diff --git a/howto/ldap.md b/howto/ldap.md
index f1b6f3a3651edf1ad2d8392d6e6dccd7ed164565..cb668df1069594137e14d289ff40dd7c38f8c5ee 100644
--- a/howto/ldap.md
+++ b/howto/ldap.md
@@ -2258,15 +2258,27 @@ using the [django-auth-ldap][] authentication plugin.
 
 ### Single-sign on
 
- * [Keycloak][]: single-sign-on interface which talks with LDAP
- * [FreeIPA][]: similar, except built on top of 389 DS, the Fedora
-   LDAP thing
- * [Authelia][]: single sign-on, 2fa, OIDC connect
- * [Authentik][]: single sign-on, 2fa, OIDC, SAML, LDAP, proxy,
-   metrics
- * [LemonLDAP-ng](https://lemonldap-ng.org/), [packaged in Debian](https://tracker.debian.org/pkg/lemonldap-ng)
- * [kanidm][]: SSO, 2FA, OIDC, LDAP, Radius, SSH, PAM + offline
-   support, web UI, CLI tools
+"Single-sign on" (SSO) is "an authentication scheme that allows a user
+to log in with a single ID to any of several related, yet independent,
+software systems." -- [Wikipedia](https://en.wikipedia.org/wiki/Single_sign-on)
+
+In our case, it's something that could allow all our applications that
+use a single source of truth for usernames and passwords. We could
+also have a single place to manage the 2FA configurations, so that
+users wouldn't have to enroll their 2FA setup in each application
+individually.
+
+Here's a list of the possible applications that could do this that
+we're aware of:
+
+| Application      | Features                                                                   | Notes                                       |
+|------------------|----------------------------------------------------------------------------|---------------------------------------------|
+| [Keycloak][]     | SSO, LDAP                                                                  |                                             |
+| [FreeIPA][]      | SSO, LDAP                                                                  | built on top of 389 DS (Fedora LDAP server) |
+| [Authelia][]     | SSO, 2FA, OIDC                                                             |                                             |
+| [Authentik][]    | SSO, 2FA, OIDC, SAML, LDAP, proxy, metrics                                 |                                             |
+| [LemonLDAP-ng][] |                                                                            | [packaged in Debian][]                      |
+| [kanidm][]       | SSO, 2FA, OIDC, LDAP, Radius, SSH, PAM + offline support, web/CLI UI, Rust |                                             |
 
 See also [mod_auth_openidc](https://github.com/OpenIDC/mod_auth_openidc) for an Apache module supporting OIDC.
 
@@ -2278,6 +2290,8 @@ swap ud-ldap out if we need to, replacing bits of it as we go.
 [Authelia]: https://www.authelia.com/
 [Authentik]: https://goauthentik.io/
 [kanidm]: https://github.com/kanidm/kanidm
+[LemonLDAP-ng]: https://lemonldap-ng.org/
+[packaged in Debian]: https://tracker.debian.org/pkg/lemonldap-ng
 
 #### Keycloak