22611fd1..e0237a253 100644 --- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/LoginExternalAuthReturn.java +++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/LoginExternalAuthReturn.java @@ -13,10 +13,8 @@ import javax.servlet.http.HttpServletResponse; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; -import edu.cornell.mannlib.vitro.webapp.ConfigurationProperties; import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest; import edu.cornell.mannlib.vitro.webapp.controller.login.LoginProcessBean; -import edu.cornell.mannlib.vitro.webapp.controller.login.LoginProcessBean.Message; import edu.cornell.mannlib.vitro.webapp.dao.IndividualDao; /** 
@@ -27,27 +25,7 @@ public class LoginExternalAuthReturn extends BaseLoginServlet { private static final Log log = LogFactory .getLog(LoginExternalAuthReturn.class); - /* This configuration property tells us what header contains the username. */ - public static final String PROPERTY_EXTERNAL_AUTH_USERNAME_HEADER = "externalAuth.headerName"; - - /** The complaint we make if there is no such property. */ - private static final Message MESSAGE_NO_EXTERNAL_AUTH_USERNAME = new LoginProcessBean.Message( - "deploy.properties doesn't contain a value for '" - + PROPERTY_EXTERNAL_AUTH_USERNAME_HEADER + "'", - LoginProcessBean.MLevel.ERROR); - - private static final Message MESSAGE_LOGIN_FAILED = new LoginProcessBean.Message( - "External login failed.", LoginProcessBean.MLevel.ERROR); - private final LoginRedirector loginRedirector = new LoginRedirector(); - private String externalAuthUsernameHeader; - - /** Get the configuration properties. */ - @Override - public void init() throws ServletException { - externalAuthUsernameHeader = ConfigurationProperties - .getProperty(PROPERTY_EXTERNAL_AUTH_USERNAME_HEADER); - } /** *
@@ -65,13 +43,7 @@ public class LoginExternalAuthReturn extends BaseLoginServlet { @Override protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { - if (externalAuthUsernameHeader == null) { - complainAndReturnToReferrer(req, resp, ATTRIBUTE_REFERRER, - MESSAGE_NO_EXTERNAL_AUTH_USERNAME); - return; - } - - String username = req.getHeader(externalAuthUsernameHeader); + String username = ExternalAuthHelper.getHelper(req).getExternalUsername(req); String uri = getAssociatedIndividualUri(username, req); if (username == null) { @@ -101,7 +73,7 @@ public class LoginExternalAuthReturn extends BaseLoginServlet { } IndividualDao indDao = new VitroRequest(req).getWebappDaoFactory() .getIndividualDao(); - return ExternalAuthHelper.getBean(req).getIndividualUriFromNetId( + return ExternalAuthHelper.getHelper(req).getIndividualUriFromNetId( indDao, username); } diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/LoginExternalAuthSetup.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/LoginExternalAuthSetup.java index 624a281e0..a3c8bdfb7 100644 --- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/LoginExternalAuthSetup.java +++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/authenticate/LoginExternalAuthSetup.java @@ -3,8 +3,6 @@ package edu.cornell.mannlib.vitro.webapp.controller.authenticate; import java.io.IOException; -import java.io.UnsupportedEncodingException; -import java.net.URLEncoder; import java.util.Enumeration; import javax.servlet.ServletException; 
@@ -14,9 +12,7 @@ import javax.servlet.http.HttpServletResponse; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; -import edu.cornell.mannlib.vitro.webapp.ConfigurationProperties; import edu.cornell.mannlib.vitro.webapp.controller.login.LoginProcessBean; -import edu.cornell.mannlib.vitro.webapp.controller.login.LoginProcessBean.Message; /** * Set up the external authorization process. @@ -39,30 +35,6 @@ public class LoginExternalAuthSetup extends BaseLoginServlet { /** This http header holds the referring page. */ private static final String HEADING_REFERRER = "referer"; - /** - * The configuration property that points to the external authorization - * server. - */ - private static final String PROPERTY_EXTERNAL_AUTH_SERVER_URL = "externalAuth.serverUrl"; - - /** - * The complaint we make if there is no external authorization server - * property. - */ - private static final Message MESSAGE_NO_EXTERNAL_AUTH_SERVER = new LoginProcessBean.Message( - "deploy.properties doesn't contain a value for '" - + PROPERTY_EXTERNAL_AUTH_SERVER_URL + "'", - LoginProcessBean.MLevel.ERROR); - - private String extrnalAuthServerUrl; - - /** Get the configuration property. */ - @Override - public void init() throws ServletException { - extrnalAuthServerUrl = ConfigurationProperties - .getProperty(PROPERTY_EXTERNAL_AUTH_SERVER_URL); - } - /** * Write down the referring page, record that we are logging in, and * redirect to the external authorization server URL. 
@@ -72,18 +44,19 @@ public class LoginExternalAuthSetup extends BaseLoginServlet { throws ServletException, IOException { storeTheReferringPage(req); - if (extrnalAuthServerUrl == null) { - log.debug("No external authorization server in deploy.properties"); - complainAndReturnToReferrer(req, resp, ATTRIBUTE_REFERRER, - MESSAGE_NO_EXTERNAL_AUTH_SERVER); - return; - } - LoginProcessBean.getBean(req).setState( LoginProcessBean.State.LOGGING_IN); - log.debug("Sending to external authorization server."); - resp.sendRedirect(buildExternalAuthRedirectUrl(req)); + String returnUrl = buildReturnUrl(req); + ExternalAuthHelper helper = ExternalAuthHelper.getHelper(req); + String redirectUrl = helper.buildExternalAuthRedirectUrl(returnUrl); + + if (redirectUrl == null) { + complainAndReturnToReferrer(req, resp, ATTRIBUTE_REFERRER, + MESSAGE_LOGIN_FAILED); + } + + resp.sendRedirect(redirectUrl); } /** Remember where we came from - we'll need to go back there. */ @@ -97,18 +70,9 @@ public class LoginExternalAuthSetup extends BaseLoginServlet { req.getSession().setAttribute(ATTRIBUTE_REFERRER, referrer); } - /** How do we get to the external authorization server and back? */ - private String buildExternalAuthRedirectUrl(HttpServletRequest req) { - try { - String returnUrl = figureHomePageUrl(req) + RETURN_SERVLET_URL; - String encodedReturnUrl = URLEncoder.encode(returnUrl, "UTF-8"); - String externalAuthUrl = extrnalAuthServerUrl + "?target=" - + encodedReturnUrl; - log.debug("externalAuthUrl is '" + externalAuthUrl + "'"); - return externalAuthUrl; - } catch (UnsupportedEncodingException e) { - throw new RuntimeException(e); // No UTF-8? Really? - } + /** What is the URL of the LoginExternalAuthReturn servlet? */ + private String buildReturnUrl(HttpServletRequest req) { + return figureHomePageUrl(req) + RETURN_SERVLET_URL; } private void dumpRequestHeaders(HttpServletRequest req) { 
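Review bot: In `doPost`, the new `if (redirectUrl == null)` block calls `complainAndReturnToReferrer(...)` but has no `return;`, so execution falls through to `resp.sendRedirect(redirectUrl)` with a null URL. The removed code returned at this point; add `return;` as the last statement inside the `if`. The failure check also now runs after `LoginProcessBean.getBean(req).setState(LoginProcessBean.State.LOGGING_IN)`, where the old code checked first. Unless `complainAndReturnToReferrer` resets the state (not visible here), a misconfigured deployment would leave the session marked as logging in, so I would build and check `redirectUrl` before calling `setState`.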
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/freemarker/IndividualController.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/freemarker/IndividualController.java index 0bcebd962..5e513a967 100644 --- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/freemarker/IndividualController.java +++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/freemarker/IndividualController.java @@ -366,7 +366,7 @@ public class IndividualController extends FreemarkerHttpServlet { if (netIdStr==null || netIdStr.equals("")) netIdStr = vreq.getParameter("netid"); if ( netIdStr != null ){ - uri = ExternalAuthHelper.getBean(vreq).getIndividualUriFromNetId(iwDao, netIdStr); + uri = ExternalAuthHelper.getHelper(vreq).getIndividualUriFromNetId(iwDao, netIdStr); return iwDao.getIndividualByURI(uri); }