diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/aup/AupSignaturePageController.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/aup/AupSignaturePageController.java index c3c93079a..bac6e4366 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/api/aup/AupSignaturePageController.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/aup/AupSignaturePageController.java @@ -22,6 +22,7 @@ import java.util.Date; import java.util.Optional; +import java.util.function.Supplier; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -30,8 +31,10 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.ApplicationEventPublisher; import org.springframework.security.access.prepost.PreAuthorize; +import org.springframework.security.web.WebAttributes; import org.springframework.security.web.savedrequest.SavedRequest; import org.springframework.stereotype.Controller; +import org.springframework.ui.Model; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.servlet.ModelAndView; 
@@ -44,37 +47,45 @@ import it.infn.mw.iam.persistence.model.IamAupSignature; import it.infn.mw.iam.persistence.repository.IamAupRepository; import it.infn.mw.iam.persistence.repository.IamAupSignatureRepository; +import it.infn.mw.iam.service.aup.DefaultAupSignatureCheckService; @Controller public class AupSignaturePageController { - final IamAupRepository repo; final IamAupSignatureRepository signatureRepo; final AccountUtils accountUtils; final TimeProvider timeProvider; final ApplicationEventPublisher publisher; + final DefaultAupSignatureCheckService service; @Autowired public AupSignaturePageController(IamAupRepository aupRepo, IamAupSignatureRepository aupSignatureRepo, AccountUtils accountUtils, - TimeProvider timeProvider, ApplicationEventPublisher publisher) { + TimeProvider timeProvider, ApplicationEventPublisher publisher, + DefaultAupSignatureCheckService service) { this.repo = aupRepo; this.signatureRepo = aupSignatureRepo; this.accountUtils = accountUtils; this.timeProvider = timeProvider; this.publisher = publisher; + this.service = service; } @PreAuthorize("hasRole('USER')") - @RequestMapping(value = "/iam/aup/sign", method = {RequestMethod.GET}) - public ModelAndView signAupPage() { + @RequestMapping(value = "/iam/aup/sign", method = { RequestMethod.GET }) + public ModelAndView signAupPage(HttpSession session) { ModelAndView view; Optional aup = repo.findDefaultAup(); if (aup.isPresent()) { view = new ModelAndView("iam/signAup"); + + IamAccount account = accountUtils.getAuthenticatedUserAccount().orElseThrow( + () -> new IllegalStateException("No iam account found for authenticated user")); + + view.addObject("daysLeftToExpirySignature", service.getRemainingDaysSignatureExpiration(account)); view.addObject("aup", aup.get()); } else { view = new ModelAndView("iam/noAup"); 
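Review bot: The new `service` field and constructor parameter use the concrete `DefaultAupSignatureCheckService`, while `EnforceAupFilter` in this same commit calls `getRemainingDaysSignatureExpiration` through the `AUPSignatureCheckService` type. Declaring `final AUPSignatureCheckService service;` here would keep both callers on one contract and let tests substitute the check. `signAupPage` now accepts `HttpSession session` but nothing in this hunk reads it; the method body continues past the hunk, so confirm it is used there or drop the parameter. The value stored as `daysLeftToExpirySignature` is added to the model for every account that reaches the page, so a short Javadoc on the service method saying what it returns for an account that has never signed, or whose signature has already lapsed, would make the rendered message checkable.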
@@ -84,8 +95,7 @@ public ModelAndView signAupPage() { } private Optional checkForSavedSpringSecurityRequest(HttpSession session) { - SavedRequest savedRequest = - (SavedRequest) session.getAttribute("SPRING_SECURITY_SAVED_REQUEST"); + SavedRequest savedRequest = (SavedRequest) session.getAttribute("SPRING_SECURITY_SAVED_REQUEST"); if (!isNull(savedRequest)) { session.removeAttribute("SPRING_SECURITY_SAVED_REQUEST"); @@ -95,7 +105,6 @@ private Optional checkForSavedSpringSecurityRequest(HttpSession se } - @PreAuthorize("hasRole('USER')") @RequestMapping(method = RequestMethod.POST, value = "/iam/aup/sign") public ModelAndView signAup(HttpServletRequest request, HttpServletResponse response, @@ -103,7 +112,6 @@ public ModelAndView signAup(HttpServletRequest request, HttpServletResponse resp Optional aup = repo.findDefaultAup(); - if (!aup.isPresent()) { return new ModelAndView("iam/noAup"); } @@ -129,5 +137,3 @@ public ModelAndView signAup(HttpServletRequest request, HttpServletResponse resp return new ModelAndView("redirect:/dashboard"); } } - - diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/web/aup/EnforceAupFilter.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/web/aup/EnforceAupFilter.java index da6beabfb..fd16bc9fb 100644 --- a/iam-login-service/src/main/java/it/infn/mw/iam/core/web/aup/EnforceAupFilter.java +++ b/iam-login-service/src/main/java/it/infn/mw/iam/core/web/aup/EnforceAupFilter.java @@ -32,6 +32,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Value; import it.infn.mw.iam.api.account.AccountUtils; import it.infn.mw.iam.api.aup.error.AupNotFoundError; 
@@ -43,13 +44,16 @@ public class EnforceAupFilter implements Filter { + @Value("${iam.aup.advance-notice}") + private int EXPIRY_NOTICE_DAYS = 30; + public static final Logger LOG = LoggerFactory.getLogger(EnforceAupFilter.class); public static final String AUP_API_PATH = "/iam/aup"; public static final String AUP_SIGN_PATH = "/iam/aup/sign"; public static final String SIGN_AUP_JSP = "signAup.jsp"; - public static final String REQUESTING_SIGNATURE = "iam.aup.requesting-signature"; + public static final String SIGNATURE_REMAINING_DAYS = "iam.aup.signature-remaining-days"; final AUPSignatureCheckService signatureCheckService; final AccountUtils accountUtils; @@ -92,8 +96,9 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha } Optional authenticatedUser = accountUtils.getAuthenticatedUserAccount(); + Optional aup = aupRepo.findDefaultAup(); - if (!authenticatedUser.isPresent() || !aupRepo.findDefaultAup().isPresent()) { + if (!authenticatedUser.isPresent() || !aup.isPresent()) { chain.doFilter(request, response); return; } @@ -103,15 +108,16 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha chain.doFilter(request, response); return; } - if (!res.isCommitted()) { + if (!res.isCommitted() && aup.isPresent()) { res.sendRedirect(AUP_SIGN_PATH); } return; } - if (signatureCheckService.needsAupSignature(authenticatedUser.get()) - && !sessionOlderThanAupCreation(session) && !res.isCommitted()) { + int remainingDays = signatureCheckService.getRemainingDaysSignatureExpiration(authenticatedUser.get()); + if ((remainingDays <= EXPIRY_NOTICE_DAYS) && !sessionOlderThanAupCreation(session) && !res.isCommitted()) { + session.setAttribute(SIGNATURE_REMAINING_DAYS, remainingDays); session.setAttribute(REQUESTING_SIGNATURE, true); res.sendRedirect(AUP_SIGN_PATH); return; 
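Review bot: The placeholder in `@Value("${iam.aup.advance-notice}")` has no default, so the `= 30` initializer does not act as a fallback. If this filter is a Spring-managed bean, a missing property will typically fail placeholder resolution at startup; if it is built with `new`, the annotation is never processed and 30 is used silently. Which case applies is not visible in this hunk, but `@Value("${iam.aup.advance-notice:30}")` makes the default explicit either way. The field is mutable and per-instance, so a name like `expiryNoticeDays` would read better than the constant-style `EXPIRY_NOTICE_DAYS` sitting among the real `public static final` constants.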
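Review bot: The redirect in `doFilter` that enforces signing no longer calls `needsAupSignature` and now depends only on `remainingDays <= EXPIRY_NOTICE_DAYS`. Enforcement therefore rests on what `getRemainingDaysSignatureExpiration` returns for an account that has never signed, for a signature older than the current AUP text, and for an AUP with no expiry, none of which is shown in this diff. If any of those cases yields a value above the threshold the request proceeds without a signature, and if the no-expiry case yields zero or less every request is redirected. Keeping the old predicate beside the notice covers both: `boolean mustSign = signatureCheckService.needsAupSignature(authenticatedUser.get());` and then `if ((mustSign || remainingDays <= EXPIRY_NOTICE_DAYS) && !sessionOlderThanAupCreation(session) && !res.isCommitted()) {`. The added `&& aup.isPresent()` in the earlier branch appears to be always true, because the method has already returned when `aup` is empty.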
diff --git a/iam-login-service/src/main/webapp/WEB-INF/views/iam/signAup.jsp b/iam-login-service/src/main/webapp/WEB-INF/views/iam/signAup.jsp index d1dda018d..77fc7da99 100644 --- a/iam-login-service/src/main/webapp/WEB-INF/views/iam/signAup.jsp +++ b/iam-login-service/src/main/webapp/WEB-INF/views/iam/signAup.jsp @@ -18,6 +18,14 @@ <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%> <%@ taglib prefix="t" tagdir="/WEB-INF/tags/iam"%> + +
+

You still have ${daysLeftToExpirySignature} days to sign

+
+ +
+
+

Sign Acceptable Usage Policy