diff --git a/horizon/templates/etc/_local_settings.tpl b/horizon/templates/etc/_local_settings.tpl
index c146b808b0..7efbe3e548 100644
--- a/horizon/templates/etc/_local_settings.tpl
+++ b/horizon/templates/etc/_local_settings.tpl
@@ -177,21 +177,33 @@ EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
 OPENSTACK_KEYSTONE_URL = "{{ tuple "identity" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}"
 OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"
+
+{{- if .Values.local_settings.auth.sso.enabled }}
 # Enables keystone web single-sign-on if set to True.
-#WEBSSO_ENABLED = False
+WEBSSO_ENABLED = True
 # Determines which authentication choice to show as default.
-#WEBSSO_INITIAL_CHOICE = "credentials"
+WEBSSO_INITIAL_CHOICE = "{{ .Values.local_settings.auth.sso.initial_choice }}"
 # The list of authentication mechanisms
 # which include keystone federation protocols.
 # Current supported protocol IDs are 'saml2' and 'oidc'
 # which represent SAML 2.0, OpenID Connect respectively.
 # Do not remove the mandatory credentials mechanism.
-#WEBSSO_CHOICES = (
-# ("credentials", _("Keystone Credentials")),
-# ("oidc", _("OpenID Connect")),
-# ("saml2", _("Security Assertion Markup Language")))
+WEBSSO_CHOICES = (
+ ("credentials", _("Keystone Credentials")),
+ {{- range $i, $sso := .Values.local_settings.auth.idp_mapping }}
+ ({{ $sso.name | quote }}, {{ $sso.label | quote }}),
+ {{- end }}
+)
+
+WEBSSO_IDP_MAPPING = {
+ {{- range $i, $sso := .Values.local_settings.auth.idp_mapping }}
+ {{ $sso.name | quote}}: ({{ $sso.idp | quote }}, {{ $sso.protocol | quote }}),
+ {{- end }}
+}
+
+{{- end }}
 # Disable SSL certificate checks (useful for self-signed certificates):
 #OPENSTACK_SSL_NO_VERIFY = True
diff --git a/horizon/values.yaml b/horizon/values.yaml
index 84f3d6bb62..21f252e63f 100644
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
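Review bot: In the `_local_settings.tpl` hunk, `WEBSSO_INITIAL_CHOICE` is rendered by pasting the raw value between hand-written double quotes, while every other value added here goes through `quote`; a value containing a quote or backslash would yield a broken or altered settings file. Render it the same way as the rest: `WEBSSO_INITIAL_CHOICE = {{ .Values.local_settings.auth.sso.initial_choice | quote }}`. Nothing in the hunk checks that `initial_choice` is `credentials` or one of the `idp_mapping` names, so a `fail`/`required` guard in the template would surface a typo at render time instead of at login. The generated labels also drop the `_()` translation wrapper that the commented-out defaults used; `_({{ $sso.label | quote }})` would keep them consistent with the credentials entry.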
@@ -66,6 +66,19 @@ local_settings:
 enable_firewall: "True"
 enable_vpn: "True"
 enable_fip_topology_check: "True"
+ auth:
+ sso:
+ enabled: False
+ initial_choice: "credentials"
+ idp_mapping:
+ - name: "acme_oidc"
+ label: "Acme Corporation - OpenID Connect"
+ idp: "myidp1"
+ protocol: "oidc"
+ - name: "acme_saml2"
+ label: "Acme Corporation - SAML2"
+ idp: "myidp2"
+ protocol: "saml2"
 conf:
 ceilometer_policy:
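Review bot: The default `idp_mapping` ships two sample providers (`acme_oidc`/`myidp1` and `acme_saml2`/`myidp2`), so an operator who only flips `sso.enabled` to true gets placeholder entries rendered into `WEBSSO_CHOICES` and `WEBSSO_IDP_MAPPING` on the login page. Default to `idp_mapping: []` and keep the Acme entries as a commented example above it, so the federation choices offered at login are always ones the operator declared. A short comment stating that each `idp`/`protocol` pair has to match an identity provider and protocol registered in keystone would also help. The nesting of `idp_mapping` under `auth` (next to `sso`) is inferred from the template paths, since indentation is not visible in this hunk.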