diff --git a/template/stacks/core/argocd/argocd-sso/argocd-secret.yaml b/template/stacks/core/argocd/argocd-sso/argocd-secret.yaml
new file mode 100644
index 0000000..ff082e3
--- /dev/null
+++ b/template/stacks/core/argocd/argocd-sso/argocd-secret.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ app.kubernetes.io/part-of: argocd
+ name: keycloak-oidc
+ namespace: argocd
+type: Opaque
+data:
+ clientSecret: h37eb29EbQIVCMc9Fj82IqAQs1qvvv1R
+immutable: false
diff --git a/template/stacks/core/argocd/argocd-sso/cm.yml b/template/stacks/core/argocd/argocd-sso/cm.yml
new file mode 100644
index 0000000..d44078f
--- /dev/null
+++ b/template/stacks/core/argocd/argocd-sso/cm.yml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: argocd-cm
+data:
+ url: https://factory-192-168-198-2.traefik.me/argocd
+ oidc.config: |
+ name: Keycloak
+ issuer: https://factory-192-168-198-2.traefik.me/keycloak/realms/cnoe
+ clientID: argocd
+ clientSecret: $keycloak-oidc:clientSecret
+ requestedScopes: ["openid", "profile", "email", "groups"]
\ No newline at end of file
diff --git a/template/stacks/core/argocd/values.yaml b/template/stacks/core/argocd/values.yaml
index 3fb3ddf..729db4c 100644
--- a/template/stacks/core/argocd/values.yaml
+++ b/template/stacks/core/argocd/values.yaml
@@ -5,6 +5,7 @@ configs:
 params:
 server.insecure: true
 server.basehref: /argocd
+ server.rootpath: /argocd
 cm:
 application.resourceTrackingMethod: annotation
 timeout.reconciliation: 60s
diff --git a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
index 6c8d603..0c54e99 100644
--- a/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
+++ b/template/stacks/ref-implementation/keycloak/manifests/keycloak-config.yaml
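Review bot: The `clientSecret` in argocd-secret.yaml is a fixed credential committed to the template, and because it sits under `data:` Kubernetes treats it as base64, so unless `h37eb29EbQIVCMc9Fj82IqAQs1qvvv1R` is already the encoded form Argo CD will read decoded bytes rather than the intended string; `stringData:` takes a plain value. The Keycloak job in keycloak-config.yaml creates the `argocd` client without a `secret` field, so Keycloak generates the secret at runtime and a static value here will not match it unless the job overwrites this Secret. The job should be the only writer of this Secret (it already assembles one at /tmp/secret.yaml), and the template should carry no real-looking value; if a placeholder must remain, make it unmistakable, e.g. `clientSecret: <generated-by-keycloak-job>`.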
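Review bot: `url` and `issuer` in cm.yml hard-code `https://factory-192-168-198-2.traefik.me`, while the Keycloak client payload added in the same commit derives its host from `{{{ .Env.DOMAIN_GITEA }}}`; two sources of truth for the public hostname means the issuer check fails as soon as the template is rendered for another domain, so both values should use the same templated host variable, e.g. `issuer: https://{{{ .Env.DOMAIN_GITEA }}}/keycloak/realms/cnoe` (confirm that variable is the shared ingress domain and not Gitea-specific). values.yaml in this commit already manages `configs.cm` through the Argo CD chart, so if the chart renders `argocd-cm` this standalone ConfigMap is a second owner of the same object and whichever applies last wins; `oidc.config` and `url` belong under `configs.cm` instead. The file also lacks a trailing newline.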
@@ -219,6 +219,44 @@ data: ] } + argocd-client-payload.json: | + { + "protocol": "openid-connect", + "clientId": "argocd", + "name": "ArgoCD Client", + "description": "Used for ArgoCD SSO", + "publicClient": false, + "authorizationServicesEnabled": false, + "serviceAccountsEnabled": false, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "standardFlowEnabled": true, + "frontchannelLogout": true, + "attributes": { + "saml_idp_initiated_sso_url_name": "", + "oauth2.device.authorization.grant.enabled": false, + "oidc.ciba.grant.enabled": false + }, + "alwaysDisplayInConsole": false, + "rootUrl": "", + "baseUrl": "", + "redirectUris": [ + "https://{{{ .Env.DOMAIN_GITEA }}}/*" + ], + "webOrigins": [ + "/*" + ] + "defaultClientScopes": [ + "web-origins", + "acr", + "offline_access", + "roles", + "profile", + "groups", + "email" + ] + } + --- apiVersion: batch/v1 kind: Job 
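Review bot: The closing `]` of `"webOrigins"` is not followed by a comma before `"defaultClientScopes"`, so argocd-client-payload.json is not valid JSON and Keycloak will reject the client creation; change the line to `],`. `redirectUris` allows `https://{{{ .Env.DOMAIN_GITEA }}}/*`, which accepts any path on the host; Argo CD only needs its callback, so with `server.rootpath: /argocd` from values.yaml the exact entry is `https://{{{ .Env.DOMAIN_GITEA }}}/argocd/auth/callback` (the variable name also reads as the Gitea host; confirm it is the shared domain). `directAccessGrantsEnabled: true` enables the password grant, which the browser and CLI login flows do not use; `false` keeps this client to the authorization-code flow that `standardFlowEnabled` already provides. The ConfigMap `data` block enclosing this entry starts before the hunk.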
@@ -406,6 +444,23 @@ spec: BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') + + echo "creating ArgoCD client" + curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X POST --data @/var/config/argocd-client-payload.json \ + ${KEYCLOAK_URL}/admin/realms/cnoe/clients + + CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r '.[] | select(.clientId == "argocd") | .id') + + CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r '.[] | select(.name == "groups") | .id') + curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID} + + ARGOCD_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \ + -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \ + -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret') ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}') @@ -426,6 +481,8 @@ spec: BACKSTAGE_CLIENT_ID: backstage GRAFANA_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET} GRAFANA_CLIENT_ID: grafana + ARGOCD_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET} + ARGOCD_CLIENT_ID: argocd " > /tmp/secret.yaml ./kubectl apply -f /tmp/secret.yaml
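Review bot: The `curl` calls that create the `argocd` client and look up its id run without `--fail`, so a 4xx from Keycloak (for instance for a malformed payload) is printed but not acted on, `CLIENT_ID` becomes empty, and the following `PUT` and `GET` are sent to `/clients//default-client-scopes/` and `/clients/` with nothing to stop them; the `CLIENT_SCOPE_GROUPS_ID` lookup has the same gap. Adding `-f` to the POST and checking the `jq -e` result (or relying on `set -e`, if the script's preamble outside this hunk enables it, since a failing command substitution fails the assignment) would stop the job at the first failing step instead of carrying an empty value into the secret written later. Reusing `CLIENT_ID` for the ArgoCD client after it held the Backstage id works only because the Backstage secret is read first; a distinct name such as `ARGOCD_CLIENT_UUID` would make that ordering dependency explicit. The script body continues outside the hunk on both sides.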
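Review bot: `ARGOCD_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET}` in the second hunk writes the Grafana client secret under the ArgoCD key, so the value fetched into `ARGOCD_CLIENT_SECRET` in the previous hunk is never used and Argo CD's OIDC login would fail with the wrong credential; change it to `ARGOCD_CLIENT_SECRET: ${ARGOCD_CLIENT_SECRET}`. The quoted manifest being written to /tmp/secret.yaml starts before this hunk, so the Secret's name and namespace are not visible here; whichever they are, the `$keycloak-oidc:clientSecret` reference in cm.yml resolves only against a Secret named `keycloak-oidc` in the `argocd` namespace with the `app.kubernetes.io/part-of: argocd` label, which is worth confirming against the part outside the hunk.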