diff --git a/chart/templates/NOTES.txt b/chart/templates/NOTES.txt
index 37b494eecdefe37383e757c9b8fad69a4a461228..452c3fe06303d4d50ae376b8c23cb229673fb69b 100644
--- a/chart/templates/NOTES.txt
+++ b/chart/templates/NOTES.txt
@@ -115,3 +115,13 @@ PLATFORM ONE ANCHORE WARNING:
   Your SSO configuration will be ignored, the Anchore UI is only available for enterprise deployments.
 {{- end }}
 {{- end }}
+
+{{- if and $.Values.eckoperator.enabled $.Values.logging.enabled }}
+  {{- if $.Values.logging.sso.enabled }}
+    {{- if and (not $.Values.logging.license.trial) (not $.Values.logging.license.keyJSON) }}
+PLATFORM ONE LOGGING WARNING:
+  You have enabled SSO but not provided an enterprise license configuration to use. SSO is not functional without a license.
+  Edit the values for the eck-operator to specify a license key JSON or use the trial license for development.
+    {{- end }}
+  {{- end }}
+{{- end }}
diff --git a/chart/templates/logging/eck-operator/eck-operator-helmrelease.yaml b/chart/templates/logging/eck-operator/eck-operator-helmrelease.yaml
index 649b48246aa5566a0ca2c14196da3e362a1679e9..b874b6cca9404f27b4d44d5d620246f539394cf1 100644
--- a/chart/templates/logging/eck-operator/eck-operator-helmrelease.yaml
+++ b/chart/templates/logging/eck-operator/eck-operator-helmrelease.yaml
@@ -42,6 +42,10 @@ spec:
       valuesKey: "eckoperator.yaml"
 
   values:
+    license:
+      trial: {{ .Values.logging.license.trial }}
+      keyJSON: |
+        {{ .Values.logging.license.keyJSON | nindent 8 }}
     podAnnotations:
       sidecar.istio.io/inject: "true"
       traffic.sidecar.istio.io/includeInboundPorts: "*"
diff --git a/chart/templates/logging/elasticsearch-kibana/ek-helmrelease.yaml b/chart/templates/logging/elasticsearch-kibana/ek-helmrelease.yaml
index e735bc26f1decddfa0542d923087252b70cbdd3c..3d926df610a2157e3279b55b94a56ea72beb5278 100644
--- a/chart/templates/logging/elasticsearch-kibana/ek-helmrelease.yaml
+++ b/chart/templates/logging/elasticsearch-kibana/ek-helmrelease.yaml
@@ -45,6 +45,15 @@ spec:
     hostname: {{ .Values.hostname }}
     istio:
       enabled: {{ .Values.istio.enabled }}
+    {{- if .Values.logging.sso.enabled }}
+    sso:
+      enabled: {{ .Values.logging.sso.enabled }}
+      client_id: {{ .Values.logging.sso.client_id }}
+      client_secret: {{ .Values.logging.sso.client_secret }}
+      oidc:
+        host: {{ .Values.sso.oidc.host }}
+        realm: {{ .Values.sso.oidc.realm }}
+    {{- end }}
     kibana:
       version: 7.9.2
       imagePullSecrets:
diff --git a/chart/templates/logging/elasticsearch-kibana/namespace.yaml b/chart/templates/logging/elasticsearch-kibana/namespace.yaml
index c75283668b8519d69778e5ff60e9fe2557f3adf5..d7d8fd036059540e2a3d268336ba064e25955557 100644
--- a/chart/templates/logging/elasticsearch-kibana/namespace.yaml
+++ b/chart/templates/logging/elasticsearch-kibana/namespace.yaml
@@ -1,4 +1,13 @@
 {{- if or .Values.logging.enabled .Values.clusterAuditor.enabled }}
+{{- /* Default to istio being turned on, but disable if user sets istio to disable in the custom passthrough values.
+We have to do it this way because ownership of "istio.enabled" is owned by the chart but also BigBang.  Sourcing values from the passthrough values also means
+  we get to simplify the api space of BigBang just a little bit more.
+*/ -}}
+{{- $istio := .Values.logging.values.istio | default dict }}
+{{- $istioInjection := "enabled" }}
+{{- if and (hasKey $istio "enabled") (not $istio.enabled) }}
+{{- $istioInjection = "disabled" }}
+{{- end }}
 ---
 apiVersion: v1
 kind: Namespace
@@ -8,6 +17,7 @@ metadata:
     app.kubernetes.io/name: logging
     app.kubernetes.io/component: "core"
     {{- include "commonLabels" . | nindent 4}}
+    istio-injection: {{ $istioInjection }}
 ---
 {{- if ( include "imagePullSecret" . ) }}
 apiVersion: v1
diff --git a/chart/values.yaml b/chart/values.yaml
index b854e0365e1f75d7c4c57ecbe33a73878208357f..99ad02dd2b57a776ae2a665471814852124b7dd7 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -165,6 +165,24 @@ logging:
     path: "./chart"
     tag: "0.1.4-bb.3"
 
+  sso:
+    # -- Toggle OIDC SSO for Kibana/Elasticsearch on and off.
+    # Enabling this option will auto-create any required secrets.
+    enabled: false
+
+    # -- Elasticsearch/Kibana OIDC client ID
+    client_id: ""
+
+    # -- Elasticsearch/Kibana OIDC client secret
+    client_secret: ""
+
+  license:
+    # -- Toggle trial license installation of elasticsearch.  Note that enterprise (non trial) is required for SSO to work.
+    trial: false
+
+    # -- Elasticsearch license in json format seen here: https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana#enterprise-license
+    keyJSON: ""
+
   # -- Values to passthrough to the elasticsearch-kibana chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/elasticsearch-kibana.git
   values: {}
 
@@ -174,9 +192,7 @@ eckoperator:
   git:
     repo: https://repo1.dso.mil/platform-one/big-bang/apps/core/eck-operator.git
     path: "./chart"
-    tag: "1.3.0-bb.3"
-
-  # -- Values to passthrough to the eck-operator chart: https://repo1.dso.mil/platform-one/big-bang/apps/core/eck-operator.git
+    tag: "1.3.0-bb.4"
   values: {}
 
 fluentbit: