Docs and .env.example: document OIDC_ONLY

.env.example

@@ -31,6 +31,10 @@ ASSOCIATION_NAME="Sportsclub XYZ"
 # OIDC_ADMIN_GROUP_NAME=admin
 # OIDC_GROUPS_CLAIM=groups
 
+# Optional: Show only OIDC sign-in on login page (hide password form).
+# When set to true and OIDC is configured, users see only the Single Sign-On button.
+# OIDC_ONLY=true
+
 # Optional: Vereinfacht accounting integration (finance-contacts sync)
 # If set, these override values from Settings UI; those fields become read-only.
 # VEREINFACHT_API_URL=https://api.verein.visuel.dev/api/v1

docs/admin-bootstrap-and-oidc-role-sync.md

@@ -33,6 +33,10 @@
 - `OIDC_GROUPS_CLAIM` – JWT claim name for group list (default "groups").
 - Module: Mv.OidcRoleSyncConfig (oidc_admin_group_name/0, oidc_groups_claim/0).
 
+### Sign-in page (OIDC-only mode)
+
+- `OIDC_ONLY` (or Settings → OIDC → "Only OIDC sign-in") – When set to true/1/yes and OIDC is configured, the sign-in page shows only the Single Sign-On button (password login is hidden). ENV takes precedence over Settings.
+
 ### Sync Logic
 
 - Mv.OidcRoleSync.apply_admin_role_from_user_info(user, user_info) – If admin group configured, sets user role to Admin or Mitglied based on user_info groups.