diff --git a/gitlab.rb.tmpl b/gitlab.rb.tmpl
index 4d4ed3b..29d2a76 100644
--- a/gitlab.rb.tmpl
+++ b/gitlab.rb.tmpl
@@ -550,7 +550,7 @@
 # gitlab_rails['smartcard_required_for_git_access'] = false
 # gitlab_rails['smartcard_san_extensions'] = false
 
-{{ if eq SSO "true" }}
+{{ if eq env "SSO" "true" }}
 ### OmniAuth Settings
 ###! Docs: https://docs.gitlab.com/ee/integration/omniauth.html
 # gitlab_rails['omniauth_enabled'] = nil
@@ -568,20 +568,20 @@ gitlab_rails['omniauth_block_auto_created_users'] = false
 gitlab_rails['omniauth_providers'] = [
   {
     "name" => "openid_connect",
-    "label" => "{{ ORG_NAME }}",
-    "icon" => "https://git.{{ BASE_DOMAIN }}/uploads/-/system/appearance/favicon/1/favicon.png",
+    "label" => "{{ env "ORG_NAME" }}",
+    "icon" => "https://git.{{ env "BASE_DOMAIN" }}/uploads/-/system/appearance/favicon/1/favicon.png",
     "args" => { 
       "name" => "openid_connect",
       "scope" => ["openid","profile","email"],
       "response_type" => "code",
-      "issuer" => "https://accounts.{{ BASE_DOMAIN }}/realms/{{ KEYCLOAK_REALM }}",
+      "issuer" => "https://accounts.{{ env "BASE_DOMAIN" }}/realms/{{ env "KEYCLOAK_REALM" }}",
       "discovery" => true,
       "client_auth_method" => "query",
       "send_scope_to_token_endpoint" => "false",
       "client_options" => {
         "identifier" => "gitlab",
-        "secret" => "{{ GITLAB_KEYCLOAK_SECRET }}",
-        "redirect_uri" => "https://git.{{ BASE_DOMAIN }}/users/auth/openid_connect/callback"
+        "secret" => "{{ env "GITLAB_KEYCLOAK_SECRET" }}",
+        "redirect_uri" => "https://git.{{ env "BASE_DOMAIN" }}/users/auth/openid_connect/callback"
       }
     }
   }