diff --git a/index.js b/index.js
index e81fb7c..20b9167 100644
--- a/index.js
+++ b/index.js
@@ -14,6 +14,7 @@ const { createAllTables } = require("./lib/schema");
 const { initEnvIfMissing, markBootstrapped } = require("./lib/env");
 const { ensureActiveKey } = require("./lib/keys");
 const { routes } = require("./lib/routes");
+const { configurationWorkflow } = require("./lib/configWorkflow");
 const { startLdap, isListening } = require("./lib/ldap/server");
 const ldapSettings = require("./lib/ldap/settings");
 const { ensureSamlCert } = require("./lib/saml/idp");
@@ -166,6 +167,9 @@ const onLoad = async (cfg) => {
 module.exports = {
 sc_plugin_api_version: 1,
 plugin_name: PLUGIN_NAME,
+ configuration_workflow: configurationWorkflow,
 onLoad: onLoad,
- routes: routes
+ // With configuration_workflow present, Saltcorn invokes capability keys as
+ // (cfg)=>value (state.ts withCfg), so routes must be a function, not the array.
+ routes: () => routes
 };
diff --git a/lib/configWorkflow.js b/lib/configWorkflow.js
new file mode 100644
index 0000000..8526a6e
--- /dev/null
+++ b/lib/configWorkflow.js
@@ -0,0 +1,32 @@
+// Minimal configuration_workflow. Its only job is to make saltcorn-idp show the
+// standard "Configure" cog on the Settings -> Plugins list, consistent with
+// other plugins (the cog renders iff the module exports configuration_workflow
+// -- see server/routes/plugins.js cfg_link). saltcorn-idp is actually configured
+// from its own admin dashboard under ADMIN_BASE_PATH (/admin/idp), so the single
+// step just links there.
+
+const Workflow = require("@saltcorn/data/models/workflow");
+const Form = require("@saltcorn/data/models/form");
+const { ADMIN_BASE_PATH } = require("./constants");
+
+
+const configurationWorkflow = () =>
+ new Workflow({
+ steps: [
+ {
+ name: "saltcorn-idp",
+ form: async () =>
+ new Form({
+ blurb:
+ "saltcorn-idp is configured from its own admin dashboard " +
+ "(OIDC clients, groups, SAML SPs, LDAP, signing-key rotation).
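Review bot: The `routes: () => routes` export in the second index.js hunk depends on a Saltcorn internal (the comment cites `state.ts withCfg`), and nothing visible in this commit pins or tests that contract. lib/constants.js says the plugin serves both CSRF-exempt public endpoints and CSRF-protected admin pages, so a host that reads `routes` as an array again would presumably skip or mis-register them without raising an error. I would add a regression test along the lines of `assert.strictEqual(typeof plugin.routes, "function")` and `assert.ok(Array.isArray(plugin.routes({})))`, and extend the comment with the Saltcorn version this behaviour was checked against. The wrapper also ignores its argument; writing it as `routes: (_cfg) => routes` would make that deliberate.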

" +
+ `` +
+ "Open the saltcorn-idp dashboard",
+ fields: []
+ })
+ }
+ ]
+ });
+
+
+module.exports = { configurationWorkflow };
diff --git a/lib/constants.js b/lib/constants.js
index 4daab1d..b884211 100644
--- a/lib/constants.js
+++ b/lib/constants.js
@@ -5,7 +5,7 @@ // crypto.js; protocol/policy values live here.
 const PLUGIN_NAME = "saltcorn-idp";
-const PLUGIN_VERSION = "0.0.1";
+const PLUGIN_VERSION = "0.0.3";
 // Public OIDC/OAuth2 + machine endpoints live under this path and are
 // CSRF-exempt. Admin (browser, CSRF-protected) pages live under ADMIN_BASE_PATH.
diff --git a/package.json b/package.json
index abd9648..34f4a47 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "saltcorn-idp",
- "version": "0.0.1",
+ "version": "0.0.3",
 "description": "Saltcorn plugin: turns Saltcorn into an SSO Identity Provider (OIDC/OAuth2, LDAP with groups, and SAML 2.0). Per-tenant asymmetric signing keys sealed at rest; multi-tenant. See VENDORING.md for the dependency-ownership/security posture.",
 "main": "index.js",
 "scripts": {
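Review bot: The single workflow step in lib/configWorkflow.js is a `Form` with `fields: []`, so it is still a submittable step even though its only purpose is to show a link. If Saltcorn persists the workflow result as the plugin configuration and reloads the plugin on completion (not visible here, worth confirming), an admin clicking through would re-run `onLoad`, which index.js imports alongside signing-key, LDAP and SAML-certificate setup. I would add a comment above `form:` such as `// Submitting this step stores no settings; onLoad must stay idempotent if Saltcorn reloads the plugin afterwards.` The `blurb` is built by string concatenation and its link markup is not legible in this view; keep what is interpolated there limited to constants like `ADMIN_BASE_PATH`, since a blurb is presumably emitted as HTML.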