diff --git a/ee/api/chalicelib/core/users.py b/ee/api/chalicelib/core/users.py
index f050811ab..df713dca8 100644
--- a/ee/api/chalicelib/core/users.py
+++ b/ee/api/chalicelib/core/users.py
@@ -740,6 +740,8 @@ def authenticate(email, password, for_change_password=False):
             "email": email,
             **r
         }
+    if config("enforce_SSO", cast=bool, default=False) and helper.is_saml2_available():
+        return {"errors": ["must sign-in with SSO, enforced by admin"]}
     return None