diff --git a/data/model/user.py b/data/model/user.py index 83a7497a0..e5b34a099 100644 --- a/data/model/user.py +++ b/data/model/user.py @@ -295,6 +295,15 @@ def list_entity_robot_permission_teams(entity_name, include_permissions=False): return TupleSelector(query, fields) +def confirm_attached_federated_login(user, service_name): + """ Verifies that the given user has a federated service identity for the specified service. + If none found, a row is added for that service and user. + """ + with db_transaction(): + if not lookup_federated_login(user, service_name): + attach_federated_login(user, service_name, user.username) + + def create_federated_user(username, email, service_name, service_id, set_password_notification, metadata={}): if not is_create_user_allowed(): diff --git a/data/users/__init__.py b/data/users/__init__.py index 826727bc1..c9f7d41dd 100644 --- a/data/users/__init__.py +++ b/data/users/__init__.py @@ -15,6 +15,19 @@ from util.aes import AESCipher logger = logging.getLogger(__name__) +def get_federated_service_name(authentication_type): + if authentication_type == 'LDAP': + return 'ldap' + + if authentication_type == 'JWT': + return 'jwtauthn' + + if authentication_type == 'Keystone': + return 'keystone' + + raise Exception('Unknown auth type: %s' % authentication_type) + + class UserAuthentication(object): def __init__(self, app=None, override_config_dir=None): self.app_secret_key = None 
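Review bot: confirm_attached_federated_login links the account using `user.username` as the external service id, so it silently assumes the local username and the LDAP/JWT/Keystone identity are the same string; if they differ, the row added here presumably points at an identity the external backend will never report, and the superuser still cannot log in through it. The docstring should state that assumption, e.g. `The user's local username is used as the service id, so it must match the identity the external service reports for this account.` The function also takes `user` with no None guard, and the caller in endpoints/api/suconfig.py passes `get_authenticated_user()` straight through, so a None would surface as an AttributeError inside the transaction rather than a clear error. lookup_federated_login and attach_federated_login are defined outside the hunk, so whether they already tolerate a None user cannot be confirmed from this diff.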
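Review bot: get_federated_service_name raises a bare `Exception` for an unrecognised type, which the caller in endpoints/api/suconfig.py cannot distinguish from any other failure; `raise ValueError('Unknown auth type: %s' % authentication_type)` keeps the message and gives callers a specific type to catch. The three if-chains map directly onto a table, e.g. `_FEDERATED_SERVICE_NAMES = {'LDAP': 'ldap', 'JWT': 'jwtauthn', 'Keystone': 'keystone'}` followed by one lookup, which also makes the supported set visible at a glance. A short docstring would help because the returned strings are not derivable from the type name and presumably must match the service names the login-service rows use: `Return the federated login service name under which identities for the given AUTHENTICATION_TYPE are stored.` The diff cannot confirm that those three names match what lookup_federated_login expects.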
@@ -45,8 +58,8 @@ class UserAuthentication(object): verify_url = app.config.get('JWT_VERIFY_ENDPOINT') issuer = app.config.get('JWT_AUTH_ISSUER') max_fresh_s = app.config.get('JWT_AUTH_MAX_FRESH_S', 300) - users = ExternalJWTAuthN(verify_url, issuer, override_config_dir, max_fresh_s, - app.config['HTTPCLIENT']) + users = ExternalJWTAuthN(verify_url, issuer, override_config_dir, + app.config['HTTPCLIENT'], max_fresh_s) elif authentication_type == 'Keystone': auth_url = app.config.get('KEYSTONE_AUTH_URL') keystone_admin_username = app.config.get('KEYSTONE_ADMIN_USERNAME') diff --git a/endpoints/api/suconfig.py b/endpoints/api/suconfig.py index d2c21e7d1..576965bea 100644 --- a/endpoints/api/suconfig.py +++ b/endpoints/api/suconfig.py @@ -13,10 +13,12 @@ from app import app, CONFIG_PROVIDER, superusers from data import model from data.database import configure from auth.permissions import SuperUserPermission +from auth.auth_context import get_authenticated_user from data.database import User from util.config.configutil import add_enterprise_config_defaults from util.config.validator import validate_service_for_config, CONFIG_FILENAMES from data.runmigration import run_alembic_migration +from data.users import get_federated_service_name import features @@ -208,6 +210,13 @@ class SuperUserConfig(ApiResource): # Write the configuration changes to the YAML file. CONFIG_PROVIDER.save_yaml(config_object) + # If the authentication system is not the database, link the superuser account to the + # the authentication system chosen. + if config_object.get('AUTHENTICATION_TYPE', 'Database') != 'Database': + service_name = get_federated_service_name(config_object['AUTHENTICATION_TYPE']) + current_user = get_authenticated_user() + model.user.confirm_attached_federated_login(current_user, service_name) + return { 'exists': True, 'config': config_object diff --git a/static/js/core-config-setup.js b/static/js/core-config-setup.js index 48f3081fb..c7ad79b76 100644 
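Review bot: The reordered call passes `max_fresh_s` positionally after `app.config['HTTPCLIENT']`, and the same positional pattern is repeated in the util/config/validator.py hunk; ExternalJWTAuthN's signature is not in the diff, so neither call can be checked from this page, and a future parameter change would break both silently. Passing it by name, `users = ExternalJWTAuthN(verify_url, issuer, override_config_dir, app.config['HTTPCLIENT'], max_fresh_s=max_fresh_s)`, documents the argument and survives reordering. The default `300` for JWT_AUTH_MAX_FRESH_S now appears in both files; a single shared constant, e.g. `DEFAULT_JWT_MAX_FRESH_S = 300` in data.users, would keep the validator and the runtime configuration from drifting. The enclosing `__init__` of UserAuthentication starts and ends outside the hunk.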
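Review bot: The federated link is attempted only after `CONFIG_PROVIDER.save_yaml(config_object)` has already persisted the new configuration, so if `get_federated_service_name` raises for an unexpected AUTHENTICATION_TYPE, or `get_authenticated_user()` returns None and `confirm_attached_federated_login` fails on `user.username`, the instance is switched to external authentication without the superuser being attached and the request ends in an unhandled error; that is the case most likely to lock the superuser out of setup. Moving `service_name = get_federated_service_name(...)` and `current_user = get_authenticated_user()` above the `save_yaml` call, and failing the request there if the user is missing, keeps the saved file and the link consistent from the caller's point of view. The keyed access `config_object['AUTHENTICATION_TYPE']` is safe only because of the preceding `.get(..., 'Database')`; binding the fetched value once and reusing it avoids the second lookup. The enclosing method of SuperUserConfig starts outside the hunk.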
--- a/static/js/core-config-setup.js +++ b/static/js/core-config-setup.js @@ -207,7 +207,7 @@ angular.module("core-config-setup", ['angularFileUpload']) '', "title": 'Enter Password', "buttons": { - "verify": { + "success": { "label": "Validate Config", "className": "btn-success", "callback": function() { diff --git a/util/config/validator.py b/util/config/validator.py index 976d69e5b..82a15fff7 100644 --- a/util/config/validator.py +++ b/util/config/validator.py @@ -344,7 +344,8 @@ def _validate_jwt(config, password): # Try to instatiate the JWT authentication mechanism. This will raise an exception if # the key cannot be found. users = ExternalJWTAuthN(verify_endpoint, issuer, OVERRIDE_CONFIG_DIRECTORY, - app.config['HTTPCLIENT']) + app.config['HTTPCLIENT'], + app.config.get('JWT_AUTH_MAX_FRESH_S', 300)) # Verify that the superuser exists. If not, raise an exception. username = get_authenticated_user().username @@ -403,4 +404,4 @@ _VALIDATORS = { 'ldap': _validate_ldap, 'jwt': _validate_jwt, 'keystone': _validate_keystone, -} \ No newline at end of file +}
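Review bot: `_validate_jwt` receives the candidate `config` to validate but reads the freshness window from the live `app.config.get('JWT_AUTH_MAX_FRESH_S', 300)`, so a JWT_AUTH_MAX_FRESH_S value in the configuration under test is ignored and validation may run against a different setting than the one about to be saved. `config.get('JWT_AUTH_MAX_FRESH_S', 300)` reads the value being validated, matching what data/users/__init__.py reads from app.config once the file is applied, assuming verify_endpoint and issuer on the lines above the hunk are also taken from `config`. The 300 default is now duplicated here and in data/users/__init__.py; pulling it from one shared constant avoids the two drifting. `_validate_jwt` starts and ends outside the hunk.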