diff --git a/Enabling-SSO-support-using-OpenId-Connect.md b/Enabling-SSO-support-using-OpenId-Connect.md index 2a651b8..6d9e5e2 100644 --- a/Enabling-SSO-support-using-OpenId-Connect.md +++ b/Enabling-SSO-support-using-OpenId-Connect.md @@ -15,8 +15,9 @@ The following configurations are available - `SSO_SIGNUPS_MATCH_EMAIL`: On SSO Signup if a user with a matching email already exists make the association (default `true`) - `SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION`: Allow unknown email verification status (default `false`). Allowing this with `SSO_SIGNUPS_MATCH_EMAIL` open potential account takeover. - `SSO_AUTHORITY` : the OpenID Connect Discovery endpoint of your SSO - - Should not include the `/.well-known/openid-configuration` part and no trailing `/` + - The URL must not include the `/.well-known/openid-configuration` - `${SSO_AUTHORITY}/.well-known/openid-configuration` must return a JSON document: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse (with an [HTTP status code 200 OK](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse:~:text=A%20successful%20response%20MUST%20use%20the%20200%20OK%20HTTP%20status%20code)!) + - `SSO_AUTHORITY` has to match the exact value of the `issuer` field that is returned by that JSON (so take the `issuer` value of the file if you are unsure whether to include a trailing slash or not). - `SSO_SCOPES` : Optional, allow to override scopes if needed (default `"email profile"`) - `SSO_AUTHORIZE_EXTRA_PARAMS` : Optional, allow to add extra parameter to the authorize redirection (default `""`) - `SSO_PKCE`: Activate PKCE for the Auth Code flow (default `true`).
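Review bot: The rewritten bullet "The URL must not include the `/.well-known/openid-configuration`" now ends on a dangling noun phrase; suggest "The URL must not include the `/.well-known/openid-configuration` suffix" so it reads as a complete sentence. The new bullet telling operators to copy the `issuer` value verbatim is the right guidance: OpenID Connect Discovery requires the `issuer` in the provider configuration to be identical to the URL the document was fetched from (minus the `/.well-known/openid-configuration` path), and a trailing-slash mismatch surfaces as an `iss` claim validation failure on the ID token, so it is worth stating that a mismatch is a configuration error rather than a cosmetic difference. While touching this section, the unchanged context line "Allowing this with `SSO_SIGNUPS_MATCH_EMAIL` open potential account takeover" should read "opens a potential account takeover".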