From 77fe2b3a6aade1567870c15f690a1cea14727d0e Mon Sep 17 00:00:00 2001 From: Timshel Date: Mon, 18 Sep 2023 12:12:29 +0200 Subject: [PATCH] Add some SSO documentation --- SSO.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 SSO.md diff --git a/SSO.md b/SSO.md new file mode 100644 index 0000000000..bec96f43ec --- /dev/null +++ b/SSO.md @@ -0,0 +1,22 @@ +# SSO using OpenId Connect + +To use an external source of authentication your SSO will need to support OpendID Connect : + + - And OpenID Connect Discovery endpoint should be available + - Client authentication will be done using Id and Secret. + +A master password will still required and not controlled by the SSO (depending of your point of view this might be a feature ;). +This introduce another way to control who can use the vault without having to use invitation or using an LDAP. + +## Configuration + +The following configurations are available + + - `SSO_ENABLED` : Activate the SSO + - `SSO_ONLY` : disable email+Master password authentication + - `SSO_AUTHORITY` : the OpendID Connect Discovery endpoint of your SSO + - `SSO_CLIENT_ID` : Client Id + - `SSO_CLIENT_SECRET` : Client Secret + - `SSO_KEY_FILEPATH` : And optional public key that can be used to authenticate the SSO during the exchange flow. + +The callback url is : `https://your.domain/identity/connect/oidc-signin`
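Review bot: The `SSO_KEY_FILEPATH` entry is the security-relevant setting in this hunk and its description leaves the important part unsaid: `+ - \`SSO_KEY_FILEPATH\` : And optional public key that can be used to authenticate the SSO during the exchange flow.` should state which artifact the key verifies (the ID token, the discovery response, or something else), the expected file format, and what verification is performed when it is left unset, because an operator reading "optional" cannot tell from this line whether omitting it weakens the exchange. In the same list, `+ - \`SSO_ONLY\` : disable email+Master password authentication` should document how an operator regains access if the SSO is misconfigured or unreachable, since that option removes the local login path that would otherwise serve as a fallback. The intro line `+To use an external source of authentication your SSO will need to support OpendID Connect :` and the `SSO_AUTHORITY` entry both misspell "OpenID"; also "And OpenID Connect Discovery endpoint" should read "An OpenID Connect Discovery endpoint", "A master password will still required" should read "will still be required", and "This introduce" / "depending of" should be "This introduces" / "depending on".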