diff --git a/ext/central-controller-docker/migrations/0005_controller_log.down.sql b/ext/central-controller-docker/migrations/0005_controller_log.down.sql
deleted file mode 100644
index fecab6b5b..000000000
--- a/ext/central-controller-docker/migrations/0005_controller_log.down.sql
+++ /dev/null
@@ -1,3 +0,0 @@
-DROP INDEX IF EXISTS ctl_check_time_ix;
-DROP INDEX IF EXISTS ctl_id_ix;
-DROP TABLE IF EXISTS controller_log;
diff --git a/ext/central-controller-docker/migrations/0005_controller_log_and_sso.down.sql b/ext/central-controller-docker/migrations/0005_controller_log_and_sso.down.sql
new file mode 100644
index 000000000..86a2f1ff6
--- /dev/null
+++ b/ext/central-controller-docker/migrations/0005_controller_log_and_sso.down.sql
@@ -0,0 +1,6 @@
+DROP INDEX IF EXISTS ctl_check_time_ix;
+DROP INDEX IF EXISTS ctl_id_ix;
+DROP TABLE IF EXISTS controller_log;
+DROP INDEX IF EXISTS sso_expiry_network_member_ix;
+DROP TABLE IF EXISTS sso_expiry;
+DROP TABLE IF EXISTS oidc_config;
\ No newline at end of file
diff --git a/ext/central-controller-docker/migrations/0005_controller_log.up.sql b/ext/central-controller-docker/migrations/0005_controller_log_and_sso.up.sql
similarity index 64%
rename from ext/central-controller-docker/migrations/0005_controller_log.up.sql
rename to ext/central-controller-docker/migrations/0005_controller_log_and_sso.up.sql
index eafb9edec..58cdbc4b2 100644
--- a/ext/central-controller-docker/migrations/0005_controller_log.up.sql
+++ b/ext/central-controller-docker/migrations/0005_controller_log_and_sso.up.sql
@@ -11,9 +11,19 @@ CREATE TABLE IF NOT EXISTS sso_expiry (
 nonce TEXT PRIMARY KEY,
 nonce_expiration TIMESTAMP WITH TIME ZONE NOT NULL,
 network_id CHARACTER(16) NOT NULL,
- member_id CHARACTER(10) NOT NULL,
+ device_id CHARACTER(10) NOT NULL,
 creation_time TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT (current_timestamp AT TIME ZONE 'UTC'),
 email TEXT,
 authentication_expiry_time TIMESTAMP WITH TIME ZONE,
- FOREIGN KEY (network_id, member_id) REFERENCES network_memberships_ctl(network_id, device_id) ON DELETE CASCADE
+ FOREIGN KEY (network_id, device_id) REFERENCES network_memberships_ctl(network_id, device_id) ON DELETE CASCADE
 );
+CREATE INDEX IF NOT EXISTS sso_expiry_network_member_ix ON public.sso_expiry (network_id, device_id);
+
+CREATE TABLE IF NOT EXISTS oidc_config (
+ client_id TEXT NOT NULL,
+ issuer TEXT NOT NULL,
+ authorization_endpoint TEXT NOT NULL,
+ sso_impl_version BIGINT NOT NULL DEFAULT 1,
+ provider TEXT NOT NULL DEFAULT 'default',
+ PRIMARY KEY (client_id)
+);
\ No newline at end of file
diff --git a/nonfree/controller/CentralDB.cpp b/nonfree/controller/CentralDB.cpp
index 50deb49ad..c550dd8c0 100644
--- a/nonfree/controller/CentralDB.cpp
+++ b/nonfree/controller/CentralDB.cpp
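Review bot: Editing migration 0005 in place (and renaming it) rather than adding a 0006 leaves any database that already applied the original 0005 with `member_id` in sso_expiry, since `CREATE TABLE IF NOT EXISTS` is a no-op on an existing table, and without `oidc_config` or the new index, while the queries in CentralDB.cpp now reference `device_id`; whether the migration tool re-runs a renamed version is not visible here. If deployments of the old 0005 exist, a follow-up migration with `ALTER TABLE sso_expiry RENAME COLUMN member_id TO device_id;` plus the `oidc_config` and index statements would be needed instead. A documentation point on `oidc_config`: with `client_id` as the sole primary key and no network or tenant column, the table is controller-global, and a comment saying so (`-- one OIDC issuer per client_id, shared by all networks on this controller`) would make the intended scoping explicit for whoever adds multi-tenant support later.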
@@ -510,14 +510,14 @@ AuthInfo CentralDB::getSSOAuthInfo(const nlohmann::json& member, const std::stri
 // check if the member exists first.
 pqxx::row count = w.exec(
- "SELECT count(id) FROM ztc_member WHERE id = $1 AND network_id = $2 AND deleted = false",
+ "SELECT count(id) FROM network_memberships_ctl WHERE device_id = $1 AND network_id = $2",
 pqxx::params { memberId, networkId })
 .one_row();
 if (count[0].as() == 1) {
 // get active nonce, if exists.
 pqxx::result r = w.exec(
- "SELECT nonce FROM ztc_sso_expiry "
- "WHERE network_id = $1 AND member_id = $2 "
+ "SELECT nonce FROM sso_expiry "
+ "WHERE network_id = $1 AND device_id = $2 "
 "AND ((NOW() AT TIME ZONE 'UTC') <= authentication_expiry_time) AND ((NOW() AT TIME ZONE 'UTC') <= "
 "nonce_expiration)",
 pqxx::params { networkId, memberId });
@@ -526,8 +526,8 @@ AuthInfo CentralDB::getSSOAuthInfo(const nlohmann::json& member, const std::stri
 // no active nonce.
 // find an unused nonce, if one exists.
 pqxx::result r = w.exec(
- "SELECT nonce FROM ztc_sso_expiry "
- "WHERE network_id = $1 AND member_id = $2 "
+ "SELECT nonce FROM sso_expiry "
+ "WHERE network_id = $1 AND device_id = $2 "
 "AND authentication_expiry_time IS NULL AND ((NOW() AT TIME ZONE 'UTC') <= nonce_expiration)",
 pqxx::params { networkId, memberId });
@@ -544,8 +544,8 @@ AuthInfo CentralDB::getSSOAuthInfo(const nlohmann::json& member, const std::stri
 nonce = std::string(nonceBuf);
 pqxx::result ir = w.exec(
- "INSERT INTO ztc_sso_expiry "
- "(nonce, nonce_expiration, network_id, member_id) VALUES "
+ "INSERT INTO sso_expiry "
+ "(nonce, nonce_expiration, network_id, device_id) VALUES "
 "($1, TO_TIMESTAMP($2::double precision/1000), $3, $4)",
 pqxx::params { nonce, OSUtils::now() + 300000, networkId, memberId });
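Review bot: The membership check in the first hunk selects `count(id)` from network_memberships_ctl, but the only key this commit shows for that table is the composite `(network_id, device_id)` that the migration's FOREIGN KEY references; if the table has no `id` column the query errors on every SSO lookup, and `count(*)` does not depend on one existing: `"SELECT count(*) FROM network_memberships_ctl WHERE device_id = $1 AND network_id = $2",`. The replaced query also filtered `deleted = false`; if network_memberships_ctl carries an equivalent soft-delete flag, that filter should carry over so a nonce is not issued for a member that has been removed. The same table/column rename is applied consistently in the hunks at 526 and 544, so no separate note there. getSSOAuthInfo starts before and continues after these hunks.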
@@ -568,15 +568,11 @@ AuthInfo CentralDB::getSSOAuthInfo(const nlohmann::json& member, const std::stri
 }
 r = w.exec(
- "SELECT oc.client_id, oc.authorization_endpoint, oc.issuer, oc.provider, oc.sso_impl_version "
- "FROM ztc_network AS n "
- "INNER JOIN ztc_org o "
- " ON o.owner_id = n.owner_id "
- "LEFT OUTER JOIN ztc_network_oidc_config noc "
- " ON noc.network_id = n.id "
- "LEFT OUTER JOIN ztc_oidc_config oc "
- " ON noc.client_id = oc.client_id AND oc.org_id = o.org_id "
- "WHERE n.id = $1 AND n.sso_enabled = true",
+ "SELECT oc.client_id, oc.authorization_endpoint, oc.issuer, oc.provider, 1 AS sso_impl_version "
+ "FROM oidc_config oc "
+ "INNER JOIN networks_ctl n "
+ " ON oc.client_id = n.configuration->'ssoConfig'->>'ssoClientId' "
+ "WHERE n.id = $1 AND n.configuration->>'ssoEnabled' = 'true' ",
 pqxx::params { networkId });
 std::string client_id = "";
diff --git a/nonfree/controller/protobuf/sso.proto b/nonfree/controller/protobuf/sso.proto
new file mode 100644
index 000000000..1474b89b8
--- /dev/null
+++ b/nonfree/controller/protobuf/sso.proto
@@ -0,0 +1,38 @@
+syntax = "proto3";
+
+package pbmessages;
+
+message SSOUpdate
+{
+ // Enum for the type of SSO nonce update message
+ enum MessageType {
+ UNKNOWN = 0;
+
+ // From Controller to CV1/CV2 to update nonce information
+ CTL_NONCE_UPDATE = 1;
+
+ // From CV1/CV2 to Controller to update authentication status
+ CV1_AUTH_UPDATE = 2;
+ }
+
+ message NonceUpdate
+ {
+ string nonce = 1;
+ uint64 nonce_expiration = 2;
+ string network_id = 3;
+ string device_id = 4;
+ }
+
+ message AuthUpdate
+ {
+ string nonce = 1;
+ uint64 authentication_expiry = 2;
+ string network_id = 3;
+ string device_id = 4;
+ string email = 5;
+ }
+
+ MessageType message_type = 1;
+ optional SSOUpdate.NonceUpdate nonce_update = 2;
+ optional SSOUpdate.AuthUpdate auth_update = 3;
+}
\ No newline at end of file
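Review bot: `1 AS sso_impl_version` hardcodes the version even though the migration in this same commit gives oidc_config its own `sso_impl_version BIGINT NOT NULL DEFAULT 1` column; selecting `oc.sso_impl_version` keeps the query and the schema in agreement if that column is ever set to another value. The replaced query scoped the OIDC row to the network's organisation (`oc.org_id = o.org_id`), whereas the new join keys solely on the `ssoClientId` string inside `networks_ctl.configuration`, so whoever can write a network's configuration JSON can bind it to any issuer row in oidc_config; that is acceptable if oidc_config is controller-global and network configuration is admin-only, but the assumption deserves a comment above the query, e.g. `// oidc_config is controller-wide: a network selects its issuer by client_id alone (no tenant scoping)`. getSSOAuthInfo continues past the hunk.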
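Review bot: `nonce_expiration` and `authentication_expiry` are bare uint64 fields with no unit stated, while the controller side in this commit writes the nonce expiry as a millisecond epoch (`OSUtils::now() + 300000`, divided by 1000 in `TO_TIMESTAMP`), so both fields should carry a comment such as `// Unix epoch time in milliseconds`. A `message_type` discriminator alongside two `optional` submessages lets a sender set a type that does not match the populated payload, or populate both; `oneof update { NonceUpdate nonce_update = 2; AuthUpdate auth_update = 3; }` makes the choice explicit in the wire format, and in either design the receiver should reject a message whose populated submessage disagrees with `message_type`. The comment on `CV1_AUTH_UPDATE` says the message comes from CV1/CV2 while the enum name mentions only CV1; align the name or the comment.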