diff --git a/.ci-img.yml b/.ci-img.yml
new file mode 100644
index 0000000..d508f0a
--- /dev/null
+++ b/.ci-img.yml
@@ -0,0 +1,5 @@
+---
+lint: image: ghcr.io/terraform-linters/tflint
+opentofu: image: ghcr.io/opentofu/opentofu:latest
\ No newline at end of file
diff --git a/saml/outputs.tf b/saml/outputs.tf
index e3f31c9..f8cb09f 100644
--- a/saml/outputs.tf
+++ b/saml/outputs.tf
@@ -1,3 +1,11 @@
-output "provider-id" {
+output "provider_id" {
   value = authentik_provider_saml.prj.id
 }
+
+output "metadata_url" { value = "https://${data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host}/api/v3/providers/saml/${authentik_provider_saml.prj.id}/metadata/?download"
+}
+
+output "saml_certificate_secret_name" { value = "${local.app_slug}-saml"
+}
diff --git a/saml/providers.tf b/saml/providers.tf
index 250b1a1..39cad76 100644
--- a/saml/providers.tf
+++ b/saml/providers.tf
@@ -1,5 +1,10 @@
 terraform {
+  required_version = ">= 1.0"
   required_providers {
+    kubernetes = { source = "hashicorp/kubernetes" version = "~> 2.20.0" }
     kubectl = {
       source = "gavinbunney/kubectl"
       version = "~> 1.14.0"
diff --git a/saml/saml.tf b/saml/saml.tf
index d69c720..424cc59 100644
--- a/saml/saml.tf
+++ b/saml/saml.tf
@@ -60,3 +60,9 @@ resource "authentik_provider_saml" "prj" {
   sp_binding = var.binding
 }
 
+data "kubernetes_ingress_v1" "authentik" { metadata { name = "authentik" namespace = "${var.domain}-auth" } }
diff --git a/saml/variables.tf b/saml/variables.tf
index 36f86cd..e777bdf 100644
--- a/saml/variables.tf
+++ b/saml/variables.tf
@@ -4,6 +4,12 @@ variable "component" {
 variable "instance" {
   type = string
 }
+variable "namespace" { type = string }
+variable "domain" { type = string }
 variable "issuer" {
   type = string
 }
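Review bot: Both CI images are pulled by a mutable reference — `ghcr.io/terraform-linters/tflint` carries no tag at all (implicitly `latest`) and `ghcr.io/opentofu/opentofu:latest` — so each pipeline run can silently pick up a different tool build, and a retagged or compromised upstream image would execute with whatever credentials the pipeline holds. Pin each image to an explicit version tag plus its digest, e.g. `image: ghcr.io/opentofu/opentofu:<version>@sha256:<digest>`, and update the pins deliberately (a renovate/dependabot rule can keep them current). The diff also notes the file has no trailing newline, which is worth fixing before a linter flags it.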
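Review bot: `metadata_url` indexes `spec[0].rule[0].host` with no guard, and `host` is optional on an Ingress rule, so an ingress whose first rule has no host (or no rules at all) yields a malformed `https:///api/v3/...` URL or an index error at plan time instead of a clear message; an output `precondition` with `condition = length(data.kubernetes_ingress_v1.authentik.spec[0].rule) > 0 && data.kubernetes_ingress_v1.authentik.spec[0].rule[0].host != ""` and an explanatory `error_message` would surface this early (output preconditions need Terraform/OpenTofu 1.2 or later, so the `>= 1.0` in providers.tf should be raised to match). Separately, renaming `provider-id` to `provider_id` breaks every caller that reads `module.<name>.provider-id`; unless all callers are updated in this same change, keep the old name as a deprecated alias with the identical `value` for one release. Neither new output has a `description`; `saml_certificate_secret_name` in particular should state what secret it names, since `local.app_slug` is defined outside this diff.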
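Review bot: The ingress lookup hard-codes the namespace as `"${var.domain}-auth"` while the same commit adds a `namespace` input variable that none of the visible hunks use; if that variable is meant to locate Authentik, the data block should read `namespace = var.namespace` so the two cannot drift, and if it is not, a comment stating what `namespace` is for would spare the next reader the same question. This data source also makes every plan depend on `get` permission for ingresses in that namespace for whichever identity runs the plan, which is a new requirement for this module; a short comment on the block such as `# Resolves the public Authentik host from its ingress; the plan identity needs read access to ingresses in <domain>-auth` would make that explicit. The `authentik_provider_saml.prj` resource whose closing lines form this hunk's context begins outside the hunk.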
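Review bot: `domain` is interpolated into a Kubernetes namespace name (`"${var.domain}-auth"` in saml.tf) but has no `validation`, so a value with uppercase letters, underscores or more than 58 characters only fails when the API server rejects the lookup; constraining it to a DNS-1123 label at the variable level turns that into a clear plan-time error. Both new variables also lack a `description`, and `namespace` is not referenced in any hunk of this diff, so its purpose should be documented or the variable dropped. A `domain` block along these lines:

```hcl
variable "domain" {
  type        = string
  description = "Prefix of the Authentik namespace; the Authentik ingress is looked up in \"<domain>-auth\"."

  validation {
    condition     = can(regex("^[a-z0-9]([-a-z0-9]{0,56}[a-z0-9])?$", var.domain))
    error_message = "domain must be a lowercase DNS-1123 label short enough that \"<domain>-auth\" stays within 63 characters."
  }
}
```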