diff --git a/manifests/apache.pp b/manifests/apache.pp
index 52b1548..b3c60f0 100644
--- a/manifests/apache.pp
+++ b/manifests/apache.pp
@@ -10,6 +10,21 @@ class etherpad_lite::apache (
 $ssl_key_file = '',
 $ssl_key_file_contents = '', # If left empty puppet will not create file.
 $vhost_name = $::fqdn,
+ # Table containing openid auth details. If undef not enabled
+ # Example dict:
+ # {
+ # banner => "Welcome",
+ # singleIdp => "https://openstackid.org",
+ # trusted => '^https://openstackid.org/.*$',
+ # any_valid_user => false,
+ # users => ['https://openstackid.org/foo',
+ # 'https://openstackid.org/bar'],
+ # }
+ # Note that if you care which users get access set any_valid_user to false
+ # and then provide an explicit list of openids in the users list. Otherwise
+ # set any_valid_user to true and any successfully authenticated user will
+ # get access.
+ $auth_openid = undef,
 ) {
 package { 'ssl-cert':
@@ -40,6 +55,19 @@ class etherpad_lite::apache (
 ensure => present,
 }
 }
+ if ($auth_openid != undef) {
+ if !defined(Package['libapache2-mod-auth-openid']) {
+ package { 'libapache2-mod-auth-openid':
+ ensure => present,
+ }
+ }
+ if !defined(Mod['auth_openid']) {
+ httpd::mod { 'auth_openid':
+ ensure => present,
+ require => Package['libapache2-mod-auth-openid'],
+ }
+ }
+ }
 file { '/etc/apache2':
 ensure => directory,
diff --git a/templates/etherpadlite.vhost.erb b/templates/etherpadlite.vhost.erb
index c579e43..e20fe09 100644
--- a/templates/etherpadlite.vhost.erb
+++ b/templates/etherpadlite.vhost.erb
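Review bot: The new parameter comment does not say how the hash values are consumed, and the template hunk writes them verbatim into Apache directives: `banner` lands inside a double-quoted `AuthName`, `trusted` is passed to `AuthOpenIDTrusted` as a regular expression, and each `users` entry becomes a `Require user` argument, so a banner containing `"` or an entry containing whitespace produces a vhost Apache will not load. Suggest adding after the example: `# Values are written verbatim into the Apache vhost: banner must not contain double quotes, trusted is an Apache regular expression, users entries are OpenID URLs.` The comment should also state that `users` must be non-empty when `any_valid_user` is false, since that combination otherwise emits no `Require` at all in the template. The `class etherpad_lite::apache (` line itself is outside the hunk.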
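Review bot: The guard `if !defined(Mod['auth_openid'])` tests a resource type named `Mod`, while the resource it protects is declared as `httpd::mod { 'auth_openid': ... }`; unless a `Mod` type exists elsewhere in the module tree (not visible here), the check never matches the declared resource, so a second declaration elsewhere fails with a duplicate-resource error instead of being skipped. Suggest `if !defined(Httpd::Mod['auth_openid']) {`, matching the way the package guard names its type. This block is also the natural place to reject a hash that enables OpenID but grants nobody access, e.g. `fail('auth_openid: users must be non-empty when any_valid_user is false')`, rather than letting the template silently emit no `Require`. The class body continues outside the hunk.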
@@ -38,6 +38,26 @@
 # MSIE 7 and newer should be able to use keepalive
 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+ <% if @auth_openid != nil %>
+
+ AuthType OpenID
+ AuthName "<%= @auth_openid['banner'] %>"
+ AuthOpenIDSecureCookie On
+ AuthOpenIDCookieLifespan 3600
+ AuthOpenIDTrustRoot <%= @vhost_name %>
+ AuthOpenIDServerName <%= @vhost_name %>
+ AuthOpenIDSingleIdP <%= @auth_openid['singleIdp'] %>
+ AuthOpenIDTrusted <%= @auth_openid['trusted'] %>
+ <% if @auth_openid['any_valid_user'] %>
+ Require valid-user
+ <% elsif !@auth_openid['users'].empty? %>
+ <% @auth_openid['users'].each do |user| -%>
+ Require user <%= user %>
+ <% end -%>
+ <% end %>
+
+ <% end %>
+
 # The following redirects "nice" urls such as https://etherpad.example.org/padname
 # to https://etherpad.example.org/p/padname. It was problematic directly
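Review bot: When `any_valid_user` is false and `users` is empty, the inner `if`/`elsif` emits no `Require` directive at all, and Apache only enforces authentication where a `Require` is present, so that misconfiguration leaves the pad open to everyone rather than closed; in addition `@auth_openid['users'].empty?` raises at catalog compile time if the `users` key is absent from the hash. Change the branch to `<% elsif @auth_openid['users'] && !@auth_openid['users'].empty? %>` and add an explicit `<% else %>` branch that denies access (`Deny from all` on Apache 2.2, `Require all denied` on 2.4 — the Apache version this vhost targets is not visible here), or reject the combination with `fail()` in etherpad_lite::apache. The two empty added lines directly inside the `<% if %>`/`<% end %>` pair look like an enclosing tag stripped by the page extraction (presumably a `<Location>`), so it is worth confirming the directives are scoped as intended. The enclosing VirtualHost block starts and ends outside the hunk.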