diff --git a/packages/frontend-2/middleware/requireValidSsoSession.ts b/packages/frontend-2/middleware/requireValidSsoSession.ts
new file mode 100644
index 0000000000..f0d1371c18
--- /dev/null
+++ b/packages/frontend-2/middleware/requireValidSsoSession.ts
@@ -0,0 +1,24 @@
+import { until } from '@vueuse/core'
+import { workspaceRoute, settingsWorkspaceRoutes } from '~/lib/common/helpers/route'
+import { useWorkspaceSsoStatus } from '~/lib/workspaces/composables/sso'
+
+/**
+ * Validate that a user has an active SSO session for the workspace
+ */
+export default defineNuxtRouteMiddleware(async (to) => {
+  // General settings can always bed accessed
+  if (to.name === settingsWorkspaceRoutes.general.name) {
+    return
+  }
+
+  const workspaceSlug = computed(() => to.params.slug as string)
+  if (!workspaceSlug.value) return
+
+  const { needsSsoLogin, loading } = useWorkspaceSsoStatus({ workspaceSlug })
+
+  await until(loading).toBe(false)
+
+  if (needsSsoLogin.value) {
+    return navigateTo(workspaceRoute(workspaceSlug.value))
+  }
+})
diff --git a/packages/frontend-2/nuxt.config.ts b/packages/frontend-2/nuxt.config.ts
index e2712a80a7..9c45169965 100644
--- a/packages/frontend-2/nuxt.config.ts
+++ b/packages/frontend-2/nuxt.config.ts
@@ -226,7 +226,8 @@ export default defineNuxtConfig({
         'auth',
         'settings',
         'requires-workspaces-enabled',
-        'require-valid-workspace'
+        'require-valid-workspace',
+        'require-valid-sso-session'
       ]
     },
     '/downloads': {