diff --git a/src/roles/configure-wiki/tasks/main.yml b/src/roles/configure-wiki/tasks/main.yml index 59c2c3bb..89112af1 100644 --- a/src/roles/configure-wiki/tasks/main.yml +++ b/src/roles/configure-wiki/tasks/main.yml @@ -57,6 +57,7 @@ with_items: - preLocalSettings.d - postLocalSettings.d + - samlAuthorizations.d - name: Ensure base templates are present (but do not overwrite) template: @@ -71,5 +72,6 @@ - preLocalSettings.d/base.php - preLocalSettings.d/README.md - postLocalSettings.d/README.md + - samlAuthorizations.d/base.php delegate_to: localhost run_once: true diff --git a/src/roles/configure-wiki/templates/samlAuthorizations.d/base.php.j2 b/src/roles/configure-wiki/templates/samlAuthorizations.d/base.php.j2 new file mode 100644 index 00000000..a17e072d --- /dev/null +++ b/src/roles/configure-wiki/templates/samlAuthorizations.d/base.php.j2 @@ -0,0 +1,11 @@ + [ +# 'sysop' => ['memberOf' => ['abc123' ]], +# 'Viewer' => ['memberOf' => ['def456' ]], +# 'Contributor' => ['memberOf' => ['xyz789' ]] +# ]]; + diff --git a/src/roles/init-controller-config/tasks/main.yml b/src/roles/init-controller-config/tasks/main.yml index 65c9a06e..b7ea8ca3 100644 --- a/src/roles/init-controller-config/tasks/main.yml +++ b/src/roles/init-controller-config/tasks/main.yml @@ -72,7 +72,7 @@ group: "{{ m_config_public_group }}" mode: "{{ m_config_public_mode }}" -- name: Ensure pre/post settings directories exists in config +- name: Ensure pre/post/saml settings directories exists in config file: path: "{{ m_local_public }}/{{ item }}" state: directory @@ -82,6 +82,7 @@ with_items: - preLocalSettings.d - postLocalSettings.d + - samlAuthorizations.d - name: "Ensure base files present, do NOT overwrite" diff --git a/src/roles/mediawiki/templates/LocalSettings.php.j2 b/src/roles/mediawiki/templates/LocalSettings.php.j2 index 74312766..8c6ba31e 100644 --- a/src/roles/mediawiki/templates/LocalSettings.php.j2 +++ b/src/roles/mediawiki/templates/LocalSettings.php.j2 
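Review bot: In the init-controller-config directory task (the `@@ -82,6 +82,7 @@` hunk), the new `samlAuthorizations.d` item creates a directory whose `*.php` files this same commit makes LocalSettings.php.j2 `require_once` for every wiki, so the owner, group and mode that task applies (set outside this hunk) now decide who can place PHP that runs inside the web process. Worth confirming that the directory is not writable by the web-server user or a broad group, and the same applies to the matching entry in configure-wiki's `@@ -57,6 +57,7 @@` hunk if `{{ m_local_public }}` and `$m_deploy/public` are the same tree. A comment on the item would make the sensitivity visible to the next editor: `- samlAuthorizations.d  # *.php here is executed by LocalSettings.php for every wiki`.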
@@ -55,37 +55,52 @@ else {
 * Perform authentication up front, immediately after $wikiId is setup.
 * **/
-## This is commented out because we are no longer using Extension:SimpleSamlAuth
-## Instead we will be using Extension:PluggableAuth with Extension:SimpleSAMLphp
-## which is configued as by the user in MezaLocalExtensions.yml
-#require "{{ m_deploy }}/samlLocalSettings.php";
+// Get the data needed to know if the server request is an external (remote) or internal (localhost) request
+if (!empty($_SERVER['HTTP_CLIENT_IP'])) { $ip_address = $_SERVER['HTTP_CLIENT_IP']; }
+elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) { $ip_address = $_SERVER['HTTP_X_FORWARDED_FOR']; }
+elseif (isset($_SERVER['REMOTE_ADDR'] ) ) { $ip_address = $_SERVER['REMOTE_ADDR']; }
+// Allow exceptions of the PluggableAuth/SAML integration for specific wikis
+// so that localhost maintenance script can create new bot accounts on the wikis
 if ( in_array( $wikiId, array( 'mywiki1','mywiki2', ) ) )
-{
- # Skip "PluggableAuth" AND "SimpleSAMLphp" so that localhost bots can access the wikis
-} else {
+{ # SKIP "PluggableAuth" AND "SimpleSAMLphp"
+} else {
+ # USE "PluggableAuth" AND "SimpleSAMLphp"as follows:
+// Load and Configure PluggableAuth for SAML IDP/SSO
 wfLoadExtension( "PluggableAuth" );
 $wgPluggableAuth_EnableAutoLogin = true;
+$wgPluggableAuth_EnableLocalProperties = false;
+$wgPluggableAuth_EnableLocalLogin = false;
+if (isset($ip_address) && $ip_address == '127.0.0.1')
+{ $wgPluggableAuth_EnableLocalLogin = true; }
+$wgGroupPermissions['*']['autocreateaccount'] = true;
-if (!empty($_SERVER['HTTP_CLIENT_IP'])) { $ip_address = $_SERVER['HTTP_CLIENT_IP']; }
-elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) { $ip_address = $_SERVER['HTTP_X_FORWARDED_FOR']; }
-elseif (isset($_SERVER['REMOTE_ADDR'] ) ) { $ip_address = $_SERVER['REMOTE_ADDR']; }
+// Load and Configure SimpleSAMLphp for SAML IDP/SSO
+wfLoadExtension( "SimpleSAMLphp" );
+$wgSimpleSAMLphp_InstallDir = '/opt/simplesamlphp';
+
+// SAML Authentication (Who the user IS)
+$wgPluggableAuth_Config['Log in using SAML'] = [
+ 'plugin' => 'SimpleSAMLphp',
+ 'data' => [ 'authSourceId' => 'default-sp',
+ 'usernameAttribute' => 'AUID',
+ 'realNameAttribute' => 'displayName',
+ 'emailAttribute' => 'Email'
+ ]
+];
-if (isset($ip_address) && $ip_address == '127.0.0.1') { $wgPluggableAuth_EnableLocalLogin = true; }
-else { $wgPluggableAuth_EnableLocalLogin = false; }
+// Load all PHP files in samlAuthorizations.d for all wikis
+foreach ( glob("$m_deploy/public/samlAuthorizations.d/*.php") as $filename) {
+ require_once $filename;
+}
-$wgPluggableAuth_EnableLocalProperties = false;
-$wgPluggableAuth_ButtonLabel = 'Click Here for Auto-Logon';
+// Load all PHP files in samlAuthorizations.d for this wiki
+foreach ( glob("$m_deploy/public/wikis/$wikiId/samlAuthorizations.d/*.php") as $filename) {
+ require_once $filename;
+}
-wfLoadExtension( "SimpleSAMLphp" );
-$wgSimpleSAMLphp_InstallDir = '/opt/simplesamlphp';
-$wgSimpleSAMLphp_AuthSourceId = 'default-sp';
-$wgSimpleSAMLphp_UsernameAttribute = 'AUID';
-$wgSimpleSAMLphp_RealNameAttribute = 'displayName';
-$wgSimpleSAMLphp_EmailAttribute = 'Email';
-$wgGroupPermissions['*']['autocreateaccount'] = true;
 }
 {% endif %}
diff --git a/src/roles/saml/templates/saml20-idp-remote.php.j2 b/src/roles/saml/templates/saml20-idp-remote.php.j2
index 38522fd4..56b93748 100644
--- a/src/roles/saml/templates/saml20-idp-remote.php.j2
+++ b/src/roles/saml/templates/saml20-idp-remote.php.j2
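Review bot: The local-login switch trusts request headers: `$ip_address` is taken first from `HTTP_CLIENT_IP` and then `HTTP_X_FORWARDED_FOR`, both of which a remote client can supply, before falling back to the server-set `REMOTE_ADDR`, so a remote request that presents `127.0.0.1` in one of those headers gets `$wgPluggableAuth_EnableLocalLogin = true` on a wiki meant to be SAML-only (and `autocreateaccount` is granted to `*` right below). Unless a trusted reverse proxy is known to overwrite those headers, derive the address only from the server-set value and compare strictly: `$ip_address = $_SERVER['REMOTE_ADDR'] ?? null;` and `if (isset($ip_address) && $ip_address === '127.0.0.1')`; the same three header lines appear in the removed block, so this predates the commit but survives the rewrite. Separately, both `glob()` calls interpolate a PHP variable `$m_deploy`, whereas the removed `require` used the template variable `{{ m_deploy }}`; if `$m_deploy` is not defined in LocalSettings scope the pattern silently degrades to `/public/samlAuthorizations.d/*.php`, and `$wikiId` (set up before this hunk) is embedded in the per-wiki glob path, so it is worth confirming it cannot carry path separators. The enclosing `{% if %}` and the `else` branch these lines sit in start outside the hunk.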
@@ -38,37 +38,15 @@ $metadata['{{ saml_public.idp_entity_id }}'] = array(
 {% endif %}
- {% if saml_secret.cert_fingerprint is defined %}
+ {% if saml_secret.cert_data is defined %}
+ 'certData' => '{{ saml_secret.cert_data }}',
- 'certFingerprint' => array(
- {% for fp in saml_secret.cert_fingerprint -%}
- '{{ fp }}',
- {%- endfor %}
- ),
+ {% elif saml_public.cert_data is defined %}
+ 'certData' => '{{ saml_public.cert_data }}',
- {% elif saml_public.cert_fingerprint is defined %}
+ {% else %}
+ // neither saml_secret.cert_data nor saml_public.cert_data is defined
- 'certFingerprint' => array(
- {% for fp in saml_public.cert_fingerprint -%}
- '{{ fp }}',
- {%- endfor %}
- ),
-
- {% else %}
- // neither {{ saml_secret.cert_fingerprint }} nor {{ saml_public.cert_fingerprint }} is defined
- {% endif %}
-
-
- {% if saml_secret.cert_data is defined %}
-
- 'certData' => '{{ saml_secret.cert_data }}',
-
- {% elif saml_public.cert_data is defined %}
-
- 'certData' => '{{ saml_public.cert_data }}',
-
- {% else %}
- // neither saml_secret.cert_data nor saml_public.cert_data is defined
- {% endif %}
+ {% endif %}
 );
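Review bot: The `{% else %}` branch emits only a PHP comment, so when neither `saml_secret.cert_data` nor `saml_public.cert_data` is set the IdP entry is rendered with no certificate at all, and with `certFingerprint` removed by this commit there is no other key material left in the entry; for a SAML trust anchor a silent render is the wrong failure mode. Prefer making the render fail, e.g. `{{ saml_public.cert_data | mandatory }}` in that branch or an `assert` task before the template, so a misconfigured IdP is caught at deploy time rather than at first login. The value is also interpolated unescaped into a single-quoted PHP string, so a comment stating the required format would help: `// certData: single-line base64 certificate body; PEM headers or line breaks would break the generated PHP`. The `$metadata[...] = array(` this sits in starts outside the hunk.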