diff --git a/.env.example b/.env.example
index c2eb5936fe..d61960b959 100644
--- a/.env.example
+++ b/.env.example
@@ -155,4 +155,5 @@ LDAP_TIME_LIM=600
 IMPORT_TIME_LIMIT=600
 IMPORT_MEMORY_LIMIT=500M
 REPORT_TIME_LIMIT=12000
+REQUIRE_SAML=false
diff --git a/app/Http/Controllers/Auth/LoginController.php b/app/Http/Controllers/Auth/LoginController.php
index 65b11e35b9..3e256c564e 100644
--- a/app/Http/Controllers/Auth/LoginController.php
+++ b/app/Http/Controllers/Auth/LoginController.php
@@ -68,6 +68,12 @@ class LoginController extends Controller
 return redirect()->intended('/');
 }
+ //If the environment is set to ALWAYS require SAML, go straight to the SAML route.
+ //We don't need to check other settings, as this should override those.
+ if(config('app.require_saml')) {
+ return redirect()->route('saml.login');
+ }
+
 if ($this->saml->isEnabled() && Setting::getSettings()->saml_forcelogin == '1' && ! ($request->has('nosaml') || $request->session()->has('error'))) {
 return redirect()->route('saml.login');
 }
@@ -229,6 +235,11 @@ class LoginController extends Controller
 */
 public function login(Request $request)
 {
+ //If the environment is set to ALWAYS require SAML, return access denied
+ if(config('app.require_saml')) {
+ return view('errors.403');
+ }
+
 if (Setting::getSettings()->login_common_disabled == '1') {
 return view('errors.403');
 }
diff --git a/config/app.php b/config/app.php
index ab6d62004a..796fa74e7a 100755
--- a/config/app.php
+++ b/config/app.php
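Review bot: The new `require_saml` branch in the first LoginController hunk redirects to `saml.login` unconditionally, dropping the `$request->session()->has('error')` escape that the existing forcelogin condition directly below it keeps, so a SAML failure that sends the user back to this page with a session error is immediately redirected to the IdP again and the error is never displayed. Since `login()` (second hunk) already answers form posts with the 403 view when the option is set, showing the form page is not a bypass, and the guard could read `if (config('app.require_saml') && ! $request->session()->has('error')) {` so the failure is visible at least once; if rendering the form is undesirable, return an error view in that case instead. The branch also never consults `$this->saml->isEnabled()`, so with the option set and SAML not configured every visit is sent to a route that cannot complete — the config comment warns operators about this, but a short enabled check that renders a clear error would fail more safely than a redirect. Style: both new conditions are written `if(` while the surrounding code uses `if (`. The enclosing method of the first hunk starts outside the hunk.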
@@ -250,8 +250,21 @@ return [
 'enable_csp' => env('ENABLE_CSP', false),
+ /*
+ |--------------------------------------------------------------------------
+ | Require SAML Login
+ |--------------------------------------------------------------------------
+ |
+ | Disable the ability to login via form login, and disables the 'nosaml'
+ | workaround. It requires all logins to process via SAML login.
+ | (This is for high security setups. If your SAML configuration is not
+ | working, this option should be set to false. This option is not needed
+ | to successfully configure SAML authentication.)
+ |
+ */
-
+ 'require_saml' => env('REQUIRE_SAML', false),
+
 /*
 |--------------------------------------------------------------------------
diff --git a/resources/lang/en-GB/admin/settings/general.php b/resources/lang/en-GB/admin/settings/general.php
index 80497c6c64..959e82191e 100644
--- a/resources/lang/en-GB/admin/settings/general.php
+++ b/resources/lang/en-GB/admin/settings/general.php
@@ -139,7 +139,7 @@ return array(
 'saml_idp_metadata_help' => 'You can specify the IdP metadata using a URL or XML file.',
 'saml_attr_mapping_username' => 'Attribute Mapping - Username',
 'saml_attr_mapping_username_help' => 'NameID will be used if attribute mapping is unspecified or invalid.',
- 'saml_forcelogin_label' => 'SAML Force Login',
+ 'saml_forcelogin_label' => 'SAML Default Login',
 'saml_forcelogin' => 'Make SAML the primary login',
 'saml_forcelogin_help' => 'You can use \'/login?nosaml\' to get to the normal login page.',
 'saml_slo_label' => 'SAML Single Log Out',
diff --git a/resources/lang/en-ID/admin/settings/general.php b/resources/lang/en-ID/admin/settings/general.php
index 4ccf1b0fa4..9202b2fca8 100644
--- a/resources/lang/en-ID/admin/settings/general.php
+++ b/resources/lang/en-ID/admin/settings/general.php
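Review bot: The new `require_saml` block in config/app.php does not mention that the value is read through `env()` when the configuration is loaded, so on a deployment with a cached config a change to `REQUIRE_SAML` in `.env` has no effect until the cache is rebuilt — for a setting whose purpose is to disable form login that is worth stating, e.g. `| Note: if the configuration is cached, rebuild the cache after changing this.` The opening sentence also mixes singular and plural ('Disable ... and disables'); `| Disables form login and the 'nosaml' workaround; every login must go through SAML.` would replace the first two description lines.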
@@ -139,7 +139,7 @@ return array(
 'saml_idp_metadata_help' => 'You can specify the IdP metadata using a URL or XML file.',
 'saml_attr_mapping_username' => 'Attribute Mapping - Username',
 'saml_attr_mapping_username_help' => 'NameID will be used if attribute mapping is unspecified or invalid.',
- 'saml_forcelogin_label' => 'SAML Force Login',
+ 'saml_forcelogin_label' => 'SAML Default Login',
 'saml_forcelogin' => 'Make SAML the primary login',
 'saml_forcelogin_help' => 'You can use \'/login?nosaml\' to get to the normal login page.',
 'saml_slo_label' => 'SAML Single Log Out',
diff --git a/resources/lang/en/admin/settings/general.php b/resources/lang/en/admin/settings/general.php
index c402b0dfed..07a247e6ce 100644
--- a/resources/lang/en/admin/settings/general.php
+++ b/resources/lang/en/admin/settings/general.php
@@ -173,7 +173,7 @@ return [
 'saml_idp_metadata_help' => 'You can specify the IdP metadata using a URL or XML file.',
 'saml_attr_mapping_username' => 'Attribute Mapping - Username',
 'saml_attr_mapping_username_help' => 'NameID will be used if attribute mapping is unspecified or invalid.',
- 'saml_forcelogin_label' => 'SAML Force Login',
+ 'saml_forcelogin_label' => 'SAML Default Login',
 'saml_forcelogin' => 'Make SAML the primary login',
 'saml_forcelogin_help' => 'You can use \'/login?nosaml\' to get to the normal login page.',
 'saml_slo_label' => 'SAML Single Log Out',
diff --git a/resources/views/settings/saml.blade.php b/resources/views/settings/saml.blade.php
index c6b34f6c36..09990db2e9 100644
--- a/resources/views/settings/saml.blade.php
+++ b/resources/views/settings/saml.blade.php
@@ -39,7 +39,7 @@

{{ trans('admin/settings/general.saml') }} -

+