diff --git a/backend/app/api/handlers/v1/controller.go b/backend/app/api/handlers/v1/controller.go
index a37d170..ff9fd7a 100644
--- a/backend/app/api/handlers/v1/controller.go
+++ b/backend/app/api/handlers/v1/controller.go
@@ -55,6 +55,12 @@ func WithHeaderSSOAllowedIP(headerSSOAllowedIP string) func(*V1Controller) {
 }
 }
 
+func WithHeaderSSOAutoRegister(headerSSOAutoRegister bool) func(*V1Controller) {
+return func(ctrl *V1Controller) {
+ctrl.headerSSOAutoRegister = headerSSOAutoRegister
+}
+}
+
 func WithHeaderSSOHeaderName(headerSSOHeaderName string) func(*V1Controller) {
 return func(ctrl *V1Controller) {
 ctrl.headerSSOHeaderName = headerSSOHeaderName
@@ -75,6 +81,7 @@ type V1Controller struct {
 allowRegistration bool
 headerSSOEnabled bool
 headerSSOAllowedIP string
+headerSSOAutoRegister bool
 headerSSOHeaderName string
 headerSSOHeaderEmail string
 }
diff --git a/backend/app/api/handlers/v1/v1_ctrl_auth.go b/backend/app/api/handlers/v1/v1_ctrl_auth.go
index 70458aa..fd404c4 100644
--- a/backend/app/api/handlers/v1/v1_ctrl_auth.go
+++ b/backend/app/api/handlers/v1/v1_ctrl_auth.go
@@ -115,6 +115,10 @@ func (ctrl *V1Controller) HandleSsoHeaderLogin() errchain.HandlerFunc {
 _, err := ctrl.repo.Users.GetOneEmail(r.Context(), email)
 if err != nil {
+if !ctrl.headerSSOAutoRegister {
+return validate.NewRequestError(errors.New("authentication failed. User not found but SSO autoregister is disabled"), http.StatusInternalServerError)
+}
+
 // user not found -> create it
 // if the name header does not exist then the empty string will be used as name
 var username = r.Header.Get(ctrl.headerSSOHeaderName)
diff --git a/backend/app/api/routes.go b/backend/app/api/routes.go
index b9c80a5..6af6ce2 100644
--- a/backend/app/api/routes.go
+++ b/backend/app/api/routes.go
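Review bot: `WithHeaderSSOAutoRegister` is exported but, unlike the neighbouring option constructors, carries no doc comment, and the field it sets is the one that decides whether an unknown SSO email gets an account created. Add `// WithHeaderSSOAutoRegister sets whether a header-SSO login for an email with no existing user creates that user; when false such logins are rejected.` above the function. The same applies to the `headerSSOAutoRegister` field added to `V1Controller` in the second hunk of this file, which would benefit from a one-line field comment saying the same thing.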
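Review bot: The added guard answers an authentication failure (no user for the presented email, auto-registration off) with `http.StatusInternalServerError`, which misreports a deliberate rejection as a server fault to the client and to anything monitoring 5xx rates; `return validate.NewRequestError(errors.New("authentication failed"), http.StatusUnauthorized)` (or 403, whichever the handler's other rejections use) is the status this path should carry. The guard also sits inside the generic `if err != nil` from `GetOneEmail`, so any repository error, not only a not-found result, is reported as "user not found but SSO autoregister is disabled" when the flag is off (and, as before this change, leads to user creation when it is on); if the repo exposes a not-found check, deciding on that rather than on any error would keep transient failures from being treated as an unknown user. Keeping the message generic also avoids telling the caller whether the email exists. `HandleSsoHeaderLogin` starts and ends outside the hunk.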
@@ -56,6 +56,7 @@ func (a *app) mountRoutes(r *chi.Mux, chain *errchain.ErrChain, repos *repo.AllR
 v1.WithDemoStatus(a.conf.Demo), // Disable Password Change in Demo Mode
 v1.WithHeaderSSO(a.conf.Options.HeaderSSOEnabled),
 v1.WithHeaderSSOAllowedIP(a.conf.Options.HeaderSSOAllowedIP),
+v1.WithHeaderSSOAutoRegister(a.conf.Options.HeaderSSOAutoRegister),
 v1.WithHeaderSSOHeaderEmail(a.conf.Options.HeaderSSOHeaderEmail),
 v1.WithHeaderSSOHeaderName(a.conf.Options.HeaderSSOHeaderName),
 )
diff --git a/backend/internal/sys/config/conf.go b/backend/internal/sys/config/conf.go
index 4978075..edce89c 100644
--- a/backend/internal/sys/config/conf.go
+++ b/backend/internal/sys/config/conf.go
@@ -30,6 +30,7 @@ type Options struct {
 AutoIncrementAssetID bool `yaml:"auto_increment_asset_id" conf:"default:true"`
 HeaderSSOEnabled bool `yaml:"header_sso_enabled" conf:"default:false"`
 HeaderSSOAllowedIP string `yaml:"header_sso_allowed_ip" conf:"default:0.0.0.0"`
+HeaderSSOAutoRegister bool `yaml:"header_sso_autoregister" conf:"default:true"`
 HeaderSSOHeaderName string `yaml:"header_sso_header_name" conf:"default:Remote-Name"`
 HeaderSSOHeaderEmail string `yaml:"header_sso_header_email" conf:"default:Remote-Email"`
 }
diff --git a/docs/docs/quick-start.md b/docs/docs/quick-start.md
index 7d08464..2221663 100644
--- a/docs/docs/quick-start.md
+++ b/docs/docs/quick-start.md
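Review bot: `HeaderSSOAutoRegister` is given `conf:"default:true"`, so as soon as `HeaderSSOEnabled` is switched on, any request that passes the allowed-IP check can create an account merely by presenting an unseen email header; account creation is the kind of side effect that is safer as an explicit opt-in, so `conf:"default:false"` is worth considering, and either way the chosen default should be visible to operators. The table row added in docs/docs/quick-start.md for `HBOX_OPTIONS_HEADER_SSO_AUTOREGISTER` leaves the default column empty, and the usage text added there spells the flag `--options-header-sso-autoregsiter` and repeats `--options-header-sso-allowed_ip` for the header-email and header-name lines, which cannot be right for three different options.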
@@ -49,6 +49,7 @@ volumes:
 | HBOX_OPTIONS_AUTO_INCREMENT_ASSET_ID | true | auto increments the asset_id field for new items |
 | HBOX_OPTIONS_HEADER_SSO_ENABLED | false | allow login via trusted SSO HTTP headers |
 | HBOX_OPTIONS_HEADER_SSO_ALLOWED_IP | | request IP being allowed to send trusted SSO HTTP headers |
+| HBOX_OPTIONS_HEADER_SSO_AUTOREGISTER | | automatically register unknown users |
 | HBOX_OPTIONS_HEADER_SSO_HEADER_NAME | | name of the HTTP header that contains the name when using SSO HTTP headers |
 | HBOX_OPTIONS_HEADER_SSO_HEADER_EMAIL | | name of the HTTP header that contains the email when using SSO HTTP headers |
 | HBOX_WEB_MAX_UPLOAD_SIZE | 10 | maximum file upload size supported in MB |
@@ -93,6 +94,9 @@ volumes:
 --options-auto-increment-asset-id/$HBOX_OPTIONS_AUTO_INCREMENT_ASSET_ID (default: true)
 --options-header-sso-enabled/$HBOX_OPTIONS_HEADER_SSO_ENABLED (default: false)
 --options-header-sso-allowed_ip/$HBOX_OPTIONS_HEADER_SSO_ALLOWED_IP
+--options-header-sso-autoregsiter/$HBOX_OPTIONS_HEADER_SSO_AUTOREGISTER (default: true)
+--options-header-sso-allowed_ip/$HBOX_OPTIONS_HEADER_SSO_HEADER_EMAIL (default: Remote-Email)
+--options-header-sso-allowed_ip/$HBOX_OPTIONS_HEADER_SSO_HEADER_NAME (default: Remote-Name)
 --help/-h display this help message
 ```