diff --git a/services/harbor/helmrelease.yaml b/services/harbor/helmrelease.yaml
index 75f8be3..5b384d7 100644
--- a/services/harbor/helmrelease.yaml
+++ b/services/harbor/helmrelease.yaml
@@ -117,6 +117,21 @@ spec:
 existingSecret: harbor-core
 existingXsrfSecret: harbor-core
 existingXsrfSecretKey: CSRF_KEY
+ # OIDC config; client secret is stored out-of-band.
+ configureUserSettings: |
+ {
+ "auth_mode": "oidc_auth",
+ "oidc_name": "Keycloak",
+ "oidc_endpoint": "https://sso.bstein.dev/realms/atlas",
+ "oidc_client_id": "harbor",
+ "oidc_verify_cert": true,
+ "oidc_auto_onboard": true,
+ "oidc_scope": "openid,profile,email,groups",
+ "oidc_groups_claim": "groups",
+ "oidc_user_claim": "preferred_username",
+ "oidc_admin_group": "admin",
+ "oidc_logout": true
+ }
 affinity:
 nodeAffinity:
 requiredDuringSchedulingIgnoredDuringExecution:
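Review bot: `"oidc_admin_group": "admin"` combined with `"oidc_auto_onboard": true` ties Harbor system-administrator rights to a generically named realm group, and creates a Harbor account for every user who can sign in to the `atlas` realm. If `admin` is also used by other services in that realm, its members become registry administrators without any Harbor-specific decision. Consider a dedicated group, e.g. `"oidc_admin_group": "harbor-admins"` (placeholder name), and confirm that the Keycloak group mapper emits bare names rather than full paths such as `/admin`, since a mismatch would silently leave no OIDC admin. The comment says the client secret is stored out-of-band, but the hunk does not show how it reaches Harbor. Harbor appears to treat settings supplied through this value as read-only in the UI and API (worth confirming for the chart version in use), so the comment should name the injection path, to keep the secret from being added to this file later. The enclosing values mapping starts above the hunk.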