diff --git a/.env.sample b/.env.sample
index 666f3b7..12614aa 100644
--- a/.env.sample
+++ b/.env.sample
@@ -17,3 +17,19 @@ GRIST_DEFAULT_EMAIL=grist@example.com
 SECRET_GRIST_SESSION_SECRET_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
+
+COMPOSE_FILE="compose.yml"
+
+# OIDC Single Sign On
+# See https://support.getgrist.com/install/oidc/
+#COMPOSE_FILE="$COMPOSE_FILE:compose.oidc.yml"
+#GRIST_OIDC_IDP_ISSUER=https://sso.example.com/realm/myrealm/
+#GRIST_OIDC_IDP_CLIENT_ID=something
+#SECRET_GRIST_OIDC_IDP_CLIENT_SECRET_VERSION=v1
+# Optional settings
+#GRIST_OIDC_IDP_SCOPES
+#GRIST_OIDC_SP_HOST
+#GRIST_OIDC_IDP_END_SESSION_ENDPOINT
+#GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT
+#GRIST_OIDC_SP_PROFILE_NAME_ATTR
+#GRIST_OIDC_SP_PROFILE_EMAIL_ATTR
diff --git a/abra.sh b/abra.sh
index 5c54e9d..152f5a3 100644
--- a/abra.sh
+++ b/abra.sh
@@ -1 +1 @@
-export ENTRYPOINT_CONF_VERSION=v1
+export ENTRYPOINT_CONF_VERSION=v2
diff --git a/compose.oidc.yml b/compose.oidc.yml
new file mode 100644
index 0000000..14673f0
--- /dev/null
+++ b/compose.oidc.yml
@@ -0,0 +1,19 @@
+services:
+ app:
+ environment:
+ - GRIST_OIDC_IDP_ISSUER
+ - GRIST_OIDC_IDP_CLIENT_ID
+ - GRIST_OIDC_IDP_CLIENT_SECRET_FILE=/run/secrets/grist_oidc_idp_client_secret
+ - GRIST_OIDC_IDP_SCOPES
+ - GRIST_OIDC_SP_HOST
+ - GRIST_OIDC_IDP_END_SESSION_ENDPOINT
+ - GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT
+ - GRIST_OIDC_SP_PROFILE_NAME_ATTR
+ - GRIST_OIDC_SP_PROFILE_EMAIL_ATTR
+ secrets:
+ - grist_oidc_idp_client_secret
+
+secrets:
+ grist_oidc_idp_client_secret:
+ external: true
+ name: ${STACK_NAME}_grist_oidc_idp_client_secret_${SECRET_GRIST_OIDC_IDP_CLIENT_SECRET_VERSION}
diff --git a/compose.yml b/compose.yml
index 0a74ab0..1867255 100644
--- a/compose.yml
+++ b/compose.yml
@@ -1,6 +1,6 @@
 services:
 app:
- image: gristlabs/grist:1.1.7
+ image: gristlabs/grist:1.1.12
 networks:
 - proxy
 - internal
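Review bot: The six optional OIDC settings at the end of the .env.sample hunk are bare names (`#GRIST_OIDC_IDP_SCOPES` through `#GRIST_OIDC_SP_PROFILE_EMAIL_ATTR`), so uncommenting one produces a line with no `=` and no indication of the expected value. Write them as assignments, for example `#GRIST_OIDC_IDP_SCOPES="openid email profile"` (the default given in the linked Grist documentation) and `#GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT=false`. The skip option deserves its own comment, `# true: logging out of Grist leaves the user's session at the IdP open`, because that is a behaviour an operator should choose knowingly.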
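Review bot: The secret name on the last line of compose.oidc.yml, `${STACK_NAME}_grist_oidc_idp_client_secret_${SECRET_GRIST_OIDC_IDP_CLIENT_SECRET_VERSION}`, carries a 30-character fixed part, and Docker rejects secret names longer than 64 characters. With a `v1` version that leaves 32 characters for the stack name, so a deployment with a long stack name would presumably fail only when the secret is created. Either shorten the secret's name or record the limit on its own line above the version variable in .env.sample, e.g. `# STACK_NAME plus this secret's name must fit Docker's 64-character limit`.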
@@ -18,7 +18,7 @@ services:
 - APP_HOME_URL=https://${DOMAIN}
 - APP_DOC_URL=https://${DOMAIN}
 - GRIST_SINGLE_ORG
- - GRIST_ORG_IN_PATH
+ #- GRIST_ORG_IN_PATH
 - COOKIE_MAX_AGE
 - GRIST_FORCE_LOGIN
 - GRIST_HIDE_UI_ELEMENTS
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
index 59de195..967c05f 100755
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@@ -26,5 +26,6 @@ file_env() {
 file_env TYPEORM_PASSWORD
 file_env GRIST_SESSION_SECRET
+file_env GRIST_OIDC_IDP_CLIENT_SECRET
 exec ./sandbox/run.sh $@
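Review bot: Commenting out `- GRIST_ORG_IN_PATH` in the `environment:` list of compose.yml means a value set in the app's .env no longer reaches the container, and the hunk gives no reason for it. If the variable is dropped on purpose, delete the line (and any matching entry in .env.sample, which is outside this hunk) instead of leaving `#- GRIST_ORG_IN_PATH` behind. If it has to stay as a marker, put the reason above it, e.g. `# disabled: <reason>`. As written, an operator who sets the variable gets no error and no effect.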
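Review bot: The added `file_env GRIST_OIDC_IDP_CLIENT_SECRET` in entrypoint.sh.tmpl runs on every start, including deployments that never load compose.oidc.yml and so have neither the variable nor its `_FILE` form set. file_env's body is outside this hunk, so it cannot be confirmed here that it handles that case without exporting an empty value or aborting; if it does not, guard the call with `if [ -n "${GRIST_OIDC_IDP_CLIENT_SECRET_FILE:-}" ]; then file_env GRIST_OIDC_IDP_CLIENT_SECRET; fi`. file_env presumably exports the value, in which case a comment above the call, `# OIDC client secret: exported, so inherited by ./sandbox/run.sh and its children`, would record that exposure for the next maintainer.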