diff --git a/.gitignore b/.gitignore
index ec1f302a0d2804cade81abdbbd44c0dcef90c149..d3e541f0e3b4c16980e2f19d86b60bf9e4ffc328 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,3 +17,6 @@ backend.xml
# client database
oidc-clients.json
+
+# deployment-specific configuration
+config/saml-metadata-signing.crt
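Review bot: `config/saml-metadata-signing.crt` is a public verification certificate, not a secret, so keeping it out of version control removes the only reviewable trust anchor for federation metadata while docker-compose still defaults the metadata URL to ACOnet. If the intent (inferred from the "deployment-specific configuration" comment) is to let each deployment pick its own federation, that is fine, but then the README or env.example should state where the certificate comes from and how to verify its fingerprint before it is dropped into `config/`. Otherwise consider committing the ACOnet certificate with its fingerprint in a comment, e.g. `# ACOnet metadata signing cert, fingerprint verified against https://wiki.univie.ac.at/display/federation/Metadata+Signing+Key`, so every deployment verifies against a reviewed key rather than whatever file happens to be on the host.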
diff --git a/README.md b/README.md
index 666767a002ab3d4b46c9c1e898a994e6a7a544de..377e1b9ef38e4085c41e14491c63b54db8490142 100644
--- a/README.md
+++ b/README.md
@@ -119,3 +119,5 @@ Here is a collection of links for further resources about SAML and the ACOnet fe
* [SAML attributes](https://wiki.univie.ac.at/display/federation/Attributes)
* [Service/entity categories](https://wiki.refeds.org/display/ENT/)
* [Discovery services](https://wiki.univie.ac.at/display/federation/Discovery+Services)
+* [ACOnet metadata](https://wiki.univie.ac.at/display/federation/Metadata)
+* [ACOnet metadata signing key](https://wiki.univie.ac.at/display/federation/Metadata+Signing+Key)
diff --git a/config/saml2-backend.yaml b/config/saml2-backend.yaml
index 5ac6575ebaa6b01f832c3a7e608341cd9dedae88..688fd6377892c264d1dcc6ba1c48be97264d3043 100644
--- a/config/saml2-backend.yaml
+++ b/config/saml2-backend.yaml
@@ -47,7 +47,8 @@ config:
# from the centrally managed ACOnet endpoint (and we refresh it every 12h with that cryptic string)
metadata:
remote:
- - url: "https://eduid.at/md/aconet-interfed.xml"
+ - url: !ENV SATOSA_SAML_METADATA_URL
+ cert: !ENV SATOSA_SAML_METADATA_CERT_FILE
check_validity: true
disable_ssl_certificate_validation: false
freshness_period: "P0Y0M0DT12H0M0S"
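Review bot: The new `cert: !ENV SATOSA_SAML_METADATA_CERT_FILE` line only enforces metadata signature verification when the variable is set, and nothing in this config rejects an empty value — as far as I can tell from pysaml2's remote metadata loader, a missing `cert` means the document fetched from `url` is accepted without checking its XML signature, so a deployment that forgets the variable silently trusts whatever the endpoint serves (TLS with `disable_ssl_certificate_validation: false` authenticates the server, not the federation publisher). Document that at the `cert:` line: `# signing certificate of the metadata publisher (ACOnet: see README); if unset, signature verification is skipped — treat as required`. The comment above `metadata:` still describes the URL as the centrally managed ACOnet endpoint, which is no longer fixed now that it comes from `!ENV SATOSA_SAML_METADATA_URL`; reword it to say ACOnet is the default. The enclosing `config:` mapping starts before this hunk.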
diff --git a/docker-compose.yml b/docker-compose.yml
index 8ed800f66fe7a0ea46c8c888142c2daffd235878..cfb05f27b3852d75e1245227ec5806187e14037e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -18,6 +18,9 @@ services:
- SATOSA_SAML_KEY_FILE
- SATOSA_SAML_CERT_FILE
- SATOSA_SAML_DISCOVERY_SERVICE=${SATOSA_SAML_DISCOVERY_SERVICE:-https://eduid.at/ds/wayf/}
+
+ - SATOSA_SAML_METADATA_URL=${SATOSA_SAML_METADATA_URL:-https://eduid.at/md/aconet-interfed.xml}
+ - SATOSA_SAML_METADATA_CERT_FILE
ports:
- ${SATOSA_DEPLOYMENT_PORT:-443}:${SATOSA_PORT:-8443}
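Review bot: `- SATOSA_SAML_METADATA_CERT_FILE` is passed through with no default and no guard, so on a host where it is unset the container receives an empty value and, given the `cert: !ENV` binding in saml2-backend.yaml, metadata signature checking is presumably disabled without any error at startup. Because this file is the trust anchor for every IdP the proxy will accept, fail fast instead: `- SATOSA_SAML_METADATA_CERT_FILE=${SATOSA_SAML_METADATA_CERT_FILE:?path to the federation metadata signing certificate is required}`. The path must also resolve inside the container; the `volumes:` block that would mount it begins at the end of this hunk and its contents are not visible here, so confirm the certificate is actually bind-mounted at the same path. The enclosing `services:` mapping starts before this hunk.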
volumes:
diff --git a/env.example b/env.example
index 87036c9db5cf54352744dd5c304b8cd3fda0ec3f..b97796805a579fcd31069e1fdd48c6cc3ad3d2c6 100644
--- a/env.example
+++ b/env.example
@@ -14,6 +14,8 @@ SATOSA_OIDC_KEY_FILE=ssl/oidc.key
SATOSA_SAML_KEY_FILE=ssl/saml.key
SATOSA_SAML_CERT_FILE=ssl/saml.crt
SATOSA_SAML_DISCOVERY_SERVICE=<base_url>/disco
+SATOSA_SAML_METADATA_URL=https://eduid.at/md/aconet-interfed.xml
+SATOSA_SAML_METADATA_CERT_FILE=
# ssl/tls files for gunicorn
SATOSA_GUNICORN_KEY=ssl/gunicorn.key
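Review bot: `SATOSA_SAML_METADATA_CERT_FILE=` is left blank in the example with no explanation, and it is the one value here that should never be empty — an operator who copies this file as-is gets a proxy that fetches federation metadata without a signing certificate to verify it against. Pre-fill it with the path the commit already adds to `.gitignore` and say what belongs there: `# signing certificate of the metadata publisher (ACOnet: see README); verify its fingerprint out of band before trusting it` followed by `SATOSA_SAML_METADATA_CERT_FILE=config/saml-metadata-signing.crt`. The other certificates in this file live under `ssl/`, so either place this one there too or keep `.gitignore` and this path in step.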