diff --git a/docs/deploy.md b/docs/deploy.md index 1afad69..832bb3b 100644 --- a/docs/deploy.md +++ b/docs/deploy.md @@ -108,6 +108,12 @@ docker compose -f /srv/mnemosyne/docker-compose.yaml \ docker compose -f /srv/mnemosyne/docker-compose.yaml \ run --rm app \ python manage.py seed_signing_key --kid daedalus-1 --retire-other + +# Create Django groups for SSO role mapping (View Only / Staff / SME / Admin). +# Safe to re-run — idempotent. +docker compose -f /srv/mnemosyne/docker-compose.yaml \ + run --rm app \ + python manage.py create_sso_groups ``` The `seed_signing_key` command prints the generated secret once to stdout — it 
@@ -218,6 +224,25 @@ relevant service `environment:` blocks. The per-service scoping is defined in |----------|-----------------| | `MCP_REQUIRE_AUTH` | `True` | +### SSO / Casdoor — `app` only + +| Variable | Example / default | Notes | +|----------|-------------------|-------| +| `CASDOOR_ENABLED` | `True` | Set `False` to disable SSO and show only local login | +| `CASDOOR_ORIGIN` | `https://casdoor.ouranos.helu.ca` | Backend URL used for OIDC discovery (`/.well-known/openid-configuration`) | +| `CASDOOR_ORIGIN_FRONTEND` | `https://casdoor.ouranos.helu.ca` | Frontend URL shown to the browser (may differ behind a reverse proxy) | +| `CASDOOR_CLIENT_ID` | `{{ vault_mnemosyne_casdoor_client_id }}` | OAuth client ID from the Casdoor application | +| `CASDOOR_CLIENT_SECRET` | `{{ vault_mnemosyne_casdoor_client_secret }}` | OAuth client secret from the Casdoor application | +| `CASDOOR_ORG_NAME` | `ouranos` | Default organisation slug in Casdoor | +| `CASDOOR_SSL_VERIFY` | `true` | `true` in production; `false` only in sandboxes with self-signed certs | +| `ALLOW_LOCAL_LOGIN` | `False` | Show the local username/password form to non-superusers. Superusers always see it regardless of this flag. | + +Register the OIDC callback URL in the Casdoor application before enabling SSO: + +``` +https://mnemosyne.ouranos.helu.ca/accounts/oidc/casdoor/login/callback/ +``` + ### LLM API encryption — `app`, `worker` | Variable | Notes | @@ -377,3 +402,5 @@ will report as a failure. | `vault_rabbitmq_password` | embedded in `CELERY_BROKER_URL` | | `vault_mnemosyne_llm_encryption_key` | `LLM_API_SECRETS_ENCRYPTION_KEY` | | `vault_mnemosyne_daedalus_service_password` | passed to `ensure_service_user --password` | +| `vault_mnemosyne_casdoor_client_id` | `CASDOOR_CLIENT_ID` | +| `vault_mnemosyne_casdoor_client_secret` | `CASDOOR_CLIENT_SECRET` |
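Review bot: In the first hunk (the `create_sso_groups` step after `seed_signing_key`), the comment "Safe to re-run — idempotent" should say what re-running actually does when a group already exists: whether it only creates missing groups or also reconciles the permissions attached to View Only / Staff / SME / Admin, since an operator who edits a group by hand needs to know which one wins. It would also help to state the ordering requirement explicitly: run this before setting `CASDOOR_ENABLED` to `True`, and say what happens to an SSO user whose mapped role has no matching group yet (denied, or logged in with no group).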
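Review bot: In the SSO / Casdoor table, the boolean examples are inconsistent (`CASDOOR_ENABLED` `True`, `ALLOW_LOCAL_LOGIN` `False`, but `CASDOOR_SSL_VERIFY` `true`); either normalise them or note whether parsing is case-insensitive, because a lowercase value that silently fails to parse could leave SSL verification at an unintended setting. The table also leaves the interaction of the two login flags undocumented: with `CASDOOR_ENABLED` `False` and `ALLOW_LOCAL_LOGIN` at its default `False`, it is unclear what a non-superuser sees, so add one sentence covering that combination. Finally, since superusers always get the local form regardless of `ALLOW_LOCAL_LOGIN`, the Notes column should flag that this is the break-glass path and that those accounts stay reachable even when SSO is the intended sole entry point.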
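Review bot: In the vault table hunk, `vault_mnemosyne_casdoor_client_secret` is the only new credential, and unlike the signing key (which has `seed_signing_key --retire-other` earlier in the file) the change documents no rotation procedure; consider adding a line on regenerating the secret in the Casdoor application and re-deploying so the two stay in step. The `vault_mnemosyne_casdoor_client_id` row is fine as written, but a short note that the client ID is not itself secret would stop readers treating a leak of it as equivalent to the secret.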