diff --git a/ssoauth/app_settings/__init__.py b/ssoauth/app_settings/__init__.py
index 420e5a5b123ae060e35b14c8548ce6713b22e495..c30b676fbcbf612efcee1835005d576145b702ca 100644
--- a/ssoauth/app_settings/__init__.py
+++ b/ssoauth/app_settings/__init__.py
@@ -17,9 +17,11 @@ for setting_name in [k for k in globals().keys() if k.isupper()]:
 # checks
-assert SP_HOST and SP_PORT, "Need SP_HOST and SP_PORT configured in settings."
-assert not SP_HOST.lower().startswith(("http:", "https:",)), "Need host name without protocol and port."
-
+SSO_DISABLED = SSO_DISABLED or getattr(conf.settings, "IDP_IGNORE", False) # legacy config
+if not SSO_DISABLED:
+ assert conf.settings.DEBUG, "Not ignoring IDP on production."
+ assert SP_HOST and SP_PORT, "Need SP_HOST and SP_PORT configured in settings."
+ assert not SP_HOST.lower().startswith(("http:", "https:",)), "Need host name without protocol and port."
 # helpers
@@ -41,7 +43,10 @@ def read_key(path):
 with open(path, "r") as f:
 return f.read()
 except FileNotFoundError:
- raise FileNotFoundError("SSO requires a key pair. Missing: {path}".format(path=path))
+ if SSO_DISABLED:
+ return None
+ else:
+ raise FileNotFoundError("SSO requires a key pair. Missing: {path}".format(path=path))
 # template for OneLogin toolkit settings
diff --git a/ssoauth/app_settings/defaults.py b/ssoauth/app_settings/defaults.py
index 3af24256c4147287b08e241f16105e98d7621f16..b9055a8229150163f124fa7f6c8dd36f00b88aed 100644
--- a/ssoauth/app_settings/defaults.py
+++ b/ssoauth/app_settings/defaults.py
@@ -28,8 +28,8 @@ Settings you might want to change on development (don't change them for producti
 """
 # development helpers
+SSO_DISABLED = False
 SP_FORCE_ENTITY_ID = None # do NOT set for production, set to some unique string on development
-IDP_IGNORE = False # ignore IDP entirely, SSO will not function
 """
diff --git a/ssoauth/apps.py b/ssoauth/apps.py
index f9056e179d99191a0ccc14fdabe7978d8d887858..beff0092edb97007e50833ebeef8a156b0696a7e 100644
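Review bot: As rendered here (indentation was lost on this page, so confirm against the file), `assert conf.settings.DEBUG, "Not ignoring IDP on production."` sits under `if not SSO_DISABLED:` in the `# checks` hunk of ssoauth/app_settings/__init__.py, which would make a production deployment with SSO enabled fail at import while a disabled SSO with DEBUG off passes this block unchecked. The DEBUG requirement belongs on the disabled branch, and because `assert` statements are removed under `python -O` it should be an explicit raise, e.g. `if SSO_DISABLED and not conf.settings.DEBUG: raise ImproperlyConfigured("SSO_DISABLED requires DEBUG")` with `django.core.exceptions.ImproperlyConfigured`. The bare `assert conf.settings.DEBUG` added in `SSOAuthConfig.ready()` in ssoauth/apps.py has the same `-O` weakness, so the guard against running without authentication should not depend on assertions in either place.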
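Review bot: `read_key` now has two outcomes for a missing file, and nothing in the hunk documents that callers may receive `None` instead of key text; a docstring such as `"""Return the file's text, or None if it is missing and SSO_DISABLED is set."""` would make that contract explicit. The `else:` after `return None` is redundant and the `raise` can be dedented. The function's `try:` opens above the hunk, so how the `None` is consumed by the OneLogin settings template is not visible here and should be checked.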
--- a/ssoauth/apps.py
+++ b/ssoauth/apps.py
@@ -13,9 +13,9 @@ class SSOAuthConfig(AppConfig):
 def ready(self, *args, **kwargs):
 super().ready(*args, **kwargs)
 # OneLogin settings stuff
- if app_settings.IDP_IGNORE:
- assert conf.settings.DEBUG, "And how should SSO work on production if you ignore the IDP?"
- logger.info("SSO will not work.")
+ if app_settings.SSO_DISABLED:
+ assert conf.settings.DEBUG
+ logger.debug("SSO is disabled.")
 else:
 try:
 app_settings.ONELOGIN_SETTINGS = sso_utils.create_onelogin_settings(app_settings.ONELOGIN_SETTINGS_TEMPLATE)
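Review bot: `logger.debug("SSO is disabled.")` lowers the message from info to debug, so at common log levels nothing records that authentication through the IdP is switched off; `logger.warning("SSO is disabled.")` would keep that state visible to operators. The `assert conf.settings.DEBUG` above it also lost its explanatory message, which makes a failed startup harder to diagnose; keep a message such as `assert conf.settings.DEBUG, "SSO_DISABLED is only allowed with DEBUG"`, or better an explicit raise. `ready()` continues past the end of the hunk.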