diff --git a/client/src/components/Login/Login.jsx b/client/src/components/Login/Login.jsx
index 84e6a9d0..6f547ee2 100755
--- a/client/src/components/Login/Login.jsx
+++ b/client/src/components/Login/Login.jsx
@@ -68,6 +68,7 @@ const Login = React.memo(
isSubmittingUsingOidc,
error,
withOidc,
+ isOidcEnforced,
onAuthenticate,
onAuthenticateUsingOidc,
onMessageDismiss,
@@ -107,8 +108,10 @@ const Login = React.memo(
}, [onAuthenticate, data]);
useEffect(() => {
- emailOrUsernameField.current.focus();
- }, []);
+ if (!isOidcEnforced) {
+ emailOrUsernameField.current.focus();
+ }
+ }, [isOidcEnforced]);
useEffect(() => {
if (wasSubmitting && !isSubmitting && error) {
@@ -159,51 +162,57 @@ const Login = React.memo(
onDismiss={onMessageDismiss}
/>
)}
-
-
+
+ )}
{withOidc && (
+ />
)}
@@ -242,6 +251,7 @@ Login.propTypes = {
isSubmittingUsingOidc: PropTypes.bool.isRequired,
error: PropTypes.object, // eslint-disable-line react/forbid-prop-types
withOidc: PropTypes.bool.isRequired,
+ isOidcEnforced: PropTypes.bool.isRequired,
onAuthenticate: PropTypes.func.isRequired,
onAuthenticateUsingOidc: PropTypes.func.isRequired,
onMessageDismiss: PropTypes.func.isRequired,
diff --git a/client/src/components/UsersModal/UsersModal.jsx b/client/src/components/UsersModal/UsersModal.jsx
index 280cd08a..68f0f82f 100755
--- a/client/src/components/UsersModal/UsersModal.jsx
+++ b/client/src/components/UsersModal/UsersModal.jsx
@@ -10,6 +10,7 @@ import Item from './Item';
const UsersModal = React.memo(
({
items,
+ canAdd,
onUpdate,
onUsernameUpdate,
onUsernameUpdateMessageDismiss,
@@ -130,11 +131,13 @@ const UsersModal = React.memo(
-
-
-
-
-
+ {canAdd && (
+
+
+
+
+
+ )}
);
},
@@ -142,6 +145,7 @@ const UsersModal = React.memo(
UsersModal.propTypes = {
items: PropTypes.array.isRequired, // eslint-disable-line react/forbid-prop-types
+ canAdd: PropTypes.bool.isRequired,
onUpdate: PropTypes.func.isRequired,
onUsernameUpdate: PropTypes.func.isRequired,
onUsernameUpdateMessageDismiss: PropTypes.func.isRequired,
diff --git a/client/src/containers/LoginContainer.js b/client/src/containers/LoginContainer.js
index fc7ec217..881b65b0 100755
--- a/client/src/containers/LoginContainer.js
+++ b/client/src/containers/LoginContainer.js
@@ -20,6 +20,7 @@ const mapStateToProps = (state) => {
isSubmittingUsingOidc,
error,
withOidc: !!oidcConfig,
+ isOidcEnforced: oidcConfig && oidcConfig.isEnforced,
};
};
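Review bot: `isOidcEnforced: oidcConfig && oidcConfig.isEnforced` evaluates to `null`/`undefined` whenever no OIDC config is loaded, yet the Login.jsx propTypes hunk declares it `PropTypes.bool.isRequired`, so every non-OIDC deployment will log a prop-type warning and the `!isOidcEnforced` focus check in Login.jsx then relies on falsiness rather than a boolean. Normalise it the way `withOidc` on the line above already does: `isOidcEnforced: !!(oidcConfig && oidcConfig.isEnforced),`. UsersModalContainer's `canAdd: !oidcConfig || !oidcConfig.isEnforced` already yields a true boolean, so the two containers would then agree.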
diff --git a/client/src/containers/UsersModalContainer.js b/client/src/containers/UsersModalContainer.js
index 53503f5b..0e294211 100755
--- a/client/src/containers/UsersModalContainer.js
+++ b/client/src/containers/UsersModalContainer.js
@@ -6,10 +6,12 @@ import entryActions from '../entry-actions';
import UsersModal from '../components/UsersModal';
const mapStateToProps = (state) => {
+ const oidcConfig = selectors.selectOidcConfig(state);
const users = selectors.selectUsersExceptCurrent(state);
return {
items: users,
+ canAdd: !oidcConfig || !oidcConfig.isEnforced,
};
};
diff --git a/docker-compose.yml b/docker-compose.yml
index 01016dc9..24c9cfc9 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -50,6 +50,7 @@ services:
# - OIDC_ROLES_ATTRIBUTE=groups
# - OIDC_IGNORE_USERNAME=true
# - OIDC_IGNORE_ROLES=true
+ # - OIDC_ENFORCED=true
depends_on:
- postgres
diff --git a/server/.env.sample b/server/.env.sample
index 31f2342b..8d962b64 100644
--- a/server/.env.sample
+++ b/server/.env.sample
@@ -33,6 +33,7 @@ SECRET_KEY=notsecretkey
# OIDC_ROLES_ATTRIBUTE=groups
# OIDC_IGNORE_USERNAME=true
# OIDC_IGNORE_ROLES=true
+# OIDC_ENFORCED=true
## Do not edit this
diff --git a/server/api/controllers/access-tokens/create.js b/server/api/controllers/access-tokens/create.js
index c12c4f89..ed9eb8cb 100755
--- a/server/api/controllers/access-tokens/create.js
+++ b/server/api/controllers/access-tokens/create.js
@@ -46,8 +46,11 @@ module.exports = {
},
async fn(inputs) {
- const remoteAddress = getRemoteAddress(this.req);
+ if (sails.config.custom.oidcEnforced) {
+ throw Errors.USE_SINGLE_SIGN_ON;
+ }
+ const remoteAddress = getRemoteAddress(this.req);
const user = await sails.helpers.users.getOneByEmailOrUsername(inputs.emailOrUsername);
if (!user) {
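Review bot: The new guard rejects password login purely on `sails.config.custom.oidcEnforced`, and nothing visible ties that flag to an OIDC client actually being configured; from custom.js the flag is derived from `OIDC_ENFORCED` alone, so a deployment that sets it without the rest of the OIDC settings appears to lose every login path, including the admin's. Consider deriving the effective enforced state from both the flag and a configured OIDC client (where the OIDC hook initialises, or in custom.js), and documenting that dependency next to the flag. Placing the check before `getRemoteAddress` and the user lookup is the right order, since no credential is processed or compared when the endpoint is disabled. `Errors.USE_SINGLE_SIGN_ON` and its matching exit are defined outside this hunk, so I could not confirm the response type it maps to; `fn` continues past the hunk.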
diff --git a/server/api/controllers/show-config.js b/server/api/controllers/show-config.js
index a580a7c0..5349149a 100644
--- a/server/api/controllers/show-config.js
+++ b/server/api/controllers/show-config.js
@@ -10,6 +10,7 @@ module.exports = {
response_mode: 'fragment',
}),
endSessionUrl: oidcClient.issuer.end_session_endpoint ? oidcClient.endSessionUrl({}) : null,
+ isEnforced: sails.config.custom.oidcEnforced,
};
}
diff --git a/server/api/controllers/users/create.js b/server/api/controllers/users/create.js
index 5652ad5e..7d40c975 100755
--- a/server/api/controllers/users/create.js
+++ b/server/api/controllers/users/create.js
@@ -1,6 +1,9 @@
const zxcvbn = require('zxcvbn');
const Errors = {
+ NOT_ENOUGH_RIGHTS: {
+ notEnoughRights: 'Not enough rights',
+ },
EMAIL_ALREADY_IN_USE: {
emailAlreadyInUse: 'Email already in use',
},
@@ -56,6 +59,9 @@ module.exports = {
},
exits: {
+ notEnoughRights: {
+ responseType: 'forbidden',
+ },
emailAlreadyInUse: {
responseType: 'conflict',
},
@@ -65,6 +71,10 @@ module.exports = {
},
async fn(inputs) {
+ if (sails.config.custom.oidcEnforced) {
+ throw Errors.NOT_ENOUGH_RIGHTS;
+ }
+
const values = _.pick(inputs, [
'email',
'password',
diff --git a/server/config/custom.js b/server/config/custom.js
index afd60ec4..d33db095 100644
--- a/server/config/custom.js
+++ b/server/config/custom.js
@@ -44,6 +44,7 @@ module.exports.custom = {
oidcRolesAttribute: process.env.OIDC_ROLES_ATTRIBUTE || 'groups',
oidcIgnoreUsername: process.env.OIDC_IGNORE_USERNAME === 'true',
oidcIgnoreRoles: process.env.OIDC_IGNORE_ROLES === 'true',
+ oidcEnforced: process.env.OIDC_ENFORCED === 'true',
// TODO: move client base url to environment variable?
oidcRedirectUri: `${