diff --git a/ee/api/chalicelib/utils/SAML2_helper.py b/ee/api/chalicelib/utils/SAML2_helper.py
index 6a1ee4eca..86a6c4683 100644
--- a/ee/api/chalicelib/utils/SAML2_helper.py
+++ b/ee/api/chalicelib/utils/SAML2_helper.py
@@ -12,11 +12,11 @@ SAML2 = {
 "sp": {
 "entityId": config("SITE_URL") + "/api/sso/saml2/metadata/",
 "assertionConsumerService": {
- "url": config("SITE_URL") + "/api/sso/saml2/acs",
+ "url": config("SITE_URL") + "/api/sso/saml2/acs/",
 "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
 },
 "singleLogoutService": {
- "url": config("SITE_URL") + "/api/sso/saml2/sls",
+ "url": config("SITE_URL") + "/api/sso/saml2/sls/",
 "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
 },
 "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
@@ -25,6 +25,12 @@ SAML2 = {
 },
 "idp": None
 }
+
+ # in case tenantKey is included in the URL
+ sp_acs = config("idp_sp_tk", default="")
+ if sp_acs is not None and len(sp_acs) > 0:
+ SAML2["sp"]["assertionConsumerService"]["url"] += sp_acs + "/"
+
 idp = None
 # SAML2 config handler
 if config("SAML2_MD_URL", default=None) is not None and len(config("SAML2_MD_URL")) > 0:
@@ -60,12 +66,9 @@ else:
 def init_saml_auth(req):
 # auth = OneLogin_Saml2_Auth(req, custom_base_path=environ['SAML_PATH'])
-
 if idp is None:
 raise Exception("No SAML2 config provided")
- auth = OneLogin_Saml2_Auth(req, old_settings=SAML2)
-
- return auth
+ return OneLogin_Saml2_Auth(req, old_settings=SAML2)
 async def prepare_request(request: Request):
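Review bot: The ACS and SLS URLs now end in `/`, which changes the value this SP publishes in its metadata and, together with the `prepare_request` change in this same commit (which always appends `/` to the request path), the URL an incoming assertion's Destination is compared against; as I read python3-saml's strict mode, an IdP still registered with the old slash-less `.../acs` will stop validating until it is re-registered, which deserves a release note or a startup warning. The routers accepting both spellings (the saml.py hunks) do not help here, because that SAML-level comparison is on the exact string. A one-line comment above the `assertionConsumerService` entry would stop the next person from "fixing" it: `# trailing slash is intentional: must match prepare_request() and the ACS URL registered at the IdP`.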
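Review bot: In the new module-level block, `if sp_acs is not None and len(sp_acs) > 0:` carries a dead `is not None` test, since `config("idp_sp_tk", default="")` never yields `None`; `if sp_acs:` says the same. More importantly the value is spliced into the published ACS URL unvalidated at import time, so a setting with a leading or trailing `/`, whitespace or other URL-reserved characters yields a URL that never matches the `/sso/saml2/acs/{tenantKey}/` route and fails silently at the IdP; `sp_acs = config("idp_sp_tk", default="").strip("/")` plus `if sp_acs:` covers the common slip, and a stricter character check would mirror what the route's `tenantKey` segment can carry. A comment tying the two together would also help: `# must equal the tenantKey segment accepted by /sso/saml2/acs/{tenantKey}/`.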
@@ -87,16 +90,14 @@ async def prepare_request(request: Request):
 # If server is behind proxys or balancers use the HTTP_X_FORWARDED fields
 headers = request.headers
 proto = headers.get('x-forwarded-proto', 'http')
+ if headers.get('x-forwarded-proto') is not None:
+ print(f"x-forwarded-proto: {proto}")
 url_data = urlparse('%s://%s' % (proto, headers['host']))
 path = request.url.path
- # remove / from the /acs/
- if path.endswith("/"):
- path = path[:-1]
- # remove /{tenantKey} from /acs/{tenantKey}
- if not path.endswith("/acs"):
- parts = path.split("/")
- if len(parts) > 2 and parts[-2] == "acs":
- path = "/".join(parts[:-1])
+ # add / to /acs
+ if not path.endswith("/"):
+ path = path + '/'
+
 return {
 'https': 'on' if proto == 'https' else 'off',
 'http_host': request.headers['host'],
diff --git a/ee/api/routers/saml.py b/ee/api/routers/saml.py
index 117960b50..ee0f0333b 100644
--- a/ee/api/routers/saml.py
+++ b/ee/api/routers/saml.py
@@ -16,6 +16,7 @@ from starlette import status
 @public_app.get("/sso/saml2", tags=["saml2"])
+@public_app.get("/sso/saml2/", tags=["saml2"])
 async def start_sso(request: Request):
 request.path = ''
 req = await prepare_request(request=request)
@@ -25,6 +26,7 @@ async def start_sso(request: Request):
 @public_app.post('/sso/saml2/acs', tags=["saml2"])
+@public_app.post('/sso/saml2/acs/', tags=["saml2"])
 async def process_sso_assertion(request: Request):
 req = await prepare_request(request=request)
 session = req["cookie"]["session"]
@@ -111,11 +113,9 @@ async def process_sso_assertion(request: Request):
 @public_app.post('/sso/saml2/acs/{tenantKey}', tags=["saml2"])
+@public_app.post('/sso/saml2/acs/{tenantKey}/', tags=["saml2"])
 async def process_sso_assertion_tk(tenantKey: str, request: Request):
 req = await prepare_request(request=request)
- print("------------")
- print(req)
- print("------------")
 session = req["cookie"]["session"]
 auth = init_saml_auth(req)
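Review bot: The new `print(f"x-forwarded-proto: {proto}")` in `prepare_request` writes a client-suppliable header value straight to stdout on every request that carries it; prefer the module logger at debug level, `logger.debug("x-forwarded-proto: %s", proto)` (assuming a `logging.getLogger(__name__)` exists in this module, which I cannot see from the hunk), or drop the line before merge. The value being printed is also the one that drives the `'https'` entry of the returned dict, and the context line above takes it from `x-forwarded-proto` with no check that the request came through a trusted proxy; that is pre-existing, but since this commit is touching the spot, a comment stating the deployment assumption would help: `# trusts x-forwarded-proto: only valid behind a proxy that overwrites this header`. `prepare_request` continues past the end of this hunk, so I cannot tell whether the slash-appended `path` is consumed by anything other than the returned dict.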
@@ -196,6 +196,7 @@ async def process_sso_assertion_tk(tenantKey: str, request: Request):
 @public_app.get('/sso/saml2/sls', tags=["saml2"])
+@public_app.get('/sso/saml2/sls/', tags=["saml2"])
 async def process_sls_assertion(request: Request):
 req = await prepare_request(request=request)
 session = req["cookie"]["session"]
@@ -230,8 +231,8 @@ async def process_sls_assertion(request: Request):
 return RedirectResponse(url=config("SITE_URL"))
-@public_app.get('/sso/saml2/metadata/', tags=["saml2"])
 @public_app.get('/sso/saml2/metadata', tags=["saml2"])
+@public_app.get('/sso/saml2/metadata/', tags=["saml2"])
 async def saml2_metadata(request: Request):
 req = await prepare_request(request=request)
 auth = init_saml_auth(req)
diff --git a/scripts/helm/app/chalice.yaml b/scripts/helm/app/chalice.yaml
index fcbea8ed6..09d015401 100644
--- a/scripts/helm/app/chalice.yaml
+++ b/scripts/helm/app/chalice.yaml
@@ -64,5 +64,6 @@ env:
 idp_x509cert: ''
 idp_sls_url: ''
 idp_name: ''
+ idp_sp_tk: ''
 assist_secret: ''
 iceServers: ''
diff --git a/scripts/helmcharts/openreplay/charts/chalice/values.yaml b/scripts/helmcharts/openreplay/charts/chalice/values.yaml
index e5c579739..8e0080746 100644
--- a/scripts/helmcharts/openreplay/charts/chalice/values.yaml
+++ b/scripts/helmcharts/openreplay/charts/chalice/values.yaml
@@ -94,6 +94,7 @@ env:
 idp_x509cert: ''
 idp_sls_url: ''
 idp_name: ''
+ idp_sp_tk: ''
 assist_secret: ''
 iceServers: ''
diff --git a/scripts/helmcharts/vars.yaml b/scripts/helmcharts/vars.yaml
index e8ef20bf7..12b4971f8 100644
--- a/scripts/helmcharts/vars.yaml
+++ b/scripts/helmcharts/vars.yaml
@@ -73,6 +73,7 @@ chalice:
 # idp_x509cert: ''
 # idp_sls_url: ''
 # idp_name: ''
+ # idp_sp_tk: ''
 # If you want to override something