diff --git a/app/controllers/users/omniauth_callbacks_controller.rb b/app/controllers/users/omniauth_callbacks_controller.rb
index 62016a421..9e6baaa0c 100644
--- a/app/controllers/users/omniauth_callbacks_controller.rb
+++ b/app/controllers/users/omniauth_callbacks_controller.rb
@@ -3,10 +3,12 @@
 module Users
   class OmniauthCallbacksController < Devise::OmniauthCallbacksController
     include UsersGenerator
+    include ApplicationHelper
 
     skip_before_action :verify_authenticity_token
     before_action :sign_up_with_provider_enabled?,
                   only: :linkedin
+    before_action :check_sso_status, only: %i(customazureactivedirectory okta)
 
     # You should configure your model like this:
     # devise :omniauthable, omniauth_providers: [:twitter]
@@ -200,6 +202,10 @@ module Users
       render_403 unless Rails.configuration.x.linkedin_signin_enabled
     end
 
+    def check_sso_status
+      render_403 unless sso_enabled?
+    end
+
     def generate_initials(full_name)
       initials = full_name.titleize.scan(/[A-Z]+/).join
       initials = initials.strip.blank? ? 'PLCH' : initials[0..3]
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index a9f5f1fdb..6b965dd04 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -219,6 +219,10 @@ module ApplicationHelper
     'icon_small/missing.png'
   end
 
+  def sso_enabled?
+    ENV['SSO_ENABLED'] == 'true'
+  end
+
   def okta_configured?
     ApplicationSettings.instance.values['okta'].present?
   end
diff --git a/app/views/users/shared/_links.html.erb b/app/views/users/shared/_links.html.erb
index db7ce9d64..11ffd9c9a 100644
--- a/app/views/users/shared/_links.html.erb
+++ b/app/views/users/shared/_links.html.erb
@@ -27,7 +27,7 @@
     <div data-hook="omniauth-sign-in-links"></div>
   <% end -%>
 
-  <%- if devise_mapping.omniauthable? && okta_configured? %>
+  <%- if sso_enabled? && okta_configured? %>
     <div class="okta-sign-in-actions">
       <%= form_tag omniauth_authorize_path(resource_name, :okta), method: :post do %>
         <%= submit_tag t('devise.okta.sign_in_label'), class: 'btn btn-okta' %>
@@ -41,7 +41,7 @@
     <% end -%>
   <% end -%>
 
-  <% if devise_mapping.omniauthable? && azure_ad_configured? %>
+  <% if sso_enabled? && azure_ad_configured? %>
     <div class="azure-sign-in-actions">
       <%= render partial: "users/shared/azure_sign_in_links", locals: { resource_name: resource_name } %>
     </div>