diff --git a/manifests/edusign/app.pp b/manifests/edusign/app.pp
index a09fe0a7..46efeae1 100644
--- a/manifests/edusign/app.pp
+++ b/manifests/edusign/app.pp
@@ -32,14 +32,16 @@
 image => 'docker.sunet.se/edusign-sp',
 imagetag => $version,
 hostname => $facts['networking']['fqdn'],
- volumes => ['/var/log:/var/log','/etc/ssl:/etc/ssl','/etc/dehydrated:/etc/dehydrated','/etc/metadata:/etc/metadata:ro','/etc/edusign:/etc/edusign:ro'],
+ volumes => ['/var/log:/var/log','/etc/ssl:/etc/ssl','/etc/dehydrated:/etc/dehydrated','/etc/metadata:/etc/metadata:ro','/etc/edusign:/etc/edusign:ro', '/var/run/md-signer2.crt:/etc/shibboleth/md-signer2.crt:ro'],
 env => ['METADATA_FILE=/etc/metadata/swamid-idp-transitive.xml',
 "SP_HOSTNAME=${_host}",
 'BACKEND_HOST=edusign-app.docker',
 'MAX_FILE_SIZE=20M',
 'ACMEPROXY=acme-c.sunet.se',
 'DISCO_URL=https://service.seamlessaccess.org/ds',
- "MULTISIGN_BUTTONS=${invites}"],
+ "MULTISIGN_BUTTONS=${invites}",
+ 'MDQ_BASE_URL=https://mds.swamid.se/',
+ 'MDQ_SIGNER_CERT=/etc/shibboleth/md-signer2.crt'],
 depends => ['edusign-app'],
 ports => ['443:443','80:80']
 }
diff --git a/manifests/edusign/validator.pp b/manifests/edusign/validator.pp
new file mode 100644
index 00000000..707eba93
--- /dev/null
+++ b/manifests/edusign/validator.pp
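Review bot: The new volume entry bind-mounts `/var/run/md-signer2.crt` as the trust anchor named by `MDQ_SIGNER_CERT`, but nothing in this commit provisions that host file, and `/var/run` is typically a tmpfs that is emptied on reboot. If the host path is absent when the container is created, Docker creates an empty directory in its place, so MDQ metadata-signature verification would fail at runtime (or, depending on how the SP treats an unreadable anchor, degrade) instead of erroring at deploy time. Consider managing the certificate with a `file` resource under a persistent path such as `/etc/edusign` (already mounted `:ro`) and having the `sunet::docker_run` require it; at minimum add a comment on the volume line such as `# md-signer2.crt is provisioned by <PLACEHOLDER: provisioning step>; MDQ metadata cannot be verified without it`. The enclosing `sunet::docker_run` resource starts before this hunk.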
@@ -0,0 +1,35 @@
+# For edusign validator service
+class sunet::edusign::validator($version='1.0.2', $host=undef, $ensure='present') {
+ $_host = $host ? {
+ undef => $facts['networking']['fqdn'],
+ default => $host
+ }
+ $pkcs11pin = safe_hiera('pkcs11pin')
+ sunet::docker_run{'sigval':
+ ensure => $ensure,
+ image => 'docker.sunet.se/sigval',
+ imagetag => $version,
+ hostname => $facts['networking']['fqdn'],
+ ports => ['443:8443'],
+ volumes => ['/var/log:/var/log',
+ '/etc/ssl:/etc/ssl',
+ '/etc/Chrystoki.conf.d:/etc/Chrystoki.conf.d',
+ '/etc/luna/cert:/usr/safenet/lunaclient/cert',
+ '/etc/localtime:/etc/localtime:ro',
+ '/etc/sigval:/etc/sigval'],
+ env => ['SPRING_CONFIG_ADDITIONAL_LOCATION=/etc/sigval/',
+ "SIGVAL_SERVICE_PKCS11_PIN=${pkcs11pin}",
+ 'TZ=Europe/Stockholm',
+ "TOMCAT_TLS_SERVER_KEY=/etc/ssl/private/${facts['networking']['fqdn']}_infra.key",
+ "TOMCAT_TLS_SERVER_CERTIFICATE=/etc/ssl/certs/${facts['networking']['fqdn']}_infra.crt",
+ 'TOMCAT_TLS_SERVER_CERTIFICATE_CHAIN=/etc/ssl/certs/infra.crt']
+ }
+
+ if $facts['sunet_nftables_opt_in'] == 'yes' or ( $facts['os']['name'] == 'Ubuntu' and versioncmp($facts['os']['release']['full'], '22.04') >= 0 ) {
+ sunet::nftables::docker_expose { 'signapi' :
+ allow_clients => ['130.242.125.110/32', '130.242.125.140/32'],
+ port => '443',
+ iif => $facts['interface_default'],
+ }
+ }
+}
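Review bot: The HSM PIN from `safe_hiera('pkcs11pin')` is handed to the container as the environment variable `SIGVAL_SERVICE_PKCS11_PIN`, which exposes it through `docker inspect`, through `/proc/<pid>/environ` of every process in the container running as the same user, and through whatever unit file or command line `sunet::docker_run` generates (not visible here). Since `/etc/sigval` is already mounted and Spring reads it via `SPRING_CONFIG_ADDITIONAL_LOCATION`, the PIN could instead be written by a `file` resource with `mode => '0600'` into a config file there and the env entry dropped; wrapping the value in `Sensitive(...)` would additionally keep it out of Puppet catalogs and reports, provided `sunet::docker_run` accepts it. Separately, `/etc/sigval` is mounted read-write while the sibling `app.pp` mounts its config `:ro`; `'/etc/sigval:/etc/sigval:ro'],` would be consistent unless the service needs to write there. The class is complete within this hunk.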