diff --git a/config.py b/config.py index fd3403356..fb299620c 100644 --- a/config.py +++ b/config.py @@ -279,6 +279,10 @@ class DefaultConfig(ImmutableConfig): # Feature Flag: If set to true, autocompletion will apply to partial usernames. FEATURE_PARTIAL_USER_AUTOCOMPLETE = True + # Feature Flag: If set to true, users can confirm (and modify) their initial usernames when + # logging in via OIDC or a non-database internal auth provider. + FEATURE_USERNAME_CONFIRMATION = True + # If a namespace is defined in the public namespace list, then it will appear on *all* # user's repository list pages, regardless of whether that user is a member of the namespace. # Typically, this is used by an enterprise customer in configuring a set of "well-known" diff --git a/data/model/user.py b/data/model/user.py index 099afc9e9..836ec9c20 100644 --- a/data/model/user.py +++ b/data/model/user.py @@ -456,9 +456,12 @@ def _get_login_service(service_id): def create_federated_user(username, email, service_id, service_ident, set_password_notification, metadata={}, - email_required=True, prompts=tuple()): + email_required=True, confirm_username=True, + prompts=tuple()): prompts = set(prompts) - prompts.add(UserPromptTypes.CONFIRM_USERNAME) + + if confirm_username: + prompts.add(UserPromptTypes.CONFIRM_USERNAME) new_user = create_user_noverify(username, email, email_required=email_required, prompts=prompts) new_user.verified = True diff --git a/data/users/federated.py b/data/users/federated.py index 1ce4fcd88..15ada9b78 100644 --- a/data/users/federated.py +++ b/data/users/federated.py @@ -133,6 +133,7 @@ class FederatedUsers(object): username, set_password_notification=False, email_required=self._requires_email, + confirm_username=features.USERNAME_CONFIRMATION, prompts=prompts) except model.InvalidEmailAddressException as iae: return (None, iae.message) diff --git a/endpoints/api/user.py b/endpoints/api/user.py index de5e23850..fc68019ea 100644 --- a/endpoints/api/user.py 
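Review bot: In data/model/user.py, `confirm_username` is inserted ahead of `prompts` in the `create_federated_user` signature, so a caller that passes `prompts` positionally would now bind that value to `confirm_username` and end up with an empty prompt set. Both call sites in this diff (data/users/federated.py and endpoints/oauth/login.py) use keywords, but any others are outside the diff; appending the parameter keeps the old order: `email_required=True, prompts=tuple(), confirm_username=True):`. The default of True also means a caller that omits the argument still adds CONFIRM_USERNAME when the operator has disabled the flag, so a docstring line saying that callers are expected to pass `features.USERNAME_CONFIRMATION` would help. The function body continues past the end of the hunk.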
+++ b/endpoints/api/user.py @@ -392,7 +392,8 @@ class User(ApiResource): new_username = user_data.get('username') previous_username = user.username - rename_allowed = features.USER_RENAME or confirm_username + rename_allowed = (features.USER_RENAME or + (confirm_username and features.USERNAME_CONFIRMATION)) username_changing = new_username and new_username != previous_username if rename_allowed and username_changing: diff --git a/endpoints/oauth/login.py b/endpoints/oauth/login.py index 3a0e1cc2b..642cd068b 100644 --- a/endpoints/oauth/login.py +++ b/endpoints/oauth/login.py @@ -110,6 +110,7 @@ def _conduct_oauth_login(auth_system, login_service, lid, lusername, lemail, met user_obj = model.user.create_federated_user(new_username, lemail, service_id, lid, set_password_notification=requires_password, metadata=metadata or {}, + confirm_username=features.USERNAME_CONFIRMATION, prompts=prompts, email_required=features.MAILING) diff --git a/static/directives/config/config-setup-tool.html b/static/directives/config/config-setup-tool.html index 629e3b45f..148ea14d9 100644 --- a/static/directives/config/config-setup-tool.html +++ b/static/directives/config/config-setup-tool.html @@ -1350,6 +1350,18 @@ + + Allow username confirmation: + +
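Review bot: The `rename_allowed` expression in endpoints/api/user.py is the server-side gate for the one-time rename, yet nothing in the hunk says what happens to an account that still holds a pending username prompt when `FEATURE_USERNAME_CONFIRMATION` is switched off. With both flags off, a request carrying a different `username` falls through `if rename_allowed and username_changing:`; whether it is then rejected or silently ignored, and whether the stale prompt is ever cleared, is decided outside the hunk. A comment above the assignment would record the intent, e.g. `# USER_RENAME allows renames at any time; a pending confirm-username prompt allows one only while USERNAME_CONFIRMATION is enabled.`, and a test for the flag-off case with a pending prompt would pin the behaviour. `confirm_username` is assigned before the hunk, so its meaning here is inferred from the name.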
+ Allow username confirmation +
+
+ If disabled, users logging in will be locked into the username granted by + the registry. +
+ + Team Invitations: diff --git a/util/config/configutil.py b/util/config/configutil.py index 20ddf6814..45c032a2c 100644 --- a/util/config/configutil.py +++ b/util/config/configutil.py @@ -22,6 +22,7 @@ def add_enterprise_config_defaults(config_obj, current_secret_key, hostname): config_obj['FEATURE_DIRECT_LOGIN'] = config_obj.get('FEATURE_DIRECT_LOGIN', True) config_obj['FEATURE_APP_SPECIFIC_TOKENS'] = config_obj.get('FEATURE_APP_SPECIFIC_TOKENS', True) config_obj['FEATURE_PARTIAL_USER_AUTOCOMPLETE'] = config_obj.get('FEATURE_PARTIAL_USER_AUTOCOMPLETE', True) + config_obj['FEATURE_USERNAME_CONFIRMATION'] = config_obj.get('FEATURE_USERNAME_CONFIRMATION', True) # Default features that are off. config_obj['FEATURE_MAILING'] = config_obj.get('FEATURE_MAILING', False) diff --git a/util/config/schema.py b/util/config/schema.py index db38b8872..d594d7dd2 100644 --- a/util/config/schema.py +++ b/util/config/schema.py @@ -909,6 +909,13 @@ CONFIG_SCHEMA = { 'description': 'If set to true, users can rename their own namespace. Defaults to False', 'x-example': True, }, + + # Feature Flag: Username confirmation. + 'FEATURE_USERNAME_CONFIRMATION': { + 'type': 'boolean', + 'description': 'If set to true, users can confirm their generated usernames. Defaults to True', + 'x-example': False, + }, }, }
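Review bot: The schema description for `FEATURE_USERNAME_CONFIRMATION` in util/config/schema.py says only that users can confirm their generated usernames, leaving out that confirmation lets them change the name and that it applies to OIDC and non-database internal auth logins, both of which the comment added in config.py states. Operators who map registry usernames to identity-provider accounts read this text when deciding whether to turn the flag off, so it should match: `'description': 'If set to true, users logging in via OIDC or a non-database internal auth provider can confirm (and modify) their initial username. Defaults to True',`. The same default is written in util/config/configutil.py, so the two need to be kept in step.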