element-hq · sandhose · Oct 25, 2024 · Oct 21, 2024
diff --git a/docs/setup/sso.md b/docs/setup/sso.md
@@ -68,6 +68,62 @@ If there is only one upstream provider configured and the local password databas
 
 This section contains sample configurations for popular OIDC providers.
 
+### Authelia
+
+These instructions assume that you have already enabled the OIDC provider support in [Authelia](https://www.authelia.com/).
+
+Add a client for MAS to Authelia's `configuration.yaml` (see the [Authelia OIDC documentation](https://www.authelia.com/configuration/identity-providers/openid-connect/clients/) for full details):
+
+```yaml
+identity_providers:
+  oidc:
+    clients:
+      - client_id: "<client-id>" # TO BE FILLED
+          client_name: Matrix
+          client_secret: "<client-secret>" # TO BE FILLED
+          public: false
+          redirect_uris:
+            - https://<mas-fqdn>/upstream/callback/<id>
+          scopes:
+            - openid
+            - groups
+            - profile
+            - email
+          grant_types:
+            - 'refresh_token'
+            - 'authorization_code'
+          response_types:
+            - code
+```
+
+Authentication service configuration:
+
+```yaml
+upstream_oauth2:
+  providers:
+    providers:
+    - id: <id>
+      human_name: Authelia
+      issuer: "https://<authelia-fqdn>" # TO BE FILLED W/O ANY TRAILING SLASHES
+      client_id: "<client-id>" # TO BE FILLED
+      client_secret: "<client-secret>" # TO BE FILLED
+      token_endpoint_auth_method: client_secret_basic
+      scope: "openid profile email"
+      discovery_mode: insecure
+      claims_imports:
+          localpart:
+            action: require
+            template: "{{ user.preferred_username }}"
+          displayname:
+            action: suggest
+            template: "{{ user.name }}"
+          email:
+            action: suggest
+            template: "{{ user.email }}"
+            set_email_verification: always
+```
+
+
 ### Authentik
 
 [Authentik](https://goauthentik.io/) is an open-source IdP solution.
@@ -266,8 +322,8 @@ upstream_oauth2:
 ### Microsoft Azure Active Directory
 
 Azure AD can act as an OpenID Connect Provider.
-Register a new application under *App registrations* in the Azure AD management console. 
-The `RedirectURI` for your application should point to your authentication service instance: 
+Register a new application under *App registrations* in the Azure AD management console.
+The `RedirectURI` for your application should point to your authentication service instance:
 `https://<auth-service-domain>/upstream/callback/<id>` where `<id>` is the same as in the config file.
 
 Go to *Certificates & secrets* and register a new client secret.
@@ -297,4 +353,3 @@ upstream_oauth2:
           template: "{{ user.email }}"
           set_email_verification: always
 ```
-