diff --git a/roles/matrix-synapse/defaults/main.yml b/roles/matrix-synapse/defaults/main.yml
index 0dc71646c..fa8676409 100644
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@@ -426,3 +426,43 @@ matrix_synapse_configuration_extension: "{{ matrix_synapse_configuration_extensi
 # Holds the final Synapse configuration (a combination of the default and its extension).
 # You most likely don't need to touch this variable. Instead, see `matrix_synapse_configuration_yaml`.
 matrix_synapse_configuration: "{{ matrix_synapse_configuration_yaml|from_yaml|combine(matrix_synapse_configuration_extension, recursive=True) }}"
+
+
+# oidc / sso
+
+# Set to false if you need only SSO auth
+matrix_synapse_password_config_enabled: true
+
+
+# Configure open id connect
+matrix_synapse_oidc_enabled: false
+matrix_synapse_oidc_issuer: ""
+matrix_synapse_oidc_client_id: ""
+matrix_synapse_oidc_client_secret: ""
+matrix_synapse_oidc_scopes: ["openid"]
+matrix_synapse_oidc_allow_existing_users: false
+matrix_synapse_oidc_client_auth_method: client_secret_basic
+matrix_synapse_oidc_subject_claim: "sub"
+matrix_synapse_oidc_localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}"
+matrix_synapse_oidc_display_name_template: "{% raw %}{{ user.name }}{% endraw %}"
+
+
+# see https://github.com/matrix-org/synapse/blob/develop/docs/openid.md
+matrix_synapse_oidc_config:
+ enabled: "{{ matrix_synapse_oidc_enabled }}"
+ issuer: "{{ matrix_synapse_oidc_issuer }}"
+ client_id: "{{ matrix_synapse_oidc_client_id }}"
+ client_secret: "{{ matrix_synapse_oidc_client_secret }}"
+ scopes: "{{ matrix_synapse_oidc_scopes }}"
+ allow_existing_users: "{{ matrix_synapse_oidc_allow_existing_users }}"
+ client_auth_method: "{{ matrix_synapse_oidc_client_auth_method }}"
+ user_mapping_provider:
+ config:
+ subject_claim: "{{ matrix_synapse_oidc_subject_claim }}"
+ localpart_template: "{{ matrix_synapse_oidc_localpart_template }}"
+ display_name_template: "{{ matrix_synapse_oidc_display_name_template }}"
+
+# Set trusted SSO resources, e.g. [ "https://element.matrix.domain" ]
+matrix_synapse_sso:
+ client_whitelist: ["{{https://element.matrix.domain}}"]
+
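Review bot: The default `matrix_synapse_sso.client_whitelist: ["{{https://element.matrix.domain}}"]` at the end of the hunk is not a valid Jinja expression (the `{{ }}` wraps a bare URL rather than a variable), so Ansible will fail when the template evaluates it, and even as a plain string it would pre-whitelist a placeholder host. Synapse's `sso.client_whitelist` suppresses the confirmation page for any client whose URL starts with a listed entry, so the shipped default should be `client_whitelist: []`, with the example kept in the comment and the operator supplying the exact `https://` origin of their client. `matrix_synapse_oidc_client_secret: ""` is rendered into homeserver.yaml; a comment such as `# Keep this out of committed vars files (e.g. supply it via Ansible Vault)` above it would help. The quoted Jinja strings for `enabled`, `scopes` and `allow_existing_users` inside `matrix_synapse_oidc_config` rely on Ansible converting the rendered text back to a bool/list; this normally happens, but it is worth confirming in the rendered homeserver.yaml, as is the `{% raw %}` survival of the two `*_template` values.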
diff --git a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
index 41b28c88e..5892bfa26 100644
--- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
@@ -1660,6 +1660,7 @@ saml2_config:
 #idp_entityid: 'https://our_idp/entityid'
+{% if not matrix_synapse_oidc_config.enabled %}
 # Enable OpenID Connect (OIDC) / OAuth 2.0 for registration and login.
 #
 # See https://github.com/matrix-org/synapse/blob/master/docs/openid.md
@@ -1793,8 +1794,10 @@ oidc_config:
 #
 #extra_attributes:
 #birthdate: "{% raw %}{{ user.birthdate }}{% endraw %}"
-
-
+{% endif %}
+{% if matrix_synapse_oidc_config.enabled %}
+oidc_config: {{ matrix_synapse_oidc_config }}
+{% endif %}
 # Enable Central Authentication Service (CAS) for registration and login.
 #
@@ -1849,7 +1852,7 @@ sso:
 #
 # By default, this list is empty.
 #
- #client_whitelist:
+ client_whitelist: {{ matrix_synapse_sso.client_whitelist|to_json }}
 # - https://riot.im/develop
 # - https://my.custom.client/
@@ -1974,7 +1977,7 @@ sso:
 password_config:
 # Uncomment to disable password login
 #
- #enabled: false
+ enabled: {{ matrix_synapse_password_config_enabled|to_json }}
 # Uncomment to disable authentication against the local password
 # database. This is ignored if `enabled` is false, and is only useful
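Review bot: `oidc_config: {{ matrix_synapse_oidc_config }}` in the second hunk writes the Python `repr()` of the dict into homeserver.yaml, which only parses as YAML by accident: strings come out single-quoted (a value containing `'` breaks the line), unset values render as `None` (a YAML string, not null) and booleans as `True`/`False`. The other two hunks in this commit already use `|to_json`, which produces valid YAML flow syntax, so the line should be `oidc_config: {{ matrix_synapse_oidc_config|to_json }}`. The `{% endif %}` here closes the `{% if not matrix_synapse_oidc_config.enabled %}` opened in the first hunk at line 1660, roughly 130 lines of commented sample config earlier; a comment such as `{# end of the commented-out OIDC sample, shown only when OIDC is disabled #}` next to it would make the pairing readable.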
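Review bot: In the third hunk `client_whitelist` is rendered unconditionally from `matrix_synapse_sso.client_whitelist`, so whatever that variable holds lands in every homeserver.yaml, including deployments that never enable SSO; with the default this commit ships it is a broken expression, and any non-empty value silently skips Synapse's "allow this client" confirmation for matching URL prefixes. The role default should be an empty list, and the key should either render `[]` or be wrapped in `{% if matrix_synapse_sso.client_whitelist %}` … `{% endif %}`. The existing `# - https://riot.im/develop` examples now sit directly under a live key; a comment such as `# Client URL prefixes that skip the SSO confirmation page; set matrix_synapse_sso.client_whitelist` above the new line would keep them from being mistaken for active entries.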
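Review bot: In the last hunk `password_config.enabled` is driven by `matrix_synapse_password_config_enabled` with nothing guarding the lockout case where it is false while `matrix_synapse_oidc_enabled` (and every other SSO provider) is also false, which leaves the homeserver with no usable login method after the next restart. Nothing in this hunk can validate that combination; if the role has a variable-validation tasks file, a task that fails when both are false would catch it before the config is written. The comment `# Uncomment to disable password login` immediately above is now stale and should read e.g. `# Set matrix_synapse_password_config_enabled to false to disable password login`.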