diff --git a/lib/units/auth/saml2.js b/lib/units/auth/saml2.js
index bdd6939d..90df035f 100644
--- a/lib/units/auth/saml2.js
+++ b/lib/units/auth/saml2.js
@@ -11,6 +11,8 @@ var logger = require('../../util/logger')
 var urlutil = require('../../util/urlutil')
 var jwtutil = require('../../util/jwtutil')
+const dbapi = require('../../db/api')
+
 module.exports = function(options) {
 var log = logger.createLogger('auth-saml2')
 var app = express()
@@ -18,14 +20,23 @@ module.exports = function(options) {
 app.set('strict routing', true)
 app.set('case sensitive routing', true)
- app.use(bodyParser.urlencoded({extended: false}))
- app.use(passport.initialize())
- passport.serializeUser(function(user, done) {
- done(null, user)
- })
- passport.deserializeUser(function(user, done) {
- done(null, user)
+ app.get('/auth/contact', function(req, res) {
+ dbapi.getRootGroup().then(function(group) {
+ res.status(200)
+ .json({
+ success: true
+ , contact: group.owner
+ })
+ })
+ .catch(function(err) {
+ log.error('Unexpected error', err.stack)
+ res.status(500)
+ .json({
+ success: false
+ , error: 'ServerError'
+ })
+ })
 })
 var verify = function(profile, done) {
@@ -54,7 +65,23 @@ module.exports = function(options) {
 })
 }
- passport.use(new SamlStrategy(samlConfig, verify))
+ var mySamlStrategy = new SamlStrategy(samlConfig, verify)
+ app.get('/auth/saml/metadata', function(req, res) {
+ res.type('application/xml')
+ res.send((mySamlStrategy.generateServiceProviderMetadata()))
+ })
+
+ app.use(bodyParser.urlencoded({extended: false}))
+ app.use(passport.initialize())
+
+ passport.serializeUser(function(user, done) {
+ done(null, user)
+ })
+ passport.deserializeUser(function(user, done) {
+ done(null, user)
+ })
+
+ passport.use(mySamlStrategy)
 app.use(passport.authenticate('saml', {
 failureRedirect: '/auth/saml/'
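Review bot: The new `/auth/contact` handler returns the whole `group.owner` object, and since the route is registered ahead of the `passport.authenticate('saml', ...)` middleware it appears to be reachable without a session. Every field the owner record holds now, or gains later, is therefore exposed to any caller. Returning an explicit subset keeps the public surface fixed, for example `contact: {name: group.owner.name, email: group.owner.email}` (field names assumed; the owner schema is not visible in this diff). If `getRootGroup()` can resolve to nothing, the property access throws into the `.catch` and is reported as 'Unexpected error' with a 500, so a guard such as `if (!group) { return res.status(404).json({success: false}) }` would keep that case out of the error log.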
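Review bot: `generateServiceProviderMetadata()` is called with no arguments in the `/auth/saml/metadata` handler, so the published metadata carries no certificate. If `samlConfig` (built outside this hunk) configures a decryption key, passport-saml is expected to throw for the missing `decryptionCert`, and nothing in the handler catches it. I would pass the public certificate that matches the configured key and wrap the call in a `try`/`catch` that logs through `log.error` and answers with a plain 500, as the `/auth/contact` handler does. The doubled parentheses in `res.send((...))` can also be dropped.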