diff --git a/ee/api/chalicelib/core/reset_password.py b/ee/api/chalicelib/core/reset_password.py
index 6f1af14b6..5566ad27f 100644
--- a/ee/api/chalicelib/core/reset_password.py
+++ b/ee/api/chalicelib/core/reset_password.py
@@ -1,3 +1,5 @@
+from decouple import config
+
 import schemas
 from chalicelib.core import users
 from chalicelib.utils import email_helper, captcha, helper
@@ -15,6 +17,8 @@ def reset(data: schemas.ForgetPasswordPayloadSchema):
 # ---FOR SSO
 if a_user.get("origin") is not None and a_user.get("hasPassword", False) is False:
 return {"errors": ["Please use your SSO to login"]}
+ if config("enforce_SSO", cast=bool, default=False) and not a_user["superAdmin"]:
+ return {"errors": ["Please use your SSO to login, enforced by admin"]}
 # ----------
 invitation_link = users.generate_new_invitation(user_id=a_user["id"])
 email_helper.send_forgot_password(recipient=data.email, invitation_link=invitation_link)
diff --git a/ee/api/chalicelib/core/users.py b/ee/api/chalicelib/core/users.py
index 423b7621c..14f7052e5 100644
--- a/ee/api/chalicelib/core/users.py
+++ b/ee/api/chalicelib/core/users.py
@@ -741,6 +741,9 @@ def authenticate(email, password, for_change_password=False):
 if for_change_password:
 return True
 r = helper.dict_to_camel_case(r)
+ if config("enforce_SSO", cast=bool, default=False) and not r["superAdmin"]:
+ return {"errors": ["must sign-in with SSO, enforced by admin"]}
+
 jwt_iat = change_jwt_iat(r['userId'])
 iat = TimeUTC.datetime_to_timestamp(jwt_iat)
 return {
diff --git a/scripts/helmcharts/vars.yaml b/scripts/helmcharts/vars.yaml
index c24f8feb3..a44402040 100644
--- a/scripts/helmcharts/vars.yaml
+++ b/scripts/helmcharts/vars.yaml
@@ -149,6 +149,7 @@ chalice:
 # idp_sls_url: ''
 # idp_name: ''
 # idp_tenantKey: ''
+ # enforce_SSO: 'false'
 # If you want to override something
 # chartname:
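Review bot: The new guard in `reset()` indexes `a_user["superAdmin"]` while the line just above reads the same record defensively with `a_user.get("origin")` and `a_user.get("hasPassword", False)`; if the lookup that builds `a_user` (outside this hunk) does not select that column, the enforce-SSO path fails with a KeyError instead of refusing the reset. Safer and consistent with its neighbours is `if config("enforce_SSO", cast=bool, default=False) and not a_user.get("superAdmin", False):`, which fails closed when the flag is absent. The same hard index on `r["superAdmin"]` appears in the `authenticate()` hunk in users.py. Consider also a short comment above the new check, e.g. `# enforce_SSO: only super admins keep password reset as a break-glass path`, since the exemption is a deliberate policy decision rather than an accident.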
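Review bot: In `authenticate()` the enforce-SSO refusal is evaluated only after `r` has been obtained and camel-cased, which, if `r` is the row returned by the password check earlier in the function (outside this hunk), means the "must sign-in with SSO" response is sent only when the supplied password was correct and a generic failure otherwise; that turns the endpoint into a password-validity oracle for every non-super-admin account even though password login is meant to be disabled. Either evaluate the policy before the credential comparison, or return the same value the invalid-credential path returns so the two cases are indistinguishable to the client. Separately, `authenticate()` otherwise returns `True`, a session dict, or presumably `None`, so a caller that treats any non-`None` result as a successful login would accept the `{"errors": [...]}` dict; please confirm the login route checks for an `"errors"` key before using the result. Note as well that the `if for_change_password: return True` early return sits above the new check, so password changes still succeed under enforced SSO; if that is intended, a one-line comment saying so would prevent a later "fix".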