diff --git a/apps/docs/mint.json b/apps/docs/mint.json
index f48338c30..2f4a047f8 100644
--- a/apps/docs/mint.json
+++ b/apps/docs/mint.json
@@ -62,11 +62,14 @@
{
"icon": "bolt",
"group": "Get Started",
- "pages": ["self-hosting/docker-compose"]
+ "pages": [
+ "self-hosting/docker-compose",
+ "self-hosting/single-sign-on",
+ "self-hosting/configuration-options"
+ ]
},
"self-hosting/pricing",
- "self-hosting/managed-hosting",
- "self-hosting/configuration-options"
+ "self-hosting/managed-hosting"
]
},
{
diff --git a/apps/docs/self-hosting/configuration-options.mdx b/apps/docs/self-hosting/configuration-options.mdx
index 350158fe9..2a3c7e2ca 100644
--- a/apps/docs/self-hosting/configuration-options.mdx
+++ b/apps/docs/self-hosting/configuration-options.mdx
@@ -69,48 +69,6 @@ These variables need to be configured to let Rallly send out transactional email
Enable TLS for your SMTP connection
-### Single Sign On (SSO) with OpenID Connect (OIDC)
+### Single Sign On (SSO)
-To enable SSO with an OIDC compliant identity provider you will need to configure the following variables.
-
-
- Must be set to `true` to enable OIDC Login
-
-
-
- The user-facing name of your provider as it will be shown on the login page
-
-
-
- URL of the `.well-known/openid-configuration` endpoint for your OIDC provider
-
-
-
- The client ID of your OIDC application
-
-
-
- The client secret of your OIDC application
-
-
-#### Required Scopes
-
-The following scopes are required for OIDC to function properly.
-
-- `openid`: Essential for OIDC to function, used to perform authentication.
-- `profile`: Access to the user's personal information such as name and picture.
-- `email`: Access to the user's email address.
-
-#### Callback URL / Redirect URI
-
-The callback URL for your OIDC application must be set to:
-
-```
-{NEXT_PUBLIC_BASE_URL}/api/auth/callback/oidc
-```
-
-
- Replace `{NEXT_PUBLIC_BASE_URL}` with the base URL of your Rallly instance.
-
-
-Ensure this URL is added to the list of allowed redirect URIs in your OIDC provider's application settings.
+Go to [Single Sign On](/self-hosting/sso) for information on how to configure SSO.
diff --git a/apps/docs/self-hosting/single-sign-on.mdx b/apps/docs/self-hosting/single-sign-on.mdx
new file mode 100644
index 000000000..1ddbcf12c
--- /dev/null
+++ b/apps/docs/self-hosting/single-sign-on.mdx
@@ -0,0 +1,62 @@
+---
+icon: key
+title: Single Sign On (SSO)
+description: How to use your own identity provider
+---
+
+Available in v3.4.0 and later.
+
+
+#### Account Linking
+
+Accounts using the same email are linked together. This assumes
+that you are using a trusted identity provider that uses verified email
+addresses.
+
+
+
+## OpenID Connect (OIDC)
+
+If your identity provider supports OAuth 2.0 based authentication with OpenID Connect (OIDC), you can use it to authenticate users on your Rallly instance.
+
+### Required Scopes
+
+Your OAuth 2.0 application needs to be configured with the following scopes:
+
+- `openid`: Essential for OIDC to function, used to perform authentication.
+- `profile`: Access to the user's personal information such as name and picture.
+- `email`: Access to the user's email address.
+
+### Callback URL / Redirect URI
+
+Your identity provider will redirect the user back to the following URL:
+
+```
+{BASE_URL}/api/auth/callback/oidc
+```
+
+
+ Replace `{BASE_URL}` with the base URL of your Rallly instance and add it to
+ the list of allowed redirect URIs.
+
+
+### Configuration
+
+The following configuration options are available for OIDC.
+All required fields must be set for OIDC to be enabled.
+
+
+ The user-facing name of your provider as it will be shown on the login page
+
+
+
+ URL of the `.well-known/openid-configuration` endpoint for your OIDC provider
+
+
+
+ The client ID of your OIDC application
+
+
+
+ The client secret of your OIDC application
+
diff --git a/apps/web/declarations/environment.d.ts b/apps/web/declarations/environment.d.ts
index ed96abbe1..c1f850939 100644
--- a/apps/web/declarations/environment.d.ts
+++ b/apps/web/declarations/environment.d.ts
@@ -64,10 +64,6 @@ declare global {
* Determines what email provider to use. "smtp" or "ses"
*/
EMAIL_PROVIDER?: "smtp" | "ses";
- /**
- * Set to "true" to enable OIDC authentication
- */
- OIDC_ENABLED?: string;
/**
* Name of the oidc provider
*/
diff --git a/apps/web/src/utils/constants.ts b/apps/web/src/utils/constants.ts
index 7af61492c..fe72560ca 100644
--- a/apps/web/src/utils/constants.ts
+++ b/apps/web/src/utils/constants.ts
@@ -13,6 +13,10 @@ export const monthlyPriceUsd = 7;
export const annualPriceUsd = 42;
export const appVersion = process.env.NEXT_PUBLIC_APP_VERSION;
-export const isOIDCEnabled = process.env.OIDC_ENABLED === "true";
+export const isOIDCEnabled = Boolean(
+ process.env.OIDC_DISCOVERY_URL &&
+ process.env.OIDC_CLIENT_ID &&
+ process.env.OIDC_CLIENT_SECRET,
+);
export const oidcName = process.env.OIDC_NAME ?? "OpenID Connect";
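Review bot: The new `isOIDCEnabled` initializer turns OIDC login on implicitly whenever `OIDC_DISCOVERY_URL`, `OIDC_CLIENT_ID` and `OIDC_CLIENT_SECRET` are all set, so an operator who has the credentials provisioned but wants the login path off no longer has a switch — and since the new docs state that accounts sharing an email are linked to the IdP user, unintended enablement is a meaningful risk rather than a cosmetic one. Consider keeping an explicit opt-out alongside the presence check, e.g. `process.env.OIDC_ENABLED !== "false" &&` as the first operand, or at least documenting that setting the three variables is itself the enable switch (the new page says they must be set, not that setting them is sufficient). A short comment above the constant, `// OIDC is enabled by presence of the three provider settings; the secret is only tested for presence here`, would also make it clear to the next reader why a client secret is referenced in a shared constants module — presumably this file is only evaluated server-side, which is worth confirming. Separately, the configuration-options.mdx hunk links to `/self-hosting/sso` while the new page and mint.json register `self-hosting/single-sign-on`, so that link looks broken.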
diff --git a/turbo.json b/turbo.json
index 36b2783e8..519d7ae20 100644
--- a/turbo.json
+++ b/turbo.json
@@ -85,7 +85,6 @@
"NEXT_PUBLIC_VERCEL_URL",
"NODE_ENV",
"NOREPLY_EMAIL",
- "OIDC_ENABLED",
"OIDC_NAME",
"OIDC_DISCOVERY_URL",
"OIDC_CLIENT_ID",