diff --git a/group_vars/all/all.yml b/group_vars/all/all.yml
index 000202d..9d1a508 100644
--- a/group_vars/all/all.yml
+++ b/group_vars/all/all.yml
@@ -131,6 +131,9 @@ ckan_googleanalytics_credentials: |-
 "universe_domain": ""
 }
 
+# SAML
+ckan_saml_idp_cert: ""
+
 # who.ini
 who_authenticators: |-
 [authenticators]
@@ -139,3 +142,4 @@ who_authenticators: |-
 ckan.lib.authenticator:UsernamePasswordAuthenticator
 
 storage_class_name: "efs-client"
+ckan_login_form_url: "/user/login"
diff --git a/roles/ckan/templates/ckan/ckan_who.ini b/roles/ckan/templates/ckan/ckan_who.ini
index b72b009..41b0149 100644
--- a/roles/ckan/templates/ckan/ckan_who.ini
+++ b/roles/ckan/templates/ckan/ckan_who.ini
@@ -4,7 +4,7 @@ use = ckan.lib.repoze_plugins.auth_tkt:make_plugin
 #secret = somesecret
 [plugin:friendlyform]
 use = ckan.lib.repoze_plugins.friendly_form:FriendlyFormPlugin
-login_form_url= /user/login
+login_form_url={{ ckan_login_form_url }}
 login_handler_path = /login_generic
 logout_handler_path = /user/logout
 rememberer_name = auth_tkt
diff --git a/roles/ckan/templates/kubernetes/ckan.yaml b/roles/ckan/templates/kubernetes/ckan.yaml
index 7e91733..a6e9337 100644
--- a/roles/ckan/templates/kubernetes/ckan.yaml
+++ b/roles/ckan/templates/kubernetes/ckan.yaml
@@ -152,15 +152,20 @@ spec:
 {% if fjelltopp_cloud_provider != 'azure' %}
 - name: AWS_DEFAULT_REGION
 value: "{{ aws_region }}"
+ - name: CKAN_SAML_IDP_CERT
+ value: |-
+ {{ ckan_saml_idp_cert }}
 {% endif %}
 {% if fjelltopp_env_type == 'local' %}
+ - name: CKAN_SAML_IDP_CERT
+ value: "{{ ckan_saml_idp_cert }}"
 - name: HOME
 value: "/usr/lib/ckan"
 {% endif %}
 image: {{ ckan_image }}:{{ ckan_image_tag }}
 imagePullPolicy: {{ (fjelltopp_env_type == 'local') | ternary('IfNotPresent', 'Always') }}
 name: ckan
-
+
 # assume local user uid
 {% if fjelltopp_env_type == 'local' %}
 tty: true
diff --git a/roles/ckan/vars/secrets.yml b/roles/ckan/vars/secrets.yml
index e79f505..e142db2 100644
--- a/roles/ckan/vars/secrets.yml
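Review bot: The new `ckan_saml_idp_cert: ""` default says nothing about what the value is or how it must be encoded, and its consumer in roles/ckan/templates/kubernetes/ckan.yaml treats it as a multi-line block scalar in one branch and as a double-quoted one-liner in another, so the expected format has to be pinned down somewhere and this default is the natural place. Suggest replacing the bare `# SAML` with `# SAML: signing certificate of the IdP, PEM (may span several lines); presumably used to verify assertion signatures - confirm with the SAML plugin. Empty leaves SAML unconfigured; on AWS this is overridden by roles/ckan/vars/secrets.yml.` That last point matters because role vars outrank group_vars, so operators editing this file will otherwise wonder why their value has no effect.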
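Review bot: `login_form_url={{ ckan_login_form_url }}` is now an unconstrained templated value that FriendlyFormPlugin uses as the redirect target for unauthenticated requests (I believe it appends a `came_from` parameter to it), so anyone pointing it at a SAML route should know it may be an absolute URL and what gets attached; a one-line comment above the key, `; redirect target for unauthenticated requests; set ckan_login_form_url to the SAML login route to hand off to the IdP`, would record that. The line also drops the ` = ` spacing used by every neighbouring key; `login_form_url = {{ ckan_login_form_url }}` keeps the file consistent, and configparser-style INI readers treat both forms identically.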
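Review bot: `CKAN_SAML_IDP_CERT` is emitted twice when `fjelltopp_cloud_provider != 'azure'` and `fjelltopp_env_type == 'local'` both hold, and not at all for a non-local Azure deployment, because the new entry was placed inside two unrelated guards instead of standing on its own; the API server does not reject duplicate env names, and which copy the container ends up with is not something to rely on. The non-Azure branch also drops a raw `{{ ckan_saml_idp_cert }}` into a `|-` block scalar, so a PEM certificate with line breaks would render continuation lines at column 0 and break the YAML, while the local branch's double-quoted form folds those line breaks into spaces, which most PEM parsers will not accept. Hoisting the entry out of both conditionals and rendering it with `| indent(12)` fixes all three; if the certificate genuinely cannot be resolved on Azure, guard it on that condition alone rather than on the region block. The container spec continues outside the hunk.
```yaml
{% endif %}
        # IdP signing certificate; indent() keeps a multi-line PEM valid inside the block scalar
        - name: CKAN_SAML_IDP_CERT
          value: |-
            {{ ckan_saml_idp_cert | indent(12) }}
{% if fjelltopp_env_type == 'local' %}
# … unchanged: HOME entry, image, imagePullPolicy, name …
```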
+++ b/roles/ckan/vars/secrets.yml
@@ -14,3 +14,8 @@ ckan_beaker_secret: "{{ lookup('aws_secret', application_namespace + '_ckan_beak
 on_missing='skip', on_deleted='skip') }}"
 ckan_api_secret: "{{ lookup('aws_secret', application_namespace + '_ckan_api_secret' , region = aws_region,
 on_missing='skip', on_deleted='skip') }}"
+
+#The following is not really a secret but a certificate
+#This is uploaded manually to AWS #TODO
+ckan_saml_idp_cert: "{{ lookup('aws_secret', application_namespace + '_ckan_saml_idp_cert' , region = aws_region,
+on_missing='skip', on_deleted='skip') }}"
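Review bot: A trust anchor fetched with `on_missing='skip'` fails silently: because role vars outrank group_vars, this lookup always replaces the `""` default in group_vars/all/all.yml, and when the secret has not been uploaded yet the rendered value is whatever the lookup yields on skip (an empty string, or an empty list that Jinja renders as `[]` - worth checking), so SAML is deployed with no usable certificate and no error. Suggest `on_missing='error'` here, or an `assert` task on `ckan_saml_idp_cert | length > 0` for non-local environments, so a missing or deleted secret stops the play instead of shipping a broken trust configuration. The comment block should also use the file's `# ` style and say what the TODO actually is, e.g. `# Not confidential, but this certificate is the trust anchor for SAML (presumably assertion signature verification), so its integrity matters as much as a secret's confidentiality; it is uploaded to Secrets Manager by hand (TODO: automate the upload).`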