diff --git a/Changelog.md b/Changelog.md index dd76849a..9e3174f7 100644 --- a/Changelog.md +++ b/Changelog.md @@ -2,6 +2,9 @@ This file only reflects the changes that are made in the the docker image. Please refer to the upstream GitLab [CHANGELOG](https://github.com/gitlabhq/gitlabhq/blob/master/CHANGELOG) for the list of changes in GitLab. +**latest** +- expose SAML OAuth provider configuration + **7.12.2-2** - enable persistence `.secret` file used in 2FA diff --git a/README.md b/README.md index 7d6af3f9..0cc8db2e 100644 --- a/README.md +++ b/README.md @@ -40,6 +40,7 @@ - [Google](#google) - [Twitter](#twitter) - [GitHub](#github) + - [SAML](#saml) - [External Issue Trackers](#external-issue-trackers) - [Mapping host user and group](#mapping-host-user-and-group) - [Piwik](#piwik) @@ -663,6 +664,14 @@ Once you have the Client ID and secret generated, configure them using the `OAUT For example, if your Client ID is `xxx` and the Client secret is `yyy`, then adding `--env='OAUTH_GITHUB_API_KEY=xxx' --env='OAUTH_GITHUB_APP_SECRET=yyy'` to the docker run command enables support for GitHub OAuth. +#### SAML + +GitLab can be configured to act as a SAML 2.0 Service Provider (SP). This allows GitLab to consume assertions from a SAML 2.0 Identity Provider (IdP) such as Microsoft ADFS to authenticate users. Please refer to the GitLab [documentation](http://doc.gitlab.com/ce/integration/saml.html). + +The following parameters have to be configured to enable SAML OAuth support in this image: `OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL`, `OAUTH_SAML_IDP_CERT_FINGERPRINT`, `OAUTH_SAML_IDP_SSO_TARGET_URL`, `OAUTH_SAML_ISSUER` and `OAUTH_SAML_NAME_IDENTIFIER_FORMAT` + +Please refer to [Available Configuration Parameters](#available-configuration-parameters) for the default configurations of these parameters. + ### External Issue Trackers Since version `7.12.2-2` support for external issue trackers can be enabled in the "Service Templates" section of the settings panel. 
@@ -792,6 +801,11 @@ Below is the complete list of available options that can be used to customize yo - **OAUTH_GITLAB_APP_SECRET**: GitLab App Client secret. No defaults. - **OAUTH_BITBUCKET_API_KEY**: BitBucket App Client ID. No defaults. - **OAUTH_BITBUCKET_APP_SECRET**: BitBucket App Client secret. No defaults. +- **OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL**: The URL at which the SAML assertion should be received. When `GITLAB_HTTPS=true`, defaults to `https://${GITLAB_HOST}/users/auth/saml/callback` else defaults to `http://${GITLAB_HOST}/users/auth/saml/callback`. +- **OAUTH_SAML_IDP_CERT_FINGERPRINT**: The SHA1 fingerprint of the certificate. No Defaults. +- **OAUTH_SAML_IDP_SSO_TARGET_URL**: The URL to which the authentication request should be sent. No defaults. +- **OAUTH_SAML_ISSUER**: The name of your application. When `GITLAB_HTTPS=true`, defaults to `https://${GITLAB_HOST}` else defaults to `http://${GITLAB_HOST}`. +- **OAUTH_SAML_NAME_IDENTIFIER_FORMAT**: Describes the format of the username required by GitLab, Defaults to `urn:oasis:names:tc:SAML:2.0:nameid-format:transient` - **GITLAB_GRAVATAR_ENABLED**: Enables gravatar integration. Defaults to `true`. - **GITLAB_GRAVATAR_HTTP_URL**: Sets a custom gravatar url. Defaults to `http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon`. This can be used for [Libravatar integration](http://doc.gitlab.com/ce/customization/libravatar.html). - **GITLAB_GRAVATAR_HTTPS_URL**: Same as above, but for https. Defaults to `https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon`. diff --git a/assets/config/gitlabhq/gitlab.yml b/assets/config/gitlabhq/gitlab.yml index f45f69e3..066fffc0 100644 --- a/assets/config/gitlabhq/gitlab.yml +++ b/assets/config/gitlabhq/gitlab.yml 
@@ -221,14 +221,13 @@ production: &base args: { scope: '{{OAUTH_GITLAB_SCOPE}}' } } - { name: 'bitbucket', app_id: '{{OAUTH_BITBUCKET_API_KEY}}', app_secret: '{{OAUTH_BITBUCKET_APP_SECRET}}'} - # - { name: 'saml', - # args: { - # assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback', - # idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8', - # idp_sso_target_url: 'https://login.example.com/idp', - # issuer: 'https://gitlab.example.com', - # name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' - # } } + - { name: 'saml', + args: { + assertion_consumer_service_url: '{{OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL}}', + idp_cert_fingerprint: '{{OAUTH_SAML_IDP_CERT_FINGERPRINT}}', + idp_sso_target_url: '{{OAUTH_SAML_IDP_SSO_TARGET_URL}}', + issuer: '{{OAUTH_SAML_ISSUER}}', + name_identifier_format: '{{OAUTH_SAML_NAME_IDENTIFIER_FORMAT}}' } } diff --git a/entrypoint.sh b/entrypoint.sh index a4709adb..401ff812 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
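Review bot: Nothing in the new saml entry records that entrypoint.sh deletes it with the sed range `/name: 'saml'/,/name_identifier_format:/d` whenever one of the OAUTH_SAML_* variables is empty, and that range ends on the `name_identifier_format:` line, so the closing `} }` has to stay on that same line; moving it to its own line (as the removed commented example had it) would leave a stray `} }` behind and break the YAML. A short comment above the entry would make the coupling explicit, e.g. `# saml: placeholders are filled from OAUTH_SAML_* by entrypoint.sh, and the whole entry is deleted when SAML is not configured; keep the closing '} }' on the name_identifier_format line`. The enclosing `production:` mapping starts well above this hunk.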
@@ -127,6 +127,20 @@ OAUTH_GITLAB_APP_SECRET=${OAUTH_GITLAB_APP_SECRET:-} OAUTH_BITBUCKET_API_KEY=${OAUTH_BITBUCKET_API_KEY:-} OAUTH_BITBUCKET_APP_SECRET=${OAUTH_BITBUCKET_APP_SECRET:-} +case $GITLAB_HTTPS in + true) + OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL=${OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL:-https://${GITLAB_HOST}/users/auth/saml/callback} + OAUTH_SAML_ISSUER=${OAUTH_SAML_ISSUER:-https://${GITLAB_HOST}} + ;; + false) + OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL=${OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL:-http://${GITLAB_HOST}/users/auth/saml/callback} + OAUTH_SAML_ISSUER=${OAUTH_SAML_ISSUER:-http://${GITLAB_HOST}} + ;; +esac +OAUTH_SAML_IDP_CERT_FINGERPRINT=${OAUTH_SAML_IDP_CERT_FINGERPRINT:-} +OAUTH_SAML_IDP_SSO_TARGET_URL=${OAUTH_SAML_IDP_SSO_TARGET_URL:-} +OAUTH_SAML_NAME_IDENTIFIER_FORMAT=${OAUTH_SAML_NAME_IDENTIFIER_FORMAT:-urn:oasis:names:tc:SAML:2.0:nameid-format:transient} + GOOGLE_ANALYTICS_ID=${GOOGLE_ANALYTICS_ID:-} PIWIK_URL=${PIWIK_URL:-} 
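Review bot: The `case $GITLAB_HTTPS in` block only matches the literal values `true` and `false`, so any other spelling (`TRUE`, `yes`, or an unset variable, unless the script normalizes it before this point — that is outside the hunk) leaves OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL and OAUTH_SAML_ISSUER empty, and the `-n` test in the hunk at @@ -567 then silently drops the SAML provider even though the fingerprint and SSO URL were supplied. A single conditional covers every value and keeps the same defaults: `[[ ${GITLAB_HTTPS} == true ]] && saml_scheme=https || saml_scheme=http`, then `OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL=${OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL:-${saml_scheme}://${GITLAB_HOST}/users/auth/saml/callback}` and `OAUTH_SAML_ISSUER=${OAUTH_SAML_ISSUER:-${saml_scheme}://${GITLAB_HOST}}`. A comment on the block saying that these two defaults follow GITLAB_HTTPS while the fingerprint and SSO URL have no default (and so gate whether SAML is enabled at all) would also help the next reader.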
@@ -567,6 +581,22 @@ else sudo -HEu ${GITLAB_USER} sed '/{{OAUTH_BITBUCKET_APP_SECRET}}/d' -i config/gitlab.yml fi +# saml +if [[ -n ${OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL} && \ + -n ${OAUTH_SAML_IDP_CERT_FINGERPRINT} && \ + -n ${OAUTH_SAML_IDP_SSO_TARGET_URL} && \ + -n ${OAUTH_SAML_ISSUER} && \ + -n ${OAUTH_SAML_NAME_IDENTIFIER_FORMAT} ]]; then + OAUTH_ENABLED=true + sudo -HEu ${GITLAB_USER} sed 's,{{OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL}},'"${OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL}"',' -i config/gitlab.yml + sudo -HEu ${GITLAB_USER} sed 's/{{OAUTH_SAML_IDP_CERT_FINGERPRINT}}/'"${OAUTH_SAML_IDP_CERT_FINGERPRINT}"'/' -i config/gitlab.yml + sudo -HEu ${GITLAB_USER} sed 's,{{OAUTH_SAML_IDP_SSO_TARGET_URL}},'"${OAUTH_SAML_IDP_SSO_TARGET_URL}"',' -i config/gitlab.yml + sudo -HEu ${GITLAB_USER} sed 's,{{OAUTH_SAML_ISSUER}},'"${OAUTH_SAML_ISSUER}"',' -i config/gitlab.yml + sudo -HEu ${GITLAB_USER} sed 's/{{OAUTH_SAML_NAME_IDENTIFIER_FORMAT}}/'"${OAUTH_SAML_NAME_IDENTIFIER_FORMAT}"'/' -i config/gitlab.yml +else + sudo -HEu ${GITLAB_USER} sed "/name: 'saml'/,/name_identifier_format:/d" -i config/gitlab.yml +fi + # google analytics if [[ -n ${GOOGLE_ANALYTICS_ID} ]]; then sudo -HEu ${GITLAB_USER} sed 's/{{GOOGLE_ANALYTICS_ID}}/'"${GOOGLE_ANALYTICS_ID}"'/' -i config/gitlab.yml
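Review bot: Each `sed 's,{{…}},'"${VALUE}"','` line hands the operator-supplied value to sed as a raw replacement, so a `&` (plausible in an IdP SSO URL carrying a query string) is replaced by the matched placeholder, a `\` is taken as an escape, and a `,` in the three URL values or a `/` in the fingerprint or name-identifier values terminates the expression — the outcome is a wrong or unparsable gitlab.yml rather than an error, and a mangled `idp_sso_target_url` or ACS URL misroutes the SAML exchange. Escaping those characters before substitution fixes it, as sketched below; the GOOGLE_ANALYTICS_ID line at the end of this hunk follows the same pattern, and the other providers' lines above the hunk presumably do too. Separately, the `else` branch removes the provider without any message when only some of the five OAUTH_SAML_* variables are set; failing closed is right (an empty `idp_cert_fingerprint` must not be written), but a warning on stderr when the fingerprint or SSO URL is present yet the provider is dropped would tell the operator why SAML is missing.
```shell
# saml
# sed_escape VALUE DELIM: make VALUE safe as the replacement text of an s command
# that uses DELIM, by escaping backslash, '&' and DELIM itself.
sed_escape() {
  local v=$1 d=$2
  v=${v//\\/\\\\}
  v=${v//&/\\&}
  printf '%s' "${v//$d/\\$d}"
}
# … unchanged: the if [[ -n … ]] test over the five OAUTH_SAML_* variables …
  OAUTH_ENABLED=true
  sudo -HEu ${GITLAB_USER} sed 's,{{OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL}},'"$(sed_escape "${OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL}" ,)"',' -i config/gitlab.yml
  sudo -HEu ${GITLAB_USER} sed 's/{{OAUTH_SAML_IDP_CERT_FINGERPRINT}}/'"$(sed_escape "${OAUTH_SAML_IDP_CERT_FINGERPRINT}" /)"'/' -i config/gitlab.yml
  sudo -HEu ${GITLAB_USER} sed 's,{{OAUTH_SAML_IDP_SSO_TARGET_URL}},'"$(sed_escape "${OAUTH_SAML_IDP_SSO_TARGET_URL}" ,)"',' -i config/gitlab.yml
  sudo -HEu ${GITLAB_USER} sed 's,{{OAUTH_SAML_ISSUER}},'"$(sed_escape "${OAUTH_SAML_ISSUER}" ,)"',' -i config/gitlab.yml
  sudo -HEu ${GITLAB_USER} sed 's/{{OAUTH_SAML_NAME_IDENTIFIER_FORMAT}}/'"$(sed_escape "${OAUTH_SAML_NAME_IDENTIFIER_FORMAT}" /)"'/' -i config/gitlab.yml
else
  # partial configuration: say why the provider is being removed instead of dropping it silently
  if [[ -n "${OAUTH_SAML_IDP_CERT_FINGERPRINT}${OAUTH_SAML_IDP_SSO_TARGET_URL}" ]]; then
    echo "WARNING: SAML provider disabled: all five OAUTH_SAML_* parameters must be set" >&2
  fi
  sudo -HEu ${GITLAB_USER} sed "/name: 'saml'/,/name_identifier_format:/d" -i config/gitlab.yml
fi
```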