diff --git a/roles/myconext/tasks/main.yml b/roles/myconext/tasks/main.yml
index 54c425e86..0d386520d 100644
--- a/roles/myconext/tasks/main.yml
+++ b/roles/myconext/tasks/main.yml
@@ -207,7 +207,45 @@
 - source: /opt/openconext/myconext/apple-app-site-association
 target: /var/www/.well-known/apple-app-site-association
 type: bind
+ env:
+ HTTPD_CSP: "{{ httpd_csp.lenient_with_static_img_for_idp }}"
+ HTTPD_SERVERNAME: "login.{{ myconext_base_domain }}"
+- name: Create the servicedesk gui
+ community.docker.docker_container:
+ name: servicedeskgui
+ image: ghcr.io/openconext/openconext-myconext/servicedesk-gui:{{ servicedesk_gui_version }}
+ pull: true
+ restart_policy: "always"
+ state: started
+ networks:
+ - name: "loadbalancer"
+ labels:
+ traefik.http.routers.servicedeskgui.rule: "Host(`servicedesk.{{ myconext_base_domain }}`)"
+ traefik.http.routers.servicedeskgui.tls: "true"
+ traefik.enable: "true"
+ healthcheck:
+ test: ["CMD", "curl", "--fail" , "http://localhost"]
+ interval: 10s
+ timeout: 10s
+ retries: 3
+ start_period: 10s
+ mounts:
+ - source: /etc/localtime
+ target: /etc/localtime
+ type: bind
+ - source: /opt/openconext/common/favicon.ico
+ target: /var/www/favicon.ico
+ type: bind
+ - source: /opt/openconext/myconext/apple-app-site-association
+ target: /var/www/.well-known/apple-app-site-association
+ type: bind
 env:
 HTTPD_CSP: "{{ httpd_csp.lenient_with_static_img_for_idp }}"
 HTTPD_SERVERNAME: "login.{{ myconext_base_domain }}"
+ OPENCONEXT_INSTANCENAME: "{{ instance_name }}"
+ OPENCONEXT_ENGINE_LOGOUT_URL: "https://engine.{{ base_domain }}/logout"
+ OPENCONEXT_HELP_EMAIL: "{{ support_email }}"
+ SHIB_ENTITYID: "https://servicedesk.{{ myconext_base_domain }}/shibboleth"
+ SHIB_REMOTE_ENTITYID: "https://engine.{{ base_domain }}/authentication/idp/metadata"
+ SHIB_REMOTE_METADATA: "{{ shibboleth_metadata_sources.engine }}"
 
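Review bot: The new `servicedeskgui` container picks up the context lines `HTTPD_SERVERNAME: "login.{{ myconext_base_domain }}"` and the IdP CSP from the account container that precedes it, while its Traefik rule and `SHIB_ENTITYID` are built for `servicedesk.{{ myconext_base_domain }}`; unless the image is meant to answer for the login vhost, the Apache ServerName should be `HTTPD_SERVERNAME: "servicedesk.{{ myconext_base_domain }}"` so self-referential redirects and the Shibboleth handler URLs name the right host. The `apple-app-site-association` bind mount also looks copied from the account container and has no role on a service-desk host; dropping it narrows what this container can read from the host filesystem. `servicedesk_gui_version` defaults to `''` in the new role, which would render the image reference as `servicedesk-gui:` (not a valid tag) and make `pull: true` fail, so the play should assert the variable is set, or default it to a pinned tag, before this task runs.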
diff --git a/roles/servicedesk-gui/defaults/main.yml b/roles/servicedesk-gui/defaults/main.yml
new file mode 100644
index 000000000..2aadf58ef
--- /dev/null
+++ b/roles/servicedesk-gui/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+servicedesk_gui_version: ''
+servicedesk_gui_snapshot_timestamp: ''
+servicedesk_install: true
diff --git a/roles/servicedesk-gui/handlers/main.yml b/roles/servicedesk-gui/handlers/main.yml
new file mode 100644
index 000000000..a45857dd2
--- /dev/null
+++ b/roles/servicedesk-gui/handlers/main.yml
@@ -0,0 +1,15 @@
+---
+- name: restart httpd
+ service:
+ name: httpd
+ state: restarted
+
+- name: reload httpd
+ service:
+ name: httpd
+ state: reloaded
+
+- name: restart iptables
+ service:
+ name: iptables
+ state: restarted
diff --git a/roles/servicedesk-gui/meta/main.yml b/roles/servicedesk-gui/meta/main.yml
new file mode 100644
index 000000000..73b314ff7
--- /dev/null
+++ b/roles/servicedesk-gui/meta/main.yml
@@ -0,0 +1 @@
+---
\ No newline at end of file
diff --git a/roles/servicedesk-gui/tasks/main.yml b/roles/servicedesk-gui/tasks/main.yml
new file mode 100644
index 000000000..673777ef7
--- /dev/null
+++ b/roles/servicedesk-gui/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+- name: copy virtual host config
+ template:
+ src: servicedesk.conf.j2
+ dest: /etc/httpd/conf.d/servicedesk.conf
+ notify: reload httpd
diff --git a/roles/servicedesk-gui/templates/account.conf.j2 b/roles/servicedesk-gui/templates/account.conf.j2
new file mode 100644
index 000000000..270e1c769
--- /dev/null
+++ b/roles/servicedesk-gui/templates/account.conf.j2
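Review bot: `src: servicedesk.conf.j2` in the copy task names a template this commit does not add; the only template in the new role is `templates/account.conf.j2`, so the role would stop at render time with a missing-template error on every host it runs on. Either rename the file to `servicedesk.conf.j2` or change the task to `src: account.conf.j2`; the former matches `dest: /etc/httpd/conf.d/servicedesk.conf` and avoids leaving a file named after a different service in the role. The `restart iptables` handler in the handlers file is not notified by any task visible in this diff, so it appears to be dead weight unless further tasks exist outside what is shown.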
@@ -0,0 +1,74 @@
+{% if apache_app_listen_address.servicedesk is defined %}
+Listen {{ apache_app_listen_address.servicedesk }}:{{ loadbalancing.servicedesk.port }}
+
+{% else %}
+
+{% endif %}
+ # General setup for the virtual host, inherited from global configuration
+ ServerName https://login.{{ myconext_base_domain }}
+
+ ErrorLog "|/usr/bin/logger -S 32k -p local3.err -t 'Apache-servicedesk'"
+ CustomLog "|/usr/bin/logger -S 32k -p local3.info -t 'Apache-servicedesk'" combined
+
+ RewriteEngine on
+
+ {% for links in myconext.links %}
+ RewriteRule "^/{{ links.name }}(/|$)" "{{ links.url }}" [R,L]
+ {% endfor %}
+
+ RewriteCond %{REQUEST_URI} !\.html$
+ RewriteCond %{REQUEST_URI} !\.(js|css)(\.map)?$
+ RewriteCond %{REQUEST_URI} !\.svg$
+ RewriteCond %{REQUEST_URI} !\.png$
+ RewriteCond %{REQUEST_URI} !\.ico$
+ RewriteCond %{REQUEST_URI} !\.woff$
+ RewriteCond %{REQUEST_URI} !\.woff2$
+ RewriteCond %{REQUEST_URI} !\.ttf$
+ RewriteCond %{REQUEST_URI} !\.eot$
+ RewriteCond %{REQUEST_URI} !^/(asset-)?manifest.json$
+ RewriteCond %{REQUEST_URI} !^/myconext
+ RewriteCond %{REQUEST_URI} !^/tiqr
+ RewriteCond %{REQUEST_URI} !^/config
+ RewriteCond %{REQUEST_URI} !^/saml
+ RewriteCond %{REQUEST_URI} !^/actuator
+ RewriteCond %{REQUEST_URI} !^/internal
+ RewriteCond %{REQUEST_URI} !^/fonts
+ RewriteCond %{REQUEST_URI} !^/.well-known
+ RewriteRule (.*) /index.html [L]
+
+ ProxyPreserveHost On
+ ProxyPass /myconext/api http://localhost:{{ springapp_tcpport }}/myconext/api retry=0
+ ProxyPassReverse /myconext/api http://localhost:{{ springapp_tcpport }}/myconext/api
+
+ ProxyPass /actuator http://localhost:{{ springapp_tcpport }}/internal retry=0
+ ProxyPass /internal http://localhost:{{ springapp_tcpport }}/internal retry=0
+ ProxyPass /config http://localhost:{{ springapp_tcpport }}/config retry=0
+
+ DocumentRoot "{{ _springapp_dir }}/current"
+
+
+ Require all granted
+ Options -Indexes
+
+
+ Header always set Content-Security-Policy "{{ httpd_csp.lenient_with_static_img_for_idp }}"
+ Header always set X-Frame-Options "DENY"
+ Header always set Referrer-Policy "same-origin"
+ Header always set X-Content-Type-Options "nosniff"
+
+ {% if haproxy_backend_tls %}
+ SSLEngine on
+ SSLCertificateFile {{ tls.cert_path }}/backend.{{ base_domain }}.pem
+ SSLCertificateKeyFile {{ tls.cert_private_path }}/backend.{{ base_domain }}.key
+ Include ssl_backend.conf
+ {% endif %}
+
+ {% if apache_app_listen_address.all is defined %}
+ SSLEngine on
+ SSLCertificateFile {{ tls.cert_path }}/{{ tls_star_cert }}
+ SSLCertificateKeyFile {{ tls.cert_private_path }}/{{ tls_star_cert_key }}
+ SSLCertificateChainFile {{ tls.cert_path_ca }}/{{ tls_ca }}
+ Include ssl_backend.conf
+ {% endif %}
+
+
diff --git a/roles/servicedesk-gui/vars/main.yml b/roles/servicedesk-gui/vars/main.yml
new file mode 100644
index 000000000..90a4a758a
--- /dev/null
+++ b/roles/servicedesk-gui/vars/main.yml
@@ -0,0 +1,4 @@
+---
+springapp_tcpport: 9189
+springapp_artifact_id: servicedesk-gui
+springapp_version: "{{ servicedesk_gui_version }}"
diff --git a/roles/springboot/defaults/main.yml b/roles/springboot/defaults/main.yml
index a3219e7c1..def37fca6 100644
--- a/roles/springboot/defaults/main.yml
+++ b/roles/springboot/defaults/main.yml
@@ -27,6 +27,11 @@ springboot_gui_services:
 group: myconext
 enabled: "{{ springboot_services_state.account }}"
 version: "{{ account_gui_version }}"
+ - name: servicedesk
+ alias: servicedesk-gui
+ group: myconext
+ enabled: "{{ springboot_services_state.servicedesk }}"
+ version: "{{ servicedesk_gui_version }}"
 springboot_server_services:
 - name: manage
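Review bot: `ServerName https://login.{{ myconext_base_domain }}` in the new vhost is the account GUI's hostname, carried over together with the `/myconext`, `/tiqr` and `/saml` rewrite exclusions, while the log tag is `Apache-servicedesk` and the listen address comes from `apache_app_listen_address.servicedesk`; it should read `ServerName https://servicedesk.{{ myconext_base_domain }}`, since ServerName is what Apache uses to pick this vhost among name-based ones and to build self-referential redirects. `ProxyPass /actuator` and `ProxyPass /internal` both forward to the backend's `/internal` management path, and no `<Location>` with a `Require ip` restriction for them is visible in this hunk; the `<VirtualHost>` and `<Directory>` tags appear to have been lost in rendering, so such a block may exist, but if it does not, add `<Location /internal>` / `<Location /actuator>` blocks with `Require ip` limited to the monitoring addresses before exposing health and metrics endpoints on a public vhost. The `{% if haproxy_backend_tls %}` and `{% if apache_app_listen_address.all is defined %}` branches are independent, so when both variables are set the vhost gets two `SSLEngine on` / `SSLCertificateFile` pairs and the last one silently wins; if both can be true at once, make the second branch an `{% elif %}` or assert they are mutually exclusive.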
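Review bot: The new entry reads `springboot_services_state.servicedesk`, a key this diff does not add anywhere next to the existing `springboot_services_state.account`, so on an inventory that has not been updated the play fails with an undefined-variable error instead of treating the service as disabled. Either add `servicedesk: false` to the role's default `springboot_services_state` mapping or write `enabled: "{{ springboot_services_state.servicedesk | default(false) }}"` so a missing key means "not installed". `version: "{{ servicedesk_gui_version }}"` resolves to `''` from the new role's defaults, which presumably cannot be turned into an artifact version; failing fast with `| mandatory` would make a forgotten pin visible at plan time. The enclosing `springboot_gui_services` list starts outside the hunk.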