diff --git a/playbooks/common/status.yml b/playbooks/common/status.yml
new file mode 100644
index 0000000..a8e9f96
--- /dev/null
+++ b/playbooks/common/status.yml
@@ -0,0 +1,22 @@
+---
+
+- name: Retrieve current ReplicationController status
+ command: 'oc get rc -o json -n "{{ project }}"'
+ register: rc_state
+ changed_when: false
+
+- name: Parse the list of deployed ReplicationController
+ set_fact:
+ replication_controllers: '{{ rc_state.stdout |from_json |json_query(''items[? @.status.replicas && @.status.replicas != `0`].metadata.annotations."openshift.io/deployment-config.name"'') }}'
+ replication_controllers_status: '{{ rc_state.stdout |from_json |json_query(''items[? @.status.replicas && @.status.replicas != `0`].{"name": metadata.annotations."openshift.io/deployment-config.name", "status": status.readyReplicas}'') }}'
+
+
+- name: Retrieve current DeploymentConfig status
+ command: 'oc get dc -o json -n "{{ project }}"'
+ register: dc_state
+ changed_when: false
+
+- name: Parse the list of DeploymentConfig
+ set_fact:
+ deployment_configs: '{{ dc_state.stdout |from_json |json_query(''items[? metadata.generation > `1`].metadata.name'') }}'
+ deployment_configs_status: '{{ dc_state.stdout |from_json |json_query(''items[? metadata.generation > `1` ].{"name": metadata.name, "status": status.replicas}'') }}'
diff --git a/playbooks/common/wait_for.yml b/playbooks/common/wait_for.yml
new file mode 100644
index 0000000..f2b8bab
--- /dev/null
+++ b/playbooks/common/wait_for.yml
@@ -0,0 +1,9 @@
+---
+
+- name: Wait for all pending deployments to become ready
+ command: 'oc get rc -o json -n "{{ project }}"'
+ register: rc_state
+ changed_when: false
+ retries: "{{ retries }}"
+ delay: "{{ delay }}"
+ until: 'rc_state.stdout |from_json |json_query(''items[? status.replicas != `0` && (status.readyReplicas == ""|| status.readyReplicas == `0`) ].metadata.annotations."openshift.io/deployment-config.name"'') |intersect(pod_to_wait) |length == 0'
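Review bot: status.yml says nothing about what it expects from its caller: `project` has to be supplied by the including play, and the `json_query` filter used in both `set_fact` tasks needs the jmespath Python package on the controller, neither of which this commit records anywhere. A short header comment under the `---` would cover it, e.g. `# Snapshot of RC/DC state for a namespace; requires the variable 'project' and the jmespath library (json_query).` Nothing in this commit includes status.yml, so its intended caller is not apparent from the diff and is worth naming in the same comment. As a style point, the second `deployment_configs_status` filter has a stray space before `]` that the `deployment_configs` filter on the line above does not.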
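Review bot: In the `until:` expression, `status.readyReplicas == ""` does not compare against an empty string: in JMESPath double quotes delimit a quoted identifier, so `""` looks up a key with an empty name on the current item and evaluates to null. The test only succeeds because a missing `readyReplicas` also yields null, which is correct by accident and hard to read; comparing against the JSON literal null written between backticks, in the same way the hunk already writes the zero literal, states the intent directly. The three variables the task relies on (`retries`, `delay`, `pod_to_wait`) all come from the includer, so a header comment listing them would help the next reader. The name `pod_to_wait` is also misleading, since the list is intersected with DeploymentConfig names read from RC annotations rather than with pods.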
diff --git a/playbooks/configure-openshift-access-control.yml b/playbooks/configure-openshift-access-control.yml
index ff01173..d7e12d9 100644
--- a/playbooks/configure-openshift-access-control.yml
+++ b/playbooks/configure-openshift-access-control.yml
@@ -3,9 +3,17 @@ - name: Configure the OpenShift Access Control Layer hosts: itix become: yes + vars: + itix_sso_route: sso.{{ openshift_master_default_subdomain }} tasks: - name: Remove authenticated users the right to create projects command: oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth + - name: Nicolas can create projects + command: oc adm policy add-cluster-role-to-user self-provisioner nicolas.masse@itix.fr + - name: Give the monitoring rights to nicolas command: oc adm policy add-role-to-user view nicolas.masse@itix.fr -n openshift-metrics + + roles: + - { name: 'sso', tags: 'sso' }
diff --git a/roles/sso/defaults/main.yml b/roles/sso/defaults/main.yml
new file mode 100644
index 0000000..587d92d
--- /dev/null
+++ b/roles/sso/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+
+itix_sso_template: sso71-allinone
+itix_sso_project: sso
+itix_sso_realm: itix
+itix_sso_application_name: sso
+itix_sso_retries: 30
+itix_sso_delay: 5
diff --git a/roles/sso/tasks/main.yml b/roles/sso/tasks/main.yml
new file mode 100644
index 0000000..4b4b9ab
--- /dev/null
+++ b/roles/sso/tasks/main.yml
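Review bot: The play's new `vars:` block defines `itix_sso_route`, but the sso role's task file (the roles/sso/tasks/main.yml hunk) templates `itix_sso_hostname` into the `oc new-app` SSO_HOSTNAME parameter, and roles/sso/defaults/main.yml does not define that name either; unless it is set somewhere outside this commit, the role will stop on an undefined variable. Renaming the play variable to `itix_sso_hostname: "sso.{{ openshift_master_default_subdomain }}"` (quoted, as the value embeds a Jinja expression) would line the two up, assuming `itix_sso_route` is not consumed elsewhere. Separately, `roles:` is appended after `tasks:`, but Ansible runs a play's roles before its tasks regardless of key order, so the SSO deployment executes before the self-provisioner changes; moving `roles:` above `tasks:` makes the file read in execution order, or the policy tasks belong under `pre_tasks:` if they are meant to run first.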
@@ -0,0 +1,64 @@
+---
+
+- name: Get a list of existing projects
+ command: oc get projects -o name
+ register: oc_get_projects
+ changed_when: false
+
+- name: Create a new project for SSO
+ command: oc new-project "{{ itix_sso_project }}"
+ when: '"projects/" ~ itix_sso_project not in oc_get_projects.stdout_lines'
+
+- name: Query existing deploymentconfigs
+ command: oc get dc -n "{{ itix_sso_project }}" -o name -l "application={{ itix_sso_application_name }}"
+ register: oc_get_dc
+ changed_when: false
+
+- name: Deploy app if needed
+ set_fact:
+ deploy_needed: "{{ 'deploymentconfigs/' ~ itix_sso_application_name not in oc_get_dc.stdout_lines }}"
+
+- name: Process the OpenShift Template and create the OpenShift objects
+ command: oc new-app -n {{ itix_sso_project }} {{ itix_sso_template }} -p "SSO_HOSTNAME={{ itix_sso_hostname }}" -p "APPLICATION_NAME={{ itix_sso_application_name }}"
+ when: deploy_needed
+
+- name: Wait for OpenShift to create all objects
+ pause:
+ seconds: '{{ itix_sso_delay }}'
+ when: deploy_needed
+
+- include: common/wait_for.yml
+ static: no
+ vars:
+ pod_to_wait:
+ - sso
+ - sso-postgresql
+ delay: "{{ itix_sso_delay }}"
+ retries: "{{ itix_sso_retries }}"
+ project: "{{ itix_sso_project }}"
+ tags: status
+
+- name: Get Admin Username
+ command: oc get dc {{ itix_sso_application_name }} -n "{{ itix_sso_project }}" -o 'jsonpath={.spec.template.spec.containers[0].env[?(@.name=="SSO_ADMIN_USERNAME")].value}'
+ register: username
+ changed_when: false
+ tags: status
+
+- name: Get Admin Password
+ command: oc get dc {{ itix_sso_application_name }} -n "{{ itix_sso_project }}" -o 'jsonpath={.spec.template.spec.containers[0].env[?(@.name=="SSO_ADMIN_PASSWORD")].value}'
+ register: password
+ changed_when: false
+ tags: status
+
+- name: Get Route URL
+ command: oc get route {{ itix_sso_application_name }} -n "{{ itix_sso_project }}" -o 'jsonpath={.spec.host}'
+ register: route
+ changed_when: false
+ tags: status
+
+- set_fact:
+ sso_route_name: '{{ route.stdout }}'
+
+- name: SSO is ready !
+ debug: msg="Login on https://{{ sso_route_name }}/auth/admin with username = '{{ username.stdout }}' and password = '{{ password.stdout }}'"
+ tags: status
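Review bot: The "Get Admin Password" task registers the SSO admin password without `no_log: true`, and the final `debug:` task prints it in clear text, so the credential ends up in the Ansible output and in any CI or terminal log that captures it. Add `no_log: true` to the password task and take the secret out of the message, e.g. `debug: msg="Login on https://{{ sso_route_name }}/auth/admin with username = '{{ username.stdout }}' (password: SSO_ADMIN_PASSWORD env of the dc)"`; the operator can read it from the DeploymentConfig when needed instead of it being broadcast on every run. The `pause` and `include` tasks, `deploy_needed`, and the `oc get` queries would also benefit from a one-line comment each on why they exist (the pause in particular has no stated rationale beyond its name). If the target Ansible is 2.4 or newer, `include:` with `static: no` is deprecated in favour of `include_tasks:`; I cannot tell the targeted version from this diff.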