diff --git a/extensions/idp/pkg/config/config.go b/extensions/idp/pkg/config/config.go
index 83bd84554..4979fb0f3 100644
--- a/extensions/idp/pkg/config/config.go
+++ b/extensions/idp/pkg/config/config.go
@@ -27,7 +27,8 @@ type Config struct {
 // Ldap defines the available LDAP configuration.
 type Ldap struct {
- URI string `yaml:"uri" env:"LDAP_URI;IDP_LDAP_URI"`
+ URI string `yaml:"uri" env:"LDAP_URI;IDP_LDAP_URI"`
+ TLSCACert string `yaml:"cacert" env:"LDAP_CACERT;IDP_LDAP_TLS_CACERT"`
 BindDN string `yaml:"bind_dn" env:"LDAP_BIND_DN;IDP_LDAP_BIND_DN"`
 BindPassword string `yaml:"bind_password" env:"LDAP_BIND_PASSWORD;IDP_LDAP_BIND_PASSWORD"`
diff --git a/extensions/idp/pkg/config/defaults/defaultconfig.go b/extensions/idp/pkg/config/defaults/defaultconfig.go
index fe328b2bb..d9b68fb50 100644
--- a/extensions/idp/pkg/config/defaults/defaultconfig.go
+++ b/extensions/idp/pkg/config/defaults/defaultconfig.go
@@ -42,7 +42,7 @@ func DefaultConfig() *config.Config {
 SignedOutURI: "",
 AuthorizationEndpointURI: "",
 EndsessionEndpointURI: "",
- Insecure: true,
+ Insecure: false,
 TrustedProxy: nil,
 AllowScope: nil,
 AllowClientGuests: false,
@@ -69,6 +69,7 @@ func DefaultConfig() *config.Config {
 },
 Ldap: config.Ldap{
 URI: "ldaps://localhost:9235",
+ TLSCACert: path.Join(defaults.BaseDataPath(), "idm", "ldap.crt"),
 BindDN: "uid=idp,ou=sysusers,o=libregraph-idm",
 BindPassword: "idp",
 BaseDN: "ou=users,o=libregraph-idm",
diff --git a/extensions/idp/pkg/service/v0/service.go b/extensions/idp/pkg/service/v0/service.go
index 71270f0c4..1b1a8bf1d 100644
--- a/extensions/idp/pkg/service/v0/service.go
+++ b/extensions/idp/pkg/service/v0/service.go
@@ -142,6 +142,10 @@ func initLicoInternalEnvVars(ldap *config.Ldap) error {
 "LDAP_FILTER": filter,
 }
+ if ldap.TLSCACert != "" {
+ defaults["LDAP_TLS_CACERT"] = ldap.TLSCACert
+ }
+
 for k, v := range defaults {
 if err := os.Setenv(k, v); err != nil {
 return fmt.Errorf("could not set env var %s=%s", k, v)
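Review bot: The new `TLSCACert` field on `Ldap` has no doc comment, and its three names disagree with each other (yaml `cacert`, env `LDAP_CACERT`, env `IDP_LDAP_TLS_CACERT`) while every sibling field keeps them aligned (`uri` / `LDAP_URI` / `IDP_LDAP_URI`). Since this file is what operators read to find the setting, I would document it with `// TLSCACert is the path of a CA certificate file; when non-empty the service exports it to the embedded IdP as LDAP_TLS_CACERT.` and consider `env:"LDAP_TLS_CACERT;IDP_LDAP_TLS_CACERT"` so the env name matches what is exported. Whether the file is the trust anchor for the ldaps connection once `Insecure` is false is my reading of the other hunks in this commit, so confirm before wording the comment that strongly. The `Ldap` struct continues past the end of this hunk.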
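Review bot: The new `TLSCACert` default builds a filesystem path with `path.Join`, which always emits forward slashes; `filepath.Join(defaults.BaseDataPath(), "idm", "ldap.crt")` is the OS-correct form and needs `path/filepath` imported in place of (or alongside) `path`, which I cannot see from the hunk. This default is also coupled to the `Insecure: false` flip in the previous hunk of this file: with verification on, the connection to `ldaps://localhost:9235` presumably only succeeds if that file exists and matches the certificate the bundled idm serves, and a deployment that overrides `URI` to an external directory but leaves `TLSCACert` untouched still exports the idm path. A comment on the new line would make that explicit, e.g. `// CA written by the bundled idm (assumption: idm stores ldap.crt here); override together with URI for an external LDAP server.`. `DefaultConfig` starts and ends outside both hunks.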
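Review bot: The `Setenv` error path at the end of the hunk formats the value `v` into the returned error for every key, so if `defaults` also carries `LDAP_BIND_PASSWORD` (the `Ldap` struct has a `BindPassword` field; the map's earlier entries are outside the hunk) a failing `Setenv` would copy the bind password into whatever logs the error, and the underlying `err` is discarded instead of wrapped. Suggest `return fmt.Errorf("could not set env var %s: %w", k, err)`. The added guard is correct as written; a short why-comment such as `// only export LDAP_TLS_CACERT when configured so lico is not handed an empty path` would help the next reader. `initLicoInternalEnvVars` begins before this hunk.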
diff --git a/ocis/pkg/runtime/service/service.go b/ocis/pkg/runtime/service/service.go
index 7215d8098..f791543a4 100644
--- a/ocis/pkg/runtime/service/service.go
+++ b/ocis/pkg/runtime/service/service.go
@@ -112,7 +112,6 @@ func NewService(options ...Option) (*Service, error) {
 s.ServicesRegistry["glauth"] = glauth.NewSutureService
 s.ServicesRegistry["graph"] = graph.NewSutureService
 s.ServicesRegistry["graph-explorer"] = graphExplorer.NewSutureService
- s.ServicesRegistry["idp"] = idp.NewSutureService
 s.ServicesRegistry["idm"] = idm.NewSutureService
 s.ServicesRegistry["ocs"] = ocs.NewSutureService
 s.ServicesRegistry["store"] = store.NewSutureService
@@ -137,6 +136,7 @@ func NewService(options ...Option) (*Service, error) {
 s.Delayed["accounts"] = accounts.NewSutureService
 s.Delayed["proxy"] = proxy.NewSutureService
 s.Delayed["ocdav"] = ocdav.NewOCDav
+ s.Delayed["idp"] = idp.NewSutureService
 return s, nil
 }
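Review bot: Moving `idp` into `s.Delayed` encodes a start-order dependency without saying what it is; a comment on the new line such as `// idp must start after idm: its default TLSCACert points at the certificate under the idm data directory` would keep the intent recoverable (the dependency is my reading of the defaultconfig.go hunk in this commit, so confirm). A delay alone does not guarantee idm has written that certificate before idp reads it, so if start-up on a slow host is ever observed to fail on the CA file, a readiness check inside the idp service would be the robust fix rather than a longer delay. `NewService` begins before this hunk.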