diff --git a/docs/configuration.md b/docs/configuration.md index d903a21e..a8fa07de 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -11,6 +11,7 @@ Conduit's configuration file is divided into the following sections: - [Global](#global) - [TLS](#tls) - [Proxy](#proxy) + - [SSO (Single Sign-On)](#sso) ## Global @@ -109,3 +110,39 @@ exclude = ["*.clearnet.onion"] [global] {{#include ../conduit-example.toml:22:}} ``` + +### SSO (Single Sign-On) + +Authentication through SSO instead of a password can be enabled by configuring OIDC (OpenID Connect) identity providers. +Identity providers using OAuth such as Github are not supported yet. + +> **Note:** The `*` symbol indicates that the field is required, and the values in **parentheses** are the possible values + +| Field | Type | Description | Default | +| --- | --- | --- | --- | +| `issuer`* | `Url` | The issuer URL. | N/A | +| `name` | `string` | The name displayed on fallback pages. | `issuer` | +| `icon` | `Url` OR `MxcUri` | The icon displayed on fallback pages. | N/A | +| `scopes` | `array` | The scopes used to obtain extra claims which can be used for templates. | `["openid"]` | + + + + +| `client_id`* | `string` | The provider-supplied, unique ID for the client. | N/A | +| `client_secret`* | `string` | The provider-supplied, unique ID for the client. | N/A | +| `authentication_method`* | `"basic" | "post"` | The method used for client authentication. | N/A | + + + + + + + + + + + + + + +
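Review bot: The new table-of-contents entry in the first hunk links to `#sso`, but the heading this patch adds is `### SSO (Single Sign-On)`, and an anchor generated from that full heading text will not be `sso`, so the link will probably not resolve. Either point the entry at the anchor the heading actually produces, or shorten the heading to `### SSO` and spell out the expansion in the first sentence of the section.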
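Review bot: In the second hunk's field table, the `client_secret` row repeats the `client_id` description ("The provider-supplied, unique ID for the client."), so the docs never say that this value is the client's secret. Please give it its own description and state that it is a credential. Three further points on the same table: the empty added lines between the `scopes` row and the `client_id` row end the Markdown table, so the last three rows will render as plain text; the type cell `"basic" | "post"` contains an unescaped `|` that will be read as a column separator; and the note says possible values are shown in parentheses, but no row uses parentheses. The section also never shows which TOML table these keys belong under, so a short example block like the ones in the other sections would help. The run of empty added lines at the end of the hunk can be dropped.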