diff --git a/roles/ipsilon/tasks/main.yml b/roles/ipsilon/tasks/main.yml
index 76b8e9c763..335481cb15 100644
--- a/roles/ipsilon/tasks/main.yml
+++ b/roles/ipsilon/tasks/main.yml
@@ -79,15 +79,19 @@
 owner=ipsilon group=ipsilon setype=httpd_var_lib_t
 - name: copy SAML2 private key
- copy: src={{ private }}/files/ipsilon/saml2.key dest=/etc/ipsilon/saml2/certificate.key
+ copy: src={{ private }}/files/saml2/production/keys/idp.key dest=/etc/ipsilon/saml2/idp.key
 owner=ipsilon group=ipsilon mode=0600
 when: env != "staging"
 - name: copy SAML2 public key
- copy: src=saml2.pem dest=/etc/ipsilon/saml2/certificate.pem
+ copy: src={{ private }}/files/saml2/production/keys/idp.crt dest=/etc/ipsilon/saml2/idp.crt
 owner=ipsilon group=ipsilon mode=0644
 when: env != "staging"
+- name: copy SAML2 metadata
+ copy: src={{ private }}/files/saml2/idp-{{env}}.xml dest=/etc/ipsilon/saml2/metadata.xml
+ owner=ipsilon group=ipsilon mode=0644
+
 - name: copy SAML2 STG private key
 copy: src={{ private }}/files/ipsilon/saml2.stg.key dest=/etc/ipsilon/saml2/certificate.stg.key
 owner=ipsilon group=ipsilon mode=0600
@@ -98,6 +102,7 @@
 owner=ipsilon group=ipsilon mode=0644
 when: env == "staging"
+
 - name: set sebooleans so ipsilon can talk to the db
 seboolean: name=httpd_can_network_connect_db state=true
diff --git a/roles/ipsilon/templates/configuration.conf b/roles/ipsilon/templates/configuration.conf
index 549d9e8fd1..43e4dc8862 100644
--- a/roles/ipsilon/templates/configuration.conf
+++ b/roles/ipsilon/templates/configuration.conf
@@ -45,6 +45,8 @@ saml2 idp certificate file=certificate.stg.pem
 saml2 idp key file=certificate.stg.key
 {% else %}
 saml2 idp nameid salt={{ ipsilon_saml2_nameid_salt }}
+saml2 idp certificate file=idp.crt
+saml2 idp key file=idp.key
 {% endif %}
 saml2 allow self registration=False
 saml2 default nameid=transient
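Review bot: Moving the production private key from `/etc/ipsilon/saml2/certificate.key` to `/etc/ipsilon/saml2/idp.key` (and the certificate to `idp.crt`) leaves the previously deployed `certificate.key`/`certificate.pem` on hosts that already ran this role, since nothing in the hunk removes them, and a superseded private key should not stay on disk. Add a cleanup after the two copies, e.g. `- name: remove superseded SAML2 keypair`, `file: path=/etc/ipsilon/saml2/{{ item }} state=absent`, `with_items: [certificate.key, certificate.pem]`, guarded with the same `when: env != "staging"`. If the role has a handler that restarts ipsilon/httpd, the key, certificate and metadata copies should `notify:` it so the new material is actually loaded — the handlers are not visible from here. The new metadata task's `idp-{{env}}.xml` would read consistently with the rest of the file as `{{ env }}`.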
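Review bot: The added `saml2 idp certificate file=idp.crt` and `saml2 idp key file=idp.key` repeat basenames that roles/ipsilon/tasks/main.yml also hard-codes as copy destinations, with nothing linking the two; a Jinja comment above them, `{# keypair is deployed by tasks/main.yml ("copy SAML2 private/public key"); keep basenames in sync #}`, or a role variable used in both places, would stop a rename on one side from silently breaking the other. The metadata file that the same tasks place at `/etc/ipsilon/saml2/metadata.xml` is not referenced in this template; if ipsilon needs an explicit setting to pick it up rather than finding it by location, it belongs in this branch — that cannot be determined from the hunk. The enclosing `{% if %}` opens outside the hunk.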