diff --git a/README.md b/README.md
index 04fedd92b6fedf4944595f5da4482c3a6ab81238..9860c165f121c91edbd45fdea16addcb0f2ef33a 100644
--- a/README.md
+++ b/README.md
@@ -61,6 +61,8 @@ attributes:
     * `cert`: path to the client certificate
     * `key`: path to the private key
     * `ca`: path to the CA used to validate the server
+* `keystore_enable_groups`: (a list) if set, the keystore will only be
+  enabled for users that are members of these groups
 * `u2f_app_id`: set the U2F AppID - if unset, it will be autodetected
   based on the domain name in the request
 * `url_path_prefix`: URL path prefix of the SSO server application
diff --git a/server/http_test.go b/server/http_test.go
index a65b21a4e62d084dce8f6890b31feb6ccc86a5e4..c3fa9a6fcaa19273cbbd5fd752dd154da7ab2f2c 100644
--- a/server/http_test.go
+++ b/server/http_test.go
@@ -24,11 +24,12 @@ type fakeAuthClient struct{}
 
 func (c *fakeAuthClient) Authenticate(_ context.Context, req *auth.Request) (*auth.Response, error) {
 	p := string(req.Password)
+	info := &auth.UserInfo{Shard: "shard1"}
 	switch {
 	case req.Username == "testuser" && p == "password":
-		return &auth.Response{Status: auth.StatusOK}, nil
+		return &auth.Response{Status: auth.StatusOK, UserInfo: info}, nil
 	case req.Username == "test2fa" && p == "password" && req.OTP == "123456":
-		return &auth.Response{Status: auth.StatusOK}, nil
+		return &auth.Response{Status: auth.StatusOK, UserInfo: info}, nil
 	case req.Username == "test2fa" && p == "password":
 		return &auth.Response{
 			Status:    auth.StatusInsufficientCredentials,
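Review bot: The `info` value added at the top of `Authenticate` sets only `Shard`, so both success cases return a user with no group membership. As far as the visible lines show, the `keystore_enable_groups` restriction documented in the README hunk is therefore never exercised through this fake. That setting decides which users get the keystore enabled, so the tests should cover both a user inside an allowed group and one outside it, and assert that the latter does not get the keystore. One way is a per-user `UserInfo`, for example `&auth.UserInfo{Shard: "shard1", Groups: []string{"group1"}}` for one test account, assuming `auth.UserInfo` exposes group membership under that field name. The body of `Authenticate` continues past the end of the hunk.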
diff --git a/server/login.go b/server/login.go
index 3685e8cefffcd1021598fc0bc90eef428c9ecf00..e2145aaf4edc28d8e673c05963e356ee4f9e78e9 100644
--- a/server/login.go
+++ b/server/login.go
@@ -135,7 +135,9 @@ func (l *loginHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 
 		switch newState {
 		case loginStateSuccess:
-			// Successful login. Delete the login session.
+			// Successful login. Delete the login session and invoke
+			// the login callback, before redirecting to the
+			// original URL.
 			httpSession.Options.MaxAge = -1
 			if err := httpSession.Save(req, w); err != nil {
 				log.Printf("login error saving session: %v", err)