diff --git a/ee/modules/user/impluser/handler.go b/ee/modules/user/impluser/handler.go
index 9335bdba8e..6599c1e491 100644
--- a/ee/modules/user/impluser/handler.go
+++ b/ee/modules/user/impluser/handler.go
@@ -38,19 +38,21 @@ func (h *Handler) Login(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// the EE handler wrapper passes the feature flag value in context
-	ssoAvailable, ok := ctx.Value(types.SSOAvailable).(bool)
-	if !ok {
-		render.Error(w, errors.New(errors.TypeInternal, errors.CodeInternal, "failed to retrieve SSO availability"))
-		return
-	}
-
-	if ssoAvailable {
-		_, err := h.module.CanUsePassword(ctx, req.Email)
-		if err != nil {
-			render.Error(w, err)
+	if req.RefreshToken == "" {
+		// the EE handler wrapper passes the feature flag value in context
+		ssoAvailable, ok := ctx.Value(types.SSOAvailable).(bool)
+		if !ok {
+			render.Error(w, errors.New(errors.TypeInternal, errors.CodeInternal, "failed to retrieve SSO availability"))
 			return
 		}
+
+		if ssoAvailable {
+			_, err := h.module.CanUsePassword(ctx, req.Email)
+			if err != nil {
+				render.Error(w, err)
+				return
+			}
+		}
 	}
 
 	user, err := h.module.GetAuthenticatedUser(ctx, req.OrgID, req.Email, req.Password, req.RefreshToken)