diff --git a/ssoauth/app_settings/__init__.py b/ssoauth/app_settings/__init__.py
index f8b66c874716f5fe1bff06cb29524c47b699704c..b00d50eaf9b3853e144669ce5484cbb681f2a2c3 100644
--- a/ssoauth/app_settings/__init__.py
+++ b/ssoauth/app_settings/__init__.py
@@ -1,6 +1,7 @@
 from onelogin.saml2 import settings as onelogin_settings
 from .defaults import *
 from django import conf
+from datetime import datetime, timedelta
 
 
 # merge defaults with customized user settings
@@ -87,7 +88,8 @@ ONELOGIN_SETTINGS_TEMPLATE = {
         "wantNameIdEncrypted": False,
         "wantAssertionsEncrypted": True,
         "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
-        "metadataCacheDuration": SP_METADATA_LIFETIME,
+        "metadataCacheDuration": "P{n}D".format(n=SP_METADATA_LIFETIME_DAYS),
+        "metadataValidUntil": (datetime.now() + timedelta(days=SP_METADATA_LIFETIME_DAYS)).strftime('%Y-%m-%dT%H:%M:%S.%fZ')
     },
     "contactPerson": SP_CONTACTS,
     "organization": SP_ORGANIZATION,
diff --git a/ssoauth/app_settings/defaults.py b/ssoauth/app_settings/defaults.py
index e4f2b197fa938a841c7b5a0d948d0ea4f086045c..b62f97dd1e56a64262b61f140b73e3e6ac858fda 100644
--- a/ssoauth/app_settings/defaults.py
+++ b/ssoauth/app_settings/defaults.py
@@ -9,7 +9,7 @@ If you want to change something:
 
 
 """
-Settings you want to change:
+Settings you may want to change:
 """
 
 # host and port, not what Django thinks, but what nginx serves
@@ -18,6 +18,8 @@ SP_PORT = 443
 
 IDP_META_URL = "https://idp.hs-hannover.de/idp/shibboleth"  # test is "https://idp-test.it.hs-hannover.de/idp/shibboleth"
 
+SP_KEY = "{project_settings}/cert/sp.key"
+SP_CERT = "{project_settings}/cert/sp.pem"
 
 """
 Settings you DON'T want to change (in fact, you want to avoid even thinking about them):
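Review bot: `SP_KEY` and `SP_CERT` now sit under "Settings you may want to change", but nothing explains the `{project_settings}` placeholder or that `SP_KEY` is the SP's private key. A comment above them would help, for example `# SP private key and certificate; {project_settings} is expanded elsewhere (confirm where)` and `# keep sp.key out of version control and readable only by the service user`. The default path appears to live inside the project's settings directory, which makes an accidental commit of the key more likely, so the hint is worth stating where users will look when overriding these.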
@@ -25,10 +27,7 @@ Settings you DON'T want to change (in fact, you want to avoid even thinking abou
 
 IDP_REQUIRED = True  # die on start if cannot find IDP or parse its meta
 
-SP_KEY = "{project_settings}/cert/sp.key"
-SP_CERT = "{project_settings}/cert/sp.pem"
-
-SP_METADATA_LIFETIME = "P20Y"  # "P7D"-like (https://www.w3.org/TR/xmlschema-2/#duration)
+SP_METADATA_LIFETIME_DAYS = 365 * 20
 
 # if you really really need to add/modify something in OneLogin settings, add it to ONELOGIN_OVERRIDES
 ONELOGIN_OVERRIDES = {}  # e.g.: ONELOGIN_OVERRIDES = { "strict": False }
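Review bot: Renaming `SP_METADATA_LIFETIME` to `SP_METADATA_LIFETIME_DAYS` changes both the name and the type (duration string to integer days), and a project that still overrides the old name would presumably be ignored without any error, since these defaults are merged with user settings. Either keep honouring the old name with a deprecation warning or call the rename out in the release notes. The removed comment was the only documentation of the value; a replacement such as `# validity of the published SP metadata, in days (feeds cacheDuration and validUntil)` would restore it. Now that validUntil is emitted, the 20-year default tells consumers the metadata, and presumably the SP certificate it carries, stays valid that long, so a shorter default is worth considering if key rollover matters.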