diff --git a/roles/matrix-synapse/vars/workers.yml b/roles/matrix-synapse/vars/workers.yml
index a3b50dc4..3adfd9c3 100644
--- a/roles/matrix-synapse/vars/workers.yml
+++ b/roles/matrix-synapse/vars/workers.yml
@@ -51,7 +51,6 @@ matrix_synapse_workers_generic_worker_endpoints:
   - ^/_matrix/client/(api/v1|r0|unstable)/joined_groups$
   - ^/_matrix/client/(api/v1|r0|unstable)/publicised_groups$
   - ^/_matrix/client/(api/v1|r0|unstable)/publicised_groups/
-  - ^/_synapse/client/password_reset/email/submit_token$
 
   # Registration/login requests
   - ^/_matrix/client/(api/v1|r0|unstable)/login$
@@ -86,28 +85,33 @@ matrix_synapse_workers_generic_worker_endpoints:
   # to use SSO (you only need to include the ones for whichever SSO provider you're
   # using):
 
+  # for all SSO providers
+  # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually
+  # ^/_matrix/client/(api/v1|r0|unstable)/login/sso/redirect
+  # ^/_synapse/client/pick_idp$
+  # ^/_synapse/client/pick_username
+  # ^/_synapse/client/new_user_consent$
+  # ^/_synapse/client/sso_register$
+
   # OpenID Connect requests.
   # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually
-  # ^/_matrix/client/(api/v1|r0|unstable)/login/sso/redirect$
-  # ^/_synapse/oidc/callback$
+  # ^/_synapse/client/oidc/callback$
 
   # SAML requests.
   # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually
-  # ^/_matrix/client/(api/v1|r0|unstable)/login/sso/redirect$
-  # ^/_matrix/saml2/authn_response$
+  # ^/_synapse/client/saml2/authn_response$
 
   # CAS requests.
   # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually
-  # ^/_matrix/client/(api/v1|r0|unstable)/login/(cas|sso)/redirect$
   # ^/_matrix/client/(api/v1|r0|unstable)/login/cas/ticket$
 
-  # Note that a HTTP listener with `client` and `federation` resources must be
-  # configured in the `worker_listeners` option in the worker config.
-
-  # Ensure that all SSO logins go to a single process (usually the main process). 
+  # Ensure that all SSO logins go to a single process.
   # For multiple workers not handling the SSO endpoints properly, see
   # [#7530](https://github.com/matrix-org/synapse/issues/7530).
 
+  # Note that a HTTP listener with `client` and `federation` resources must be
+  # configured in the `worker_listeners` option in the worker config.
+
   # #### Load balancing
 
   # It is possible to run multiple instances of this worker app, with incoming requests