diff --git a/public/integrazioniext.html b/public/integrazioniext.html
index 7c76c56..af4fbb2 100644
--- a/public/integrazioniext.html
+++ b/public/integrazioniext.html
@@ -264,6 +264,8 @@
             <tr><th>Metodo</th><th>Endpoint</th><th>Scope</th><th>Descrizione</th></tr>
         </thead>
         <tbody>
+            <tr><td><span class="method-post">POST</span></td><td><code>/token</code></td><td>read:all</td><td>Token exchange: API Key → JWT 15 min. lg231 usa questo JWT per le chiamate successive.</td></tr>
+            <tr><td><span class="method-post">POST</span></td><td><code>/sso</code></td><td>sso:login (o read:all)</td><td>SSO federato: passa email + ruolo + responsabilità → JWT NIS2 2h. Utente creato se non esiste. Auditato.</td></tr>
             <tr><td><span class="method-get">GET</span></td><td><code>/status</code></td><td>—</td><td>Health check piattaforma, versione, DB. Nessuna auth.</td></tr>
             <tr><td><span class="method-get">GET</span></td><td><code>/compliance-summary</code></td><td>read:compliance</td><td>Score NIS2 aggregato (0-100), domain scores Art.21, rischi aperti, incidenti</td></tr>
             <tr><td><span class="method-get">GET</span></td><td><code>/risks/feed</code></td><td>read:risks</td><td>Registro rischi con livello ISO 27005, status, area. Filtri: <code>?level=high,critical&status=open</code></td></tr>
@@ -394,6 +396,37 @@ $incidents = Nis2Client::get(<span class="str">'/incidents/feed'</span>, $apiKey
     <span class="cmt">// reference_id: $inc['id']</span>
 }</div>
 
+    <div class="section-title">3b. SSO federato — apertura diretta NIS2 da lg231</div>
+    <div class="callout">
+        Quando un utente lg231 clicca "Apri NIS2" dal suo dashboard, lg231 chiama
+        <code>POST /api/services/sso</code> e redirige l'utente su NIS2 già autenticato,
+        portando con sé ruolo e responsabilità. Ogni accesso SSO è tracciato nell'audit trail.
+    </div>
+    <div class="code-block"><span class="cmt">// In lg231, quando l'utente clicca "Apri NIS2 Agile":</span>
+$ssoResp = Nis2Client::post(<span class="str">'/sso'</span>, $apiKey, [
+    <span class="str">'user_email'</span>      => $currentUser[<span class="str">'email'</span>],
+    <span class="str">'user_name'</span>       => $currentUser[<span class="str">'first_name'</span>] . <span class="str">' '</span> . $currentUser[<span class="str">'last_name'</span>],
+    <span class="str">'user_role'</span>       => <span class="str">'compliance_manager'</span>,   <span class="cmt">// mappa da ruolo lg231</span>
+    <span class="str">'caller_system'</span>   => <span class="str">'lg231'</span>,
+    <span class="str">'caller_user_id'</span>  => $currentUser[<span class="str">'id'</span>],
+    <span class="str">'responsibilities'</span> => [
+        [<span class="str">'area'</span> => <span class="str">'MOG 231'</span>, <span class="str">'scope'</span> => <span class="str">'art.24-bis criminalità informatica'</span>],
+        [<span class="str">'area'</span> => <span class="str">'OdV'</span>,    <span class="str">'scope'</span> => <span class="str">'monitoraggio cyber risk'</span>],
+    ],
+]);
+
+<span class="kw">if</span> ($ssoResp[<span class="str">'success'</span>]) {
+    $jwt         = $ssoResp[<span class="str">'data'</span>][<span class="str">'data'</span>][<span class="str">'token'</span>];
+    $redirectUrl = $ssoResp[<span class="str">'data'</span>][<span class="str">'data'</span>][<span class="str">'redirect_url'</span>];
+    <span class="cmt">// Redirect con token nel fragment (sicuro, non nel server log)</span>
+    header(<span class="str">'Location: '</span> . $redirectUrl . <span class="str">'#sso_token='</span> . urlencode($jwt));
+}</div>
+    <div class="callout">
+        <strong>NIS2 lato frontend</strong>: in <code>dashboard.html</code> aggiungere:<br>
+        <code>const ssoToken = location.hash.match(/#sso_token=([^&]+)/)?.[1];</code><br>
+        <code>if (ssoToken) { localStorage.setItem('nis2_token', ssoToken); location.hash = ''; }</code>
+    </div>
+
     <div class="section-title">Checklist implementazione lg231</div>
     <ul class="checklist">
         <li>company-ms: aggiungere <code>nis2_api_key</code>, <code>nis2_org_id</code>, <code>nis2_enabled</code> a provider-config</li>