+</code></pre></notextile>
+
+Then put that value in the @secret_token@ field.
+
+h3(#authentication_methods). Authentication methods
+
+Three authentication methods are supported: google OAuth2, ldap, local accounts.
+
+h3(#google_oauth2). google_oauth2 authentication
+
+Google OAuth2 authentication can be configured with these options.
+
+<pre>
+ # Google API tokens required for OAuth2 login.
+ #
+ # See https://github.com/zquestz/omniauth-google-oauth2
+ #
+ # and https://developers.google.com/accounts/docs/OAuth2
+ google_oauth2_client_id: false
+ google_oauth2_client_secret: false
+
+ # Set this to your OpenId 2.0 realm to enable migration from Google OpenId
+ # 2.0 to Google OAuth2 OpenId Connect (Google will provide OpenId 2.0 user
+ # identifiers via the openid.realm parameter in the OAuth2 flow until 2017).
+ google_openid_realm: false
+</pre>
+
+h3(#ldap). ldap authentication
+
+LDAP authentication can be configured with these options. Make sure to preserve the indentation of the fields beyond @use_ldap@.
+
+<pre>
+ # Enable LDAP support.
+ #
+ # If you want to use LDAP, you need to provide
+ # the following set of fields under the use_ldap key.
+ #
+ # use_ldap: false
+ # title: Example LDAP
+ # host: ldap.example.com
+ # port: 636
+ # method: ssl
+ # base: "ou=Users, dc=example, dc=com"
+ # uid: uid
+ # email_domain: example.com
+ # #bind_dn: "some_user"
+ # #password: "some_password"
+ use_ldap: false
+</pre>
+
+h3(#local_accounts). local account authentication
+
+If neither Google OAuth2 nor LDAP are enabled, the SSO server automatically
+falls back to local accounts. There are two configuration options for local
+accounts:
+
+<pre>
+ # If true, allow new creation of new accounts in the SSO server's internal
+ # user database.
+ allow_account_registration: false
+
+ # If true, send an email confirmation before activating new accounts in the
+ # SSO server's internal user database.
+ require_email_confirmation: false
+</pre>
+
+You can also create local accounts on the SSO server from the rails console:
+
+<notextile>
+<pre><code>~/sso-devise-omniauth-provider$ <span class="userinput">RAILS_ENV=production bundle exec rails console</span>
+:001 > <span class="userinput">user = User.new(:email => "test@example.com")</span>
+:002 > <span class="userinput">user.password = "passw0rd"</span>
+:003 > <span class="userinput">user.save!</span>
+:004 > <span class="userinput">quit</span>