diff --git a/.env.sample b/.env.sample
index f75e5c1..83fc2b4 100644
--- a/.env.sample
+++ b/.env.sample
@@ -7,3 +7,10 @@ SECRET_ADMIN_PASSWORD_VERSION=v1
 # MSSQL driver
 COMPOSE_FILE="compose.yml:compose.mssql.yml"
+
+# OpenID Connect (SSO)
+# COMPOSE_FILE="compose.yml:compose.oidc.yml"
+# OIDC_ENABLED=1
+# OIDC_CLIENT_ID=
+# OIDC_ISSUER_URL=
+# SECRET_OIDC_CLIENT_SECRET=v1
diff --git a/abra.sh b/abra.sh
index 5bf044b..49bb492 100644
--- a/abra.sh
+++ b/abra.sh
@@ -1 +1,2 @@
 export CUSTOM_ENTRYPOINT_VERSION=v1
+export OIDC_CONF_VERSION=v1
diff --git a/compose.oidc.yml b/compose.oidc.yml
new file mode 100644
index 0000000..ac6d6be
--- /dev/null
+++ b/compose.oidc.yml
@@ -0,0 +1,26 @@
+---
+version: "3.8"
+
+services:
+ app:
+ configs:
+ - source: oidc_conf
+ target: /etc/rstudio/openid-client-secret
+ mode: 0600
+ environment:
+ - OIDC_CLIENT_ID
+ - OIDC_ENABLED
+ - OIDC_ISSUER_URL
+ secrets:
+ - oidc_client_secret
+
+configs:
+ oidc_conf:
+ name: ${STACK_NAME}_oidc_conf_${OIDC_CONF_VERSION}
+ file: oidc.conf.tmpl
+ template_driver: golang
+
+secrets:
+ oidc_client_secret:
+ name: ${STACK_NAME}_oidc_client_secret_${SECRET_OIDC_CLIENT_SECRET}
+ external: true
diff --git a/compose.yml b/compose.yml
index 4348221..d1d6d59 100644
--- a/compose.yml
+++ b/compose.yml
@@ -12,8 +12,9 @@ services:
 secrets:
 - admin_password
 environment:
- - ROOT=TRUE
+ - DOMAIN=${DOMAIN}
 - PASSWORD_FILE=/run/secrets/admin_password
+ - ROOT=TRUE
 configs:
 - source: custom_entrypoint
 target: /docker-entrypoint.sh
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
index 4a9c257..ca00200 100644
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@@ -26,4 +26,10 @@ file_env() {
 file_env "PASSWORD"
+{{ if eq (env "OIDC_ENABLED") "1" }}
+echo "auth-openid=1" >> /etc/rstudio/rserver.conf
+echo "auth-openid-issuer=${OIDC_ISSUER_URL}" >> /etc/rstudio/rserver.conf
+echo "auth-openid-base-uri=https://${DOMAIN}" >> /etc/rstudio/rserver.conf
+{{ end }}
+
 exec "$@"
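Review bot: The new `# COMPOSE_FILE="compose.yml:compose.oidc.yml"` sits directly under the MSSQL line `COMPOSE_FILE="compose.yml:compose.mssql.yml"`, but the two assignments replace each other, so an operator who needs both the MSSQL driver and SSO has to know to combine them. A comment such as `# with MSSQL as well: COMPOSE_FILE="compose.yml:compose.mssql.yml:compose.oidc.yml"` would make that explicit. `OIDC_CLIENT_ID=` and `OIDC_ISSUER_URL=` are left blank with no hint of the expected value; a placeholder like `# OIDC_ISSUER_URL=https://<your-idp-host>` (constructed) next to the blank would save a round trip to the provider docs.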
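Review bot: The `secrets:` entry `- oidc_client_secret` on the `app` service is not read by anything else in this change; it is there so that the `oidc_conf` template's `{{ secret "oidc_client_secret" }}` can be rendered, and that deserves a comment above the entry, e.g. `# attached only so the oidc_conf template can read it via {{ secret }}`. Because the rendered file holding the client secret is delivered as a Docker config at `/etc/rstudio/openid-client-secret` rather than as a secret, it does not get the in-memory mount Docker documents for secrets, so the `mode: 0600` line is the main protection for that file on the node; worth confirming on the target engine and noting in a comment next to `mode`. The nesting of the `services`/`configs`/`secrets` stanzas is inferred from key order here, since indentation is not recoverable from this diff.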
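Review bot: `${OIDC_ISSUER_URL}` and `${DOMAIN}` are expanded by the shell at container start with no check that they are set, so an incomplete deployment silently writes `auth-openid-issuer=` and `auth-openid-base-uri=https://` into rserver.conf instead of failing; adding `: "${OIDC_ISSUER_URL:?OIDC_ISSUER_URL is required when OIDC_ENABLED=1}"` and `: "${DOMAIN:?DOMAIN is required when OIDC_ENABLED=1}"` right after the `{{ if … }}` line makes the misconfiguration visible at startup. The three `>>` appends also run on every start of the same container, so if the container filesystem survives a restart (depends on whether the deploy recreates the task) the keys are duplicated in rserver.conf; guarding with `grep -q '^auth-openid=' /etc/rstudio/rserver.conf ||` keeps the block idempotent. Note the mixed styles: `OIDC_ENABLED` is tested at template render time while the other two are shell expansions at run time. The surrounding script, including the `file_env` definition named in the hunk header, starts before this hunk.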
diff --git a/oidc.conf.tmpl b/oidc.conf.tmpl
new file mode 100644
index 0000000..ceba242
--- /dev/null
+++ b/oidc.conf.tmpl
@@ -0,0 +1,2 @@
+client-id={{ env "OIDC_CLIENT_ID" }}
+client-secret={{ secret "oidc_client_secret" }}