diff --git a/internal/controllermanager/prepare_controllers.go b/internal/controllermanager/prepare_controllers.go
index dcb565fa..fc821886 100644
--- a/internal/controllermanager/prepare_controllers.go
+++ b/internal/controllermanager/prepare_controllers.go
@@ -14,11 +14,15 @@ import (
 k8sinformers "k8s.io/client-go/informers"
 "k8s.io/client-go/kubernetes"
 restclient "k8s.io/client-go/rest"
+ "k8s.io/klog/v2/klogr"
 aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
 
 pinnipedclientset "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned"
 pinnipedinformers "github.com/suzerain-io/pinniped/generated/1.19/client/informers/externalversions"
 "github.com/suzerain-io/pinniped/internal/controller/apicerts"
+ "github.com/suzerain-io/pinniped/internal/controller/identityprovider/idpcache"
+ "github.com/suzerain-io/pinniped/internal/controller/identityprovider/webhookcachecleaner"
+ "github.com/suzerain-io/pinniped/internal/controller/identityprovider/webhookcachefiller"
 "github.com/suzerain-io/pinniped/internal/controller/issuerconfig"
 "github.com/suzerain-io/pinniped/internal/controllerlib"
 "github.com/suzerain-io/pinniped/internal/provider"
@@ -36,6 +40,7 @@ func PrepareControllers(
 dynamicCertProvider provider.DynamicTLSServingCertProvider,
 servingCertDuration time.Duration,
 servingCertRenewBefore time.Duration,
+ idpCache *idpcache.Cache,
 ) (func(ctx context.Context), error) {
 // Create k8s clients.
 k8sClient, aggregatorClient, pinnipedClient, err := createClients()
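Review bot: The new `idpCache *idpcache.Cache` parameter in the @@ -36 hunk is accepted without a nil check and, in the @@ -104 hunk below, is handed directly to webhookcachefiller.New and webhookcachecleaner.New, so a caller passing nil would surface only as a panic inside a controller sync rather than as an error from PrepareControllers. A guard at the top of the body, `if idpCache == nil { return nil, errors.New("idpCache must not be nil") }` (using whichever error constructor the file already imports), keeps the failure at the call site. The parameter also deserves a line in the PrepareControllers doc comment stating that the cache is the same instance server.go hands to the aggregated API server and that the webhook controllers presumably populate it. PrepareControllers' signature begins and its body continues outside this hunk.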
@@ -104,6 +109,22 @@ func PrepareControllers(
 servingCertRenewBefore,
 ),
 singletonWorker,
+ ).
+ WithController(
+ webhookcachefiller.New(
+ idpCache,
+ installationNamespacePinnipedInformers.IDP().V1alpha1().WebhookIdentityProviders(),
+ klogr.New(),
+ ),
+ singletonWorker,
+ ).
+ WithController(
+ webhookcachecleaner.New(
+ idpCache,
+ installationNamespacePinnipedInformers.IDP().V1alpha1().WebhookIdentityProviders(),
+ klogr.New(),
+ ),
+ singletonWorker,
 )
 
 // Return a function which starts the informers and controllers.
diff --git a/internal/server/server.go b/internal/server/server.go
index 774c9e4e..64faa1d2 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -26,6 +26,7 @@ import (
 pinnipedclientset "github.com/suzerain-io/pinniped/generated/1.19/client/clientset/versioned"
 "github.com/suzerain-io/pinniped/internal/apiserver"
 "github.com/suzerain-io/pinniped/internal/certauthority/kubecertauthority"
+ "github.com/suzerain-io/pinniped/internal/controller/identityprovider/idpcache"
 "github.com/suzerain-io/pinniped/internal/controller/issuerconfig"
 "github.com/suzerain-io/pinniped/internal/controllermanager"
 "github.com/suzerain-io/pinniped/internal/downward"
@@ -118,11 +119,8 @@ func (a *App) runServer(ctx context.Context) error {
 }
 defer shutdownCA()
 
- // Create a WebhookTokenAuthenticator.
- webhookTokenAuthenticator, err := config.NewWebhook(cfg.WebhookConfig)
- if err != nil {
- return fmt.Errorf("could not create webhook client: %w", err)
- }
+ // Initialize the cache of active identity providers.
+ idpCache := idpcache.New()
 
 // This cert provider will provide certs to the API server and will
 // be mutated by a controller to keep the certs up to date with what
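Review bot: Both controllers registered in the @@ -104 hunk receive the same `idpCache` pointer that server.go (hunk @@ -147) also passes to the aggregated API server, so the cache is written by two controller workers and read on the request path concurrently; nothing in this hunk shows that idpcache.Cache synchronizes internally, so confirm that it does and state the invariant in the type's doc comment rather than relying on callers to know it. Separately, `klogr.New()` is called once per controller; hoisting a single `logger := klogr.New()` above the builder chain (or accepting a logger from the caller) keeps the two controllers' logging consistent and avoids the duplicated construction. The controller builder chain starts before this hunk.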
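Review bot: The @@ -118 hunk in server.go replaces a webhook authenticator built from `cfg.WebhookConfig` at startup, whose construction error aborted the server, with `idpcache.New()`, which starts empty and is filled asynchronously by controllers; the aggregated API server (hunk @@ -147) can therefore begin serving before any identity provider is registered, and a misconfigured webhook no longer stops startup but is presumably only visible in controller logs. Confirm that the cache's authentication path treats an empty cache as "unauthenticated" rather than as success or a nil dereference, and record the window in the new comment, e.g. `// Initialize the cache of active identity providers. It starts empty and is populated asynchronously by the webhook controllers, so requests that arrive before the first sync cannot be authenticated.` If `cfg.WebhookConfig` is no longer read anywhere after this change, remove it from the config type or mark it as ignored so operators do not assume a static webhook setting still takes effect.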
@@ -139,6 +137,7 @@ func (a *App) runServer(ctx context.Context) error {
 dynamicCertProvider,
 time.Duration(*cfg.APIConfig.ServingCertificateConfig.DurationSeconds)*time.Second,
 time.Duration(*cfg.APIConfig.ServingCertificateConfig.RenewBeforeSeconds)*time.Second,
+ idpCache,
 )
 if err != nil {
 return fmt.Errorf("could not prepare controllers: %w", err)
@@ -147,7 +146,7 @@ func (a *App) runServer(ctx context.Context) error {
 // Get the aggregated API server config.
 aggregatedAPIServerConfig, err := getAggregatedAPIServerConfig(
 dynamicCertProvider,
- webhookTokenAuthenticator,
+ idpCache,
 k8sClusterCA,
 startControllersFunc,
 )