Yes, you can integrate Single Sign-On (SSO) using OpenID Connect (OIDC) when self-hosting Ory Kratos. Here are the steps to add a social sign-in provider: 1. Define the redirect URL in the following format:

http(s)://<domain-of-ory-kratos>:<public-port>/self-service/methods/oidc/callback/<social-signin-provider-id>

2. Create a client at your provider to get the Client ID and Client Secret. 3. Set the redirect URI to the URL that follows the pattern mentioned in step 1. 4. Create a [Jsonnet code snippet](https://www.ory.sh/docs/kratos/social-signin/data-mapping) to map the desired claims to the Ory Identity schema. 5. Encode the Jsonnet snippet with [Base64](https://www.base64encode.org/) or store it in a location available to your Ory Kratos instance. 6. Add the configuration for your [social sign-in provider](https://www.ory.sh/docs/kratos/social-signin/overview) to the Ory Kratos configuration. Add the Jsonnet snippet with mappings as a Base64 string or provide a path or an URL of the file. Here is an example configuration:

yaml selfservice:    methods:    oidc:    config:    providers:    - id: generic # this is `<provider-id>` in the Authorization callback URL. DO NOT CHANGE IT ONCE SET!    provider: generic    client_id: .... # Replace this with the Client ID    client_secret: .... # Replace this with the Client secret    issuer_url: <https://accounts.google.com> # Replace this with the providers issuer URL    mapper_url: "base64://{YOUR_BASE64_ENCODED_JSONNET_HERE}"    # Alternatively, use an URL:    # mapper_url: <https://storage.googleapis.com/abc-cde-prd/9cac9717f007808bf17>    scope:    - email    # supported scopes can be found in your providers dev docs    enabled: true

For more details, you can refer to the [source documentation](https://www.ory.sh/docs/self-hosted/kratos/configuration/oidc).