diff --git a/group_vars/all/vault_security_tracker.yml b/group_vars/all/vault_security_tracker.yml
index 8523e20d99fba8b00f946f5281b9332fd8f16ad1..a17c50338f2208340e9126518eb29b94b8547ae0 100644
--- a/group_vars/all/vault_security_tracker.yml
+++ b/group_vars/all/vault_security_tracker.yml
@@ -1,10 +1,14 @@
 $ANSIBLE_VAULT;1.1;AES256
-62386537326331346332353038653137616430366531626637653762636135353232653835333831
-6431393138396537373937663963646365313464326565380a386266316266316463663163343434
-62333165643134663564366136633238613238373636353033303136653662343465326665616239
-3161326364306430350a343138653566363464333366353131383430336431363964613831303561
-34636163313064643830336665386635396231646533356163623938323165626236336633393863
-63313338316639333033393239336131306231346237353934393838323861646264656361346533
-32363864663436613333373130383462656134386632636337376539323562366137313762623433
-34663561626265626165383736656566353135336630656638373139353238636262313035366265
-61653965636331626162323539353635626337313830616634323236656463316331
+62336563323762646634643633386665333866653263363636326665396132653433336635366439
+6138343537306135663332306465643337333733613530390a353331666236633437666237383536
+39373036373963633234663234386164373663366530323963363732393061333562363636303431
+6530353331613734330a343065366162346263396262316133323362656234343036623861626164
+32316337666433386162656534376533383064666365303261393534306134643831666265656637
+33353239623830323039343237303164316636636431346361336437333037356635363461366434
+36326365313663363939393565663535396130383961303763303461303961636639623136623039
+31646630613161633835613636613339303038633961383930623165646366396361343933396464
+38623937623633326463303734623738663535393332356361646136313331656135383639623866
+37386332653964323636333063323439653436386436383263316465313262633532393839636633
+65346336346264343730323330633333336366633065336230316234386661373235356330346339
+61353835646665396363336232633733626661336361623364623433303065383131373062663965
+34353033396636343165373061653834653862343962373630636630373164646139
diff --git a/roles/security_tracker/defaults/main.yml b/roles/security_tracker/defaults/main.yml
index ca08715d3fa432a413891c1569b2cab4933dc294..f89ec06174bf9b900791f280c86c5cc5048d55c9 100644
--- a/roles/security_tracker/defaults/main.yml
+++ b/roles/security_tracker/defaults/main.yml
@@ -1,2 +1,2 @@
 ---
-security_tracker_version: "780b05c5d7d47b3f298f801df6cbe16a56746379"
+security_tracker_version: "8ce112b697b81a6df5a3f8c8650344549a124614"
diff --git a/roles/security_tracker/tasks/main.yml b/roles/security_tracker/tasks/main.yml
index 3b0bf6c149f22233b634e0a932e2b79b9d7720d3..4828bc11606e08cd8156bd7f0e94d78cd2135c43 100644
--- a/roles/security_tracker/tasks/main.yml
+++ b/roles/security_tracker/tasks/main.yml
@@ -16,7 +16,8 @@
       - git
       - make
       - python
-      - python-sqlalchemy1.3
+      - python-authlib
+      - python-sqlalchemy
       - python-sqlalchemy-continuum
       - python-flask
       - python-flask-sqlalchemy
@@ -29,6 +30,7 @@
       - python-feedgen
       - python-pytz
       - python-email-validator
+      - python-markupsafe
       - pyalpm
       - sqlite
       - expac
@@ -102,7 +104,7 @@
 - name: deploy new release
   become: true
   become_user: security
-  file: path=/etc/uwsgi/vassals/security-tracker.ini state=touch owner=root group=root mode=0644
+  file: path=/etc/uwsgi/vassals/security-tracker.ini state=touch owner=security group=http mode=0644
   when: release.changed
 
 - name: start and enable security-tracker timer
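Review bot: The touch in `deploy new release` now hands ownership of `/etc/uwsgi/vassals/security-tracker.ini` to the unprivileged `security` service account, so whoever controls that account can rewrite the vassal configuration the uWSGI emperor loads; unless the emperor runs in tyrant mode (where file ownership already decides the vassal's uid/gid), that is a privilege boundary worth a comment on the task, e.g. `# vassal ini is owned by the service user so the touch works under become_user; emperor must run in tyrant mode`. The old `owner=root` presumably could not have been applied under `become_user: security`, which looks like the motivation; if the intent is only to trigger an emperor reload, touching the file as root (drop `become_user`) and leaving `owner`/`group` untouched keeps the file out of the service account's hands. Separately, the `file:` line still packs its arguments as `key=value` while the rest of the task uses block YAML; Ansible style prefers nested keys (`path:`, `state: touch`, `owner:`, `group:`, `mode: "0644"`).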
diff --git a/roles/security_tracker/templates/20-user.local.conf.j2 b/roles/security_tracker/templates/20-user.local.conf.j2
index 7e582d5aa76941108637d09aa749f254bfceb1b6..56ea0b3bf6adfabe660a0723e51fa75d86971663 100644
--- a/roles/security_tracker/templates/20-user.local.conf.j2
+++ b/roles/security_tracker/templates/20-user.local.conf.j2
@@ -1,2 +1,11 @@
 [flask]
 secret_key = '{{ vault_security_tracker.secret_key }}'
+
+[sso]
+enabled = yes
+metadata_url = https://accounts.archlinux.org/auth/realms/archlinux/.well-known/openid-configuration
+client_id = openid_security_tracker
+client_secret = {{ vault_security_tracker_openid_client_secret }}
+administrator_group = /Arch Linux Staff/Security Team/Admins
+security_team_group = /Arch Linux Staff/Security Team/Members
+reporter_group = /External Contributors/Security Team/Reporters
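Review bot: `client_secret = {{ vault_security_tracker_openid_client_secret }}` is rendered bare while `secret_key` on the first line of this file is single-quoted, so the two secrets in one file reach the tracker's config loader in different forms; unless that loader strips quotes, one of them is being handed over wrong. If the loader is configparser-style with interpolation enabled, a `%` in the rendered secret would also fail at read time, so the value should be quoted/escaped consistently with the existing line, `client_secret = '{{ vault_security_tracker_openid_client_secret }}'`, or the loader checked for how it treats both. The three `*_group` values are absolute Keycloak group paths, which only match if the group-membership mapper on the Keycloak side emits full paths; a comment such as `# group names are Keycloak full paths (mapper must emit full_path)` would make that coupling visible to the next person editing either side.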
diff --git a/tf-stage2/keycloak.tf b/tf-stage2/keycloak.tf
index 8ec2ad06409f2dcc14051f6784d501dc5e1828b8..8b1ac4b385b4c365458565986fcde1f638a1a3d5 100644
--- a/tf-stage2/keycloak.tf
+++ b/tf-stage2/keycloak.tf
@@ -46,6 +46,12 @@ data "external" "vault_matrix" {
   "--format", "json"]
 }
 
+data "external" "vault_security_tracker" {
+  program = ["${path.module}/../misc/get_key.py", "${path.module}/../group_vars/all/vault_security_tracker.yml",
+    "vault_security_tracker_openid_client_secret",
+  "--format", "json"]
+}
+
 provider "keycloak" {
   client_id = "admin-cli"
   username  = data.external.vault_keycloak.result.vault_keycloak_admin_user
@@ -855,3 +861,27 @@ resource "keycloak_openid_client" "gluebuddy_openid_client" {
     "https://gitlab.archlinux.org/"
   ]
 }
+
+resource "keycloak_openid_client" "security_tracker_openid_client" {
+  realm_id      = "archlinux"
+  client_id     = "openid_security_tracker"
+  client_secret = data.external.vault_security_tracker.result.vault_security_tracker_openid_client_secret
+
+  name    = "Security Tracker"
+  enabled = true
+
+  access_type           = "CONFIDENTIAL"
+  standard_flow_enabled = true
+  valid_redirect_uris   = [
+    "https://security.archlinux.org/*",
+  ]
+  web_origins           = []
+}
+
+resource "keycloak_openid_group_membership_protocol_mapper" "group_membership_mapper" {
+  realm_id  = "archlinux"
+  client_id = keycloak_openid_client.security_tracker_openid_client.id
+  name      = "group-membership-mapper"
+
+  claim_name = "groups"
+}
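Review bot: `valid_redirect_uris = ["https://security.archlinux.org/*"]` accepts any path on the host, whereas the OAuth 2.0 Security BCP recommends exact redirect-URI matching for confidential clients; narrowing it to the tracker's actual callback route (`"https://security.archlinux.org/<callback-path>"`, placeholder — take it from the application's SSO handler) limits where an authorization code can be delivered if any other page on that host ever becomes injectable. The `client_secret` comes from `data.external.vault_security_tracker` (the earlier hunk in this file) and will be persisted in plaintext in Terraform state together with this resource, so the state backend's access controls now form part of this secret's perimeter; a one-line comment on the resource noting that would help. `keycloak_openid_group_membership_protocol_mapper.group_membership_mapper` appears to rely on the provider's default `full_path = true` to emit the `/Arch Linux Staff/...` paths the role's `20-user.local.conf.j2` compares against; writing `full_path = true` explicitly documents that dependency and protects it from a provider default change.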