diff --git a/README.md b/README.md
index dd25f2b..1c0e895 100644
--- a/README.md
+++ b/README.md
@@ -8,12 +8,13 @@ PaaS - creates easily deployable declarative web applications with (moslty) file
 * Frontend niceties such chosen.js, datatables.js and lightbox.js - but apps should still work without JS.
 * Off-request worker based on a file-system persistence and streaming intermediary results (if js is supported, or upon refresh)
 * Whooshalchemy search
+* SSO Sign in through [pi2-sso]()
 * Installation with gunicorn, generates nginx config and letsencrypt certificate
 * Based on [Flask](), [Sqlalchemy](), [TWW](https://gitlab.com/pisquared/tww) and others
 
 
 ## TODO
-* [ ] [list] pagination of many items
+* [X] [list] pagination of many items
 * [ ] [prod_install] Download sensitive prompt
 * [ ] [vm_gen] Auto generate dependency graph for `view_models/_process_order`
 * [ ] [auto_dns] Start and test `auto_dns.service`
diff --git a/bootstrap/config.py b/bootstrap/config.py
index d31d234..1283a33 100644
--- a/bootstrap/config.py
+++ b/bootstrap/config.py
@@ -26,3 +26,5 @@ MAKEDIRS = [
 
 APP_BASE_URL = "http://localhost:5000"
 SECURITY_ENABLED = True
+SSO_BASE_URL = 'https://sso.localhost:5008'
+SSO_CLIENT_ID = APP_BASE_URL
diff --git a/bootstrap/sensitive_dev.py b/bootstrap/sensitive_dev.py
index b2c3864..180cf69 100644
--- a/bootstrap/sensitive_dev.py
+++ b/bootstrap/sensitive_dev.py
@@ -1,2 +1,2 @@
 SSO_CLIENT_ID = '123456'
-SSO_CLIENT_SECRET = 'secret'
\ No newline at end of file
+SSO_CLIENT_SECRET = 'secret'
diff --git a/bootstrap/webapp/templates/navigation.html b/bootstrap/webapp/templates/navigation.html
index 5e36469..a32d1a1 100644
--- a/bootstrap/webapp/templates/navigation.html
+++ b/bootstrap/webapp/templates/navigation.html
@@ -1,9 +1,8 @@
-<a href="{{ url_for('home') }}">{{ _("Home") }}</a> |
 <div class="pull-right">
     {% if current_user.is_authenticated %}
-        <a href="#">{{ current_user.email }}</a> |
+        <a href="{{ config.SSO_BASE_URL }}">{{ current_user.username }}</a> |
         <a href="{{ url_for('security.logout') }}">{{ _("Logout") }}</a> |
     {% else %}
-        <a href="{{ url_for('security.login') }}">{{ _("SSO Login") }}</a> |
+        <a href="{{ url_for('security.login') }}">{{ _("Login SSO") }}</a>
     {% endif %}
 </div>
\ No newline at end of file
diff --git a/oshipka/webapp/default_routes.py b/oshipka/webapp/default_routes.py
index 9372f0a..f313440 100644
--- a/oshipka/webapp/default_routes.py
+++ b/oshipka/webapp/default_routes.py
@@ -6,8 +6,8 @@ from flask_security import login_user
 
 from oshipka.util.strings import random_string_generator
 from oshipka.webapp import oshipka_bp, app
-from config import MEDIA_DIR, APP_BASE_URL, SECURITY_ENABLED
-from sensitive import SSO_CLIENT_ID, SSO_CLIENT_SECRET
+from config import MEDIA_DIR, APP_BASE_URL, SECURITY_ENABLED, SSO_BASE_URL, SSO_CLIENT_ID
+from sensitive import SSO_CLIENT_SECRET
 
 
 # TODO: VULNZ - EVERYONE HAS ACCESS TO THIS
@@ -15,9 +15,11 @@ from sensitive import SSO_CLIENT_ID, SSO_CLIENT_SECRET
 def get_media(filepath):
     return send_from_directory(MEDIA_DIR, filepath)
 
+
 if SECURITY_ENABLED:
     from oshipka.persistance import User, db
-    SSO_BASE_URL = 'http://sso.localhost:5008'
+    app.config['SSO_BASE_URL'] = SSO_BASE_URL
+
     SSO_AUTH_URL = '/oidc/auth'
     SSO_TOKEN_URL = '/oidc/token'
     SSO_USERINFO_URL = "/endpoints/userinfo"
@@ -27,7 +29,7 @@ if SECURITY_ENABLED:
     @oshipka_bp.route('/sso')
     def sso():
         callback_url = APP_BASE_URL + url_for('oshipka_bp.oidc_callback')
-        state = request.referrer or url_for('home')
+        state = request.referrer or url_for('home') + "|" + random_string_generator()
         session['oidc_state'] = state
         params = urllib.parse.urlencode({
             'redirect_uri': callback_url,
@@ -58,6 +60,7 @@ if SECURITY_ENABLED:
                 'client_secret': SSO_CLIENT_SECRET,
                 'grant_type': 'authorization_code'
             },
+            verify=False,
         )
         if response.status_code == 200:
             response_json = response.json()
@@ -67,6 +70,7 @@ if SECURITY_ENABLED:
                 headers={
                     'Authorization': "Bearer {}".format(access_token)
                 },
+                verify=False,
             )
             if response.status_code == 200:
                 response_json = response.json()
@@ -74,12 +78,12 @@ if SECURITY_ENABLED:
                 user = User.query.filter_by(username=username).first()
                 redirect_uri = url_for('home')
                 if not user:
-                    user = User(username=username)
+                    user = User(username=username, token=access_token)
                     db.session.add(user)
                     db.session.commit()
                 login_user(user)
                 if 'oidc_state' in session:
-                    redirect_uri = session['oidc_state']
+                    redirect_uri = session['oidc_state'].split('|')[0] or url_for('home')
                     del session['oidc_state']
                 return redirect(redirect_uri)
-        return response.json()
+        return response.text
diff --git a/vm_gen/templates/html/navigation.html b/vm_gen/templates/html/navigation.html
index 07660e8..cdd5214 100644
--- a/vm_gen/templates/html/navigation.html
+++ b/vm_gen/templates/html/navigation.html
@@ -11,7 +11,7 @@
 
 <div class="pull-right">
     {% if current_user.is_authenticated %}
-        <a href="#">{{ current_user.username }}</a> |
+        <a href="{{ config.SSO_BASE_URL }}">{{ current_user.username }}</a> |
         <a href="{{ url_for('security.logout') }}">{{ _("Logout") }}</a> |
     {% else %}
         <a href="{{ url_for('security.login') }}">{{ _("Login SSO") }}</a>