diff --git a/roles/enable_root/templates/authorized_keys.j2 b/roles/enable_root/templates/authorized_keys.j2
index 5ee0159b9ffdf0b9c7959ba0cb5830511a11f31b..f7eff2cc56bea11fdd047d2e1741798a1da2c71b 100644
--- a/roles/enable_root/templates/authorized_keys.j2
+++ b/roles/enable_root/templates/authorized_keys.j2
@@ -1,3 +1,4 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvjn5cQuMkqTo04ZnkuDXfUBeAt7oZ6xrT4phfMemqx12dDqLyFrMgUWOoVMFj+TNyR5M8WOCI6CRT6EXOMtqaxhPtWB1QlDNo0Ml8xTzSKckUO0EhdqNKh+nlQfVeaVIx0DZZeWWNpPCrKPCM4TSAXXiwtZuImd6/Zo4RI1x+oTcFR9zQulUGUuX8rf7+4c/oKr58B+La8bXP8QujtfLm29pl1kawSouCfdxt93wRfbISM7mGs/WqzttRXL9m5AeOMuo5S4Ia0GPMcIEUfsQhEyEU7tiTpEq5lDdf6H7a9SlHXzhd9f2Dn3mlv3mmQHaGBJvUuWmVwydxkdtCRQhOQ== root@m2-m
 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA2xrAkFRdYBpYs14AYSzdPFcIOt2zKXIgjPpyj/6eg/yl3y8N84T9VNw9ATRzb3+PJEw1lOfah6xLkFl7FueT6359y14c7wkNByGHgcL022SludkhM2zBe/3ebhcBs11L4Z725rqVnGDSKdKuwZjbCmUtu/nHwGYU/BnLKbQXMVyq53L5cbIyWGfvItPnwCF2ZMy1v0lmnFs1O3qDK9U/qcwc/77MTB0Z/ey0zsoXvmxjkdYr+zgQLRNm2+fkCXn+ZorbeDwWjhHE21arhMym5x3VG0XU2Ob9nL1Z2xEGQVSnBVWeadTMNzkfM8U07Md2tSOIC5B3ePETxk97puxbEQ== root@m2-m
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPijQ597uLqEPAvVZXQlSjrUfFl2h7SRBTCRhH4hQJMVu55dhFYiojJZ0tjjV3jTcgWs1AsyRp3wDtNp8iQxbwEY2JPxCOjNuH0et4I/y3y6VUjcVWanSaIkdPf5AFNb9KIXo3Hvdyvav8SfFpioRQ0FKp8SZs1JYXpuQ0mZY26oKCKcNsWXv9ZN7knUN0xvYNMycpCnI2Nl666Zrs0gGyJ6e+Xq5bpk1lm8nuK9q52bTRjxqtdEBuSGwkZea+NBJzpYw5rEucteQI66y6tzFuYJk2WC4bUifffIxnkQXKYVynJg1MJ2CGI69r9hXt9eUtH3WrDxrJGmCau8jD3lib hines@sparge
 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAnakq6Lgq2n6yjcMaC7xQXMDMRdN33T6mPCqRy+TPdu0aPvVty0UFeAWsCyTxHeVfst9Vr0HwRRBvNihp1CJuOWGbk0H5a8yALDhLqoHazv2jlMQcLDgTktw0Jgo38+tcBShJyey1iHh8X5WgsS5/hgxR3OzoNBEzqzHUidMO/EI0ahNlM60l8EYL8Ww799NmPgqdPbwxK9nHsoFmx/NKhnUdronSg33L0CJZT3t2fccXAq+4Pbm7uYEkL3T/NgMdgpG5mKS3mKDtKyyKm2gOf3fVzExFew2etBxB3ANPEWvSuJ2XwXQv8sFE1722XQVR4RFgilCWUqXSN7EmqoHkNQ== jupiter@cvlproject
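Review bot: The added key carries the same comment `root@m2-m` as the existing key directly below it, so this looks like a key rotation in which the retired key was left in place; if the old key was replaced, remove its line so root on every host this role touches is not still reachable with it. Both entries are unrestricted: consider prefixing them with `from="<mgmt-host>",no-port-forwarding,no-agent-forwarding,no-X11-forwarding` so a leaked key is only usable from the management host. Since this template is root's authorized_keys for the whole fleet, a `# ` comment at the top naming who may add keys here and how they are rotated would make the trust boundary explicit.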
diff --git a/roles/karaage3.1.17/tasks/karaage.yml b/roles/karaage3.1.17/tasks/karaage.yml
index 7b1149bae000a3f59eb24e68beed1abb123cf420..1142ced19b1fc72e522758b3d6da17e8517c7d5b 100644
--- a/roles/karaage3.1.17/tasks/karaage.yml
+++ b/roles/karaage3.1.17/tasks/karaage.yml
@@ -96,7 +96,21 @@
 -
  name: "enabling Karaage configuration"
  shell: cp -rvpf /root/karaage3.1.7/conf/karaage3-wsgi.conf /etc/httpd/conf.d/karaage3-wsgi.conf
+ sudo: true
  when: ansible_os_family == "RedHat"
+-
+ name: "Enable shibboleth, should it be in shibboleth-sp role?"
+ lineinfile: insertafter="{{ item.after }}" line="{{ item.line }}" dest=/etc/{% if ansible_os_family == 'RedHat'  %}httpd{% else %}apache2{% endif %}/conf-available/karaage3-wsgi.conf state=present
+ with_items:
+   - { after: 'EOF', line: '<Location /karaage>' } 
+   - { after: '^<Location /karaage>', line: 'AuthType Shibboleth' }
+   - { after: '^AuthType Shibboleth', line: 'ShibRequireSession On' }
+   - { after: '^ShibRequireSession On', line: 'ShibUseHeaders On' }
+   - { after: '^ShibUseHeaders On', line: 'require valid-user' }
+   - { after: 'EOF', line: '</Location>' }
+#   - { after: '^require valid-user', line: '</Location>' }
+ sudo: true
+
 -
  name: "Installing other packages Debian"
  apt: name={{ item }} update_cache=yes
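Review bot: `ShibUseHeaders On` in the inserted `<Location /karaage>` block hands Shibboleth attributes to the application as HTTP request headers, the mode the Shibboleth project discourages because a client-supplied header of the same name can be confused with an IdP-asserted one unless mod_shib's header clearing covers every path to the app; if Karaage runs under mod_wsgi the Apache environment variables are normally visible to the WSGI environ, so the line can probably be dropped — confirm before removing. The `dest` path is also inconsistent with the RedHat branch: the task above copies the file to `/etc/httpd/conf.d/karaage3-wsgi.conf`, but this task edits `/etc/httpd/conf-available/karaage3-wsgi.conf`, which does not exist on RedHat, so lineinfile will create an unloaded file there instead. The block also mixes the legacy `ShibRequireSession On` with the `ShibRequestSetting requireSession 1` form used by `shib.conf` elsewhere in this commit; pick one.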
@@ -139,11 +153,8 @@
  sudo: true
 
 -
- # TODO: Fix it
- name: "Check DB tables has been created or not"
- shell: ls /root/.karaage_db_init
- ignore_errors: true
- sudo: true
+ name: "Check karaage DB has been initialized or not"
+ shell: mysql -h {{ karaageDbHost }}  -u {{ karaageDbName }} --password={{ mysql_user_password }} -Bse 'use karaage; show tables;' | wc -l 
  register: karaage_db_init
 
 -
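Review bot: The new check passes `--password={{ mysql_user_password }}` on the command line, so the secret is visible in `ps` on the target and is printed in the play output both as the command and as the registered result; add `no_log: true` to the task and supply the credential via a `--defaults-extra-file` rather than an argument. The user argument is `-u {{ karaageDbName }}`, i.e. the database name rather than a user variable, which only works while the two happen to coincide. Because the result is piped through `wc -l`, a connection or authentication failure still exits 0 with stdout `0`, indistinguishable from an empty schema, so the downstream migrate will run against a database the play could not reach.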
@@ -158,9 +169,9 @@
 
 -
  name: " Create DB tables"
- shell: kg-manage migrate && touch /root/.karaage_db_init 
+ shell: kg-manage migrate 
  sudo: true
- when: karaage_db_init is not defined
+ when: karaage_db_init.stdout.find("0") == 0
 
 -
  name: "Restarting Celery"
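Review bot: The new gate `karaage_db_init.stdout.find("0") == 0` is a substring test rather than a numeric comparison, and it also fires whenever the check task itself failed, since that pipeline prints `0` on any mysql error; compare numerically, `when: karaage_db_init.stdout | trim | int == 0`, and make the check fail on connection errors (for example `failed_when: karaage_db_init.stderr != ""`) so a failed connection aborts the play instead of triggering `kg-manage migrate`. If `kg-manage migrate` is idempotent, as Django's migrate is, the gate could go away entirely; either way a one-line comment stating why it exists would help the next reader.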
diff --git a/roles/karaage3.1.17/tasks/main.yml b/roles/karaage3.1.17/tasks/main.yml
index 66d2a9b7fc01263ffe647ed8d4961bd90f63d7ec..97bee7661e79a272285cf7b9d5f72d5ddd9ed497 100644
--- a/roles/karaage3.1.17/tasks/main.yml
+++ b/roles/karaage3.1.17/tasks/main.yml
@@ -1,4 +1,14 @@
 ---
+ - name: "Copying the apache key file"
+   template: src="files/{{ apache_key_file }}" dest="{{ x509_key_file }}" mode=0644
+   sudo: true
+   when: apache_key_file is defined
+ 
+ - name: "Copying the apache cert file"
+   template: src="files/{{ apache_cert_file }}" dest="{{ x509_cert_file }}" mode=0644
+   sudo: true
+   when: apache_cert_file is defined
+
  - include: prerequisitesDebian.yml
    when: ansible_os_family == "Debian"
  - include: apacheDebian.yml
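Review bot: The apache key file is written with `mode=0644`, which makes the TLS private key world-readable on the host; use `mode=0600` (or `0640` with the web server's group) on the key task and keep 0644 only for the certificate task. `template` is also the wrong module for PEM material: it runs Jinja over the body, so any `{{` or `{%` sequence breaks the render and trailing whitespace is altered — use `copy`. The `src="files/..."` path implies the private keys are checked into the repository next to the certificates; if they must live there they should be vaulted, and a comment on the task should say so.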
diff --git a/roles/karaage3.1.17/templates/default-ssl.j2 b/roles/karaage3.1.17/templates/default-ssl.j2
index 690c03cc63901cc0eebeb5ece72d62393fe3b373..6462e0a413c8c1e102d02f36eb680324c1938b5e 100644
--- a/roles/karaage3.1.17/templates/default-ssl.j2
+++ b/roles/karaage3.1.17/templates/default-ssl.j2
@@ -59,12 +59,13 @@
 	#   Note: Inside SSLCACertificatePath you need hash symlinks
 	#         to point to the certificate files. Use the provided
 	#         Makefile to update the hash symlinks after changes.
-    {% if x509_cert_path is defined %}
-	SSLCACertificatePath {{ x509_cert_path }} 
+    {% if ldapCaCertFile is defined and ldapCaCertDir is defined %}
+    SSLCACertificatePath {{ ldapCaCertDir }} 
+    SSLCACertificateFile {{ ldapCaCertDir }}/{{ ldapCaCertFile }}
     {% else %}
-	SSLCACertificatePath /etc/ssl/certs/
+    SSLCACertificatePath /etc/ssl/certs/
+    SSLCACertificateFile {{ x509_cacert_file }}
     {% endif %}
-	SSLCACertificateFile {{ x509_cacert_file }}
 
 	#   Certificate Revocation Lists (CRL):
 	#   Set the CA revocation path where to find CA CRLs for client
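Review bot: The new `SSLCACertificatePath {{ ldapCaCertDir }}` / `SSLCACertificateFile` pair ties Apache's client-certificate trust anchors to the LDAP CA variables, and the `else` branch now trusts every CA under `/etc/ssl/certs/`; these directives only govern which CAs may issue client certificates, so whether this matters depends on `SSLVerifyClient`, which is outside this hunk. Unless the LDAP CA is deliberately the issuer for browser client certificates, the branch should not be keyed on `ldapCaCertFile`, and a comment above the block stating the intent would stop the next reader assuming it configures the LDAP connection. The new lines also use spaces where the surrounding file uses tabs; match the file.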
diff --git a/roles/karaage3.1.17/templates/settings.py.j2 b/roles/karaage3.1.17/templates/settings.py.j2
index 2a2a211601e59558fb5272534130040e6312fe46..2fc1a48d4a39833ac5adb17dc4bad597f3dc9da9 100644
--- a/roles/karaage3.1.17/templates/settings.py.j2
+++ b/roles/karaage3.1.17/templates/settings.py.j2
@@ -294,7 +294,8 @@ ACCOUNTS_ORG_NAME = '{{ karaageAcountName }}'
 #
 # default: SHIB_SUPPORTED = False
 #
-# SHIB_SUPPORTED = True
+# TODO: Should we add a variable to use shibboleth or not???
+SHIB_SUPPORTED = True
 
 # Path to AUP policy. Note that setting this will not disable the Karaage
 # default page, it might be better to replace the AUP with a file in
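Review bot: `SHIB_SUPPORTED = True` is now hard-coded in the template, so every deployment of this role gets Shibboleth login enabled whether or not the Apache `<Location /karaage>` protection and shibd exist on the host; the TODO above it already names the fix — template it, e.g. `SHIB_SUPPORTED = {{ karaage_shib_supported | default(False) }}`, driven by the same variable that gates the shibboleth tasks. Replace the TODO with a one-line comment stating that this value must match whether the Apache location is actually Shibboleth-protected.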
diff --git a/roles/karaage3.1.17/vars/readme.txt b/roles/karaage3.1.17/vars/readme.txt
new file mode 100644
index 0000000000000000000000000000000000000000..ab2fcb044db48d903df29ced0d71413e98f89029
--- /dev/null
+++ b/roles/karaage3.1.17/vars/readme.txt
@@ -0,0 +1,4 @@
+
+apache_cert_file: "{{ inventory_hostname }}.{{ domain }}.crt"
+apache_key_file: "{{ inventory_hostname }}.{{ domain }}.key"
+
diff --git a/roles/ldapserver/meta/main.yml b/roles/ldapserver/meta/main.yml
deleted file mode 100644
index 11e79807cceb222f4d145464d2f0db20a1aefec7..0000000000000000000000000000000000000000
--- a/roles/ldapserver/meta/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-dependencies:
-    - { role: easy-rsa-certificate, x509_csr_args: "", x509_sign_args: "--server", x509_cacert_file: "/etc/ssl/certs/ca.crt", x509_key_file: "/etc/ssl/private/server.key", x509_cert_file: "/etc/ssl/certs/server.crt", x509_common_name: "{{ ansible_fqdn }}" }
diff --git a/roles/ldapserver/tasks/main.yml b/roles/ldapserver/tasks/main.yml
index 437211fad504ad1049c7dd3322ff2a61eb4fcbc7..582041c82664276f87e22f95ac0ae7552634c122 100644
--- a/roles/ldapserver/tasks/main.yml
+++ b/roles/ldapserver/tasks/main.yml
@@ -1,6 +1,7 @@
 ---
 
 - include_vars: "{{ ansible_distribution }}_{{ ansible_distribution_version }}_{{ ansible_architecture }}.yml"
+- include_vars: "{{ ansible_distribution }}.yml"
 - name: install system packages apt
   apt: name={{ item }} state=installed update_cache=true
   sudo: true
@@ -13,6 +14,11 @@
   with_items: system_packages
   when: ansible_os_family == 'RedHat'
 
+- name: Fixed default configuration 
+  lineinfile: dest=/etc/default/slapd regexp='^SLAPD_SERVICES="ldap:/// ldapi:///"' line='SLAPD_SERVICES="ldaps:/// ldap:/// ldapi:///"'
+  sudo: true
+  when: ansible_os_family == 'Debian'
+
 - name: hash password
   command: /usr/sbin/slappasswd -h {SSHA} -s {{ ldapManagerPassword }}
   register: ldapManagerHash
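Review bot: The regexp `^SLAPD_SERVICES="ldap:/// ldapi:///"` only matches the stock Debian value, so on a host where the line has already been changed lineinfile appends a second `SLAPD_SERVICES=` assignment at the end of the file rather than editing the existing one; anchor on the key instead, `regexp='^SLAPD_SERVICES='`, and keep `line=` as is. The task name `Fixed default configuration` does not say what it does; `Enable ldaps:// listener in /etc/default/slapd` would.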
@@ -53,8 +59,8 @@
 - name: template acls.ldif
   template: src=acls_ldif.j2 dest=/tmp/acls.ldif
 
-- name: template ppolicy_moduleload.ldif
-  template: src=ppolicy_moduleload_ldif.j2 dest=/tmp/ppolicy_moduleload.ldif
+- name: template load_modules.ldif
+  template: src=load_modules_ldif.j2 dest=/tmp/load_modules.ldif
 
 - name: template ppolicy_overlay.ldif
   template: src=ppolicy_overlay_ldif.j2 dest=/tmp/ppolicy_overlay.ldif
@@ -77,6 +83,12 @@
   file: path={{ cacert | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }}
   sudo: true
 
+# Change to remove easy-rsa and to use fixed key and certs
+- name: copy fixed keys and certs from files directory
+  template: src=files/{{ item.src }} dest="{{ item.dest }}" mode={{ item.mode }} owner=root group=root
+  with_items: ldapCertFiles 
+  sudo: true
+  
 - name: copy cert
   command: cp /etc/ssl/certs/server.crt {{ ldapcert }}
   sudo: true
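Review bot: The new `copy fixed keys and certs` task writes every item as `owner=root group=root`, while the task directly above creates the certificate directory as `{{ ldapuser }}:{{ ldapgroup }}` for slapd; unless `item.mode` grants world read on the private key, slapd cannot open it, so the key should be `group={{ ldapgroup }}` with a `0640` mode rather than made world-readable. The `copy cert` task that follows still copies `/etc/ssl/certs/server.crt`, the output of the easy-rsa dependency this commit deletes, so it will fail on a fresh host unless `ldapCertFiles` happens to write that path. As in the karaage role, `template` is the wrong module for PEM material; use `copy`, and quote the loop as `with_items: "{{ ldapCertFiles }}"`.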
@@ -127,16 +139,6 @@
   register: aclConfigured
 
 
-- name: check DIT config
-  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapBase }} -x -H ldap://localhost objectClass=dcObject"
-  ignore_errors: true
-  register: ditConfigured
-
-- name: check Accounts config
-  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapUserBase }} -x -H ldap://localhost objectClass=*"
-  ignore_errors: true
-  register: accountsConfigured
-
 - name: check real Accounts config
   shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapAccountBase }} -x -H ldap://localhost objectClass=*"
   ignore_errors: true
@@ -153,8 +155,7 @@
   ignore_errors: true
   register: binddnConfigured
 
--
-  name: Initialise cosine and ppolicy
+- name: Initialise cosine and ppolicy
   shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/{{ item }}.ldif -D cn=config
   with_items:
    - ppolicy
@@ -170,22 +171,33 @@
   sudo: true
   when: tlsConfigured|failed
 
+- name: check DIT config
+  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapBase }} -x -H ldap://localhost objectClass=dcObject"
+  ignore_errors: true
+  register: ditConfigured
+
+- name: check Accounts config
+  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapUserBase }} -x -H ldap://localhost objectClass=*"
+  ignore_errors: true
+  register: accountsConfigured
+
 - name: initialise server manager
-  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager.ldif -D cn=config 
+  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager.ldif -D cn=config
   sudo: true
   when: managerConfigured|failed
+
 - name: initialise server manager
-  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager2.ldif -D cn=config 
+  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager2.ldif -D cn=config 
   sudo: true
   ignore_errors: true
   when: managerConfigured|failed
 - name: initialise server manager
-  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager3.ldif -D cn=config 
+  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager3.ldif -D cn=config 
   sudo: true
   when: managerConfigured|failed
 
 - name: initialise server acls
-  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/acls.ldif -D cn=config
+  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/acls.ldif -D cn=config
   sudo: true
   when: aclConfigured|failed
 
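Review bot: The re-added `check DIT config` and `check Accounts config` tasks pass `-w {{ ldapManagerPassword }}` on the command line, so the manager password is visible in `ps` on the host and in the play output of both the command and the registered result; add `no_log: true` and use `-y <password-file>`, or the `ldapi:///` EXTERNAL bind the neighbouring tasks already use. They were moved below the TLS configuration but still bind over plain `ldap://localhost` without `-ZZ`; if the relocation was meant to run them once TLS is up, add `-ZZ`, and either way a comment explaining the new ordering would help, since the `when: ditConfigured|failed` consumers presumably sit further down, outside this hunk.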
@@ -209,3 +221,44 @@
   shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/binddn.ldif
   sudo: true
   when: binddnConfigured|failed
+      
+- name: check ppolicy module loaded
+  shell: slapcat -b cn=config | grep "olcModuleLoad. {.*}ppolicy"
+  sudo: true
+  ignore_errors: true
+  register: ppolicyModuleLoaded
+
+- name: load ppolicy module
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/load_modules.ldif -D cn=config 
+  sudo: true
+  when: ppolicyModuleLoaded|failed
+
+- name: check ppolicy overlay config
+  shell: "slapcat -b cn=config | grep 'dn: olcOverlay=ppolicy,olcDatabase={.*}.db,cn=config'"
+  ignore_errors: true
+  sudo: true
+  register: ppolicyOverlayConfigured
+
+- name: add ppolicy overlay
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ppolicy_overlay.ldif -D cn=config 
+  sudo: true
+  when: ppolicyOverlayConfigured|failed
+
+- name: check pwpolicies config
+  shell: ldapsearch -D cn=binddn,ou=Accounts,{{ ldapDomain }} -w {{ ldapBindDNPassword }} -b ou=pwpolicies,{{ ldapDomain }} objectClass=*
+  ignore_errors: true
+  register: pwpoliciesConfigured
+
+- name: add pwpolicies
+  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/pwpolicies.ldif
+  when: pwpoliciesConfigured|failed
+
+- name: check defaultPwpolicy config
+  shell: ldapsearch -D cn=binddn,ou=Accounts,{{ ldapDomain }} -w {{ ldapBindDNPassword }} -b cn=default,ou=pwpolicies,{{ ldapDomain }} objectClass=*
+  ignore_errors: true
+  register: defaultPpolicyConfigured
+
+- name: add defaultPwpolicy
+  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/default_ppolicy.ldif
+  when: defaultPpolicyConfigured|failed
+
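Review bot: The `check pwpolicies config` and `check defaultPwpolicy config` searches omit `-x`, so ldapsearch attempts a SASL bind rather than the simple bind the `-D`/`-w` pair implies; on a host with no SASL mechanism configured those checks fail every run, the matching `ldapadd` then runs every time and errors with "Already exists" on the second pass. Add `-x -H ldap://localhost` to both checks, as the other search tasks in this file do. The adds also hard-code `cn=Manager,{{ ldapDomain }}` and `cn=binddn,ou=Accounts,{{ ldapDomain }}` where the rest of the file uses `{{ ldapManager }}` and the bind-DN variables, and every one of these tasks puts a password on the command line without `no_log: true`.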
diff --git a/roles/ldapserver/templates/ppolicy_moduleload_ldif.j2 b/roles/ldapserver/templates/load_modules_ldif.j2
similarity index 70%
rename from roles/ldapserver/templates/ppolicy_moduleload_ldif.j2
rename to roles/ldapserver/templates/load_modules_ldif.j2
index 084cc60366dc216b2c24ae1a3d5ef29cdf5e4957..fd643276f003704e547e7b5136f62440f13cef08 100644
--- a/roles/ldapserver/templates/ppolicy_moduleload_ldif.j2
+++ b/roles/ldapserver/templates/load_modules_ldif.j2
@@ -1,5 +1,5 @@
 dn: cn=module,cn=config
 objectClass: olcModuleList
 cn: module
-olcModulePath: /usr/lib64/openldap/
+olcModulePath: {{ module_path }} 
 olcModuleLoad: ppolicy.la
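Review bot: `olcModulePath: {{ module_path }} ` keeps a trailing space after the variable; LDIF requires values with trailing whitespace to be base64-encoded, so a reader may preserve the space as part of the module path — remove it: `olcModulePath: {{ module_path }}`. The two vars files also disagree on form (`/usr/lib/ldap` versus `/usr/lib64/openldap/`); harmless for slapd, but pick one.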
diff --git a/roles/ldapserver/vars/main.yml b/roles/ldapserver/vars/CentOS.yml
similarity index 77%
rename from roles/ldapserver/vars/main.yml
rename to roles/ldapserver/vars/CentOS.yml
index c3953ac3b4519d1c524c869bf716230d12821911..7159629c2947b81c5502b014b053e4a09c1b4970 100644
--- a/roles/ldapserver/vars/main.yml
+++ b/roles/ldapserver/vars/CentOS.yml
@@ -2,4 +2,4 @@
   ldapcert: /etc/openldap/certs/ldapcert.pem
   ldapkey: /etc/openldap/certs/ldapkey.pem
   cacert: /etc/openldap/certs/cacert.pem
-
+  module_path: "/usr/lib64/openldap/"
diff --git a/roles/ldapserver/vars/Debian.yml b/roles/ldapserver/vars/Debian.yml
new file mode 100644
index 0000000000000000000000000000000000000000..7732d830f30bc489eba194ce251fcf02157542dc
--- /dev/null
+++ b/roles/ldapserver/vars/Debian.yml
@@ -0,0 +1,5 @@
+---
+  ldapcert: /etc/ldap/certs/ldapcert.pem
+  ldapkey: /etc/ldap/certs/ldapkey.pem
+  cacert: /etc/ldap/certs/cacert.pem
+  module_path: "/usr/lib/ldap"
diff --git a/roles/mysql/tasks/mysql_server.yml b/roles/mysql/tasks/mysql_server.yml
index 17f11ea8bed3e226bc83be142935246abcf0ac47..9e4b32d5a1c8a1a30daf641f873afd6a7403db79 100644
--- a/roles/mysql/tasks/mysql_server.yml
+++ b/roles/mysql/tasks/mysql_server.yml
@@ -45,7 +45,7 @@
   sudo: true
 
 - name: "Templating mysql configure file"
-  template: src="mysql.cnf.j2" dest=/etc/mysql/conf.d/{{ mysql_config_file_name }}.cnf owner=root group=root
+  template: src="mysql.cnf.j2" dest=/etc/mysql/conf.d/mysqld_safe_syslog.cnf owner=root group=root
   sudo: true
 
 - name: "Adding root"
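Review bot: The template destination is now fixed at `/etc/mysql/conf.d/mysqld_safe_syslog.cnf`, which appears to be the name of a conffile shipped by the Debian/Ubuntu mysql-server package; overwriting it replaces the package's syslog settings and provokes conffile prompts on upgrade. Use a role-specific name that cannot collide, e.g. `dest=/etc/mysql/conf.d/zz-ansible.cnf`, and add a comment saying why the fixed name replaced `mysql_config_file_name`.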
diff --git a/roles/mysql/vars/readme.txt b/roles/mysql/vars/readme.txt
index a17f539ae37d149078df23444a80a1c00d611cb1..ae0e02b275783367720722a8fb8399fe74461478 100644
--- a/roles/mysql/vars/readme.txt
+++ b/roles/mysql/vars/readme.txt
@@ -4,7 +4,6 @@ mysql_type: mysql_client | mysql_server
 mysql_user_db_name: "my_database" 
 mysql_user_name: "my_database" 
 mysql_user_host: "localhost"
-mysql_config_file_name: "mysql_config"
 mysql_root_password: "secret"
 mysql_user_password: "secret"
 
diff --git a/roles/shibboleth-sp/tasks/shibbolethConfig.yml b/roles/shibboleth-sp/tasks/shibbolethConfig.yml
index 00c0b6348ef9394324471d628ddd919d39e000b8..9b12bff3167b250622bcc41f4126fca5a9c88b94 100644
--- a/roles/shibboleth-sp/tasks/shibbolethConfig.yml
+++ b/roles/shibboleth-sp/tasks/shibbolethConfig.yml
@@ -1,11 +1,10 @@
 ---
 -
- name: "Copying the metadata.aaf.xml and aaf-metadata-cert.pem"
- template: src="{{ item }}.j2" dest="/etc/shibboleth/{{ item }}" mode=0644
+ name: "Copying the shibboleth files"
+ template: src=files/{{ item.src }} dest="{{ item.dest }}" mode=0644
+ with_items: shibboleth_file
  sudo: true
- with_items:
-  - metadata.aaf.xml
-  - aaf-metadata-cert.pem
+
 - 
   name: "Setting shibboleth2.xml sp.example.org"
   sudo: true
@@ -13,10 +12,14 @@
   args:
    dest: /etc/shibboleth/shibboleth2.xml 
    regexp: sp.example.org 
-   replace: "{{ ansible_fqdn }}"
+   replace: "{{ ansible_hostname }}.{{ domain }}"
    backup: yes
    
-  
+-
+ name: "Remove SSO entityID"
+ lineinfile: dest=/etc/shibboleth/shibboleth2.xml regexp="^<SSO entityID=" line="<SSO" state=present
+ sudo: true
+
 - 
   name: "Setting shibboleth2.xml handlerSSL"
   sudo: true
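Review bot: The `Remove SSO entityID` task anchors its regexp at column 0, `^<SSO entityID=`, but in the shibboleth2.xml shipped with the SP the `<SSO entityID=...` element is indented inside `<Sessions>`, so the pattern will not match and lineinfile appends a bare `<SSO` at the end of the file, breaking the XML. Use `regexp='^\s*<SSO entityID='` and an indented `line`, after which the existing `discoveryProtocol=...` continuation line completes the element. The task name says what it removes but not why; a comment stating that the SP is meant to select the IdP via discovery rather than a fixed entityID would make the intent clear.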
@@ -24,7 +27,7 @@
   args:
    dest: /etc/shibboleth/shibboleth2.xml 
    regexp: 'handlerSSL="false"' 
-   replace: 'handlerSSL="true"   handlerURL="https://{{ ansible_fqdn }}/Shibboleth.sso"' 
+   replace: 'handlerSSL="true"   handlerURL="https://{{ ansible_hostname }}.{{ domain }}/Shibboleth.sso"' 
    
 
 - 
@@ -97,7 +100,16 @@
   args:
    dest: /etc/shibboleth/shibboleth2.xml 
    regexp: '<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>' 
-   replace: '<CredentialResolver type="File" key="{{ x509_key_file }}" certificate="{{ x509_cert_file }}"/>'
+   replace: '<CredentialResolver type="File" key="{{ x509_key_file }}" certificate="{{ x509_cert_path }}/{{ x509_common_name }}.cert"/>'
+
+- 
+ name: "fix directory access permission"
+ file: path={{ x509_key_file | dirname }} owner=root group=_shibd state=directory mode=750
+ sudo: true
+- 
+ name: "fix key access permission"
+ file: path={{ x509_key_file }} owner=root group=_shibd mode=644
+ sudo: true
 
 -
  name: "Templating attribute-map.xml"
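Review bot: `fix key access permission` sets the SP private key to `mode=644`, making it world-readable and undoing the `750` the directory task just applied; with `owner=root group=_shibd` the key needs only `mode=0640` for shibd to read it. The CredentialResolver replacement now builds the certificate path from `{{ x509_cert_path }}/{{ x509_common_name }}.cert` while the key still comes from `{{ x509_key_file }}`; since this commit removes the easy-rsa dependency elsewhere, a comment should state which role now populates those three variables. The `_shibd` group is Debian-specific, so the two `file` tasks want a `when: ansible_os_family == 'Debian'` guard or a group variable.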
@@ -109,18 +121,22 @@
  notify:
    - Restarting Apache
    - Restarting shibboleth
+-
+ name: "Copy shib.conf"
+ sudo: true
+ template: src=shib.conf dest="/etc/apache2/conf-available/shib.conf" mode=0644
+-
+ name: "Link shib.conf"
+ sudo: true
+ file: src=/etc/apache2/conf-available/shib.conf path=/etc/apache2/conf-enabled/shib.conf state=link 
+ notify: Restarting Apache
+
 -
  name: "Starting Apache"
  sudo: true
- service:
- args:
-  name: apache2
-  state: started
+ service: name=apache2 state=started
 
 -
  name: "Starting shibboleth"
  sudo: true
- service:
- args:
-  name: shibd
-  state: started
+ service: name=shibd state=started
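Review bot: Only the `Link shib.conf` task notifies `Restarting Apache`, so a later change to the content of `shib.conf` on a host where the symlink already exists is written but never picked up until something else restarts Apache; add `notify: Restarting Apache` to the `Copy shib.conf` task as well. The two service tasks are `state=started` only and will not reload on config changes either, which is what the handlers are for — so every task that touches shibboleth2.xml or the Apache config must notify one.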
diff --git a/roles/shibboleth-sp/templates/shib.conf b/roles/shibboleth-sp/templates/shib.conf
new file mode 100644
index 0000000000000000000000000000000000000000..13be15aff19f9f0a39785ced2cc550d2b2dc52e2
--- /dev/null
+++ b/roles/shibboleth-sp/templates/shib.conf
@@ -0,0 +1,5 @@
+<Location /secure>
+  AuthType shibboleth
+  ShibRequestSetting requireSession 1
+  require valid-user
+</Location>