diff --git a/lam/HISTORY b/lam/HISTORY
index 3fa5fb212..bb2d9bd45 100644
--- a/lam/HISTORY
+++ b/lam/HISTORY
@@ -5,6 +5,7 @@ March 2024 8.7
-> Cron job to deactivate inactive accounts based on lastBind overlay data (265)
-> Request access: support Windows groups (266)
-> Request access: usability improvements (278, 279)
+ -> Self service: passwordless SSO login supported for Okta and OpenID
- Fixed bugs:
-> User self registration creates accounts only with SSHA hash (287)
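Review bot: The added entry "Self service: passwordless SSO login supported for Okta and OpenID" has no issue number, while the neighbouring entries in this list end with one, e.g. "(265)", "(266)", "(278, 279)". Add the reference if a ticket exists, so the change can be traced. It would also help to say that this is an option the administrator selects, as the manual text in this patch describes, so a reader of HISTORY does not assume that password entry is dropped by default after the upgrade.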
diff --git a/lam/docs/manual-sources/chapter-selfService.xml b/lam/docs/manual-sources/chapter-selfService.xml
index 87e96bb20..52c32de2c 100644
--- a/lam/docs/manual-sources/chapter-selfService.xml
+++ b/lam/docs/manual-sources/chapter-selfService.xml
@@ -202,7 +202,10 @@
server is responsible to authenticate your users. LAM will use
the given user name + password for the LDAP login. To setup HTTP
authentication in Apache please see this link.
+ url="http://httpd.apache.org/docs/2.2/howto/auth.html">link.
+ If you use Okta or OpenID for 2FA then you can also select to
+ trust the 2FA provider. In this case the user does not need to
+ enter any password in LAM itself (SSO).
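Review bot: The new sentences say the user "does not need to enter any password in LAM itself", but the unchanged text just above still states that LAM uses "the given user name + password for the LDAP login". The manual does not explain which identity LAM uses for LDAP operations when no password is supplied. Please add a sentence covering that, and one stating that with this option the Okta/OpenID provider becomes the only authentication step for self service, so the administrator understands what is being trusted before selecting it. Separately, the added url line points to the Apache 2.2 documentation over plain http; consider linking the current httpd documentation over https.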