diff --git a/seahub/auth/views.py b/seahub/auth/views.py
index 31b0242fa1..9486e6169d 100644
--- a/seahub/auth/views.py
+++ b/seahub/auth/views.py
@@ -1,8 +1,6 @@
 # Copyright (c) 2012-2016 Seafile Ltd.
-import hashlib
 import logging
 import jwt
-from datetime import datetime
 from django.conf import settings
 # Avoid shadowing the login() view below.
 from django.views.decorators.csrf import csrf_protect
@@ -10,7 +8,7 @@ from django.urls import reverse
 from django.contrib import messages
 from django.shortcuts import render
 from django.contrib.sites.shortcuts import get_current_site
-from django.http import HttpResponseRedirect, Http404
+from django.http import HttpResponseRedirect
 from urllib.parse import quote
 from django.utils.http import base36_to_int, url_has_allowed_host_and_scheme
@@ -43,6 +41,7 @@ from seahub.utils.two_factor_auth import two_factor_auth_enabled, handle_two_fac
 from seahub.utils.user_permissions import get_user_role
 from seahub.utils.auth import get_login_bg_image_path
 from seahub.organizations.models import OrgSAMLConfig
+from seahub.organizations.utils import can_use_sso_in_multi_tenancy
 from constance import config
@@ -536,6 +535,11 @@ def multi_adfs_sso(request):
         if not org:
             render_data['error_msg'] = "Cannot find an ADFS/SAML config for the team related to domain %s." % domain
             return render(request, template_name, render_data)
+
+        if not can_use_sso_in_multi_tenancy(org_id):
+            render_data['error_msg'] = _(f"Team {domain} does not have permission to use ADFS/SAML SSO.")
+            return render(request, template_name, render_data)
+
     except Exception as e:
         logger.error(e)
         render_data['error_msg'] = 'Error, please contact administrator.'
diff --git a/seahub/organizations/utils.py b/seahub/organizations/utils.py
index ca663fc552..86ed62a135 100644
--- a/seahub/organizations/utils.py
+++ b/seahub/organizations/utils.py
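Review bot: `_(f"Team {domain} does not have permission to use ADFS/SAML SSO.")` in the multi_adfs_sso hunk interpolates the domain before gettext sees the string, so the msgid can never match a catalog entry and the message is effectively untranslatable; write it as `render_data['error_msg'] = _("Team %s does not have permission to use ADFS/SAML SSO.") % domain`, which also mirrors the `%`-style message on the preceding `if not org:` branch. The new check passes `org_id` although `org` was resolved from that same id two lines above, and `can_use_sso_in_multi_tenancy` (utils.py hunk) looks the org up again through ccnet_api, so the second lookup is redundant; `org_id` and `_` are presumably bound earlier in the file, which this diff does not show. This branch is the enforcing gate for the SSO flow, while the react_fake_view change only hides the UI entry, so a test that exercises the denied path here is the one that actually protects the control. multi_adfs_sso begins before the hunk and continues after it.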
@@ -2,8 +2,12 @@
 from django.core.cache import cache
 from django.urls import reverse
+from seaserv import ccnet_api
+
 from seahub.invitations.models import Invitation
+from seahub.organizations.models import OrgSettings
 from seahub.utils import gen_token, get_service_url
+from seahub.role_permissions.utils import get_enabled_role_permissions_by_role
 def get_or_create_invitation_link(org_id):
@@ -50,3 +54,10 @@ def generate_org_reactivate_link(org_id):
     url = reverse('org_reactivate', args=[i.token])
     url = f'{service_url}{url}'
     return url
+
+
+def can_use_sso_in_multi_tenancy(org_id):
+    org = ccnet_api.get_org_by_id(org_id)
+    org_role = OrgSettings.objects.get_role_by_org(org)
+    perm_dict = get_enabled_role_permissions_by_role(org_role)
+    return perm_dict.get('can_use_sso_in_multi_tenancy', True)
diff --git a/seahub/organizations/views.py b/seahub/organizations/views.py
index 0d4208221b..62dd952889 100644
--- a/seahub/organizations/views.py
+++ b/seahub/organizations/views.py
@@ -35,7 +35,8 @@ from seahub.organizations.settings import ORG_AUTO_URL_PREFIX, \
     ORG_MEMBER_QUOTA_ENABLED, ORG_ENABLE_ADMIN_INVITE_USER_VIA_WEIXIN, \
     ORG_ENABLE_ADMIN_CUSTOM_LOGO, ORG_ENABLE_ADMIN_CUSTOM_NAME, \
     ORG_ENABLE_ADMIN_INVITE_USER
-from seahub.organizations.utils import get_or_create_invitation_link
+from seahub.organizations.utils import get_or_create_invitation_link, \
+    can_use_sso_in_multi_tenancy
 from seahub.subscription.utils import subscription_check
 from seahub.billing.settings import ENABLE_EXTERNAL_BILLING_SERVICE
 from registration.models import RegistrationProfile
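Review bot: `can_use_sso_in_multi_tenancy` fails open: `perm_dict.get('can_use_sso_in_multi_tenancy', True)` grants SSO to any org whose role permissions lack the key, and nothing checks the `ccnet_api.get_org_by_id(org_id)` result before it is handed to `OrgSettings.objects.get_role_by_org`. Because this helper decides whether an authentication path is allowed, prefer the restrictive default, `return perm_dict.get('can_use_sso_in_multi_tenancy', False)`, or keep `True` behind a comment stating it is deliberate for roles defined outside DEFAULT_ENABLED_ROLE_PERMISSIONS, and add `if not org: return False` after the lookup; whether `get_org_by_id` or `get_role_by_org` can return None is not visible in the diff, so confirm against those APIs. A docstring saying that the function maps an org id to its role's `can_use_sso_in_multi_tenancy` permission and is used as a gate on the login path would help the next reader.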
@@ -298,7 +299,7 @@ def react_fake_view(request, **kwargs):
         'org_enable_admin_invite_user': ORG_ENABLE_ADMIN_INVITE_USER,
         'group_id': group_id,
         'invitation_link': invitation_link,
-        'enable_multi_adfs': ENABLE_MULTI_ADFS,
+        'enable_multi_adfs': ENABLE_MULTI_ADFS and can_use_sso_in_multi_tenancy(org.org_id),
         'enable_subscription': subscription_check(),
         'enable_external_billing_service': ENABLE_EXTERNAL_BILLING_SERVICE,
         'sys_enable_user_clean_trash': config.ENABLE_USER_CLEAN_TRASH,
diff --git a/seahub/role_permissions/settings.py b/seahub/role_permissions/settings.py
index d535548299..faa173b0d1 100644
--- a/seahub/role_permissions/settings.py
+++ b/seahub/role_permissions/settings.py
@@ -51,6 +51,7 @@ DEFAULT_ENABLED_ROLE_PERMISSIONS = {
         'monthly_rate_limit_per_user': '',
         'can_choose_office_suite': True,
         'monthly_ai_credit_per_user': -1,
+        'can_use_sso_in_multi_tenancy': True,
     },
     GUEST_USER: {
         'can_add_repo': False,
@@ -77,6 +78,7 @@ DEFAULT_ENABLED_ROLE_PERMISSIONS = {
         'monthly_rate_limit': '',
         'monthly_rate_limit_per_user': '',
         'can_choose_office_suite': False,
+        'can_use_sso_in_multi_tenancy': False,
     },
 }
diff --git a/tests/seahub/role_permissions/test_utils.py b/tests/seahub/role_permissions/test_utils.py
index 2c21539e99..582d12e107 100644
--- a/tests/seahub/role_permissions/test_utils.py
+++ b/tests/seahub/role_permissions/test_utils.py
@@ -11,4 +11,4 @@ class UtilsTest(BaseTestCase):
         assert DEFAULT_USER in get_available_roles()
     def test_get_enabled_role_permissions_by_role(self):
-        assert len(list(get_enabled_role_permissions_by_role(DEFAULT_USER).keys())) == 25
+        assert len(list(get_enabled_role_permissions_by_role(DEFAULT_USER).keys())) == 26
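Review bot: The updated assertion in test_get_enabled_role_permissions_by_role only bumps a key count from 25 to 26, which passes for any new key and says nothing about the permission this commit introduces. Pin the value for both roles touched in role_permissions/settings.py, e.g. `assert get_enabled_role_permissions_by_role(DEFAULT_USER)['can_use_sso_in_multi_tenancy'] is True` and `assert get_enabled_role_permissions_by_role(GUEST_USER)['can_use_sso_in_multi_tenancy'] is False` (GUEST_USER would need importing in the test module if it is not already). Neither `can_use_sso_in_multi_tenancy` in organizations/utils.py nor the new denial branch in multi_adfs_sso is covered, and that branch is the enforcing check, so a test for the denied path is the most valuable addition. The UtilsTest class starts before the hunk.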