diff --git a/.env.sample b/.env.sample index 703815d..e724c5f 100644 --- a/.env.sample +++ b/.env.sample @@ -10,6 +10,9 @@ SECRET_DB_ROOT_PASSWORD_VERSION=v1 SECRET_ADMIN_PASSWORD_VERSION=v1 # SSO_ENABLED=0 +## only set one of those depending on which SSO you're using +# SSO_AUTHENTIK=1 +# SSO_KEYCLOAK=0 # SSO_PROVIDER_URL=https://sso.example.org/ # SSO_SAML_URL=https://sso.example.org/application/saml//sso/binding/redirect/ # SSO_LOGOUT_URL=https://sso.example.org/if/session-end// diff --git a/abra.sh b/abra.sh index a4adbdf..40c319c 100644 --- a/abra.sh +++ b/abra.sh @@ -1,5 +1,5 @@ export ENTRYPOINT_CONF_VERSION=v1 -export LOCAL_CONF_VERSION=v2 +export LOCAL_CONF_VERSION=v3 create_admin () { export DATABASE_URL="$DATABASE_TYPE://$DATABASE_USER:$(cat /run/secrets/db_password)@$DATABASE_HOST/$DATABASE_NAME" diff --git a/compose.yml b/compose.yml index 0b9950c..f74ca84 100644 --- a/compose.yml +++ b/compose.yml @@ -15,6 +15,8 @@ services: - DATABASE_PASSWORD_FILE=/run/secrets/db_password - DOMAIN - SSO_ENABLED + - SSO_KEYCLOAK + - SSO_AUTHENTIK - SSO_PROVIDER_URL - SSO_SAML_URL - SSO_LOGOUT_URL @@ -57,7 +59,7 @@ services: - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect" - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true" - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}" - - "coop-cloud.${STACK_NAME}.version=0.2.0+apache-debian-1.29.1-prod" + - "coop-cloud.${STACK_NAME}.version=0.3.0+apache-1.29.1-prod" db: image: mysql:5.7 environment: diff --git a/local.yaml.tmpl b/local.yaml.tmpl index b4b118f..0e90077 100644 --- a/local.yaml.tmpl +++ b/local.yaml.tmpl 
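Review bot: The new version label `0.3.0+apache-1.29.1-prod` in the `coop-cloud.${STACK_NAME}.version` line drops the `-debian` segment that the old label `0.2.0+apache-debian-1.29.1-prod` carried, while the release note added in this same commit lives at `release/0.3.0+apache-debian-1.29.1-prod`. If abra matches release notes to this label (I believe it does, but have not verified against the abra version in use), operators upgrading with SSO enabled would never be shown the warning that they must set `SSO_KEYCLOAK=1` or `SSO_AUTHENTIK=1`, which is exactly the case in which the upgrade breaks login. Either rename the file to `release/0.3.0+apache-1.29.1-prod` or keep the label as `0.3.0+apache-debian-1.29.1-prod`; the image tag it should mirror is outside this hunk, so check which of the two matches it.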
@@ -3,6 +3,17 @@ kimai:
 saml:
 activate: true
 title: Login with SAML
+ {{ if eq (env "SSO_AUTHENTIK") "1" }}
+ mapping:
+ - { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, kimai: email }
+ - { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, kimai: alias }
+ roles:
+ attribute: http://schemas.xmlsoap.org/claims/Group
+ resetOnLogin: true
+ attribute: Roles
+ mapping:
+ - { saml: admin.group, kimai: ROLE_ADMIN }
+ {{ else if eq (env "SSO_KEYCLOAK") "1" }}
 mapping:
 - { saml: $Email, kimai: email }
 - { saml: $FirstName $LastName, kimai: alias }
@@ -12,6 +23,7 @@ kimai:
 mapping:
 - { saml: Admins, kimai: ROLE_ADMIN }
 - { saml: Management, kimai: ROLE_TEAMLEAD }
+ {{ end }}
 connection:
 # You SAML provider
 # Your Authentik instance, replace https://authentik.company with your authentik URL
diff --git a/release/0.3.0+apache-debian-1.29.1-prod b/release/0.3.0+apache-debian-1.29.1-prod
new file mode 100644
index 0000000..c9478ab
--- /dev/null
+++ b/release/0.3.0+apache-debian-1.29.1-prod
@@ -0,0 +1,5 @@
+If you have SSO enabled this upgrade will break unless you add
+`SSO_KEYCLOAK=1` or `SSO_AUTHENTIK=1` in your env file for kimai!
+This allows us to support both SSO methods
+
+knoflook @ kotec.pl
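Review bot: The Authentik `roles:` block declares `attribute:` twice (`http://schemas.xmlsoap.org/claims/Group` and then `Roles`); a YAML mapping cannot hold duplicate keys, and as far as I know the Symfony YAML parser that Kimai uses for local.yaml rejects them with a parse error, so a deployment with `SSO_AUTHENTIK=1` would fail to load its config rather than silently use one of the two. The `attribute: Roles` line looks carried over from the Keycloak block further down (whose `roles:` lines fall outside this hunk), so dropping it and keeping the Group claim appears to be the intent. `- { saml: admin.group, kimai: ROLE_ADMIN }` is the single line that decides which IdP group becomes administrator and `admin.group` reads like a placeholder, so a comment such as `# replace admin.group with the Authentik group that should receive ROLE_ADMIN` would make that explicit to whoever copies this template. Note also that with SSO enabled but neither flag equal to `"1"` the rendered file now has `activate: true` with no `mapping:` or `roles:` at all; the release note covers this, but a one-line comment next to `{{ else if eq (env "SSO_KEYCLOAK") "1" }}` saying the same would be seen by anyone editing the template (the matching `{{ end }}` is added in the second hunk of this file).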