diff --git a/.env.template b/.env.template
index a12559ad..bfa37729 100644
--- a/.env.template
+++ b/.env.template
@@ -494,6 +494,9 @@
 ## Prevent users from logging in directly without going through SSO
 # SSO_ONLY=false
 
+## Allow SSO flow to create account. You probably want to disable it when using a public provider.
+# SSO_SIGNUPS_ALLOWED=true
+
 ## On SSO Signup if a user with a matching email already exists make the association
 # SSO_SIGNUPS_MATCH_EMAIL=true
 
diff --git a/src/api/identity.rs b/src/api/identity.rs
index 3962827d..985841bd 100644
--- a/src/api/identity.rs
+++ b/src/api/identity.rs
@@ -220,6 +220,24 @@ async fn sso_login(
                     }
                 )
             }
+            Some((user, None))
+                if user.private_key.is_none()
+                    && !CONFIG.sso_signups_allowed()
+                    && !CONFIG.is_email_domain_allowed(&user.email)
+                    && !CONFIG.mail_enabled()
+                    && Invitation::find_by_mail(&user.email, conn).await.is_none() =>
+            {
+                error!(
+                    "Login failure ({}), no invitation with email ({}) was found",
+                    user_infos.identifier, user.email
+                );
+                err_silent!(
+                    "Missing invitation",
+                    ErrorEvent {
+                        event: EventType::UserFailedLogIn
+                    }
+                )
+            }
             Some((user, None)) if user.private_key.is_some() && !CONFIG.sso_signups_match_email() => {
                 error!(
                     "Login failure ({}), existing non SSO user ({}) with same email ({}) and association is disabled",
@@ -267,13 +285,22 @@ async fn sso_login(
     // Will trigger 2FA flow if needed
     let (user, mut device, twofactor_token, sso_user) = match user_with_sso {
         None => {
-            if !CONFIG.is_email_domain_allowed(&user_infos.email) {
-                err!(
-                    "Email domain not allowed",
-                    ErrorEvent {
-                        event: EventType::UserFailedLogIn
-                    }
-                );
+            if !CONFIG.sso_signups_allowed() {
+                if CONFIG.signups_domains_whitelist().is_empty() {
+                    err!(
+                        "Signups are disabled. You will need an invitation",
+                        ErrorEvent {
+                            event: EventType::UserFailedLogIn
+                        }
+                    );
+                } else if !CONFIG.is_email_domain_allowed(&user_infos.email) {
+                    err!(
+                        "Email domain not allowed",
+                        ErrorEvent {
+                            event: EventType::UserFailedLogIn
+                        }
+                    );
+                }
             }
 
             match user_infos.email_verified {
diff --git a/src/config.rs b/src/config.rs
index 5c826fe9..d37043e6 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -801,6 +801,8 @@ make_config! {
         sso_enabled:                    bool,   true,   def,    false;
         /// Only SSO login |> Disable Email+Master Password login
         sso_only:                       bool,   true,   def,    false;
+        /// Allow SSO flow to create account |> You probably want to disable it when using a public provider
+        sso_signups_allowed:            bool,   true,   def,    true;
         /// Allow email association |> Associate existing non-SSO user based on email
         sso_signups_match_email:        bool,   true,   def,    true;
         /// Allow unknown email verification status |> Allowing this with `SSO_SIGNUPS_MATCH_EMAIL=true` open potential account takeover.