diff --git a/.env.sample b/.env.sample
index eeacf3b..ed7601c 100644
--- a/.env.sample
+++ b/.env.sample
@@ -7,4 +7,11 @@ SECRET_DB_PASSWORD_VERSION=v1
 SYNAPSE_ADMIN_EMAIL=admin@example.com
-DISABLE_FEDERATION=0
+#DISABLE_FEDERATION=1
+
+#COMPOSE_FILE="compose.yml:compose.keycloak.yml"
+#KEYCLOAK_ENABLED=1
+#KEYCLOAK_NAME=
+#KEYCLOAK_URL=
+#KEYCLOAK_CLIENT_ID=
+#SECRET_KEYCLOAK_CLIENT_SECRET_VERSION=v1
diff --git a/compose.keycloak.yml b/compose.keycloak.yml
new file mode 100644
index 0000000..13ca59f
--- /dev/null
+++ b/compose.keycloak.yml
@@ -0,0 +1,18 @@
+---
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - db_password
+      - keycloak_client_secret
+    environment:
+      - KEYCLOAK_ENABLED
+      - KEYCLOAK_NAME
+      - KEYCLOAK_URL
+      - KEYCLOAK_CLIENT_ID
+
+secrets:
+  keycloak_client_secret:
+    external: true
+    name: ${STACK_NAME}_keycloak_client_secret_${SECRET_KEYCLOAK_CLIENT_SECRET_VERSION}
diff --git a/homeserver.yaml.tmpl b/homeserver.yaml.tmpl
index f7f611e..176837a 100644
--- a/homeserver.yaml.tmpl
+++ b/homeserver.yaml.tmpl
@@ -1896,6 +1896,19 @@ oidc_providers:
 # - attribute: userGroup
 # value: "synapseUsers"
+  {{ if eq (env "KEYCLOAK_ENABLED") "1" }}
+  - idp_id: keycloak
+    idp_name: {{ env "KEYCLOAK_NAME" }}
+    issuer: "{{ env "KEYCLOAK_URL" }}"
+    client_id: "{{ env "KEYCLOAK_CLIENT_ID" }}"
+    client_secret: "{{ secret "keycloak_client_secret" }}"
+    scopes: ["openid", "profile"]
+    user_mapping_provider:
+      config:
+        localpart_template: "{{ user.preferred_username }}"
+        display_name_template: "{{ user.name }}"
+  {{ end }}
+
 # Enable Central Authentication Service (CAS) for registration and login.
 #
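Review bot: `DISABLE_FEDERATION` goes from an explicit `DISABLE_FEDERATION=0` to a commented-out `#DISABLE_FEDERATION=1`, so a fresh copy of the sample no longer sets the variable at all; whether the template treats an unset value the same as `0` is not visible in this diff, and since federation is a security-relevant exposure the sample should state the default rather than leave it to inference — keep `DISABLE_FEDERATION=0` and put `# Set to 1 to stop federating with other homeservers` above it. `KEYCLOAK_URL` is consumed verbatim as the OIDC `issuer` in homeserver.yaml.tmpl, so a hint next to `#KEYCLOAK_URL=` would save operators a failed first login: `# Realm issuer URL, e.g. https://keycloak.example.com/realms/<realm>; must match the provider's issuer exactly (no trailing slash)`. Likewise `#SECRET_KEYCLOAK_CLIENT_SECRET_VERSION=v1` only works once a Docker secret named `<stack>_keycloak_client_secret_v1` has been created, which is worth stating beside it.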
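Review bot: The external secret name on the last line degrades silently when `SECRET_KEYCLOAK_CLIENT_SECRET_VERSION` is not exported: the empty substitution yields `<stack>_keycloak_client_secret_`, which surfaces as an opaque "secret not found" at deploy time instead of a clear configuration error, and `.env.sample` ships that variable commented out. Failing fast is worth the characters: `name: ${STACK_NAME}_keycloak_client_secret_${SECRET_KEYCLOAK_CLIENT_SECRET_VERSION:?SECRET_KEYCLOAK_CLIENT_SECRET_VERSION must be set}` (the `:?` form is supported by Compose and by `docker stack deploy`'s template substitution; confirm against the deploy tooling in use). The `app` service and the `db_password` secret this file attaches to are presumably declared in the base `compose.yml` named in `COMPOSE_FILE`; a header comment such as `# Overlay for compose.yml; enable with COMPOSE_FILE="compose.yml:compose.keycloak.yml"` would make that ordering dependency explicit. Passing the client secret as a file-backed secret rather than through `environment` is the right call; keep the `KEYCLOAK_*` list to non-sensitive values.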
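Review bot: `localpart_template: "{{ user.preferred_username }}"` and `display_name_template: "{{ user.name }}"` are Jinja expressions meant for Synapse's mapping provider, but this file is itself rendered by a Go-template engine (the `{{ env ... }}` and `{{ secret ... }}` calls on the lines above), which will try to evaluate `user.preferred_username` as a template function and, if the engine is Go text/template as those calls suggest, abort rendering with an undefined-function error. Emit them literally by wrapping each in a Go string so the rendered config still contains the Jinja expression: `localpart_template: "{{ "{{ user.preferred_username }}" }}"` and `display_name_template: "{{ "{{ user.name }}" }}"`. `idp_name: {{ env "KEYCLOAK_NAME" }}` is the only unquoted templated scalar in the block; a name containing `: `, ` #` or a boolean-looking word would break or retype the YAML, so quote it like its neighbours: `idp_name: "{{ env "KEYCLOAK_NAME" }}"`. The `oidc_providers:` key this entry belongs to begins before the hunk, so the list indentation chosen here should be checked against the surrounding examples once the file is rendered.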