diff --git a/app/services/service_provider_seeder.rb b/app/services/service_provider_seeder.rb
index 1e21e70bd82..caa0308fa69 100644
--- a/app/services/service_provider_seeder.rb
+++ b/app/services/service_provider_seeder.rb
@@ -41,6 +41,7 @@ def run
 def service_providers
 file = Rails.root.join('config', 'service_providers.yml').read
+ file.gsub!('%{env}', deploy_env) if deploy_env
 content = ERB.new(file).result
 YAML.safe_load(content).fetch(rails_env)
 rescue Psych::SyntaxError => syntax_error
@@ -55,10 +56,16 @@ def write_service_provider?(config)
 return true if rails_env != 'production'
 restrict_env = config['restrict_to_deploy_env']
+ in_prod = deploy_env == 'prod'
+ in_sandbox = !%w[prod staging].include?(deploy_env)
+ in_staging = deploy_env == 'staging'
- is_production_or_has_a_restriction = (deploy_env == 'prod' || restrict_env.present?)
+ return true if restrict_env == 'prod' && in_prod
+ return true if restrict_env == 'staging' && in_staging
+ return true if restrict_env == 'sandbox' && in_sandbox
+ return true if restrict_env.blank? && !in_prod
- !is_production_or_has_a_restriction || (restrict_env == deploy_env)
+ false
 end
 def check_for_missing_sps
diff --git a/config/service_providers.localdev.yml b/config/service_providers.localdev.yml
index 6b46b2e79e0..8d2e10798b8 100644
--- a/config/service_providers.localdev.yml
+++ b/config/service_providers.localdev.yml
@@ -494,3 +494,9 @@ production:
 'urn:gov:login:test-providers:fake-unrestricted-sp':
 friendly_name: 'Fake/Test stub SP, env unrestricted'
+
+ 'urn:gov:login:test-providers:fake-sandbox-sp':
+ friendly_name: 'Fake/Test stub SP, sandbox SP with env-specific hostname'
+ redirect_uris:
+ - 'https://%{env}.example.com'
+ restrict_to_deploy_env: 'sandbox'
diff --git a/spec/services/service_provider_seeder_spec.rb b/spec/services/service_provider_seeder_spec.rb
index 3d1b95646f4..ab1e7852f16 100644
--- a/spec/services/service_provider_seeder_spec.rb
+++ b/spec/services/service_provider_seeder_spec.rb
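Review bot: In `service_providers`, the added `gsub!` splices `deploy_env` into the raw file text before `ERB.new(file).result` and `YAML.safe_load` run, so the value is interpreted as template and YAML source rather than as data. Where `deploy_env` is read from is not visible in this hunk; if it comes from host or environment configuration, a value containing ERB tags, quotes, a colon or a newline would change what is evaluated or parsed. Constraining it before the substitution keeps it inert, for example `raise ArgumentError, 'invalid deploy_env' if deploy_env && !deploy_env.match?(/\A[a-z0-9-]+\z/)` (pattern to be confirmed against the real environment names). The block form `file.gsub!('%{env}') { deploy_env }` also stops backslash sequences in the replacement being treated as back-references. The method body continues past the end of the hunk.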
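Review bot: In `write_service_provider?`, `in_sandbox = !%w[prod staging].include?(deploy_env)` defines sandbox by exclusion, so a nil, empty or misspelled `deploy_env` on a host with `rails_env == 'production'` counts as sandbox and gets both the sandbox-restricted and the unrestricted providers written. If an unset `deploy_env` is not a supported configuration, failing closed is safer for a registry of relying parties: `return false if deploy_env.blank?` right after the `rails_env` guard. Separately, a `restrict_to_deploy_env` value other than `prod`, `staging` or `sandbox` now falls through to `false`, whereas the removed `restrict_env == deploy_env` comparison accepted any exact match; a comment naming the three accepted values, or a raise on an unknown one, would make that change visible. The method's `def` line sits just above the hunk.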
@@ -78,6 +78,21 @@
 context 'when running in a production environment' do
 let(:rails_env) { 'production' }
+ let(:sandbox_issuer) { 'urn:gov:login:test-providers:fake-sandbox-sp' }
+ let(:staging_issuer) { 'urn:gov:login:test-providers:fake-staging-sp' }
+ let(:prod_issuer) { 'urn:gov:login:test-providers:fake-prod-sp' }
+ let(:unrestricted_issuer) { 'urn:gov:login:test-providers:fake-unrestricted-sp' }
+
+ context 'when %{env} is present in the config file' do
+ let(:deploy_env) { 'dev' }
+
+ it 'is replaced with the deploy_env' do
+ run
+
+ sp = ServiceProvider.find_by(issuer: sandbox_issuer)
+ expect(sp.redirect_uris).to eq(%w[https://dev.example.com])
+ end
+ end
 context 'in prod' do
 let(:deploy_env) { 'prod' }
@@ -85,18 +100,10 @@
 it 'only writes configs with restrict_to_deploy_env for prod' do
 run
- # restrict_to_deploy_env: prod
- expect(ServiceProvider.find_by(issuer: 'urn:gov:login:test-providers:fake-prod-sp')).
- to be_present
-
- # restrict_to_deploy_env: staging
- expect(ServiceProvider.find_by(issuer: 'urn:gov:login:test-providers:fake-staging-sp')).
- to eq(nil)
-
- # restrict_to_deploy_env: nil
- expect(
- ServiceProvider.find_by(issuer: 'urn:gov:login:test-providers:fake-unrestricted-sp'),
- ).to eq(nil)
+ expect(ServiceProvider.find_by(issuer: prod_issuer)).to be_present
+ expect(ServiceProvider.find_by(issuer: sandbox_issuer)).not_to be_present
+ expect(ServiceProvider.find_by(issuer: staging_issuer)).not_to be_present
+ expect(ServiceProvider.find_by(issuer: unrestricted_issuer)).not_to be_present
 end
 it 'sends New Relic an error if the DB has an SP not in the config' do
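Review bot: The new `%{env}` example covers only a set `deploy_env`; nothing exercises `deploy_env` being nil while `rails_env` is `'production'`. Going by the seeder change in this commit, the substitution is skipped in that case while the sandbox provider still passes `write_service_provider?`, so the literal `https://%{env}.example.com` would be stored as a redirect URI. A `context 'when deploy_env is nil'` asserting `expect(ServiceProvider.find_by(issuer: sandbox_issuer)).not_to be_present` (or that `run` raises) would pin the intended behaviour. The enclosing `context` block is closed outside this hunk.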
@@ -114,20 +121,10 @@
 it 'only writes configs with restrict_to_deploy_env for that env, or no restrictions' do
 run
- # restrict_to_deploy_env: prod
- expect(ServiceProvider.find_by(issuer: 'urn:gov:login:test-providers:fake-prod-sp')).
- to eq(nil)
-
- # restrict_to_deploy_env: staging
- expect(ServiceProvider.find_by(issuer: 'urn:gov:login:test-providers:fake-staging-sp')).
- to be_present
-
- # restrict_to_deploy_env: nil
- expect(
- ServiceProvider.find_by(
- issuer: 'urn:gov:login:test-providers:fake-unrestricted-sp',
- ),
- ).to be_present
+ expect(ServiceProvider.find_by(issuer: staging_issuer)).to be_present
+ expect(ServiceProvider.find_by(issuer: unrestricted_issuer)).to be_present
+ expect(ServiceProvider.find_by(issuer: sandbox_issuer)).not_to be_present
+ expect(ServiceProvider.find_by(issuer: prod_issuer)).not_to be_present
 end
 it 'sends New Relic an error if the DB has an SP not in the config' do
@@ -142,6 +139,15 @@
 context 'in another environment' do
 let(:deploy_env) { 'int' }
+ it 'only writes configs with restrict_to_deploy_env for sandbox' do
+ run
+
+ expect(ServiceProvider.find_by(issuer: sandbox_issuer)).to be_present
+ expect(ServiceProvider.find_by(issuer: unrestricted_issuer)).to be_present
+ expect(ServiceProvider.find_by(issuer: staging_issuer)).not_to be_present
+ expect(ServiceProvider.find_by(issuer: prod_issuer)).not_to be_present
+ end
+
 it 'does not send New Relic an error if the DB has an SP not in the config' do
 allow(NewRelic::Agent).to receive(:notice_error)
 create(:service_provider, issuer: 'missing_issuer')