diff --git a/.env.example b/.env.example
index 67e573fc3d..0184109765 100644
--- a/.env.example
+++ b/.env.example
@@ -173,12 +173,23 @@ LOGIN_PROVIDER=eloquent
 # It's also possible to change the way users are authenticated. You could use Authelia for example.
 # Authentication via the REMOTE_USER header is supported. Change the value below to "remote_user_guard".
 #
+# This will also allow Windows SSO.
+#
 # If you do this please read the documentation for instructions and warnings:
 # https://docs.firefly-iii.org/advanced-installation/authentication
 #
 # This function is available in Firefly III v5.3.0 and higher.
 AUTHENTICATION_GUARD=web
 
+#
+# By default, Firefly III uses the 'REMOTE_USER' header as per RFC 3875.
+# You can also use another header, like AUTH_USER when using Windows SSO.
+# Some systems use X-Auth headers. In that case, use HTTP_X_AUTH_USERNAME or HTTP_X_AUTH_EMAIL
+#
+# Firefly III won't be able to send emails when the header you use isn't an email address.
+#
+AUTHENTICATION_GUARD_HEADER=REMOTE_USER
+
 #
 # Likewise, it's impossible to log out users who's authentication is handled by an external system.
 # Enter a custom URL here that will force a logout (your authentication provider can tell you).
@@ -227,12 +238,6 @@ ADLDAP_LOGIN_FALLBACK=false
 ADLDAP_DISCOVER_FIELD=distinguishedname
 ADLDAP_AUTH_FIELD=distinguishedname
 
-# Will allow SSO if your server provides an AUTH_USER field.
-# You can set the following variables from a file by appending them with _FILE:
-WINDOWS_SSO_ENABLED=false
-WINDOWS_SSO_DISCOVER=samaccountname
-WINDOWS_SSO_KEY=AUTH_USER
-
 # field to sync as local username.
 # You can set the following variable from a file by appending it with _FILE:
 ADLDAP_SYNC_FIELD=userprincipalname