diff --git a/roles/taiga/README.md b/roles/taiga/README.md
new file mode 100644
index 0000000..bc6ac8d
--- /dev/null
+++ b/roles/taiga/README.md
@@ -0,0 +1,19 @@
+# Taiga
+[Taiga](https://www.taiga.io/) is the project management tool for multi-functional agile teams
+
+# Description
+This role will install and configure taiga on a server. It'll install and configure the following components
+* RabbitMQ (unless an external AMQP server is specified)
+* PostgreSQL (unless an external database server is specified)
+* The taiga stack (back, events, async, protected)
+* nginx to expose the web interface
+
+# Compatibility
+The role is tested on the following distributions
+* AlmaLinux 8
+
+# Settings
+
+# Installation
+
+# Upgrades
diff --git a/roles/taiga/defaults/main.yml b/roles/taiga/defaults/main.yml
index d048451..ae3579e 100644
--- a/roles/taiga/defaults/main.yml
+++ b/roles/taiga/defaults/main.yml
@@ -2,6 +2,8 @@
 # Version to deploy
 taiga_version: 6.5.0
+# Should ansible handle upgrades ? If False, only the initial install will be done
+taiga_manage_upgrade: True
 # Where taiga will be installed
 taiga_root_dir: /opt/taiga
 # User under which taiga will run (will be created)
@@ -62,6 +64,8 @@ taiga_public_url: https://{{ inventory_hostname }}/
 # Registration enabled ?
 taiga_user_registration: False
+# If registration is enabled (or if oidc auth is enabled), you can restrict email domains accepted by taiga
+taiga_user_registration_allowed_domains: []
 # Max upload file size (in MB)
 taiga_max_upload_file_size: 20
@@ -74,3 +78,18 @@ taiga_smtp_ssl: "{{ (taiga_smtp_port == 465) | ternary(True, False) }}"
 # If your SMTP server requires an authentication, set the following variables
 #taiga_smtp_user: taiga@example.org
 #taiga_smtp_pass: p@ssw0rd
+
+# OIDC authentication
+taiga_oidc_auth: False
+taiga_oidc_auth_url: https://sso.{{ ansible_domain }}/oauth2/authorize
+taiga_oidc_user_url: https://sso.{{ ansible_domain }}/oauth2/userinfo
+taiga_oidc_token_url: https://sso.{{ ansible_domain }}/oauth2/token
+taiga_oidc_scope: openid email profile
+taiga_oidc_name: SSO ({{ ansible_domain }})
+taiga_oidc_client_id: taiga
+# taiga_oidc_client_secret must be provided
+# taiga_oidc_client_secret: S3cr3t.
+taiga_oidc_id_field: sub
+taiga_oidc_user_field: sub
+taiga_oidc_fullname_field: name
+taiga_oidc_email_field: email
diff --git a/roles/taiga/tasks/archive_pre.yml b/roles/taiga/tasks/archive_pre.yml
index 54f4eab..ca4bfcd 100644
--- a/roles/taiga/tasks/archive_pre.yml
+++ b/roles/taiga/tasks/archive_pre.yml
@@ -10,6 +10,16 @@
 - postgresql14
 tags: taiga
+- name: Stop services during upgrade
+ service: name={{ item }} state=stopped
+ loop:
+ - taiga-back
+ - taiga-async
+ - taiga-events
+ - taiga-protected
+ when: taiga_install_mode == 'upgrade'
+ tags: taiga
+
 - name: Archive previous version
 synchronize:
 src: "{{ taiga_root_dir }}/{{ item }}"
diff --git a/roles/taiga/tasks/conf.yml b/roles/taiga/tasks/conf.yml
index 7954e4f..ec4dd37 100644
--- a/roles/taiga/tasks/conf.yml
+++ b/roles/taiga/tasks/conf.yml
@@ -72,6 +72,8 @@
 command: createsuperuser --noinput --username admin --email admin@{{ ansible_domain }}
 app_path: "{{ taiga_root_dir }}/app/back"
 virtualenv: "{{ taiga_root_dir }}/venv"
+ environment:
+ DJANGO_SUPERUSER_PASSWORD: '{{ taiga_admin_pass }}'
 - name: load initial data
 django_manage:
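Review bot: `service: name={{ item }} state=stopped` in the new "Stop services during upgrade" task uses the key=value shorthand, which ansible-lint flags and which the `synchronize:` task right below does not use; `service:` / `name: "{{ item }}"` / `state: stopped` keeps the file in one style. Nothing in this hunk brings the four services back if a later upgrade step fails, so the host stays down until the next successful run; if that is intended, a one-line comment on the task saying where the services are started again would help, otherwise a `rescue:` that restarts them is worth considering.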
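Review bot: The admin password now reaches `createsuperuser --noinput` through `environment: DJANGO_SUPERUSER_PASSWORD`, and the exported environment of a task can be echoed in verbose play output (the per-host EXEC lines), so `no_log: true` on this task keeps `taiga_admin_pass` out of logs and CI transcripts. The env var is Django's documented way to feed `--noinput`, so the mechanism itself is sound. The task's header and any `when:` guard lie above this hunk, so I could not confirm it only runs on a fresh install.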
@@ -80,9 +82,7 @@
 virtualenv: "{{ taiga_root_dir }}/venv"
 environment:
- DJANGO_SUPERUSER_PASSWORD: '{{ taiga_admin_pass }}'
 DJANGO_SETTINGS_MODULE: settings.config
 CELERY_ENABLED: False
 become_user: "{{ taiga_user }}"
- when: taiga_install_mode == 'install'
 tags: taiga
diff --git a/roles/taiga/tasks/install.yml b/roles/taiga/tasks/install.yml
index 39c7012..b904ec7 100644
--- a/roles/taiga/tasks/install.yml
+++ b/roles/taiga/tasks/install.yml
@@ -4,15 +4,9 @@
 package: name={{ taiga_packages }}
 tags: taiga
-- name: Stop services during upgrade
- service: name={{ item }} state=stopped
- loop:
- - taiga-back
- - taiga-async
- - taiga-events
- - taiga-protected
+- name: Wipe the venv during upgrades
+ file: path={{ taiga_root_dir }}/venv state=absent
 when: taiga_install_mode == 'upgrade'
- tags: taiga
 - when: taiga_install_mode != 'none'
 block:
@@ -53,8 +47,6 @@
 state: "{{ (taiga_install_mode == 'upgrade') | ternary('latest', 'present') }}"
 virtualenv: "{{ taiga_root_dir }}/venv"
 virtualenv_command: /bin/python3.9 -m venv
- #environment:
- # PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/usr/pgsql-14/bin/
 - name: Install the contrib-protected plugin
 pip:
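Review bot: Removing `when: taiga_install_mode == 'install'` leaves the "load initial data" task with no guard at all, so it now also runs when `taiga_install_mode` is `'none'`, whereas install.yml wraps its work in `when: taiga_install_mode != 'none'`. If the intent is to reload the fixtures on upgrades as well, `when: taiga_install_mode != 'none'` keeps the two files consistent and avoids re-running the fixture load on every play against an unchanged host. The task's header starts above this hunk.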
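Review bot: The new "Wipe the venv during upgrades" task has no `tags: taiga`, while the task it replaces had one and the `package` task above keeps it, so a run limited with `--tags taiga` skips the wipe and then reinstalls into the stale venv; add `tags: taiga` after the `when:`. `file: path={{ taiga_root_dir }}/venv state=absent` is also the key=value shorthand ansible-lint warns about; `file:` / `path: "{{ taiga_root_dir }}/venv"` / `state: absent` is the lint-clean form and keeps the path intact if `taiga_root_dir` ever contains a space.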
@@ -62,6 +54,22 @@
 virtualenv: "{{ taiga_root_dir }}/venv"
 virtualenv_command: /bin/python3.9 -m venv
+ - name: Clone the openid-auth plugin
+ git:
+ repo: https://github.com/robrotheram/taiga-contrib-openid-auth.git
+ dest: "{{ taiga_root_dir }}/app/back/taiga-contrib-openid-auth"
+
+ - name: Install the openid-auth backend plugin
+ command: "{{ taiga_root_dir }}/venv/bin/pip3 install -e ."
+ args:
+ chdir: "{{ taiga_root_dir }}/app/back/taiga-contrib-openid-auth/back"
+
+ - name: Create the front plugin dir
+ file: path={{ taiga_root_dir }}/app/front/dist/plugins/ state=directory
+
+ - name: Install the openid-auth front plugin
+ copy: src={{ taiga_root_dir }}/tmp/taiga-contrib-openid-auth/front/dist/ dest={{ taiga_root_dir }}/app/front/dist/plugins/openid-auth/ remote_src=True
+
 - name: Install dependencies for taiga-events
 npm:
 path: "{{ taiga_root_dir }}/app/events/"
diff --git a/roles/taiga/templates/back/config.py.j2 b/roles/taiga/templates/back/config.py.j2
index 78fc7f5..6ac45f2 100644
--- a/roles/taiga/templates/back/config.py.j2
+++ b/roles/taiga/templates/back/config.py.j2
@@ -9,9 +9,9 @@ from .common import *
 DEBUG = False
-#ADMINS = (
-# ("Admin", "example@example.com"),
-#)
+ADMINS = (
+ ("Admin", "{{ system_admin_email | default('admin@' ~ ansible_domain) }}"),
+)
 DATABASES = {
 'default': {
@@ -128,7 +128,7 @@ ENABLE_TELEMETRY = False
 ## REGISTRATION
 #########################################
-PUBLIC_REGISTER_ENABLED = False
+PUBLIC_REGISTER_ENABLED = {{ (taiga_user_registration or taiga_oidc_auth) | ternary('True', 'False') }}
 #########################################
 ## THROTTLING
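Review bot: The front-plugin copy reads from `{{ taiga_root_dir }}/tmp/taiga-contrib-openid-auth/front/dist/`, but the clone three tasks earlier lands in `{{ taiga_root_dir }}/app/back/taiga-contrib-openid-auth` and nothing in this hunk creates a `tmp/` checkout, so the task fails unless something outside the diff populates that path; `src={{ taiga_root_dir }}/app/back/taiga-contrib-openid-auth/front/dist/` matches the clone. The `git` task carries no `version:`, so every run follows the plugin's default branch head and `pip3 install -e .` then loads whatever it contains into the authentication path of the backend; pinning a reviewed tag or commit with `version: "<pinned tag or commit>"` (placeholder) keeps that third-party code reviewable and its upgrades deliberate. All four tasks also run regardless of `taiga_oidc_auth`, while the templates only wire the plugin in when it is set, so a `when: taiga_oidc_auth` on them (or a surrounding block) keeps non-SSO installs free of the extra code. The `command` task will report changed on every run; `changed_when: false` is the usual remedy if idempotent output matters.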
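Review bot: `PUBLIC_REGISTER_ENABLED` now renders as `True` whenever `taiga_oidc_auth` is set, even with `taiga_user_registration: False`, so turning on SSO silently opens Taiga's ordinary username/password sign-up to anyone who can reach the site, not only to SSO-provisioned users. If the openid plugin genuinely needs this flag to create accounts on first login, state that next to the defaults, e.g. `# Note: enabling OIDC also enables public registration; restrict it with taiga_user_registration_allowed_domains`, and in the README's empty Settings section, so operators know to set the allowed-domain list. Otherwise keep the flag tied to `taiga_user_registration` alone.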
@@ -156,6 +156,15 @@ PUBLIC_REGISTER_ENABLED = False
 # LIMIT ALLOWED DOMAINS FOR REGISTER AND INVITE
 # None or [] values in USER_EMAIL_ALLOWED_DOMAINS means allow any domain
 #USER_EMAIL_ALLOWED_DOMAINS = None
+{% if taiga_user_registration_allowed_domains | length > 0 %}
+USER_EMAIL_ALLOWED_DOMAINS=[
+{% for domain in taiga_user_registration_allowed_domains %}
+ '{{ domain }}'
+{% endfor %}
+]
+{% else %}
+USER_EMAIL_ALLOWED_DOMAINS = None
+{% endif %}
 # PUCLIC OR PRIVATE NUMBER OF PROJECT PER USER
 #MAX_PRIVATE_PROJECTS_PER_USER = None # None == no limit
@@ -218,3 +227,16 @@ FEEDBACK_ENABLED = False
 # "cert": "XXXXXX_get_a_valid_cert_from_jira_XXXXXX",
 # "pub_cert": "XXXXXX_get_a_valid_pub_cert_from_jira_XXXXXX"
 #}
+
+{% if taiga_oidc_auth %}
+INSTALLED_APPS += ["taiga_contrib_openid_auth"]
+OPENID_USER_URL = "{{ taiga_oidc_user_url }}"
+OPENID_TOKEN_URL = "{{ taiga_oidc_token_url }}"
+OPENID_CLIENT_ID = "{{ taiga_oidc_client_id }}"
+OPENID_CLIENT_SECRET = "{{ taiga_oidc_client_secret }}"
+OPENID_SCOPE = "{{ taiga_oidc_scope }}"
+OPENID_ID_FIELD = "{{ taiga_oidc_id_field }}"
+OPENID_USERNAME_FIELD = "{{ taiga_oidc_user_field }}"
+OPENID_FULLNAME_FIELD = "{{ taiga_oidc_fullname_field }}"
+OPENID_EMAIL_FIELD = "{{ taiga_oidc_email_field }}"
+{% endif %}
diff --git a/roles/taiga/templates/front/conf.json.j2 b/roles/taiga/templates/front/conf.json.j2
index 169a426..e5377a1 100644
--- a/roles/taiga/templates/front/conf.json.j2
+++ b/roles/taiga/templates/front/conf.json.j2
@@ -16,7 +16,7 @@
 "supportUrl": "https://resources.taiga.io",
 "privacyPolicyUrl": null,
 "termsOfServiceUrl": null,
- "maxUploadFileSize": {{ taiga_max_upload_file_size }},
+ "maxUploadFileSize": {{ taiga_max_upload_file_size * 1024 * 1024 }},
 "contribPlugins": [],
 "tagManager": { "accountId": null },
 "tribeHost": null,
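Review bot: The `{% for %}` loop emits `'{{ domain }}'` with no trailing comma, so with two or more domains Python concatenates the adjacent literals (a constructed `['a.example' 'b.example']` is the single element `'a.exampleb.example'`) and no real address can satisfy the restriction. `    '{{ domain }}',` fixes it; simpler still, `USER_EMAIL_ALLOWED_DOMAINS = {{ taiga_user_registration_allowed_domains | to_json }}` renders the whole list on one line, drops the hand-written brackets, and escapes any quote in a value. The `=[` spacing also differs from the `= None` on the else branch two lines below.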
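Review bot: `OPENID_CLIENT_SECRET = "{{ taiga_oidc_client_secret }}"` and the other `OPENID_*` lines drop the value into a Python string literal unescaped, so a secret or URL containing `"` or `\` yields a config.py that fails to import and takes the backend down at its next restart; `OPENID_CLIENT_SECRET = {{ taiga_oidc_client_secret | to_json }}` produces a valid literal for any value. Since config.py now carries the OIDC client secret, the `template` task that writes it (outside this diff) should set a restrictive mode and owner, e.g. `mode: "0640"` with `owner: "{{ taiga_user }}"`, which I could not confirm from here. `taiga_oidc_client_secret` has no default, so rendering with `taiga_oidc_auth: True` and no secret fails early rather than producing an empty secret, which is the right outcome.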
@@ -25,5 +25,14 @@
 "enableJiraImporter": false,
 "enableTrelloImporter": false,
 "gravatar": false,
+{% if taiga_oidc_auth %}
+ "openidAuth" : "{{ taiga_oidc_auth_url }}",
+ "openidScope": "{{ taiga_oidc_scope }}",
+ "openidName" : "{{ taiga_oidc_name }}",
+ "openidClientId": "{{ taiga_oidc_client_id }}",
+ "contribPlugins": [
+ "/plugins/openid-auth/openid-auth.json"
+ ],
+{% endif %}
 "rtlLanguages": ["ar", "fa", "he"]
 }
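Review bot: With `taiga_oidc_auth` set this object ends up with two `"contribPlugins"` keys — the `"contribPlugins": [],` kept as context in the previous hunk and the one added here — and JSON leaves duplicate keys undefined: browsers happen to keep the last, but a validator or a stricter parser may reject the file or keep the empty list and silently disable the plugin. Make the existing key conditional instead, e.g. `"contribPlugins": {{ taiga_oidc_auth | ternary(['/plugins/openid-auth/openid-auth.json'], []) | to_json }},` in place of the fixed `"contribPlugins": [],`, and keep only the four `openid*` keys inside the `{% if %}` block. The spacing of `"openidAuth" :` and `"openidName" :` also differs from every other key in the file.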