diff --git a/.env.sample b/.env.sample
index fd1bb24..4eca4ae 100644
--- a/.env.sample
+++ b/.env.sample
@@ -16,3 +16,13 @@ SANDBOX_DOMAIN=sandbox.cryptpad.example.com
 ## Domain aliases
 #EXTRA_DOMAINS=', `www.cryptpad.example.com`'
 LETS_ENCRYPT_ENV=production
+
+## SSO / OIDC (optional — requires SSO_ENABLED=true)
+SSO_ENABLED=false
+SSO_ENFORCED=false
+SSO_PROVIDER_NAME=Authentik
+SSO_OIDC_URL=https://authentik.example.com/application/o/cryptpad
+SSO_CLIENT_ID=cryptpad
+SSO_CLIENT_SECRET=
+SSO_JWT_ALG=RS256
+SSO_PLUGIN_VERSION=0.4.0
diff --git a/abra.sh b/abra.sh
index c38f188..bf63893 100644
--- a/abra.sh
+++ b/abra.sh
@@ -1,3 +1,5 @@
 export CONFIG_VERSION=v2
 export CONFIG_JS_VERSION=v2
 export NGINX_CONF_VERSION=v1
+export SSO_ENTRYPOINT_VERSION=v2
+export SSO_JS_VERSION=v1
diff --git a/compose.yml b/compose.yml
index 6a48081..bb6519f 100644
--- a/compose.yml
+++ b/compose.yml
@@ -4,6 +4,8 @@ version: "3.8"
 services:
   app:
     image: cryptpad/cryptpad:version-2026.2.0
+    entrypoint: ["/bin/bash", "/sso-entrypoint.sh"]
+    command: ["npm", "start"]
     networks:
       - backend
     environment:
@@ -15,6 +17,15 @@ services:
       - "CPAD_HTTP2_DISABLE=true"
       - "CPAD_TRUST_PROXY=1"
       - "CPAD_CONF=/cryptpad/config/config.js"
+      # SSO plugin
+      - SSO_PLUGIN_VERSION
+      - SSO_ENABLED
+      - SSO_ENFORCED
+      - SSO_PROVIDER_NAME
+      - SSO_OIDC_URL
+      - SSO_CLIENT_ID
+      - SSO_CLIENT_SECRET
+      - SSO_JWT_ALG
 
     volumes:
       - cryptpad_blob:/cryptpad/blob
@@ -23,9 +34,15 @@ services:
       - cryptpad_data:/cryptpad/data
       - cryptpad_files:/cryptpad/datastore
       - cryptpad_config:/cryptpad/config/
+      - cryptpad_plugins:/cryptpad/lib/plugins
     configs:
       - source: config_js
         target: /cryptpad/config/config.js
+      - source: sso_entrypoint
+        target: /sso-entrypoint.sh
+        mode: 0755
+      - source: sso_js
+        target: /sso.js.tmpl
 
     deploy:
       restart_policy:
@@ -77,6 +94,7 @@ volumes:
   cryptpad_data:
   cryptpad_files:
   cryptpad_config:
+  cryptpad_plugins:
 
 configs:
   config_js:
@@ -87,3 +105,10 @@ configs:
     name: ${STACK_NAME}_nginx_conf_${NGINX_CONF_VERSION}
     file: nginx.conf.tmpl
     template_driver: golang
+  sso_entrypoint:
+    name: ${STACK_NAME}_sso_entrypoint_${SSO_ENTRYPOINT_VERSION}
+    file: sso-entrypoint.sh
+  sso_js:
+    name: ${STACK_NAME}_sso_js_${SSO_JS_VERSION}
+    file: sso.js.tmpl
+    template_driver: golang
diff --git a/sso-entrypoint.sh b/sso-entrypoint.sh
new file mode 100644
index 0000000..750c515
--- /dev/null
+++ b/sso-entrypoint.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+set -e
+
+# SSO plugin installer — runs before the original CryptPad entrypoint.
+# Clones the cryptpad/sso plugin into the plugins volume if not already present
+# or if the version has changed, then delegates to the real entrypoint.
+
+PLUGIN_DIR="/cryptpad/lib/plugins/sso"
+VERSION_FILE="${PLUGIN_DIR}/.version"
+SSO_PLUGIN_VERSION="${SSO_PLUGIN_VERSION:-0.4.0}"
+
+# Copy SSO config template into place (mounted as Docker config)
+if [ -f /sso.js.tmpl ]; then
+  cp /sso.js.tmpl /cryptpad/config/sso.js
+  echo "[sso-entrypoint] Copied sso.js config into /cryptpad/config/sso.js"
+fi
+
+# Install/update the SSO plugin
+if [ -f "${VERSION_FILE}" ] && [ "$(cat "${VERSION_FILE}")" = "${SSO_PLUGIN_VERSION}" ]; then
+  echo "[sso-entrypoint] SSO plugin ${SSO_PLUGIN_VERSION} already installed"
+else
+  echo "[sso-entrypoint] Installing SSO plugin ${SSO_PLUGIN_VERSION} ..."
+  rm -rf "${PLUGIN_DIR}"
+  git clone --depth 1 --branch "${SSO_PLUGIN_VERSION}" \
+    https://github.com/cryptpad/sso.git "${PLUGIN_DIR}"
+  echo "${SSO_PLUGIN_VERSION}" > "${VERSION_FILE}"
+  echo "[sso-entrypoint] SSO plugin installed"
+fi
+
+# Hand off to the original CryptPad entrypoint
+exec /bin/bash /cryptpad/docker-entrypoint.sh "$@"
diff --git a/sso.js.tmpl b/sso.js.tmpl
new file mode 100644
index 0000000..74d983d
--- /dev/null
+++ b/sso.js.tmpl
@@ -0,0 +1,15 @@
+// CryptPad SSO configuration — generated from environment variables
+// See https://github.com/cryptpad/sso for documentation
+
+module.exports = {
+    enabled: "{{ env "SSO_ENABLED" }}" === "true",
+    enforced: "{{ env "SSO_ENFORCED" }}" === "true",
+    protocol: "oidc",
+    providerName: "{{ env "SSO_PROVIDER_NAME" }}",
+    oidcConfig: {
+        url: "{{ env "SSO_OIDC_URL" }}",
+        clientID: "{{ env "SSO_CLIENT_ID" }}",
+        clientSecret: "{{ env "SSO_CLIENT_SECRET" }}",
+        algorithm: "{{ env "SSO_JWT_ALG" }}"
+    }
+};