diff --git a/.env.template b/.env.template
index 049afcd9..ca710a43 100644
--- a/.env.template
+++ b/.env.template
@@ -29,6 +29,12 @@ HTTPS_PORT=443
 # EMAIL_USER=
 # EMAIL_PASSWORD=
+# Optional: configure Single Sign-on with OpenID Connect
+# OIDC_ENABLED=
+# OIDC_ISSUER_URL=
+# OIDC_CLIENT_ID=
+# OIDC_CLIENT_SECRET=
+
 # Optional: configure error reporting
 # SENTRY_ORG_SUBDOMAIN=
 # SENTRY_KEY=
diff --git a/docker-compose.yml b/docker-compose.yml
index 4a640b31..28755a1b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -64,6 +64,10 @@ services:
 - EMAIL_IGNORE_TLS=${EMAIL_IGNORE_TLS:-true}
 - EMAIL_USER=${EMAIL_USER:-''}
 - EMAIL_PASSWORD=${EMAIL_PASSWORD:-''}
+ - OIDC_ENABLED=${OIDC_ENABLED:-false}
+ - OIDC_ISSUER_URL=${OIDC_ISSUER_URL:-''}
+ - OIDC_CLIENT_ID=${OIDC_CLIENT_ID:-''}
+ - OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET:-''}
 - SENTRY_ORG_SUBDOMAIN=${SENTRY_ORG_SUBDOMAIN:-o130137}
 - SENTRY_KEY=${SENTRY_KEY:-3cf75f54983e473da6bd07daddf0d2ee}
 - SENTRY_PROJECT=${SENTRY_PROJECT:-1298632}
@@ -74,6 +78,8 @@ services:
 nginx:
 build:
 context: .
+ args:
+ - OIDC_ENABLED=${OIDC_ENABLED:-false}
 dockerfile: nginx.dockerfile
 depends_on:
 - service
diff --git a/files/prebuild/build-frontend.sh b/files/prebuild/build-frontend.sh
index 6122c321..041cdac6 100755
--- a/files/prebuild/build-frontend.sh
+++ b/files/prebuild/build-frontend.sh
@@ -1,4 +1,4 @@
 #!/bin/bash -eu
 cd client
 npm clean-install --no-audit --fund=false --update-notifier=false
-npm run build
+VUE_APP_OIDC_ENABLED="$OIDC_ENABLED" npm run build
diff --git a/files/service/config.json.template b/files/service/config.json.template
index 1e1f9d53..c4500224 100644
--- a/files/service/config.json.template
+++ b/files/service/config.json.template
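Review bot: The new `.env.template` comment does not say that `OIDC_CLIENT_SECRET` is a credential, nor which values `OIDC_ENABLED` accepts, even though docker-compose.yml defaults it to `false` and config.json.template splices it into JSON unquoted. Operators copy this file verbatim, so a two-line hint avoids both a committed secret and a malformed config: `# Optional: configure Single Sign-on with OpenID Connect (OIDC_ENABLED must be exactly true or false;` followed by `# OIDC_CLIENT_SECRET is a credential — keep your .env out of version control and readable only by the deploying user)`.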
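Review bot: `OIDC_CLIENT_SECRET` is handed to the service container as a plain environment variable, which makes it visible through `docker inspect`, `docker compose config`, and `/proc/<pid>/environ` of every process in the container. This same commit shows start-odk.sh already reading `ENKETO_API_KEY` from `/etc/secrets/enketo-api-key`; the OIDC client secret deserves the same file-based path, leaving only `OIDC_ENABLED`, `OIDC_ISSUER_URL` and `OIDC_CLIENT_ID` in `environment:`. Separately, `${OIDC_ISSUER_URL:-''}` copies the existing `EMAIL_*` pattern, which — if I read compose interpolation right — yields the literal two-character string `''` rather than an empty value when unset; harmless while `OIDC_ENABLED` is `false`, but worth knowing if the service ever validates the URL.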
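Review bot: `OIDC_ENABLED` now reaches the frontend as a build argument but reaches the backend as a runtime environment variable, so the two can silently disagree: editing `.env` and running `docker compose up` re-creates the service with the new value while the nginx image still carries the old baked-in frontend. A comment on the new `args:` block saves an operator that debugging session, e.g. `# OIDC_ENABLED is baked into the frontend at build time — rerun 'docker compose build nginx' after changing it`.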
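Review bot: The script runs under `bash -eu`, so the new `"$OIDC_ENABLED"` aborts with an unbound-variable error whenever build-frontend.sh is invoked outside nginx.dockerfile, which is the only caller in this commit that sets it. Defaulting in place keeps the script usable standalone and matches the compose default: `VUE_APP_OIDC_ENABLED="${OIDC_ENABLED:-false}" npm run build`. Note also that the frontend receives a string (`"false"`, or `""` if the build arg is passed empty), so the client-side check presumably has to compare against `'true'` rather than test truthiness — the client code is not visible here, so worth confirming.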
@@ -33,6 +33,12 @@
 "domain": "${BASE_URL}",
 "sysadminAccount": "${SYSADMIN_EMAIL}"
 },
+ "oidc": {
+ "enabled": ${OIDC_ENABLED},
+ "issuerUrl": "${OIDC_ISSUER_URL}",
+ "clientId": "${OIDC_CLIENT_ID}",
+ "clientSecret": "${OIDC_CLIENT_SECRET}"
+ },
 "external": {
 "sentry": {
 "orgSubdomain": "${SENTRY_ORG_SUBDOMAIN}",
diff --git a/files/service/scripts/start-odk.sh b/files/service/scripts/start-odk.sh
index 86a6b35b..dd92d804 100755
--- a/files/service/scripts/start-odk.sh
+++ b/files/service/scripts/start-odk.sh
@@ -4,7 +4,7 @@ echo "generating local service configuration.."
 ENKETO_API_KEY=$(cat /etc/secrets/enketo-api-key) \
 BASE_URL=$( [ "${HTTPS_PORT}" = 443 ] && echo https://"${DOMAIN}" || echo https://"${DOMAIN}":"${HTTPS_PORT}" ) \
-envsubst '$DOMAIN $BASE_URL $SYSADMIN_EMAIL $ENKETO_API_KEY $DB_HOST $DB_USER $DB_PASSWORD $DB_NAME $DB_SSL $EMAIL_FROM $EMAIL_HOST $EMAIL_PORT $EMAIL_SECURE $EMAIL_IGNORE_TLS $EMAIL_USER $EMAIL_PASSWORD $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \
+envsubst '$DOMAIN $BASE_URL $SYSADMIN_EMAIL $ENKETO_API_KEY $DB_HOST $DB_USER $DB_PASSWORD $DB_NAME $DB_SSL $EMAIL_FROM $EMAIL_HOST $EMAIL_PORT $EMAIL_SECURE $EMAIL_IGNORE_TLS $EMAIL_USER $EMAIL_PASSWORD $OIDC_ENABLED $OIDC_ISSUER_URL $OIDC_CLIENT_ID $OIDC_CLIENT_SECRET $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \
 < /usr/share/odk/config.json.template \
 > /usr/odk/config/local.json
diff --git a/nginx.dockerfile b/nginx.dockerfile
index b07979d7..cced9345 100644
--- a/nginx.dockerfile
+++ b/nginx.dockerfile
@@ -2,7 +2,8 @@ FROM node:18.17 as intermediate
 COPY ./ ./
 RUN files/prebuild/write-version.sh
-RUN files/prebuild/build-frontend.sh
+ARG OIDC_ENABLED
+RUN OIDC_ENABLED="$OIDC_ENABLED" files/prebuild/build-frontend.sh
 # when upgrading, look for upstream changes to redirector.conf
 # also, confirm setup-odk.sh strips out HTTP-01 ACME challenge location
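Review bot: `"enabled": ${OIDC_ENABLED},` is substituted unquoted, so an empty or unset `OIDC_ENABLED` produces `"enabled": ,` and the service starts with an unparseable local.json, while any other non-boolean value is spliced into the config verbatim. envsubst cannot validate, so the check belongs in start-odk.sh ahead of the envsubst call, e.g. `case "${OIDC_ENABLED:-false}" in true|false) ;; *) echo "OIDC_ENABLED must be 'true' or 'false'" >&2; exit 1;; esac`, with the defaulted value exported so the template always receives a boolean. The enclosing JSON object starts before this hunk.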
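Review bot: envsubst performs no JSON escaping, so an `OIDC_CLIENT_SECRET` (or issuer URL) containing `"` or `\` silently corrupts `/usr/odk/config/local.json`; identity providers issue client secrets as arbitrary strings, so this will happen to someone. Either document the constraint next to the envsubst line (`# NOTE: values are inserted verbatim, not JSON-escaped — a secret containing " or \ will break local.json`) or fail fast by parsing the generated file before the service starts, e.g. `node -e 'JSON.parse(require("fs").readFileSync("/usr/odk/config/local.json","utf8"))'` (node is presumably present in the service image, but confirm). The secret now also persists on disk in local.json in addition to the environment; the file is created outside this hunk, so confirm its mode restricts it to the service user.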
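Review bot: `ARG OIDC_ENABLED` has no default, so any build that does not pass the argument — everything except the compose file in this commit — expands `"$OIDC_ENABLED"` to an empty string and the frontend is built with `VUE_APP_OIDC_ENABLED=""`, which is neither `true` nor `false`. `ARG OIDC_ENABLED=false` makes a standalone `docker build -f nginx.dockerfile .` match the compose default. Build args are also recorded in image metadata (`docker history`), which is acceptable for a boolean flag but is exactly why no OIDC secret should ever be passed this way.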