diff --git a/.env.sample b/.env.sample
index 1a692c2..0a0c901 100644
--- a/.env.sample
+++ b/.env.sample
@@ -9,8 +9,18 @@ LETS_ENCRYPT_ENV=production
 # Secret Versions
 SECRET_POSTGRES_PASSWORD_VERSION=v1
+COMPOSE_FILE="compose.yml"
+
 # Container Settings
 ## Timezone inside the containers. The value needs to be in the form 'Europe/Berlin'.
 ## A list of these tz database names can be looked up at Wikipedia
 ## https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
 TZ=UTC
+
+## SSO config
+#COMPOSE_FILE="$COMPOSE_FILE:compose.sso.yml"
+#SSO_DOMAIN=accounts.example.com
+#ORG_NAME="My Organization"
+#SSO_APP=mattermost
+#SSO_ID=
+#SECRET_MATTERMOST_SSO_SECRET_VERSION=v1
\ No newline at end of file
diff --git a/abra.sh b/abra.sh
index e6c130b..51a9b95 100644
--- a/abra.sh
+++ b/abra.sh
@@ -1 +1,2 @@
 export ENTRYPOINT_VERSION=v1
+export GITLAB_CONFIG_VERSION=v1
\ No newline at end of file
diff --git a/compose.sso.yml b/compose.sso.yml
new file mode 100644
index 0000000..779f71d
--- /dev/null
+++ b/compose.sso.yml
@@ -0,0 +1,21 @@
+version: "3.8"
+
+services:
+ app:
+ configs:
+ - source: gitlab_config_patch
+ target: /gitlab_config_patch.json
+ mode: 0555
+ secrets:
+ - mattermost_sso_secret
+
+secrets:
+ mattermost_sso_secret:
+ external: true
+ name: ${STACK_NAME}_mattermost_sso_secret_${SECRET_MATTERMOST_SSO_SECRET_VERSION}
+
+configs:
+ gitlab_config_patch:
+ name: ${STACK_NAME}_gitlab_config_${GITLAB_CONFIG_VERSION}
+ file: ./gitlab_config_patch.json.tmpl
+ template_driver: golang
\ No newline at end of file
diff --git a/compose.yml b/compose.yml
index 9175eab..ed22048 100644
--- a/compose.yml
+++ b/compose.yml
@@ -59,7 +59,6 @@ services:
 backupbot.backup.post-hook: "rm -rf /var/lib/postgresql/data/postgres-backup.sql"
 backupbot.backup.path: "/var/lib/postgresql/data/"
-
 secrets:
 postgres_password:
 external: true
@@ -70,6 +69,7 @@ configs:
 name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
 file: ./entrypoint.sh
+
 networks:
 proxy:
 external: true
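Review bot: In compose.sso.yml the `gitlab_config_patch` config is mounted into `app` with `mode: 0555`, which leaves a file that is meant to carry the SSO client secret world-readable (and executable) inside the container. A tighter mount such as `mode: 0440` together with `uid`/`gid` set to the account that runs the entrypoint would restrict it to that account; which account that is cannot be seen in this diff, so the values need confirming. The override also adds no `environment:` entries for `SSO_ID`, `SSO_DOMAIN`, `SSO_APP` or `ORG_NAME`, so if the template is expected to read them from the service environment they would have to be passed here.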
diff --git a/entrypoint.sh b/entrypoint.sh
index 9ca2f50..217aa82 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -15,5 +15,12 @@ else
 exit 1
 fi
+# Patch Mattermost config to enable SSO
+if test -f "/run/secrets/mattermost_sso_secret"; then
+ export PATCH=`cat /gitlab_config_patch.json`
+ jq ".GitLabSettings = $PATCH" < mattermost/docker/volumes/app/mattermost/config/config.json > tmp.json &&
+ mv tmp.json mattermost/docker/volumes/app/mattermost/config/config.json
+fi
+
 # https://github.com/mattermost/mattermost-server/blob/master/build/Dockerfile
-/entrypoint.sh "mattermost"
+/entrypoint.sh "mattermost"
\ No newline at end of file
diff --git a/gitlab_config_patch.json.tmpl b/gitlab_config_patch.json.tmpl
new file mode 100644
index 0000000..2250c05
--- /dev/null
+++ b/gitlab_config_patch.json.tmpl
@@ -0,0 +1,12 @@
+{
+ "Enable": true,
+ "Secret": "${MATTERMOST_SSO_SECRET}",
+ "Id": "${SSO_ID}",
+ "Scope": "",
+ "AuthEndpoint": "https://${SSO_DOMAIN}/application/o/authorize/",
+ "TokenEndpoint": "https://${SSO_DOMAIN}/application/o/token/",
+ "UserAPIEndpoint": "https://${SSO_DOMAIN}/application/o/userinfo/",
+ "DiscoveryEndpoint": "https://${SSO_DOMAIN}/application/o/${SSO_APP}/.well-known/openid-configuration",
+ "ButtonText": "${ORG_NAME}",
+ "ButtonColor": "#ff0000"
+}
\ No newline at end of file
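Review bot: The added block in entrypoint.sh exports `PATCH` and splices it into the jq program text (`".GitLabSettings = $PATCH"`), so the JSON that is meant to carry the SSO client secret is inherited by the environment of the `/entrypoint.sh "mattermost"` process, and a rendered value that is not valid JSON is parsed as jq filter code instead of data. Passing the file as data avoids both; drop the `export PATCH=` line and use `jq --slurpfile patch /gitlab_config_patch.json '.GitLabSettings = $patch[0]' < mattermost/docker/volumes/app/mattermost/config/config.json > tmp.json &&`. `tmp.json` is a fixed name in the working directory and config.json takes over its owner and mode after the `mv`, so a `mktemp` file created next to config.json with restrictive permissions would be safer. When jq fails the `&&` only skips the `mv`, and Mattermost then starts without SSO and without a message on stderr.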
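Review bot: The placeholders in gitlab_config_patch.json.tmpl are written as `${MATTERMOST_SSO_SECRET}`, `${SSO_ID}`, `${SSO_DOMAIN}` and so on, but compose.sso.yml registers the file with `template_driver: golang`, which expands Go template actions and not `${…}`; unless another tool substitutes them before deploy (not visible in this diff), the literal strings would end up in GitLabSettings. With the golang driver the secret line would read `"Secret": "{{ secret "mattermost_sso_secret" }}",` and the other values `{{ env "SSO_ID" }}` and similar, which requires those variables in the `app` service environment. Values are inserted unescaped either way, so an `ORG_NAME` containing `"` or `\` produces invalid JSON; that constraint deserves a comment next to `ORG_NAME` in .env.sample.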