diff --git a/docker/start.sh b/docker/start.sh
index 1f50883d..4fac4514 100755
--- a/docker/start.sh
+++ b/docker/start.sh
@@ -26,11 +26,4 @@ elif [ -d /etc/bitwarden_rs.d ]; then
     done
 fi
 
-# Toggle the SSO Link
-if [ "$SSO_ENABLED" = "true" ]; then
-    sed -i 's#a\[routerlink="/sso"\]#a\[routerlink="/sso-sed"\]#' /web-vault/app/main.*.css
-else
-    sed -i 's#a\[routerlink="/sso-sed"\]#a\[routerlink="/sso"\]#' /web-vault/app/main.*.css
-fi
-
 exec /vaultwarden "${@}"
diff --git a/playwright/tests/sso_login.spec.ts b/playwright/tests/sso_login.spec.ts
index b7d10253..efbe8c68 100644
--- a/playwright/tests/sso_login.spec.ts
+++ b/playwright/tests/sso_login.spec.ts
@@ -38,8 +38,7 @@ test('Non SSO login', async ({ page }) => {
     await expect(page).toHaveTitle(/Vaultwarden Web/);
 });
 
-
-test('Non SSO login Failure', async ({ page, browser }, testInfo: TestInfo) => {
+test('Non SSO login impossible', async ({ page, browser }, testInfo: TestInfo) => {
     await utils.restartVaultwarden(page, testInfo, {
         SSO_ENABLED: true,
         SSO_ONLY: true
diff --git a/src/api/web.rs b/src/api/web.rs
index edbffbbd..5ce3ae82 100644
--- a/src/api/web.rs
+++ b/src/api/web.rs
@@ -54,12 +54,14 @@ fn not_found() -> ApiResult<Html<String>> {
 #[get("/css/vaultwarden.css")]
 fn vaultwarden_css() -> Cached<Css<String>> {
     let css_options = json!({
-        "signup_disabled": !CONFIG.signups_allowed() && CONFIG.signups_domains_whitelist().is_empty(),
-        "mail_enabled": CONFIG.mail_enabled(),
-        "yubico_enabled": CONFIG._enable_yubico() && (CONFIG.yubico_client_id().is_some() == CONFIG.yubico_secret_key().is_some()),
         "emergency_access_allowed": CONFIG.emergency_access_allowed(),
-        "sends_allowed": CONFIG.sends_allowed(),
         "load_user_scss": true,
+        "mail_enabled": CONFIG.mail_enabled(),
+        "sends_allowed": CONFIG.sends_allowed(),
+        "signup_disabled": !CONFIG.signups_allowed() && CONFIG.signups_domains_whitelist().is_empty(),
+        "sso_disabled": !CONFIG.sso_enabled(),
+        "sso_only": CONFIG.sso_enabled() && CONFIG.sso_only(),
+        "yubico_enabled": CONFIG._enable_yubico() && (CONFIG.yubico_client_id().is_some() == CONFIG.yubico_secret_key().is_some()),
     });
 
     let scss = match CONFIG.render_template("scss/vaultwarden.scss", &css_options) {
diff --git a/src/static/templates/scss/vaultwarden.scss.hbs b/src/static/templates/scss/vaultwarden.scss.hbs
index 42c4d8dc..0ea820e9 100644
--- a/src/static/templates/scss/vaultwarden.scss.hbs
+++ b/src/static/templates/scss/vaultwarden.scss.hbs
@@ -20,11 +20,6 @@ a[href$="/settings/sponsored-families"] {
   @extend %vw-hide;
 }
 
-/* Hide the `Enterprise Single Sign-On` button on the login page */
-a[routerlink="/sso"] {
-  @extend %vw-hide;
-}
-
 /* Hide Two-Factor menu in Organization settings */
 bit-nav-item[route="settings/two-factor"],
 a[href$="/settings/two-factor"] {
@@ -100,6 +95,20 @@ app-login form div + div + div + div + hr + p {
 }
 {{/if}}
 
+{{#if sso_only}}
+/* Hide Master password login */
+.master-password-login {
+  @extend %vw-hide;
+}
+{{/if}}
+
+{{#if sso_disabled}}
+/* Hide the `Enterprise Single Sign-On` button on the login page */
+a[routerlink="/sso"] {
+  @extend %vw-hide;
+}
+{{/if}}
+
 {{#unless mail_enabled}}
 /* Hide `Email` 2FA if mail is not enabled */
 app-two-factor-setup ul.list-group.list-group-2fa li.list-group-item:nth-child(1) {