diff --git a/roles/ipsilon/tasks/main.yml b/roles/ipsilon/tasks/main.yml
index 765439c5bb..8e16297678 100644
--- a/roles/ipsilon/tasks/main.yml
+++ b/roles/ipsilon/tasks/main.yml
@@ -293,6 +293,23 @@
 tags:
 - ipsilon
+- name: copy saml2 metadata script
+ template:
+ src: prepare-saml2-metadata.py
+ dest: /usr/local/bin/prepare-saml2-metadata
+ owner: root
+ group: root
+ mode: 0755
+ tags:
+ - ipsilon
+
+- name: generate the saml2 metadata
+ command:
+ cmd: /usr/local/bin/prepare-saml2-metadata
+ creates: /etc/ipsilon/root/saml2/metadata.xml
+ tags:
+ - ipsilon
+
 - name: set sebooleans so ipsilon can talk to the db
 seboolean:
 name: httpd_can_network_connect_db
diff --git a/roles/ipsilon/templates/prepare-saml2-metadata.py b/roles/ipsilon/templates/prepare-saml2-metadata.py
new file mode 100644
index 0000000000..da75b2d9ef
--- /dev/null
+++ b/roles/ipsilon/templates/prepare-saml2-metadata.py
@@ -0,0 +1,9 @@
+#!/usr/bin/env python3
+
+from ipsilon.providers.saml2idp import IdpMetadataGenerator, Certificate
+from datetime import timedelta
+cert = Certificate()
+cert.import_cert('/etc/ipsilon/root/saml2/idp.crt', '/etc/ipsilon/root/saml2/idp.key')
+#meta = IdpMetadataGenerator('https://id{{ env_suffix }}.fedoraproject.org', cert, timedelta(3600))
+meta = IdpMetadataGenerator('https://id{{ env_suffix }}.fedoraproject.org', cert)
+meta.output('/etc/ipsilon/root/saml2/metadata.xml')
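Review bot: The `creates: /etc/ipsilon/root/saml2/metadata.xml` guard on the "generate the saml2 metadata" task means the metadata is produced exactly once, so when idp.crt/idp.key are rotated the metadata.xml that embeds the old certificate stays in place and relying parties keep trusting a signing key the IdP no longer uses. Consider dropping `creates:` and running the command from a handler notified by whichever task installs idp.crt (that task is outside this hunk), or tying `changed_when` to a comparison of the cert and metadata contents so the play stays idempotent. A short comment on the task, `# metadata embeds idp.crt; must be regenerated whenever the cert is rotated`, would make the coupling visible to the next editor. Minor: quoting the mode as `mode: '0755'` avoids the YAML octal-literal ambiguity that ansible-lint flags.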
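Review bot: `from datetime import timedelta` is unused once the `timedelta(3600)` call is commented out, and the commented line is itself misleading because `timedelta(3600)` is 3600 days, not seconds, so reviving it would not give a short validity window. Either delete both the import and the commented line, or, if a validUntil window is wanted, pass an explicit `timedelta(hours=1)` and confirm against the installed ipsilon version that the third argument of IdpMetadataGenerator is that expiration. Because this file is rendered by the `template` module and reads the private key, a header comment would help the next maintainer: `# Rendered by Ansible (env_suffix selects the IdP hostname); runs as root because it reads idp.key.` Any failure in `import_cert` currently surfaces only as an uncaught traceback, which is acceptable for a one-shot bootstrap but worth stating in that comment.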