From 058ba7a6bd6b59941838ca7f031f2e191b677595 Mon Sep 17 00:00:00 2001
From: CEbbinghaus
Date: Fri, 23 Jan 2026 21:41:45 +1100
Subject: [PATCH 1/2] Added Kanidm Sample configuration

---
 docs/setup/sso.md | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/docs/setup/sso.md b/docs/setup/sso.md
index 15d0212d7..e99fe901f 100644
--- a/docs/setup/sso.md
+++ b/docs/setup/sso.md
@@ -408,6 +408,37 @@ upstream_oauth2:
 ```
+### Kanidm
+
+
+Install and configure a Kanidm instance using the [Official Docs](https://kanidm.github.io/kanidm/stable/introduction_to_kanidm.html)
+
+Create a OAuth2 Client following the [OAuth2 Setup](https://kanidm.github.io/kanidm/stable/integrations/oauth2.html) guide
+
+> ⚠️ **Important**
+> Ensure you configure the client to prefer short usernames. This means instead of `user@domain.tld` it will return just `user` as the preferred username
+> You can configure this by running `kanidm system oauth2 prefer-short-username `.
+
+```yaml
+upstream_oauth2:
+ providers:
+ - id: "[ulid]" # randomly generated ulid (https://www.ulidtools.com/)
+ issuer: "https:///oauth2/openid/" # TO BE FILLED
+ token_endpoint_auth_method: client_secret_basic
+ client_id: "" # TO BE FILLED
+ client_secret: "" # TO BE FILLED
+ scope: "openid profile email" # Add any additional scopes
+ claims_imports:
+ localpart:
+ action: require
+ template: "{{ user.preferred_username }}"
+ displayname:
+ action: suggest
+ template: "{{ user.name }}"
+ email:
+ action: suggest
+ template: "{{ user.email }}"
+```
 ### Keycloak

From 8930759ab8034581afd95ce19fad1d15330c38df Mon Sep 17 00:00:00 2001
From: CEbbinghaus
Date: Wed, 28 Jan 2026 11:08:35 +1100
Subject: [PATCH 2/2] Added signing alg setting to provider yaml

---
 docs/setup/sso.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/setup/sso.md b/docs/setup/sso.md
index e99fe901f..b461315fc 100644
--- a/docs/setup/sso.md
+++ b/docs/setup/sso.md
@@ -423,6 +423,7 @@ Create a OAuth2 Client following the [OAuth2 Setup](https://kanidm.github.io/kan
 upstream_oauth2:
 providers:
 - id: "[ulid]" # randomly generated ulid (https://www.ulidtools.com/)
+ id_token_signed_response_alg: ES256 # This is important since Kanidm doesn't support RS256 by default
 issuer: "https:///oauth2/openid/" # TO BE FILLED
 token_endpoint_auth_method: client_secret_basic
 client_id: "" # TO BE FILLED