diff --git a/testserver/docker_grafana/Documentation.md b/testserver/docker_grafana/Documentation.md
index 771c3e47088f4569e0c2ee16539394f2bc05cc48..139bda49c09e26d08f75a2ec90dcdbe67cc1d3c0 100644
--- a/testserver/docker_grafana/Documentation.md
+++ b/testserver/docker_grafana/Documentation.md
@@ -27,7 +27,7 @@ Create Groups:
 
 Create a Service / OAuth Client: 
 
-Only Users with goup grafana_access can access Wordpress 
+Only Users with goup grafana_access can access Grafana 
 
 Client-ID: grafana
 Client-Secret: from file oauth_client_secret on the server
diff --git a/testserver/docker_tandoor/Documentation.md b/testserver/docker_tandoor/Documentation.md
index 074a7865d9cdf3f624633a600b9448df40d0df7c..87af86d029c64ce528282c361c380e8f6f4f10be 100644
--- a/testserver/docker_tandoor/Documentation.md
+++ b/testserver/docker_tandoor/Documentation.md
@@ -1,4 +1,32 @@
 
-After initial Setup, the initial superuser 'tandooradmin' must be created in the unser interface. 
-The Password is stored on the Server in the file ```secrets/tandooradmin_user_pass``` within the data directory. 
+# Overview 
+
+* Authentication to Tandoor is only possible with an account in uffd, regular authentication is disabled 
+* All users with group 'tandoor_access' can access the Application 
+
+# Setup OIDC Authentication via uffd 
+
+Uffd Reference: https://git.cccv.de/uffd
+
+
+## Setup in Tandoor
+
+All setup is done in the docker-compose.yml
+References: 
+* https://docs.tandoor.dev/features/authentication/
+
+## Setup in uffd
+
+Create Groups:
+
+- tandoor_access: General Access to Tandoor
+
+Create a Service / OAuth Client: 
+
+Only Users with goup grafana_access can access Tandoor 
+
+Client-ID: tandoor
+Client-Secret: from file openid_client_secret on the server
+Redirect-URIs: 
+* https://tandoor.test-warpzone.de/accounts/oidc/uffd/login/callback/
 
diff --git a/testserver/docker_tandoor/tasks/main.yml b/testserver/docker_tandoor/tasks/main.yml
index 28fc83e7993b3c9e583a45fad66ceb04de9a1464..6c0629fad12138fca891f93f14cdcdfcd5ec3330 100644
--- a/testserver/docker_tandoor/tasks/main.yml
+++ b/testserver/docker_tandoor/tasks/main.yml
@@ -5,6 +5,7 @@
     - { path: "{{ basedir }}/secrets/secret_key",  length: 32 }
     - { path: "{{ basedir }}/secrets/postgres_user_pass",  length: 24 }
     - { path: "{{ basedir }}/secrets/tandooradmin_user_pass",  length: 24 }
+    - { path: "{{ basedir }}/secrets/openid_client_secret",  length: 32 }
 
 
 - name: "create folder struct for {{ servicename }}"
diff --git a/testserver/docker_tandoor/templates/docker-compose.yml b/testserver/docker_tandoor/templates/docker-compose.yml
index 68a281dea4f75fc9f70651f2a3902b084517f090..0f9d348bc8f9ea20d467a7e32028cae3caa4aafe 100644
--- a/testserver/docker_tandoor/templates/docker-compose.yml
+++ b/testserver/docker_tandoor/templates/docker-compose.yml
@@ -34,6 +34,10 @@ services:
       POSTGRES_PORT: 5432
       POSTGRES_USER: tandoor
       POSTGRES_PASSWORD: "{{ postgres_user_pass }}"
+      SOCIAL_PROVIDERS: allauth.socialaccount.providers.openid_connect
+      SOCIALACCOUNT_PROVIDERS: '{"openid_connect":{"APPS":[{"provider_id":"uffd","name":"uffd","client_id":"tandoor","secret":"{{ openid_client_secret }}","settings":{"server_url":"{{ oidc_global.provider_url }}/.well-known/openid-configuration"}}]}}'
+      SOCIAL_DEFAULT_GROUP: "warpzone"
+      ENABLE_SIGNUP: "False"
     labels:
       - traefik.enable=true
       - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
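Review bot: Nothing in the added environment lines restricts login to a uffd group or turns off the local login form, so the guarantees documented in this commit (group-gated access, regular authentication disabled) rest entirely on the uffd service configuration and on settings outside this hunk; `ENABLE_SIGNUP: "False"` appears to stop only self-registration. The new Documentation.md also names both `tandoor_access` and `grafana_access` as the gating group, so the group actually enforced in uffd should be confirmed. `SOCIAL_DEFAULT_GROUP: "warpzone"` is worth checking too: as far as I know Tandoor expects one of its own roles (`guest`, `user`, `admin`) here and applies it together with `SOCIAL_DEFAULT_ACCESS`, which is not set in the visible lines. The client secret is spliced raw into a JSON string inside a single-quoted YAML scalar, so a generated secret containing `"`, `\` or `'` would corrupt the value; `"secret":{{ openid_client_secret | to_json }}` covers the JSON side, and the generator's character set (not visible here) should exclude `'`. The service definition continues outside the hunk.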