diff --git a/global/overlay/etc/puppet/modules/soc/files/sso/services-frontend.xml b/global/overlay/etc/puppet/modules/soc/files/sso/services-frontend.xml new file mode 100644 index 0000000..e82aa7e --- /dev/null +++ b/global/overlay/etc/puppet/modules/soc/files/sso/services-frontend.xml @@ -0,0 +1,12 @@ + +ea5CK5EebDHy83Z2KsAPryq25U8=DeE1XpN5qlzzMbebl7VNswoh9esm9PWEnS/jsN3t7ucm3ws2IjUP5kP1r9BMD9x6 +lPhP+pgbPB4NTYBI/D5TYBS92VMSPy1XlT8q6mbzcauNOxJPRlaTRo5PR+jB3HUe +CHxvyCoNezr0LqOWAeEn6VDOhZcQrpKLnRyYx9lQdrcdInE0gaDCLq2FA/dhsFp8 +ahyfRG5i8DSyL1vOJY4bQsaPV/oi5XqvtFEDtXpu4we3XlxCG2749z3s30Sy9od+ +oTZGb0dpKRL5qaD9xM+dez6Qhj/0pta+o4ffLz2nVXaD+ZMYuZ8R7eJTFzsl94CD +ky9XHptY/HMxya0lXlrzh7hDq1qNsOu4a0aX4RMpFTfo1ljZYkapKPRwu3d8oOfs +UqjjR2eQJkY0tekM3R9ugLve/+yyDYHcKtMoeTGjR2+MggpWvmOwHWoX94orZBx5 +FVJFhZAqum+IVghKwm5MpnWFjvhumAfUqq5iUFQL6d1w3fghCL5pSK2FHqmg/6Pd +tZ0p2cTtpUP8g9DowZng/L7FktHdDItfsnTbwOJTzcBCYRCFpr0lA+ns+Uf1znvM +mIfqqasWKvCOlzD+UXm1L6bdgEOSL+NxOhRHf3qL4Tqbc6mhWA2e7E1Ooz1QvYDv +2/kge8PVWwCb5voQvQ0M0rZnkAxce5mjDeJ3gRnu7Wk=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:oasis:names:tc:SAML:2.0:nameid-format:transient diff --git a/global/overlay/etc/puppet/modules/soc/files/sso/frontend.xml b/global/overlay/etc/puppet/modules/soc/files/sso/test-frontend.xml similarity index 100% rename from global/overlay/etc/puppet/modules/soc/files/sso/frontend.xml rename to global/overlay/etc/puppet/modules/soc/files/sso/test-frontend.xml diff --git a/global/overlay/etc/puppet/modules/soc/manifests/sso.pp b/global/overlay/etc/puppet/modules/soc/manifests/sso.pp index 70c4a88..f4d15a9 100644 --- a/global/overlay/etc/puppet/modules/soc/manifests/sso.pp +++ b/global/overlay/etc/puppet/modules/soc/manifests/sso.pp 
@@ -1,10 +1,14 @@ # General SSO class for SOC. Based on cnaas::sso # +# @param ssotype Deploy either using docker och plain apache +# # @param hostname FQDN of the host this is running on. # # @param email Support email used in error messages etc. # -# @param service_endpoint Location of service to reverse proxy for. +# @param service_endpoint Location of service to reverse proxy for. [docker] +# +# @param use_groups Should we use groups (default) or are anyone allowed to login. # # @param groups # List of user groups from sso_groups in global/overlay/etc/hiera/data/common.yaml. The @@ -12,9 +16,19 @@ # # @param passthrough List of paths to disable SAML protection for, e.g. API paths. # -# @param x_remote_user +# @param x_remote_user (DEPRECATED) # If true, EPPN is put in the HTTP header X-Remote-User instead of REMOTE_USER. # +# @param remote_user (DEPRECATED) +# If true, EPPN is put in the HTTP header Remote-User +# +# @param user_header +# Name of header to put EPPN in. Only used if both x_remote_user and remote_user are false +# +# @param unset_auth_header +# If set always clear auth_header to not confuse application that normally rely on +# basic auth. I.e. graylog4+ +# # @param single_user # If true, EPPN is discarded and X-Remote-User is set to "soc-user". This is useful in # cases where the service we reverse proxy for can't create new accounts automatically. 
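Review bot: The new `@param use_groups` line in the first hunk does not say what turning the flag off means for authorization; going by the later hunk in this diff that wraps the `$apache_groups` file in `if $use_groups`, false skips the group ACL entirely, so any user the proxy authenticates is accepted — a deliberate opening of the service that the docs should spell out. Suggest `# @param use_groups If true (default), only members of $groups may log in; if false no group ACL is written and any authenticated user is accepted.` In the same hunk `docker och plain apache` should read `docker or plain apache`.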
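Review bot: The `@param unset_auth_header` text in the second hunk names `auth_header` without saying which header it is or where it is cleared; if this is the `Authorization` header stripped before the request is proxied, say so, e.g. `#   If true, remove the Authorization header before proxying so applications that fall back to HTTP basic auth (e.g. Graylog 4+) do not try to validate it.` — the apache/shibboleth config that acts on it is outside this diff, so confirm the wording against it. `user_header` could likewise state its default value, which the signature hunk in this diff does not show.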
@@ -26,14 +40,22 @@ # @param proxy # Hostname of the satosa proxy. # +# @param fronted +# Which frontend.xml file to use if we use a proxy (could be cleaner) +# # @param entityID -# EntityID of the satosa proxy, must not be the same as the proxy hostname. +# EntityID of the satosa proxy, might not be the same as the proxy hostname. # Default set to value of proxy. +# +# @param extra_proxy_conf +# Extra apache configuration files to inlcude in sso-proxy-conf (docker) +# class soc::sso( String $ssotype = 'docker', String $hostname = $facts['networking']['fqdn'], String $email = 'cert@cert.sunet.se', Optional[String] $service_endpoint = undef, + Boolean $use_groups = true, Array $groups = ['PLACEHOLDER'], Array $passthrough = [], Boolean $x_remote_user = false, @@ -44,8 +66,9 @@ class soc::sso( Boolean $satosa = true, Boolean $satosa_certbot = false, String $translog = 'INFO', - String $proxy = 'https://shared-sso-proxy1.cert.sunet.se/idp', - String $entityID = $proxy, + String $proxy = 'https://test-sso-proxy1.cert.sunet.se/idp', + String $frontend = 'test', + String $entity_id = $proxy, Optional[String] $extra_proxy_conf = undef, ) { @@ -77,8 +100,10 @@ class soc::sso( content => file('soc/sso/apache-ssl.conf'), } } elsif $ssotype == 'apache' { - package { ['apache2',]: - ensure => installed, + unless Package['apache2'] { + package { ['apache2',]: + ensure => installed, + } } } @@ -90,9 +115,11 @@ class soc::sso( $apache_groups = '/tmp/groups.txt' } - file { $apache_groups: - ensure => file, - content => template('soc/sso/apache-groups.txt.erb') + if $use_groups { + file { $apache_groups: + ensure => file, + content => template('soc/sso/apache-groups.txt.erb') + } } # @@ -124,7 +151,6 @@ class soc::sso( exec { 'Enable custom 401 error document': command => 'a2enconf apache-errors', creates => '/etc/apache2/conf-enabled/apache-errors.conf', - notify => Service['apache2'], } } elsif $ssotype == 'docker' { $shibbase = '/opt/sso/shibboleth' 
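Review bot: `# @param fronted` in the first hunk should be `# @param frontend`, matching the new `String $frontend = 'test'` parameter, and the `@param entityID` entry no longer matches its parameter, which the signature hunk renames to `$entity_id`; puppet-strings will warn on both. `inlcude` should be `include`. Suggest `# @param frontend` / `#   Which <name>-frontend.xml file under soc/sso to install when $satosa is true (e.g. 'test', 'services').` and `# @param entity_id`.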
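Review bot: The default `$proxy` moves from `shared-sso-proxy1.cert.sunet.se` to `test-sso-proxy1.cert.sunet.se`, so any host that does not set `soc::sso::proxy` in hiera now trusts the test SSO proxy as its IdP and, with `$frontend = 'test'`, installs its metadata; a production service silently bound to a test identity provider is a weaker trust boundary than the previous default. If test-first is the intent, say so in a comment on the `$proxy` line, otherwise keep the shared proxy as default and select the test one per host. Separately, renaming `$entityID` to `$entity_id` changes the automatic hiera key from `soc::sso::entityID` to `soc::sso::entity_id`; data using the old key will silently fall back to the default (`$proxy`), so either keep the old name or check hiera for the old key.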
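Review bot: `unless Package['apache2'] {` does not test whether the resource is already declared; a resource reference is a value that is always truthy in a condition, so the branch never runs and this class no longer declares apache2 in `apache` mode. Use the built-in check instead, `unless defined(Package['apache2']) {` (parse-order dependent, so the shared declaration must be evaluated first), or `ensure_packages(['apache2'])` if stdlib is available to this module.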
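Review bot: When `$use_groups` is false the class stops managing `$apache_groups` but never removes a file written by an earlier run, so a host switched from group-restricted to open login keeps a stale ACL file on disk; and the apache/shib config that consumes `$apache_groups` (outside this diff) must itself honour `$use_groups`, otherwise a `Require` against a file that is no longer managed fails closed for everyone rather than opening up. Add an else branch: `} else { file { $apache_groups: ensure => absent } }`.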
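Review bot: Dropping `notify => Service['apache2']` from the `a2enconf apache-errors` exec means the custom 401 error document is not activated until something else restarts apache, so on a fresh run the default error page is served. If it was removed because `Service['apache2']` is no longer declared in this mode, a one-line comment on the exec saying so would stop the next reader from adding it back.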
@@ -157,7 +183,7 @@ class soc::sso( if $satosa { file { "${shibbase}/frontend.xml": ensure => file, - content => file('soc/sso/frontend.xml'), + content => file("soc/sso/${frontend}-frontend.xml"), } file { "${shibbase}/attribute-policy.xml": @@ -170,9 +196,9 @@ class soc::sso( hiera_key => 'sso_sp_key' } } else { - sunet::snippets::keygen {'shib_cert': - key_file => "${shibbase}/sp-key.pem", - cert_file => "${shibbase}/sp-cert.pem" + sunet::snippets::keygen {'shib_soc': + key_file => "${shibbase}/sp-key.pem", + soc_file => "${shibbase}/sp-cert.pem" } } } else {
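Review bot: `file("soc/sso/${frontend}-frontend.xml")` interpolates an unconstrained `String` into a module file path; `$frontend` only comes from class parameters or hiera, so this is not injection in the usual sense, but a typo surfaces as an opaque `file()` lookup failure and the IdP metadata the SP trusts is chosen by a free-form string. Constrain the parameter to the files that exist, `Enum['test', 'services'] $frontend = 'test',` in the signature (outside this hunk), so a wrong value fails at compile time with a clear message. A comment on this `file` resource naming which proxy each metadata file belongs to and how it is refreshed when the proxy re-signs it would also help.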
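Review bot: `soc_file => "${shibbase}/sp-cert.pem"` in the second hunk looks like a blanket `cert`→`soc` replacement that also renamed the resource title; the define is outside this diff, but given that `sunet::snippets::keygen` accepted `cert_file` before this change, `soc_file` is an unknown parameter, catalog compilation fails, and no SP key/cert is generated on the non-hiera path. Revert the parameter name: `sunet::snippets::keygen {'shib_soc':` / `  key_file  => "${shibbase}/sp-key.pem",` / `  cert_file => "${shibbase}/sp-cert.pem"`. The title change is harmless only if nothing elsewhere references `Sunet::Snippets::Keygen['shib_cert']`.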