diff --git a/saml/saml.go b/saml/saml.go
index 614044bb2b305d8ea83acfecec13f3a41992373e..6fab1a876c414db975d198243ef9c169cf5a455a 100644
--- a/saml/saml.go
+++ b/saml/saml.go
@@ -232,9 +232,9 @@ func NewSAMLIDP(config *Config) (http.Handler, error) {
 	if err != nil {
 		return nil, err
 	}
-	ssoURL := baseURL
-	ssoURL.Path += "/sso"
-	metadataURL := baseURL
+	ssoURL := *baseURL
+	ssoURL.Path += "/login"
+	metadataURL := *baseURL
 	metadataURL.Path += "/metadata"
 	svc := fmt.Sprintf("%s%s", baseURL.Host, baseURL.Path)
 	if !strings.HasSuffix(svc, "/") {
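Review bot: Appending to `baseURL.Path` on the two new copies produces `//login` and `//metadata` when the configured base URL ends in a slash, a case the `strings.HasSuffix(svc, "/")` check just below suggests is expected. These values are published in the IdP metadata and, going by the comment in the next hunk, also decide which path gets the wrapped SSO handler, so an un-normalised path can leave the advertised location and the routed one out of step. Consider `ssoURL.Path = strings.TrimSuffix(baseURL.Path, "/") + "/login"` and the same for `metadataURL`. Moving the endpoint from `/sso` to `/login` also invalidates metadata that service providers already hold, which deserves a line in the commit message or changelog. NewSAMLIDP starts and ends outside the hunk, so baseURL may already be normalised where it is parsed.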
@@ -246,11 +246,15 @@ func NewSAMLIDP(config *Config) (http.Handler, error) {
 		return nil, err
 	}
 
+	// Create the SAML IdentityProvider, but then we put another
+	// mux.Router in front in order to wrap just the ssoURL with
+	// our own SSO handler.
 	idp := &saml.IdentityProvider{
 		Key:                     cert.PrivateKey,
 		Certificate:             cert.Leaf,
 		Logger:                  logger.DefaultLogger,
-		SSOURL:                  *ssoURL,
+		MetadataURL:             metadataURL,
+		SSOURL:                  ssoURL,
 		ServiceProviderProvider: config,
 		SessionProvider:         users,
 	}
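Review bot: The added comment above `idp := &saml.IdentityProvider{` names the front router but not the reason the SSO endpoint needs its own handler, and the router itself is not visible in this hunk. If the wrapper is what enforces login before an assertion is issued, the comment should say so, e.g. `// idp serves metadata and SSO; a mux.Router in front intercepts only ssoURL.Path so our handler runs before the library's SSO handler.` The route should be registered from `ssoURL.Path` rather than a repeated `"/login"` literal, so the wrapped path and the `SSOURL` handed to the library cannot drift apart. NewSAMLIDP continues past the hunk.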