diff --git a/sp-modules/gitea/config-paths-needed.json b/sp-modules/gitea/config-paths-needed.json
index b22677e..08ee684 100644
--- a/sp-modules/gitea/config-paths-needed.json
+++ b/sp-modules/gitea/config-paths-needed.json
@@ -11,6 +11,7 @@
 [ "selfprivacy", "passthru", "auth", "oauth2-discovery-url" ],
 [ "selfprivacy", "passthru", "auth", "oauth2-provider-name" ],
 [ "selfprivacy", "passthru", "auth", "oauth2-systemd-service" ],
+ [ "selfprivacy", "sso", "enable" ],
 [ "selfprivacy", "useBinds" ],
 [ "services", "forgejo", "group" ],
 [ "services", "forgejo", "package" ]
diff --git a/sp-modules/gitea/module.nix b/sp-modules/gitea/module.nix
index 97e0f13..b8fd07d 100644
--- a/sp-modules/gitea/module.nix
+++ b/sp-modules/gitea/module.nix
@@ -200,6 +200,13 @@ in
 config = lib.mkIf cfg.enable (lib.mkMerge [
 {
+ assertions = [
+ {
+ assertion = cfg.enableSso -> sp.sso.enable;
+ message =
+ "SSO cannot be enabled for Forgejo when SSO is disabled globally.";
+ }
+ ];
 fileSystems = lib.mkIf sp.useBinds {
 "/var/lib/gitea" = {
 device = "/volumes/${cfg.location}/gitea";
diff --git a/sp-modules/nextcloud/config-paths-needed.json b/sp-modules/nextcloud/config-paths-needed.json
index 979bf4e..cc78e0d 100644
--- a/sp-modules/nextcloud/config-paths-needed.json
+++ b/sp-modules/nextcloud/config-paths-needed.json
@@ -11,6 +11,7 @@
 [ "selfprivacy", "passthru", "auth", "oauth2-discovery-url" ],
 [ "selfprivacy", "passthru", "auth", "oauth2-provider-name" ],
 [ "selfprivacy", "passthru", "auth", "oauth2-systemd-service" ],
+ [ "selfprivacy", "sso", "enable" ],
 [ "selfprivacy", "useBinds" ],
 [ "services", "nextcloud" ],
 [ "services", "phpfpm", "pools", "nextcloud", "group" ],
diff --git a/sp-modules/nextcloud/module.nix b/sp-modules/nextcloud/module.nix
index 9110b9e..e26c3a7 100644
--- a/sp-modules/nextcloud/module.nix
+++ b/sp-modules/nextcloud/module.nix
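Review bot: The message on the new assertion in sp-modules/gitea/module.nix says what is wrong but not which settings to change, so an operator whose rebuild stops here has to look the option names up elsewhere. Naming both sides would make the failure actionable, for example `"Forgejo has enableSso set, but selfprivacy.sso.enable is false; enable global SSO or turn enableSso off for Forgejo."`. The assertions added in nextcloud/module.nix and roundcube/module.nix use the same wording and would take the same change. The `config = lib.mkIf cfg.enable (lib.mkMerge [` block continues past the end of the hunk.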
@@ -152,6 +152,13 @@ in
 # config = lib.mkIf sp.modules.nextcloud.enable
 config = lib.mkIf sp.modules.nextcloud.enable (lib.mkMerge [
 {
+ assertions = [
+ {
+ assertion = cfg.enableSso -> sp.sso.enable;
+ message =
+ "SSO cannot be enabled for Nextcloud when SSO is disabled globally.";
+ }
+ ];
 fileSystems = lib.mkIf sp.useBinds {
 "/var/lib/nextcloud" = {
 device = "/volumes/${cfg.location}/nextcloud";
diff --git a/sp-modules/roundcube/config-paths-needed.json b/sp-modules/roundcube/config-paths-needed.json
index a545298..5a893c4 100644
--- a/sp-modules/roundcube/config-paths-needed.json
+++ b/sp-modules/roundcube/config-paths-needed.json
@@ -9,5 +9,6 @@
 [ "selfprivacy", "passthru", "auth", "oauth2-provider-name" ],
 [ "selfprivacy", "passthru", "auth", "oauth2-systemd-service" ],
 [ "selfprivacy", "passthru", "mailserver", "oauth-client-id" ],
- [ "selfprivacy", "passthru", "mailserver", "oauth-client-secret-fp" ]
+ [ "selfprivacy", "passthru", "mailserver", "oauth-client-secret-fp" ],
+ [ "selfprivacy", "sso", "enable" ]
 ]
diff --git a/sp-modules/roundcube/module.nix b/sp-modules/roundcube/module.nix
index cfb5ee0..b9653dd 100644
--- a/sp-modules/roundcube/module.nix
+++ b/sp-modules/roundcube/module.nix
@@ -57,6 +57,13 @@ in
 config = lib.mkIf cfg.enable (lib.mkMerge [
 {
+ assertions = [
+ {
+ assertion = cfg.enableSso -> config.selfprivacy.sso.enable;
+ message =
+ "SSO cannot be enabled for Roundcube when SSO is disabled globally.";
+ }
+ ];
 services.roundcube = {
 enable = true;
 # this is the url of the vhost, not necessarily the same as the fqdn of
diff --git a/sp-modules/simple-nixos-mailserver/config-paths-needed.json b/sp-modules/simple-nixos-mailserver/config-paths-needed.json
index 2229673..2833470 100644
--- a/sp-modules/simple-nixos-mailserver/config-paths-needed.json
+++ b/sp-modules/simple-nixos-mailserver/config-paths-needed.json
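Review bot: In sp-modules/roundcube/module.nix the assertion reads `config.selfprivacy.sso.enable`, while the gitea and nextcloud assertions in this commit read `sp.sso.enable`. If this file binds `sp` the way those do (not visible in the hunk), `assertion = cfg.enableSso -> sp.sso.enable;` would keep the three checks identical and easier to audit together. The simple-nixos-mailserver/config.nix hunk uses the long spelling as well, although `sp` is in scope there (`sp.useBinds`, presumably the same binding). Its message also still says "Roundcube", which looks copied from this hunk and would misreport which module failed the check. The `config = lib.mkIf cfg.enable (lib.mkMerge [` block continues outside the hunk.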
@@ -15,6 +15,7 @@
 [ "selfprivacy", "passthru", "auth", "oauth2-systemd-service" ],
 [ "selfprivacy", "passthru", "roundcube", "oauth-client-id" ],
 [ "selfprivacy", "passthru", "roundcube", "oauth-client-secret-fp" ],
+ [ "selfprivacy", "sso", "enable" ],
 [ "selfprivacy", "useBinds" ],
 [ "selfprivacy", "username" ],
 [ "selfprivacy", "users" ],
diff --git a/sp-modules/simple-nixos-mailserver/config.nix b/sp-modules/simple-nixos-mailserver/config.nix
index 1d864f6..06678eb 100644
--- a/sp-modules/simple-nixos-mailserver/config.nix
+++ b/sp-modules/simple-nixos-mailserver/config.nix
@@ -71,6 +71,15 @@ let
 in
 lib.mkIf sp.modules.simple-nixos-mailserver.enable (lib.mkMerge [
 {
+ assertions = [
+ {
+ assertion =
+ config.selfprivacy.modules.simple-nixos-mailserver.enableSso
+ -> config.selfprivacy.sso.enable;
+ message =
+ "SSO cannot be enabled for Roundcube when SSO is disabled globally.";
+ }
+ ];
 fileSystems = lib.mkIf sp.useBinds {
 "/var/vmail" = {