From acb669b40cfc22f7d185c5575a33e5f0526e7186 Mon Sep 17 00:00:00 2001 From: Saphira Mathis <12089035+inhinias@users.noreply.github.com> Date: Fri, 10 Apr 2026 12:06:21 +0200 Subject: [PATCH] Updated SSO Docs according to information gathered in the discussion #7073 --- Enabling-SSO-support-using-OpenId-Connect.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Enabling-SSO-support-using-OpenId-Connect.md b/Enabling-SSO-support-using-OpenId-Connect.md index 39050cd..e9ed89b 100644 --- a/Enabling-SSO-support-using-OpenId-Connect.md +++ b/Enabling-SSO-support-using-OpenId-Connect.md @@ -31,6 +31,8 @@ The following configurations are available The callback URL is [automatically generated](https://github.com/dani-garcia/vaultwarden/blob/1e1f9957cd037fad87e5cd33245720f865942016/src/config.rs#L1333) from the `DOMAIN`. If you set `DOMAIN=https://vaultwarden.example.tld` your callback URL will be `https://vaultwarden.example.tld/identity/connect/oidc-signin`. +If you are using a private certificate authority or self signed certificates on your SSO authority, you need to add your root certificate to `/etc/ssl/certs` or point the `SSL_CERT_DIR` or `SSL_CERT_FILE` environment variables to it. + ## Account and Email handling When logging in with SSO an identifier (`{iss}/{sub}` claims from the IdToken) is saved in a separate table (`sso_users`).
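Review bot: In the added paragraph, "point the `SSL_CERT_DIR` or `SSL_CERT_FILE` environment variables to it" uses "it" for the root certificate, but the two variables are named for different things (a directory and a file). The sentence should say what value each one takes, for example `SSL_CERT_FILE` set to the path of the CA file and `SSL_CERT_DIR` set to the directory that contains it. The paragraph should also make clear that `/etc/ssl/certs` and the variables apply to the environment where Vaultwarden itself runs, not to the identity provider, and say whether setting either variable replaces the default trust store, so that readers who need both their private CA and the public CAs know to include both. Minor wording: "self signed" should be "self-signed", and "SSO authority" would be clearer as the identity provider, since "authority" is also used for the certificate authority in the same sentence.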