diff --git a/src/app/app.ts b/src/app/app.ts
index f488385..910aa7a 100644
--- a/src/app/app.ts
+++ b/src/app/app.ts
@@ -20,3 +20,7 @@ export function appIdpEntityId(app: App): string {
 export function appIdpRedirectUrl(app: App): string {
   return `https://${process.env.DUMMYIDP_CUSTOM_DOMAIN || process.env.VERCEL_URL}/apps/${app.id}/sso`;
 }
+
+export function appIdpMetadataUrl(app: App): string {
+  return `https://${process.env.DUMMYIDP_CUSTOM_DOMAIN || process.env.VERCEL_URL}/apps/${app.id}/metadata`;
+}
diff --git a/src/app/apps/[id]/metadata/route.ts b/src/app/apps/[id]/metadata/route.ts
new file mode 100644
index 0000000..48464a0
--- /dev/null
+++ b/src/app/apps/[id]/metadata/route.ts
@@ -0,0 +1,42 @@
+import { NextRequest, NextResponse } from "next/server";
+import { getApp } from "@/app/actions";
+import { appIdpEntityId, appIdpRedirectUrl } from "@/app/app";
+import { INSECURE_PUBLIC_CERTIFICATE } from "@/lib/insecure-cert";
+
+export async function GET(
+  req: NextRequest,
+  { params }: { params: { id: string } },
+) {
+  const prefix = "-----BEGIN CERTIFICATE-----\n";
+  const suffix = "-----END CERTIFICATE-----";
+  const certNoPEMHeaders = INSECURE_PUBLIC_CERTIFICATE.substring(
+    0,
+    INSECURE_PUBLIC_CERTIFICATE.length - suffix.length,
+  )
+    .substring(prefix.length)
+    .replaceAll("\n", "");
+
+  const app = await getApp(params.id);
+  return new NextResponse(
+    `<?xml version="1.0" encoding="UTF-8"?>
+<md:EntityDescriptor entityID="${appIdpEntityId(app!)}" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
+  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>${certNoPEMHeaders}</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
+    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="${appIdpRedirectUrl(app!)}"/>
+  </md:IDPSSODescriptor>
+</md:EntityDescriptor>`,
+    {
+      headers: {
+        "content-type": "application/xml;charset=ISO-8859-1",
+        "x-content-type-options": "nosniff",
+      },
+    },
+  );
+}
diff --git a/src/app/apps/[id]/page.tsx b/src/app/apps/[id]/page.tsx
index 429d157..baaf1ac 100644
--- a/src/app/apps/[id]/page.tsx
+++ b/src/app/apps/[id]/page.tsx
@@ -19,7 +19,11 @@ import {
 } from "@/components/ui/breadcrumb";
 import { DocsLink } from "@/components/DocsLink";
 import { Label } from "@/components/ui/label";
-import { appIdpEntityId, appIdpRedirectUrl } from "@/app/app";
+import {
+  appIdpEntityId,
+  appIdpMetadataUrl,
+  appIdpRedirectUrl,
+} from "@/app/app";
 import { useMemo } from "react";
 import { ArrowDownToLineIcon } from "lucide-react";
 import { SPSettingsForm } from "@/app/apps/[id]/SPSettingsForm";
@@ -95,6 +99,13 @@ export default async function Page({ params }: { params: { id: string } }) {
               </CardHeader>
               <CardContent>
                 <div className="grid gap-y-2">
+                  <div>
+                    <Label>IDP Metadata URL</Label>
+                    <div className="text-sm text-muted-foreground">
+                      {appIdpMetadataUrl(app)}
+                    </div>
+                  </div>
+
                   <div>
                     <Label>IDP Entity ID</Label>
                     <div className="text-sm text-muted-foreground">