diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml index 629a467..64019b9 100644 --- a/global/overlay/etc/puppet/cosmos-rules.yaml +++ b/global/overlay/etc/puppet/cosmos-rules.yaml @@ -1,11 +1,13 @@ # Note that the matching is done with re.match() '.*\.cert\.sunet\.se$': soc: + sunet::startship: sunet::server: fail2ban: false ssh_allow_from_anywhere: false -'^internal-sto1-dev-vulndash-1.cert.sunet.se$': +'^vul-dashboard-test.cert.sunet.se$': + sunet::dockerhost2: # soc::sso: # hostname: 'vd-dev.cert.sunet.se' # email: 'cert@cert.sunet.se' @@ -16,7 +18,6 @@ # certbot: false test-sso-proxy1.cert.sunet.se: - sunet::starship: sunet::dockerhost2: sunet::certbot::acmed: soc::satosa: diff --git a/global/overlay/etc/puppet/modules/soc/files/sso/acme-dns-auth.py b/global/overlay/etc/puppet/modules/soc/files/sso/acme-dns-auth.py deleted file mode 100755 index 6873088..0000000 --- a/global/overlay/etc/puppet/modules/soc/files/sso/acme-dns-auth.py +++ /dev/null 
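Review bot: The class added under the `'.*\.cert\.sunet\.se$'` rule in the first hunk is spelled `sunet::startship:`, while the line removed from `test-sso-proxy1.cert.sunet.se` in the second hunk is `sunet::starship:`; unless a class by the misspelled name actually exists, every host matched by the catch-all rule will fail catalog compilation on an unknown class. The added line should read `sunet::starship:`. Separately, the new key `'^vul-dashboard-test.cert.sunet.se$'` leaves its dots unescaped although the file header says keys are matched with `re.match()` and the first key escapes them; writing it as `'^vul-dashboard-test\.cert\.sunet\.se$'` keeps the rule from matching unintended hostnames, even though the key it replaces had the same unescaped form.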
@@ -1,154 +0,0 @@ -#!/usr/bin/env python3 -import json -import os -import requests -import sys - -### EDIT THESE: Configuration values ### - -# URL to acme-dns instance -ACMEDNS_URL = "https://acme-d.sunet.se" -# Path for acme-dns credential storage -STORAGE_PATH = "/etc/letsencrypt/acmedns.json" -# Whitelist for address ranges to allow the updates from -# Example: ALLOW_FROM = ["192.168.10.0/24", "::1/128"] -ALLOW_FROM = [] -# Force re-registration. Overwrites the already existing acme-dns accounts. -FORCE_REGISTER = False - -### DO NOT EDIT BELOW THIS POINT ### -### HERE BE DRAGONS ### - -DOMAIN = os.environ["CERTBOT_DOMAIN"] -if DOMAIN.startswith("*."): - DOMAIN = DOMAIN[2:] -VALIDATION_DOMAIN = "_acme-challenge."+DOMAIN -VALIDATION_TOKEN = os.environ["CERTBOT_VALIDATION"] - - -class AcmeDnsClient(object): - """ - Handles the communication with ACME-DNS API - """ - - def __init__(self, acmedns_url): - self.acmedns_url = acmedns_url - - def register_account(self, allowfrom): - """Registers a new ACME-DNS account""" - - if allowfrom: - # Include whitelisted networks to the registration call - reg_data = {"allowfrom": allowfrom} - res = requests.post(self.acmedns_url+"/register", - data=json.dumps(reg_data)) - else: - res = requests.post(self.acmedns_url+"/register") - if res.status_code == 201: - # The request was successful - return res.json() - else: - # Encountered an error - msg = ("Encountered an error while trying to register a new acme-dns " - "account. 
HTTP status {}, Response body: {}") - print(msg.format(res.status_code, res.text)) - sys.exit(1) - - def update_txt_record(self, account, txt): - """Updates the TXT challenge record to ACME-DNS subdomain.""" - update = {"subdomain": account['subdomain'], "txt": txt} - headers = {"X-Api-User": account['username'], - "X-Api-Key": account['password'], - "Content-Type": "application/json"} - res = requests.post(self.acmedns_url+"/update", - headers=headers, - data=json.dumps(update)) - if res.status_code == 200: - # Successful update - return - else: - msg = ("Encountered an error while trying to update TXT record in " - "acme-dns. \n" - "------- Request headers:\n{}\n" - "------- Request body:\n{}\n" - "------- Response HTTP status: {}\n" - "------- Response body: {}") - s_headers = json.dumps(headers, indent=2, sort_keys=True) - s_update = json.dumps(update, indent=2, sort_keys=True) - s_body = json.dumps(res.json(), indent=2, sort_keys=True) - print(msg.format(s_headers, s_update, res.status_code, s_body)) - sys.exit(1) - -class Storage(object): - def __init__(self, storagepath): - self.storagepath = storagepath - self._data = self.load() - - def load(self): - """Reads the storage content from the disk to a dict structure""" - data = dict() - filedata = "" - try: - with open(self.storagepath, 'r') as fh: - filedata = fh.read() - except IOError as e: - if os.path.isfile(self.storagepath): - # Only error out if file exists, but cannot be read - print("ERROR: Storage file exists but cannot be read") - sys.exit(1) - try: - data = json.loads(filedata) - except ValueError: - if len(filedata) > 0: - # Storage file is corrupted - print("ERROR: Storage JSON is corrupted") - sys.exit(1) - return data - - def save(self): - """Saves the storage content to disk""" - serialized = json.dumps(self._data) - try: - with os.fdopen(os.open(self.storagepath, - os.O_WRONLY | os.O_CREAT, 0o600), 'w') as fh: - fh.truncate() - fh.write(serialized) - except IOError as e: - print("ERROR: 
Could not write storage file.") - sys.exit(1) - - def put(self, key, value): - """Puts the configuration value to storage and sanitize it""" - # If wildcard domain, remove the wildcard part as this will use the - # same validation record name as the base domain - if key.startswith("*."): - key = key[2:] - self._data[key] = value - - def fetch(self, key): - """Gets configuration value from storage""" - try: - return self._data[key] - except KeyError: - return None - -if __name__ == "__main__": - # Init - client = AcmeDnsClient(ACMEDNS_URL) - storage = Storage(STORAGE_PATH) - - # Check if an account already exists in storage - account = storage.fetch(DOMAIN) - if FORCE_REGISTER or not account: - # Create and save the new account - account = client.register_account(ALLOW_FROM) - storage.put(DOMAIN, account) - storage.save() - - # Display the notification for the user to update the main zone - msg = "Please add the following CNAME record to your main DNS zone:\n{}" - cname = "{} CNAME {}.".format(VALIDATION_DOMAIN, account["fulldomain"]) - print(msg.format(cname)) - - # Update the TXT record in acme-dns instance - client.update_txt_record(account, VALIDATION_TOKEN) diff --git a/global/overlay/etc/puppet/modules/soc/files/sso/frontend.xml b/global/overlay/etc/puppet/modules/soc/files/sso/frontend.xml index 8b13789..564331f 100644 --- a/global/overlay/etc/puppet/modules/soc/files/sso/frontend.xml +++ b/global/overlay/etc/puppet/modules/soc/files/sso/frontend.xml 
@@ -1 +1,12 @@ - + +nFSzCo/PD8NHgfhbSll7FPPMRn0=JkP8EE2nm6fWVdRF9pFjeyYJvvUydbWydqKWr7OU6pKpmdUsNEsg3iTzzmOUOsM3 +UcH8E86ff6akEmPHtgY6HAcRoc4bQdx3QyJFjRxVXgRPWEaYRfq8pjec2DcRHN9n +DQ7GHS8zLiErn2r3EOvP4Y4HuBv0dkNwczEIpsrvfBsYYfTdYJt17A42Duj+RKoP +jc2B9XTRmk4FhkN0pqeQ6iw/2V5Db8+VYzdHkXIJ9Hih1BLVpVgz+zWTXtn2XMXB +csS065j6rqTCs46SeQQh2IyEsbfndA4/4olfsy3viwS5PQ0z9wvb9BMi7pbdweJQ +8u/Rs0gWT8OgiRjB3tZkezQhaU52eScE5WYRQba/Cwr7gwclbhybxMgc5X+zENaY +7tipK1VuPebsER6ZAB1qVxTGDtkw1RdTjTaMtBvcRnJaE84IAzY5otU7/kU3bO0G ++9/PKsEFuHGvGulZG6zegntE4BidaMfLGoN0cnaCPXr7RnSwG1iEz7UQBDq3Rgj5 +3Nd60m+SPySKSBkYOFQPHbtFxlobL1PTkt3j139bRodnvxtckQ4Lirw9BO2yS7Q6 +Oqesp3dWmpGSuoZ7twMklz5KYCZPnq/+GLWKX0IhF3djxUxmXCCZhld4C3YTYSYz +G1BFbUnsoWRDw4975MuovnRsd7DTiXHW3gAxVz7RwN4=MIIFFTCCAv2gAwIBAgIUaPhsQpj7XhL4ydnikGQEzVI5x8YwDQYJKoZIhvcNAQELBQAwGjEYMBYGA1UEAwwPc2F0b3NhX21ldGFkYXRhMB4XDTI0MTAzMDEyMTMyMVoXDTM0MTAyODEyMTMyMVowGjEYMBYGA1UEAwwPc2F0b3NhX21ldGFkYXRhMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyhEgpwXLwiQErxg6qbsAVfyR+f6akvl56tmuIkn+vequDOMmKSeJ8bXTa43aYkixIZoL3BZakZQB9uUqx0pLTfPSS24alR5jZnEXem5c8/NBIUXyX+o0IKo2WrOcHk4p/O1owyYmqNfvu7PUu0hO65of42zrW97RYNoI01PQ8FBO/pzgkbv/9rOBKk78z1lW+k4FQej73GA+XmMFzwYiQRfWMmTqZuIv7oi52lgtcc1UIAoKZSKECGBCthpfixXZQV/O7NIUeNi76domGkjvg9smkDFCzsvgHoAu1HKsQV2IcvGf9pspqspRmckEqL+OomIXQhpZzxMqYSdAv1IKbPBWZf/vTzfGPMx+BUpGBJbf00lODn8uHenJp3V3ZOn9ze78DgbRqWCdix5+8jWkZHi4j+nJwGXubB0cNFgCqNFrVt6JejSZjg/4fKySPjZzNeA80gD77cav+YMq9lmw4n3YqjExweXuWFvuqc741zrl9GJw3IuU+IHkjwCo8Ls3mdmJD1u55Z+wbSxYMl80szlqj68qeG/jTy60Z/II91zeE6OcbgNh9MVo14A9wuI5rOtJN6mDZ53ZI/nWCkusok7t0PUhXV0zs4hj483vCTywR2HAU8LSVp+HMwsTeRC1ckRif9Nt7gmVCHcYDYOdJvcSbo92Z7hpIEDSHbLxQO0CAwEAAaNTMFEwHQYDVR0OBBYEFClsBiNqmeM3ZdYSFV/LHcAhy8LrMB8GA1UdIwQYMBaAFClsBiNqmeM3ZdYSFV/LHcAhy8LrMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAJMsrgCjszKIJKgWvS0fmjvB721GSr19BRHgSD4Y1RqbRPxvSX5M/aIBhOJBih8B0O5+0vF66I2HxK7EASxmLxzQccRQ+xZyim8dWeeMzxIPal9Oi67zta4WroEdAQFL8nDbdJwA6C1eMHSg2IALN7/yIxxiQdNuepyT/9xZOt/so5AeowR6Ru3RZijhdvjh
r5+EKHUJNwUewoR9iUC7XAYXWaQzeVqRXg6XtPBMVUIiVEVjPmudYNfj35/RnZy6GYrZijetUbqNy1fONkmCbxiYeLbr2TAApD8u3bJoYZAzKJGtG4LzKB+cX8UqIa3DN7sbRzmWm1z0MQ0BQHLhJGxjM2Jv3/0mxFB4Z/zZ+TilhrP2NyPcwYoI3ovl98oASJjTD7AQ+iEZ/0iMvK+HDLVuHq8kbOgvxjjg60S+SYM1t/Ul5bbAMaxABCmRoA+S6JLR2lGpHSA38ZzajdvnLeKLMTpZbEsy+/oaVR4DQcmUjKLAsj7VpIq4xjfz2RXIlh+9HNg18Lg+F+tnduf2KtUDUkY8woFb7+4NNQhGkUoAlAMTYQrTQkYI7T3fTccpo7FY078SGFx78t7uVmF6NXyrj22yi37pzIwP9C3iH08Un2iBXNNMjAOWIbbZ8Y1P3ImmkIhQWZQa0I2vOq//oKEstvgDIFWKq6XgeMM+EBKBMIIFFTCCAv2gAwIBAgIUA8ivWRCE3JnzQOsKWqbEuZmoytIwDQYJKoZIhvcNAQELBQAwGjEYMBYGA1UEAwwPc2F0b3NhX2Zyb250ZW5kMB4XDTI0MTAzMDEyMTMyMFoXDTM0MTAyODEyMTMyMFowGjEYMBYGA1UEAwwPc2F0b3NhX2Zyb250ZW5kMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApuI3TLwWOnEReXU8Q3FZS7r6aRQoqdmf9nhjEWkrgvg6/leGh15APr2YIT+jPkhLaGT1wbzyONPvxAZDDPFWl4IvDFQfI0C3zdVZqlm/wpCauRzmwNtaKRgT92egqcJo0TIg8FvLZOHkW2fEWbNhRp5fMgnwEp41SeQQ5LK9VkSaU7DUtbk2CFC0SNjZ+nHjofIShJcGkF7l0rCojbhrUuVJ6dTjLr6GAjSQjOxuanzX0x4cFvJUzUkjaQNGNCCoTP/X3Jy6+bvePI3icJMHo6aaJw5l27VoBKkH7Wget9YB9RlDDpXiReQqWSjTFqHei+FFzlR4PNIzZMmyQ2cgU/h7IYEt3C3/Vtvwz002gSrXmNJFhqxXYx7dIOtGcEOYPaGbM929JZ0m2ORPcHDuT25mP71FxaYvsEVUoTalazmiov+1ykmDTYRj2puBnacr/CaJ0u/S6P7fZvgjDkyWEFUsupaPJZC+tso9e5rsQzIGrcU0gU0rcq1cWtIJcutcXHws2PU46iDrLCsuhYEjdTYr2VrKIykDlAIyciiu4qW3yVyS4CX+fGgkUHU8QprKO3IQ576UaMEC/nYGHV+SqzXB0vSf6EjGvB1piht0BY6BOvUEBMn1MM1bIei/spIDxxYE8WY0Cc/GoqD7lz7M6l/1LpQetOFR94j+cn24A/UCAwEAAaNTMFEwHQYDVR0OBBYEFNc38V1SAlnSemXRMulraf+Af1h0MB8GA1UdIwQYMBaAFNc38V1SAlnSemXRMulraf+Af1h0MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBADoDfxStqezcslsGgLdPfKEnCROdpOZi8OXcgW37lDRczsbjq1dZdTUorF/dku9UHa4Y8Qf4d4zz0qDeSz9JiItPZ4wps77o79zFA9wgn+uDXROoi+BhlC2NnJER4T0CnQHR3b+7z/mxlCyyh9bzrTYqwY4sq2r3nUcZSudTZnXd/vKTcfgBSziggmF6K/YbfsLyUc/opyH60KFxbPBoQvgPrQADtrgvB54zBS79VpytQ89KW7XkNr/hUndt0Jf8fEk/ShgZe5xtxa8Hemf9cophS9wnvBDtRD8e8v0/i9QKluCmaJjcQATeAUjAtORBb5pwkzVfwAk90hz88BQ10ThO/OrjPe6cilLzkBSV2m/9Ve+IDI8axhKtSKqoGJyuIkMmlQc7Kf6IuFKP59rH6l2EcR3oXGOmffz+u4JYSxuvqYsbIQM2DvYw5qbOAYL6jz6h
Cp99F/mKeYupXbexXJjncXPBAB/KOXzE2acGMBjAm7KB62a2RGYWaclsctuEXzZD/q+K42Y81vXa3ysCmRaSR3KaU04YSn/e8/U6ZBwqmzm2rqmvw3uO4EYEOAyefHMKO51dhdtW4nzAnPjFojZS6aNnBlZR38X1YQMfWW/CSinrurrUvIoEAvpF0C7OiJFAuQoc4SND2ZJ83uEW3AfMN6GXz4OWdxtk6+2TMBzAurn:oasis:names:tc:SAML:2.0:nameid-format:transient diff --git a/global/overlay/etc/puppet/modules/soc/manifests/sso.pp b/global/overlay/etc/puppet/modules/soc/manifests/sso.pp index 7ae51a6..c7be754 100644 --- a/global/overlay/etc/puppet/modules/soc/manifests/sso.pp +++ b/global/overlay/etc/puppet/modules/soc/manifests/sso.pp @@ -38,7 +38,7 @@ class soc::sso( $single_user = false, $front_clients = '', $satosa = true, - $satosa_certbot = true, + $satosa_certbot = false, $translog = 'INFO', $proxy = 'https://shared-sso-proxy1.cert.sunet.se/idp', $norpan = false,
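Review bot: Flipping the default of `$satosa_certbot` from `true` to `false` silently changes behaviour for every `soc::sso` node that relies on the default instead of setting the parameter explicitly; this commit shows only one rule (`test-sso-proxy1.cert.sunet.se`, now on `sunet::certbot::acmed`) moving to the new ACME path, and the `acme-dns-auth.py` hook that presumably backed the old flow is deleted in the same commit, so any other node still expecting certbot to issue the SATOSA certificate would be left without renewal. Confirm in cosmos-rules.yaml or Hiera that no remaining `soc::sso` host depends on the old default, or keep `true` here and override to `false` per host. A one-line comment above the parameter, `# certificate issuance moved to sunet::certbot::acmed; set true only for hosts still on the certbot/acme-dns flow`, would record the reason for the flip. The `soc::sso` parameter list begins and continues outside the hunk.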