Add basic SSO setup to README, tweak settings order

.env.sample

@@ -9,8 +9,6 @@ DOMAIN=outline.example.com
 LETS_ENCRYPT_ENV=production
 
 COMPOSE_FILE="compose.yml"
-#COMPOSE_YML="compose.yml:compose.oidc.yml"
-#COMPOSE_YML="compose.yml:compose.google.yml"
 
 # –––––––––––––––– REQUIRED ––––––––––––––––
 
@@ -70,6 +68,7 @@ ALLOWED_DOMAINS=
 #SMTP_TLS_CIPHERS=
 #SMTP_SECURE=true
 
+#COMPOSE_YML="$COMPOSE_FILE:compose.oidc.yml"
 #OIDC_ENABLED=1
 #OIDC_CLIENT_ID=
 #OIDC_AUTH_URI=
@@ -80,6 +79,7 @@ ALLOWED_DOMAINS=
 #OIDC_SCOPES="openid profile email"
 #SECRET_OIDC_CLIENT_SECRET_VERSION=v1
 
+#COMPOSE_YML="$COMPOSE_FILE:compose.google.yml"
 #GOOGLE_ENABLED=1
 #GOOGLE_CLIENT_ID=
 #SECRET_GOOGLE_CLIENT_SECRET_VERSION=v1

README.md

@@ -52,3 +52,13 @@ Where `<username-to-delete>` is the username of the user to be removed, and
 revisions to (instead of deleting them).
 
 _As of 2022-03-30, this requires `abra` RC version, run `abra upgrade --rc`._
+
+## Single Sign On with Keycloak
+
+`abra app config YOURAPPNAME`, then uncomment everything in the `OIDC_` section.
+
+Create a new client in Keycloak:
+
+- **Valid Redirect URIs**: `https://YOURAPPDOMAIN/auth/oidc.callback`
+
+`abra app deploy YOURAPPDOMAIN`