diff --git a/Dockerfile b/Dockerfile
index a33318966..2254c2eae 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 # To run: docker run -d -v /path/to/fence-config.yaml:/var/www/fence/fence-config.yaml --name=fence -p 80:80 fence
 # To check running container: docker exec -it fence /bin/bash
-FROM quay.io/cdis/python-nginx:pybase3-1.0.0
+FROM quay.io/cdis/python-nginx:pybase3-1.1.0
 ENV appname=fence
diff --git a/fence/blueprints/login/__init__.py b/fence/blueprints/login/__init__.py
index c20012dda..c363a294b 100644
--- a/fence/blueprints/login/__init__.py
+++ b/fence/blueprints/login/__init__.py
@@ -56,7 +56,7 @@ def default_login():
 The default root login route.
 """
 # default login option
- if "DEFAULT_LOGIN_IDP" in config:
+ if config.get("DEFAULT_LOGIN_IDP"):
 default_idp = config["DEFAULT_LOGIN_IDP"]
 elif "default" in config.get("ENABLED_IDENTITY_PROVIDERS", {}):
 # fall back on ENABLED_IDENTITY_PROVIDERS.default
@@ -219,7 +219,7 @@ def provider_info(login_details):
 provider_info(login_details) for login_details in login_options
 ]
 except KeyError as e:
- raise InternalError("login options misconfigured: {}".format(e))
+ raise InternalError("LOGIN_OPTIONS misconfigured: {}".format(e))
 # if several login_options are defined for this default IDP, will
 # default to the first one:
@@ -227,7 +227,11 @@ def provider_info(login_details):
 (info for info in all_provider_info if info["idp"] == default_idp), None
 )
 if not default_provider_info:
- raise InternalError("default provider misconfigured")
+ raise InternalError(
+ "default provider misconfigured: DEFAULT_LOGIN_IDP is set to {}, which is not configured in LOGIN_OPTIONS".format(
+ default_idp
+ )
+ )
 return flask.jsonify(
 {"default_provider": default_provider_info, "providers": all_provider_info}
diff --git a/fence/config-default.yaml b/fence/config-default.yaml
index 0058776e5..133a10a44 100644
--- a/fence/config-default.yaml
+++ b/fence/config-default.yaml
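Review bot: In `default_login()` (hunk at -56), the `elif` fallback right after the changed line can still fail on the kind of input this change is meant to tolerate: `config.get("ENABLED_IDENTITY_PROVIDERS", {})` returns `None` when the key is present but null, and `"default" in None` raises `TypeError`. Whether the config loader can produce a null there is not visible in this hunk, but if it can, the guard could read `elif "default" in (config.get("ENABLED_IDENTITY_PROVIDERS") or {}):`. The function body continues outside the hunk, so what happens when neither source yields a default cannot be checked from here.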
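Review bot: The new message in the `if not default_provider_info:` branch (hunk at -227) always names `DEFAULT_LOGIN_IDP`, yet the hunk at -56 shows the default can also come from `ENABLED_IDENTITY_PROVIDERS.default`. Assuming `default_idp` here is that same resolved value (its assignment is outside this hunk), the text will point an operator at the wrong key when the fallback supplied it. Wording such as `"default IDP '{}' is not configured in LOGIN_OPTIONS"` would hold in both cases. Separately, this message and the `KeyError` text in the hunk at -219 both put configuration detail into `InternalError`. If that message is returned in the HTTP response of the login route, it would be better to write the detail to the server log and keep `raise InternalError("default provider misconfigured")` for the client.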
@@ -259,7 +259,7 @@ LOGIN_OPTIONS: [] # !!! remove the empty list to enable login options!
 # - Google? Use: '{{BASE_URL}}/login/google'
 # - Multi-tenant fence (e.g. another fence instance)? Use: '{{BASE_URL}}/login/fence'
 # - Sibboleth? Use: '{{BASE_URL}}/login/shib'
-DEFAULT_LOGIN_IDP: google
+DEFAULT_LOGIN_IDP: null
 DEFAULT_LOGIN_URL: '{{BASE_URL}}/login/google'
 # `LOGIN_REDIRECT_WHITELIST` is a list of extra whitelisted URLs which can be redirected
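Review bot: `DEFAULT_LOGIN_IDP` now defaults to `null`, but `DEFAULT_LOGIN_URL` on the next line still points at `/login/google`, so the two defaults no longer agree. A deployment that never enables Google may keep a default login URL for a provider it does not offer. How `DEFAULT_LOGIN_URL` is consumed is not visible in this hunk, so please confirm it is either derived from the resolved IdP or documented as something operators must override. The new null value also deserves a comment above the key, for example `# null: fall back to ENABLED_IDENTITY_PROVIDERS.default; if set, must match an idp in LOGIN_OPTIONS`, since the login blueprint in this commit now raises when the value is not found there.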