diff --git a/.env.sample b/.env.sample
index d74bed7..4da335b 100644
--- a/.env.sample
+++ b/.env.sample
@@ -72,13 +72,19 @@ SECRET_DB_PASSWORD_VERSION=v1
 #SECRET_AUTHENTIK_ID_VERSION=v1
 #LOGIN_TYPE='auto'
 
+# Keycloak SSO
+#COMPOSE_FILE="$COMPOSE_FILE:compose.keycloak.yml"
+#KEYCLOAK_DOMAIN=keycloak.example.com
+#SECRET_KEYCLOAK_CLIENT_ID_VERSION=v1
+#SECRET_KEYCLOAK_CLIENT_SECRET_VERSION=v1
+
 # Matrix .well-known redirect
 #COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
 #MATRIX_DOMAIN=matrix.example.com
 
 # Allow remote connections to db
 # 🚩🚩 dangerous, use only for development sites!
-#COMPOSE_FILE="$COMPOSE_FILE:compose.public-db.yml
+#COMPOSE_FILE="$COMPOSE_FILE:compose.public-db.yml"
 
 # Wide-open CORS
 # 🚩🚩 dangerous, use only for development sites!
diff --git a/compose.keycloak.yml b/compose.keycloak.yml
new file mode 100644
index 0000000..027bc4d
--- /dev/null
+++ b/compose.keycloak.yml
@@ -0,0 +1,14 @@
+version: "3.8"
+services:
+ app:
+ secrets:
+ - keycloak_client_id
+ - keycloak_client_secret
+
+secrets:
+ keycloak_client_id:
+ external: true
+ name: ${STACK_NAME}_keycloak_client_id_${SECRET_KEYCLOAK_CLIENT_ID_VERSION}
+ keycloak_client_secret:
+ external: true
+ name: ${STACK_NAME}_keycloak_client_secret_${SECRET_KEYCLOAK_CLIENT_SECRET_VERSION}
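Review bot: The new compose.keycloak.yml attaches `keycloak_client_id` and `keycloak_client_secret` to `app` but declares no `environment:` entry, so the `KEYCLOAK_DOMAIN` value introduced in .env.sample is not referenced anywhere in this diff. Unless the base compose file or the container entrypoint already consumes it (neither is visible here), enabling the overlay mounts the secrets without telling the app which identity provider to talk to. If that wiring is missing, add `environment:` with `- KEYCLOAK_DOMAIN` under `app`. Both secrets are `external: true`, so the deploy will fail until they exist under the versioned names. A comment above the top-level `secrets:` key such as `# create both secrets before deploying; bump the matching *_VERSION in .env to rotate` would make that prerequisite and the rotation path explicit.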