diff --git a/apps/sonar/check.rhai b/apps/sonar/check.rhai
new file mode 100644
index 0000000..1d67ecd
--- /dev/null
+++ b/apps/sonar/check.rhai
@@ -0,0 +1,13 @@
+const DOMAIN = config.domain;
+fn check_domain() { assert(have_namespace(`${global::DOMAIN}`), `There is no ${global::DOMAIN} namespace`); }
+fn check_authentik() { assert(have_namespace(`${global::DOMAIN}-auth`), `There is no ${global::DOMAIN}-auth namespace`); assert(have_install(`${global::DOMAIN}-auth`, "authentik"), `No authentik installation in ${global::DOMAIN}-auth`); assert(have_secret(`${global::DOMAIN}-auth`, "authentik"), `No authentik secret in ${global::DOMAIN}-auth`); }
+fn pre_check() { check_domain(); check_authentik(); }
diff --git a/apps/sonar/index.yaml b/apps/sonar/index.yaml
index 7faccfe..4c040ed 100644
--- a/apps/sonar/index.yaml
+++ b/apps/sonar/index.yaml
@@ -329,7 +329,13 @@ options:
 examples:
 - sonar
 type: string
-dependencies: []
+dependencies:
+- dist: null category: core component: cert-manager-self-sign
+- dist: null category: dbo component: pg
 providers:
 kubernetes: true
 authentik: true
diff --git a/apps/sonar/sonar_ConfigMap.tf b/apps/sonar/sonar_ConfigMap.tf
index cac3133..90032a1 100644
--- a/apps/sonar/sonar_ConfigMap.tf
+++ b/apps/sonar/sonar_ConfigMap.tf
@@ -35,10 +35,10 @@ resource "kubectl_manifest" "cm_files" {
 sonar.telemetry.enable=false
 sonar.updatecenter.activate=false
 sonar.auth.saml.enabled=true
- sonar.auth.saml.applicationId=${module.saml.app_id}
+ sonar.auth.saml.applicationId=https://${local.dns_name}/saml2/metadata
 sonar.auth.saml.providerName=vynil
- sonar.auth.saml.providerId=${module.saml.issuer}
- sonar.auth.saml.loginUrl=https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/saml/${var.component}-${var.instance}/sso/binding/init/
+ sonar.auth.saml.providerId=https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}
+ sonar.auth.saml.loginUrl=https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/application/saml/${var.component}-${var.instance}/sso/binding/redirect/
 sonar.auth.saml.certificate.secured=${join("",[for line in split("\n",module.saml.certificate_data): line if !endswith(line, "CERTIFICATE-----")])}
 sonar.auth.saml.user.login=windowsaccountname
 sonar.auth.saml.user.name=name
diff --git a/apps/sonar/sonar_Service.tf b/apps/sonar/sonar_Service.tf
index 6d7d056..14d5005 100644
--- a/apps/sonar/sonar_Service.tf
+++ b/apps/sonar/sonar_Service.tf
@@ -56,6 +56,8 @@ module "saml" {
 dns_names = local.dns_names
 namespace = var.namespace
 labels = local.common_labels
+ audience = "https://${local.dns_name}/saml2/metadata"
+ saml_issuer = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}"
 group_mapping = <
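Review bot: check.rhai never says what `pre_check` guards or when it runs, and `check_authentik` gives no reason why the `-auth` namespace, the authentik install and its secret must already exist; a reader has to find the SAML module in sonar_Service.tf to connect them. I would open the file with `// Pre-install checks: the target namespace must exist, and the authentik instance in <domain>-auth` followed by `// that sonar delegates SAML login to must be installed with its secret present.` In `check_domain` the argument to `have_namespace` wraps `global::DOMAIN` in a template string with no other text; if `have_namespace` accepts a plain string, `have_namespace(global::DOMAIN)` reads more directly, while the other calls genuinely need the template for the `-auth` suffix. The asserts establish existence only, not that the secret holds whatever the rest of the package reads from it; presumably that is intentional for a pre-check, and the header comment is the place to say so.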
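Review bot: The SAML audience `https://${local.dns_name}/saml2/metadata` and the issuer `https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}` are now spelled out twice — in the `applicationId` and `providerId` lines of this hunk and again as the `audience` and `saml_issuer` inputs of module "saml" in sonar_Service.tf — where the removed lines took them from `module.saml.app_id` and `module.saml.issuer`. If either copy drifts, the IdP and the service provider disagree on audience or issuer and SAML logins are likely rejected at assertion validation, with nothing at plan time to flag the mismatch. I would define both strings once in `locals` (`saml_audience`, `saml_issuer`) and reference them from both files, so these lines become `sonar.auth.saml.applicationId=${local.saml_audience}` and `sonar.auth.saml.providerId=${local.saml_issuer}`, or keep reading the module outputs if it still exposes them. The `loginUrl` switch from the `init` to the `redirect` binding is not explained; a short comment above that line naming why the redirect binding is required would save the next reader re-deriving it. The `cm_files` resource and its heredoc start and end outside the hunk.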