diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/config/ConfigurationPropertiesBean.java b/openid-connect-common/src/main/java/org/mitre/openid/connect/config/ConfigurationPropertiesBean.java
index 89657a2bb..6f67c5de6 100644
--- a/openid-connect-common/src/main/java/org/mitre/openid/connect/config/ConfigurationPropertiesBean.java
+++ b/openid-connect-common/src/main/java/org/mitre/openid/connect/config/ConfigurationPropertiesBean.java
@@ -43,6 +43,8 @@ public class ConfigurationPropertiesBean {
 	private String logoImageUrl;
 	private Long regTokenLifeTime;
+
+	private boolean forceHttps;
 	public ConfigurationPropertiesBean() {
@@ -50,11 +52,18 @@ public class ConfigurationPropertiesBean {
 	/**
 	 * Endpoints protected by TLS must have https scheme in the URI.
+	 * @throws HttpsUrlRequiredException
 	 */
 	@PostConstruct
-	public void checkForHttps() {
+	public void checkForHttps() throws HttpsUrlRequiredException {
 		if (!StringUtils.startsWithIgnoreCase(issuer, "https")) {
-			logger.warn("Configured issuer url is not using https scheme.");
+			if (this.forceHttps) {
+				logger.warn("Configured issuer url is not using https scheme. This is not allowed!");
+				throw new HttpsUrlRequiredException(issuer);
+			}
+			else {
+				logger.warn("Configured issuer url is not using https scheme.");
+			}
 		}
 	}
@@ -113,4 +122,12 @@ public class ConfigurationPropertiesBean {
 	public void setRegTokenLifeTime(Long regTokenLifeTime) {
 		this.regTokenLifeTime = regTokenLifeTime;
 	}
+
+	public boolean isForceHttps() {
+		return forceHttps;
+	}
+
+	public void setForceHttps(boolean forceHttps) {
+		this.forceHttps = forceHttps;
+	}
 }
diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/config/HttpsUrlRequiredException.java b/openid-connect-common/src/main/java/org/mitre/openid/connect/config/HttpsUrlRequiredException.java
new file mode 100644
index 000000000..a158b4b73
--- /dev/null
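Review bot: checkForHttps now declares the checked HttpsUrlRequiredException on a @PostConstruct method; the JSR-250 contract for init callbacks is that they must not throw checked exceptions, and while Spring invokes the method reflectively and wraps whatever it throws in a BeanCreationException (so startup does fail fast as intended), a stricter container would reject the bean. Having HttpsUrlRequiredException (the new file in this commit) extend RuntimeException and dropping the `throws` clause gives the same fail-fast behaviour without the contract violation. The added `@throws` tag is empty; give it the condition, e.g. `@throws HttpsUrlRequiredException if forceHttps is set and the configured issuer does not use the https scheme`, and note in the same Javadoc that forceHttps defaults to false, so an http issuer still only produces a warning unless a deployment opts in. The field declaration in the first hunk and the accessors in the third carry no documentation either; a one-line comment on the field, `// when true, a non-https issuer aborts startup instead of only logging a warning`, would tell a deployer what the property does. The enclosing class continues outside these hunks.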
+++ b/openid-connect-common/src/main/java/org/mitre/openid/connect/config/HttpsUrlRequiredException.java
@@ -0,0 +1,27 @@
+package org.mitre.openid.connect.config;
+
+public class HttpsUrlRequiredException extends Exception {
+
+	/**
+	 *
+	 */
+	private static final long serialVersionUID = 1318613592371145910L;
+	private String error;
+	/**
+	 * @param error
+	 */
+	public HttpsUrlRequiredException(String error) {
+		this.setError(error);
+	}
+	public String getError() {
+		return error;
+	}
+	public void setError(String error) {
+		this.error = error;
+	}
+	@Override
+	public String toString() {
+		return "HttpsUrlRequiredException [error=" + this.error + "]";
+	}
+
+}
diff --git a/openid-connect-common/src/test/java/org/mitre/openid/connect/config/ConfigurationPropertiesBeanTest.java b/openid-connect-common/src/test/java/org/mitre/openid/connect/config/ConfigurationPropertiesBeanTest.java
index 261cd01d8..1576e301b 100644
--- a/openid-connect-common/src/test/java/org/mitre/openid/connect/config/ConfigurationPropertiesBeanTest.java
+++ b/openid-connect-common/src/test/java/org/mitre/openid/connect/config/ConfigurationPropertiesBeanTest.java
@@ -20,15 +20,20 @@ package org.mitre.openid.connect.config;
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+import org.junit.Rule;
 import org.junit.Test;
+import org.junit.rules.ExpectedException;
 /**
  * @author jricher
  *
  */
 public class ConfigurationPropertiesBeanTest {
-
+
+	@Rule
+	public ExpectedException expectedException = ExpectedException.none();
 	/**
 	 * Test getters and setters for configuration object.
 	 */
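Review bot: The constructor never calls super with a message, so getMessage() on this exception is null and the BeanCreationException that wraps it at startup carries no detail about the rejected URL beyond whatever happens to print toString. Pass the context up the chain and make the field immutable: `super("Configured issuer url is not using https scheme: " + error); this.error = error;` in the constructor, `private final String error;`, and drop setError, which only the constructor uses. The empty Javadoc block above serialVersionUID and the bare `@param error` tag should either describe the value (it is the offending issuer URL, per the caller in ConfigurationPropertiesBean) or be removed.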
@@ -45,11 +50,68 @@ public class ConfigurationPropertiesBeanTest {
 		bean.setIssuer(iss);
 		bean.setTopbarTitle(title);
 		bean.setLogoImageUrl(logoUrl);
+		bean.setForceHttps(true);
 		assertEquals(iss, bean.getIssuer());
 		assertEquals(title, bean.getTopbarTitle());
 		assertEquals(logoUrl, bean.getLogoImageUrl());
-
+		assertEquals(true, bean.isForceHttps());
+	}
+	@Test
+	public void testCheckForHttps() throws HttpsUrlRequiredException {
+		ConfigurationPropertiesBean bean = new ConfigurationPropertiesBean();
+
+		// issuer is http
+		// leave as default, which is unset/false
+		try {
+			bean.checkForHttps();
+		}
+		catch (HttpsUrlRequiredException e) {
+			fail("Unexpected HttpsUrlRequiredException for http issuer with default forceHttps, message:" + e.getError());
+		}
+
+		// set to false
+		try {
+			bean.setForceHttps(false);
+			bean.checkForHttps();
+		}
+		catch (HttpsUrlRequiredException e) {
+			fail("Unexpected HttpsUrlRequiredException for http issuer with forceHttps=false, message:" + e.getError());
+		}
+
+		// set to true
+
+		bean.setForceHttps(true);
+		this.expectedException.expect(HttpsUrlRequiredException.class);
+		bean.checkForHttps();
+
+		// issuer is https
+		// leave as default, which is unset/false
+		try {
+			bean.checkForHttps();
+		}
+		catch (HttpsUrlRequiredException e) {
+			fail("Unexpected HttpsUrlRequiredException for https issuer with default forceHttps, message:" + e.getError());
+		}
+
+		// set to false
+		try {
+			bean.setForceHttps(false);
+			bean.checkForHttps();
+		}
+		catch (HttpsUrlRequiredException e) {
+			fail("Unexpected HttpsUrlRequiredException for https issuer with forceHttps=false, message:" + e.getError());
+		}
+
+		// set to true
+		try {
+			bean.setForceHttps(true);
+			bean.checkForHttps();
+		}
+		catch (HttpsUrlRequiredException e) {
+			fail("Unexpected HttpsUrlRequiredException for https issuer with forceHttps=true, message:" + e.getError());
+		}
+	}
 }
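Review bot: In testCheckForHttps everything after `this.expectedException.expect(HttpsUrlRequiredException.class); bean.checkForHttps();` is unreachable: that call throws, the ExpectedException rule consumes it, and the method ends, so the three "issuer is https" cases are never executed. They could not pass anyway, because this test never sets the issuer — it stays null, which is what the "issuer is http" cases actually exercise (they only hold because startsWithIgnoreCase on a null issuer presumably yields false), and no `bean.setIssuer("https://...")` precedes the https section. Set the issuer explicitly, verify the throwing case with try/fail/catch so the method keeps running, then switch the issuer to an https value for the remaining cases; the ExpectedException rule and its two imports in the previous hunk of this file become unnecessary once that is done. The first context lines belong to a test method whose start is outside the hunk.
```java
	@Test
	public void testCheckForHttps() throws HttpsUrlRequiredException {
		ConfigurationPropertiesBean bean = new ConfigurationPropertiesBean();
		bean.setIssuer("http://localhost/"); // constructed sample value; only the scheme matters
		// … unchanged: default and forceHttps=false cases, which must not throw …

		// set to true: must throw; caught here so the rest of the method still runs
		bean.setForceHttps(true);
		try {
			bean.checkForHttps();
			fail("Expected HttpsUrlRequiredException for http issuer with forceHttps=true");
		}
		catch (HttpsUrlRequiredException e) {
			assertEquals(bean.getIssuer(), e.getError());
		}

		// issuer is https: the same three cases, now actually reached
		bean.setIssuer("https://localhost/"); // constructed sample value
		// … unchanged: default, forceHttps=false and forceHttps=true cases, which must not throw …
	}
```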