diff --git a/README.md b/README.md index 05769bd..cf03cdf 100644 --- a/README.md +++ b/README.md @@ -12,9 +12,19 @@ 7. `abra deploy` 9. Open the configured domain in your browser to finish set-up -## SSO +## Keycloak OpenID single sign-on -https://docs.rocket.chat/guides/administrator-guides/authentication/open-id-connect/keycloak +(Or use Rocket.Chat's [manual set-up guide](https://docs.rocket.chat/guides/administrator-guides/authentication/open-id-connect/keycloak)) + +1. Edit `.envrc`; uncomment and edit all the Accounts_OAuth lines, and the + `COMPOSE_FILE` line +2. `direnv allow` (or `source .envrc`) +3. Insert the OpenID secret into Docker: (FIXME add option for this to `abra`) +``` +echo "your-secret-string-from-keycloak" | docker secret create "${STACK_NAME}_openid_key_${VERSION}" - +``` +4. `abra deploy` +5. You should now have a "Login via Keycloak" option on the login page [Rocket.chat]: https://rocket.chat [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
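Review bot: Step 3's `echo "your-secret-string-from-keycloak" | docker secret create "${STACK_NAME}_openid_key_${VERSION}" -` writes the client secret on the command line, so it lands in shell history, and `echo` appends a trailing newline that is stored as part of the Docker secret and may not match the value Keycloak issued. Suggest piping from `printf '%s'` with the value read interactively (for example via `read -rs`), or creating the secret from a file that is removed afterwards. The same step depends on `${VERSION}` and `${STACK_NAME}` being set, but steps 1 and 2 only mention the Accounts_OAuth lines and `COMPOSE_FILE`; state where `VERSION` comes from so the secret name matches what the compose file expects. Minor: the unindented fence after item 3 ends the ordered list in CommonMark renderers, so items 4 and 5 become a separate list; indenting the fence under item 3 keeps it one list.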