diff --git a/saml/saml.go b/saml/saml.go
index 42090d905298608b97cdc75b921531d4d369d6d8..163815652c47572f4ae97fee6606a841bb5c7179 100644
--- a/saml/saml.go
+++ b/saml/saml.go
@@ -26,6 +26,8 @@ import (
 )
 
 type serviceProvider struct {
+	// Descriptor can either be an inline XML document, or it can
+	// be read from a file with the syntax "@filename".
 	Descriptor string   `yaml:"descriptor"`
 	SSOGroups  []string `yaml:"sso_groups"`
 
@@ -81,9 +83,13 @@ func (c *Config) check() error {
 func (c *Config) loadServiceProviders() error {
 	c.serviceProviderMap = make(map[string]*serviceProvider)
 	for _, sp := range c.ServiceProviders {
-		data, err := ioutil.ReadFile(sp.Descriptor)
-		if err != nil {
-			return err
+		var data []byte
+		if strings.HasPrefix(sp.Descriptor, "@") {
+			var err error
+			data, err = ioutil.ReadFile(sp.Descriptor[1:])
+			if err != nil {
+				return err
+			}
 		}
 		var ent saml.EntityDescriptor
 		if err := xml.Unmarshal(data, &ent); err != nil {