feat(auth): add WorkOS and Keycloak SSO discovery

docs/guides/admin-guide.md

@@ -237,14 +237,23 @@ external clients. Authentication requires a valid BetterAuth session (cookie or
 
 ### SSO (Optional)
 
-| Variable                  | Description                    |
-| ------------------------- | ------------------------------ |
-| `AUTHENTIK_CLIENT_ID`     | Authentik OAuth2 client ID     |
-| `AUTHENTIK_CLIENT_SECRET` | Authentik OAuth2 client secret |
-| `AUTHENTIK_ISSUER`        | Authentik OIDC issuer URL      |
+| Variable                    | Description                                                                  |
+| --------------------------- | ---------------------------------------------------------------------------- |
+| `AUTHENTIK_CLIENT_ID`       | Authentik OAuth2 client ID                                                   |
+| `AUTHENTIK_CLIENT_SECRET`   | Authentik OAuth2 client secret                                               |
+| `AUTHENTIK_ISSUER`          | Authentik OIDC issuer URL                                                    |
+| `AUTHENTIK_TEAM_SYNC_CLAIM` | Optional claim used to derive team sync data (defaults to `groups`)          |
+| `WORKOS_CLIENT_ID`          | WorkOS OAuth client ID                                                       |
+| `WORKOS_CLIENT_SECRET`      | WorkOS OAuth client secret                                                   |
+| `WORKOS_ISSUER`             | WorkOS OIDC issuer URL                                                       |
+| `WORKOS_TEAM_SYNC_CLAIM`    | Optional claim used to derive team sync data (defaults to `organization_id`) |
+| `KEYCLOAK_CLIENT_ID`        | Keycloak OAuth client ID                                                     |
+| `KEYCLOAK_CLIENT_SECRET`    | Keycloak OAuth client secret                                                 |
+| `KEYCLOAK_ISSUER`           | Keycloak realm issuer URL                                                    |
+| `KEYCLOAK_TEAM_SYNC_CLAIM`  | Optional claim used to derive team sync data (defaults to `groups`)          |
+| `KEYCLOAK_SAML_LOGIN_URL`   | Optional SAML login URL used when OIDC is unavailable                        |
 
-All three Authentik variables must be set together. If only `AUTHENTIK_CLIENT_ID`
-is set, a warning is logged and SSO is disabled.
+Each OIDC provider requires its client ID, client secret, and issuer URL together. If only part of a provider configuration is set, gateway startup logs a warning and that provider is skipped. Keycloak can fall back to SAML when `KEYCLOAK_SAML_LOGIN_URL` is configured.
 
 ### Agent