diff --git a/SSO.md b/SSO.md
new file mode 100644
index 0000000000..bec96f43ec
--- /dev/null
+++ b/SSO.md
@@ -0,0 +1,22 @@
+# SSO using OpenId Connect
+
+To use an external source of authentication your SSO will need to support OpendID Connect :
+
+ - And OpenID Connect Discovery endpoint should be available
+ - Client authentication will be done using Id and Secret.
+
+A master password will still required and not controlled by the SSO (depending of your point of view this might be a feature ;).
+This introduce another way to control who can use the vault without having to use invitation or using an LDAP.
+
+## Configuration
+
+The following configurations are available
+
+ - `SSO_ENABLED` : Activate the SSO
+ - `SSO_ONLY` : disable email+Master password authentication
+ - `SSO_AUTHORITY` : the OpendID Connect Discovery endpoint of your SSO
+ - `SSO_CLIENT_ID` : Client Id
+ - `SSO_CLIENT_SECRET` : Client Secret
+ - `SSO_KEY_FILEPATH` : And optional public key that can be used to authenticate the SSO during the exchange flow.
+
+The callback url is : `https://your.domain/identity/connect/oidc-signin`