diff --git a/ansible/inventories/production/hosts.ini b/ansible/inventories/production/hosts.ini index 73f2170..b37625b 100644 --- a/ansible/inventories/production/hosts.ini +++ b/ansible/inventories/production/hosts.ini @@ -9,9 +9,6 @@ ipaserver ipareplicas ipaclients -[ipsilon] -idp001 ansible_host=10.100.x.x - # Playbook and role specific inventory hosts and groups [ipaserver] ipa001 ansible_host=10.100.1.110 @@ -22,3 +19,6 @@ ipa002 ansible_host=10.100.1.111 [ipaclients] build-a-box ansible_host=10.100.1.112 +[ipsilon] +idp001 ansible_host=10.100.x.x + diff --git a/ansible/playbooks/role-rocky-ipsilon.yml b/ansible/playbooks/role-rocky-ipsilon.yml new file mode 100644 index 0000000..4e84dba --- /dev/null +++ b/ansible/playbooks/role-rocky-ipsilon.yml 
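Review bot: On the new side `idp001 ansible_host=10.100.x.x` still carries a placeholder rather than an address, so the `[ipsilon]` group this commit moves to the end of the inventory cannot be reached by the new playbook that targets `hosts: ipsilon`. If the value is deliberately masked for a public repository, a comment such as `# ansible_host masked for the public mirror; real value kept in the private inventory` would say so; otherwise the real entry is needed before the playbook is runnable.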
@@ -0,0 +1,51 @@ +--- +# Stands up an ipsilon instance for simple SSO +- name: Configure ipsilon server + hosts: ipsilon + become: true + vars_files: + - vars/encpass.yml + + # This is to try to avoid the handler issue in pre/post tasks + handlers: + - include: handlers/main.yml + + pre_tasks: + - name: Check if ansible cannot be run here + stat: + path: /etc/no-ansible + register: no_ansible + + - name: Verify if we can run ansible + assert: + that: + - "not no_ansible.stat.exists" + msg: "/etc/no-ansible exists - skipping run on this node" + + - name: Install arrfab ipsilon repo + yum_repository: + name: copr:copr.fedorainfracloud.org:arrfab:noggin + description: Copr repo for noggin owned by arrfab + file: copr_repos + baseurl: https://download.copr.fedorainfracloud.org/results/arrfab/noggin/epel-8-$basearch/ + gpgcheck: true + gpgkey: https://download.copr.fedorainfracloud.org/results/arrfab/noggin/pubkey.gpg + enabled: true + + roles: + - role: rockylinux.ipsilon + state: present + + post_tasks: + - name: Touching run file that ansible has ran here + file: + path: /var/log/ansible.run + state: touch + mode: '0644' + owner: root + group: root + + - name: "Turn on reverse zone syncing" + freeipa.ansible_freeipa.ipadnsconfig: + ipaadmin_password: '{{ ipaadmin_password }}' + allow_sync_ptr: true diff --git a/ansible/playbooks/vars/encpass.yml b/ansible/playbooks/vars/encpass.yml index f5c59c1..fdceed4 100644 --- a/ansible/playbooks/vars/encpass.yml +++ b/ansible/playbooks/vars/encpass.yml @@ -6,3 +6,6 @@ ipaadmin_password: !vault | ipadm_password: !vault | $ANSIBLE_VAULT;1.1;AES256 REDACTED +ipsilon_db_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + REDACTED diff --git a/ansible/roles/requirements.yml b/ansible/roles/requirements.yml index f0aad2c..3c52e46 100644 --- a/ansible/roles/requirements.yml +++ b/ansible/roles/requirements.yml 
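Review bot: The post_task `Turn on reverse zone syncing` runs `freeipa.ansible_freeipa.ipadnsconfig` with `ipaadmin_password` against the `ipsilon` hosts, which reads like a leftover from an IPA server playbook: it hands the IPA admin credential to a host that only needs SSO configured, and the module presumably fails unless that host is an IPA server with the `freeipa.ansible_freeipa` collection installed. Dropping the task, or moving it to the playbook that manages the IPA servers, keeps the admin secret off the ipsilon box. Separately, `handlers: - include: handlers/main.yml` relies on the legacy `include` action, which ansible-core has deprecated and removed in recent releases; `import_tasks: handlers/main.yml` is the supported replacement. The pre_task named `Install arrfab ipsilon repo` actually enables the `arrfab:noggin` Copr with the description `Copr repo for noggin`; if that repo is indeed where the ipsilon packages come from, a comment like `# ipsilon builds are published from arrfab's noggin Copr` would stop the next reader from treating the mismatch as a bug.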
@@ -5,6 +5,9 @@ roles: # monitoring - name: cloudalchemy.node-exporter - name: cloudalchemy.prometheus + - name: rockylinux.ipsilon + src: https://github.com/rocky-linux/ansible-role-ipsilon + version: master collections: # freeipa
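Review bot: `version: master` pins the new `rockylinux.ipsilon` role to a moving branch of an external GitHub repository, so every `ansible-galaxy install` pulls whatever that branch holds at the time and any pushed change lands in production with no review on this side. Pin it to a release tag or full commit hash, e.g. `version: <tag-or-commit-sha>` (placeholder), and bump it deliberately. If your ansible-galaxy does not infer git from the plain https `src:` URL, adding `scm: git` makes the source type explicit.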