diff --git a/ansible/roles/assets/tasks/containerimages.yml b/ansible/roles/assets/tasks/containerimages.yml
index 8b23a1a..84483a8 100644
--- a/ansible/roles/assets/tasks/containerimages.yml
+++ b/ansible/roles/assets/tasks/containerimages.yml
@@ -14,6 +14,12 @@ loop_control: label: "{{ item.dest | basename }}" +- name: Parse pinniped manifest for container images + ansible.builtin.shell: + cmd: >- + cat {{ pinniped_manifest.dest }} | yq --no-doc eval '.. | .image? | select(.)' | awk '!/ /'; + register: pinniped_parsedmanifest + - name: Parse metacluster helm charts for container images ansible.builtin.shell: cmd: "{{ item.value.helm.parse_logic }}"
@@ -43,6 +49,8 @@ results: "{{ kubeadmimages.stdout_lines }}" - source: clusterapi results: "{{ clusterapi_parsedmanifests | json_query('results[*].stdout_lines') | select() | flatten | list }}" + - source: pinniped + results: "{{ pinniped_parsedmanifest.stdout_lines }}" loop_control: label: "{{ item.source }}"
@@ -64,4 +72,4 @@ docker://{{ item }} \ docker-archive:./{{ ( item | regex_findall('[^/:]+'))[-2] }}_{{ lookup('ansible.builtin.password', '/dev/null length=5 chars=ascii_lowercase,digits seed={{ item }}') }}.tar:{{ item }} chdir: /opt/metacluster/container-images - loop: "{{ (containerimages_charts + containerimages_kubeadm + containerimages_clusterapi + dependencies.container_images) | flatten | unique | sort }}" + loop: "{{ (containerimages_charts + containerimages_kubeadm + containerimages_clusterapi + containerimages_pinniped + dependencies.container_images) | flatten | unique | sort }}"
diff --git a/ansible/roles/assets/tasks/main.yml b/ansible/roles/assets/tasks/main.yml
index 820903c..5003dac 100644
--- a/ansible/roles/assets/tasks/main.yml
+++ b/ansible/roles/assets/tasks/main.yml
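Review bot: The new `Parse pinniped manifest for container images` task is a read-only pipeline, but as an `ansible.builtin.shell` task without `changed_when` it reports `changed` on every run; add `changed_when: false` next to `register: pinniped_parsedmanifest`. It also consumes `pinniped_manifest.dest`, a variable registered by the `Download pinniped local-user-authenticator manifest` task this commit adds to `manifests.yml`, so this task file only works when `manifests.yml` has been included earlier in the same play — presumably the existing `clusterapi_parsedmanifests` use below relies on the same ordering, but a short comment on the task would make the dependency visible. The `cat … |` is redundant: `yq --no-doc eval '.. | .image? | select(.)' {{ pinniped_manifest.dest }} | awk '!/ /'` reads the file directly and also drops the stray trailing `;`. The third hunk's `containerimages_pinniped` has to be produced from the `source: pinniped` entry added in the second hunk; that step lies between the hunks and is not visible here.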
@@ -16,6 +16,7 @@ - /opt/metacluster/helm-charts - /opt/metacluster/k3s - /opt/metacluster/kube-vip + - /opt/metacluster/pinniped - /opt/workloadcluster/helm-charts - /opt/workloadcluster/node-templates - /var/lib/rancher/k3s/agent/images
diff --git a/ansible/roles/assets/tasks/manifests.yml b/ansible/roles/assets/tasks/manifests.yml
index 5427cd4..dbc3605 100644
--- a/ansible/roles/assets/tasks/manifests.yml
+++ b/ansible/roles/assets/tasks/manifests.yml
@@ -15,8 +15,9 @@ {{ { 'components': ( metacluster_chartvalues | - combine({ 'clusterapi': components.clusterapi }) | - combine({ 'kubevip' : components.kubevip }) ), + combine({ 'clusterapi' : components['clusterapi'] }) | + combine({ 'kubevip' : components['kubevip'] }) | + combine({ 'local-user-auth': components['local-user-auth'] })), 'appliance': { 'version': (applianceversion) }
@@ -108,6 +109,21 @@ delay: 5 until: kubevip_manifest is not failed +- name: Download pinniped local-user-authenticator manifest + ansible.builtin.get_url: + url: https://get.pinniped.dev/{{ components['local-user-authenticator'].version }}/install-local-user-authenticator.yaml + dest: /opt/metacluster/pinniped/local-user-authenticator.yaml + register: pinniped_manifest + retries: 5 + delay: 5 + until: pinniped_manifest is not failed + +- name: Trim image hash from manifest + ansible.builtin.copy: + dest: /opt/metacluster/pinniped/local-user-authenticator.yaml + content: "{{ lookup('ansible.builtin.file', '/opt/metacluster/pinniped/local-user-authenticator.yaml') | regex_replace('([ ]*image: .*)@.*', '\\1') }}" + no_log: true + # - name: Inject manifests # ansible.builtin.template: # src: "{{ item.type }}.j2"
diff --git a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml
index e38c9e0..7ab887f 100644
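Review bot: The added `combine({ 'local-user-auth': components['local-user-auth'] })` looks up a key that nothing else in this commit defines: `ansible/vars/metacluster.yml` adds `components.local-user-authenticator`, and both the download task further down in this file and `authentication.yml` read `components['local-user-authenticator']`. Unless `local-user-auth` exists elsewhere in the vars, rendering this template fails with an undefined-variable error; the line should presumably read `combine({ 'local-user-authenticator': components['local-user-authenticator'] })),`, using whichever key the consuming manifest templates expect. The template expression this hunk edits starts above and ends below the hunk.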
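Review bot: `Trim image hash from manifest` reads the file through `lookup('ansible.builtin.file', …)`, and lookups run on the controller, whereas the preceding `get_url` wrote `/opt/metacluster/pinniped/local-user-authenticator.yaml` on the managed host; unless this role runs over a local connection (the `shell`/`skopeo` tasks in `containerimages.yml` suggest it does not), the lookup reads a file that does not exist there. `ansible.builtin.replace` performs the same rewrite on the target, reuses the registered `pinniped_manifest.dest` instead of repeating the path, and makes the `no_log: true` unnecessary — the manifest is not secret, and `no_log` here only hides the task's output, including the error message when it fails. Note also that the regex strips the `@sha256:` digest upstream pins in `install-local-user-authenticator.yaml`, so the image is afterwards identified by tag alone; if that is required so the reference matches the `docker-archive` import in `containerimages.yml`, a comment saying so would help, and the dropped digest could be recorded so the copied image can be checked against it.
```yaml
- name: Trim image hash from manifest
  ansible.builtin.replace:
    path: "{{ pinniped_manifest.dest }}"
    regexp: '([ ]*image: .*)@.*'
    replace: '\1'
```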
--- a/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/bootstrap/roles/metacluster/tasks/authentication.yml
@@ -10,6 +10,29 @@ kubeconfig: "{{ kubeconfig.path }}" values: "{{ components['dex'].chart_values }}" +- block: + + - name: Install pinniped local-user-authenticator + kubernetes.core.k8s: + src: /opt/metacluster/pinniped/local-user-authenticator.yaml + state: present + kubeconfig: "{{ kubeconfig.path }}" + + - name: Create local-user-authenticator accounts + kubernetes.core.k8s: + template: secret.j2 + state: present + kubeconfig: "{{ kubeconfig.path }}" + vars: + _template: + name: "{{ item.username }}" + namespace: local-user-authenticator + type: '' + data: + - groups: group1,group2 + passwordHash: "{{ item.password }}" + loop: "{{ components['local-user-authenticator'].users }}" + - block: - name: Install pinniped chart
diff --git a/ansible/vars/metacluster.yml b/ansible/vars/metacluster.yml
index 42c0db2..09a7104 100644
--- a/ansible/vars/metacluster.yml
+++ b/ansible/vars/metacluster.yml
@@ -255,6 +255,14 @@ components: service: public: type: ClusterIP + local-user-authenticator: + # Must match the appVersion (!=chart version) referenced at `components.pinniped.helm.version` + version: v0.27.0 + users: + - username: metauser + password: "{{ vapp['metacluster.password'] | password_hash('bcrypt') }}" + - username: metaguest + password: "{{ vapp['metacluster.password'] | password_hash('bcrypt') }}" step-certificates: helm:
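Review bot: The `Create local-user-authenticator accounts` task renders a Secret carrying `passwordHash` but has no `no_log: true`, so the rendered resource and its diff are printed in verbose or `--diff` runs; add `no_log: true` to that task. `groups: group1,group2` is a hard-coded placeholder applied to both `metauser` and `metaguest`, so any RBAC bound to these groups cannot distinguish the two accounts; read it per user, e.g. `groups: "{{ item.groups }}"`, with a `groups` field added to each entry of `components['local-user-authenticator'].users`. `type: ''` depends on how `secret.j2` treats an empty type (not visible here); if it falls back to `Opaque`, a comment on that line should say so.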
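Review bot: `password_hash('bcrypt')` without a salt generates a fresh random salt every time the variable is rendered, so each `password` under `components.local-user-authenticator.users` evaluates to a different hash on every run and the Secret written by `authentication.yml` is rewritten on every play; either pass a fixed per-user salt (`password_hash('bcrypt', salt=…)`, 22 bcrypt-alphabet characters) or hash once with `set_fact` before the loop that creates the accounts. Both users hash the same `vapp['metacluster.password']`, so `metaguest` holds the administrator's credential and offers no separation from `metauser`; if the guest account is meant to be lower-privileged it should take its password from a separate vApp property. The `# Must match the appVersion …` comment is the kind of note the download task in `manifests.yml` should reference as well, since that is where the version is consumed.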