diff --git a/app/controllers/users/omniauth_callbacks_controller.rb b/app/controllers/users/omniauth_callbacks_controller.rb
index 924bb342973e83ac00a53f4024484c79aeac8c96..7a909aca6d9d195c7f0b56d872d8a940b599ead8 100644
--- a/app/controllers/users/omniauth_callbacks_controller.rb
+++ b/app/controllers/users/omniauth_callbacks_controller.rb
@@ -1,9 +1,4 @@
 class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
-  # include Users::AddBrandToRequestParams
-  # include Users::LayoutChoice
-  # include I18nHelper
-
-
   protect_from_forgery except: :saml
   before_action :redirect_unless_university_has_sso
   skip_before_action :verify_authenticity_token, only: :saml
@@ -23,9 +18,9 @@ class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
   def saml_setup
     # SAML config is stored in current brand
     request.env['omniauth.strategy'].options[:issuer] = "#{user_saml_omniauth_authorize_url}/metadata"
-    request.env['omniauth.strategy'].options[:idp_sso_target_url] = current_university.sso_target_url
-    request.env['omniauth.strategy'].options[:idp_cert] = current_university.sso_cert
-    request.env['omniauth.strategy'].options[:name_identifier_format] = current_university.sso_name_identifier_format
+    request.env['omniauth.strategy'].options[:idp_sso_target_url] = current_context.sso_target_url
+    request.env['omniauth.strategy'].options[:idp_cert] = current_context.sso_cert
+    request.env['omniauth.strategy'].options[:name_identifier_format] = current_context.sso_name_identifier_format
 
     render plain: "Omniauth SAML setup phase.", status: 404
   end
@@ -33,7 +28,7 @@ class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
   private
 
   def manage_user(user_infos)
-    @user = User.from_omniauth(current_university, user_infos)
+    @user = User.from_omniauth(current_context, user_infos)
 
     if @user&.persisted?
       @user.remember_me = true
@@ -45,6 +40,6 @@ class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
   end
 
   def redirect_unless_university_has_sso
-    redirect_to root_path and return unless current_university.has_sso?
+    redirect_to root_path and return unless current_context.has_sso?
   end
 end
diff --git a/app/models/university/with_sso.rb b/app/models/university/with_sso.rb
index 91ef0d463e0143666a8bdaf6deff7b936dc8b30e..906beb0f271d919baa1bfc5c061c028148b7e94b 100644
--- a/app/models/university/with_sso.rb
+++ b/app/models/university/with_sso.rb
@@ -18,6 +18,28 @@ module University::WithSso
     super(value)
   end
 
+  def sso_cert
+    sso_inherit_from_university? ? university.sso_cert : @sso_cert
+  end
+
+  def sso_mapping
+    sso_inherit_from_university? ? university.sso_mapping : @sso_mapping
+  end
+
+  def sso_name_identifier_format
+    sso_inherit_from_university? ? university.sso_name_identifier_format : @sso_name_identifier_format
+  end
+
+  def sso_provider
+    sso_inherit_from_university? ? university.sso_provider : @sso_provider
+  end
+
+  def sso_target_url
+    sso_inherit_from_university? ? university.sso_target_url : @sso_target_url
+  end
+
+  private
+
   def sso_mapping_should_have_email
     errors.add(:sso_mapping, :missing_email) unless (sso_mapping || []).detect { |sso_item| sso_item['internal_key'] == 'email' }
   end
diff --git a/app/models/user/with_omniauth.rb b/app/models/user/with_omniauth.rb
index 64ba7ddc5433e77746467b4deb1b35c2d82f0089..f57b43c5ab853059c2a06ebf2df7e09b27a532a4 100644
--- a/app/models/user/with_omniauth.rb
+++ b/app/models/user/with_omniauth.rb
@@ -3,8 +3,9 @@ module User::WithOmniauth
 
   included do
 
-    def self.from_omniauth(university, attributes)
-      mapping = university.sso_mapping || []
+    def self.from_omniauth(context, attributes)
+      mapping = context.sso_mapping || []
+      university = context.is_a?(University) ? context : context.university
 
       # first step: we find the email (we are supposed to have an email mapping)
       email = get_email_from_mapping(mapping, attributes)
@@ -12,6 +13,7 @@ module User::WithOmniauth
 
       user = User.where(university: university, email: email.downcase).first_or_create do |u|
         u.password = "#{Devise.friendly_token[0,20]}!" # meets password complexity requirements
+        u.registration_context = context
       end
 
       # update user data according to mapping & infos provided by SSO