diff --git a/app/controllers/api/v1/sessions_controller.rb b/app/controllers/api/v1/sessions_controller.rb
index 41eb19cbe6d249a5e6ea9d8c9cadb072f012c738..bbf1372a65fc3e5a07b976e2f87c6cd06b7950a0 100644
--- a/app/controllers/api/v1/sessions_controller.rb
+++ b/app/controllers/api/v1/sessions_controller.rb
@@ -20,6 +20,7 @@ module Api
   module V1
     class SessionsController < ApiController
       skip_before_action :ensure_authenticated, only: %i[index create]
+      before_action :ensure_unauthenticated, only: :create
 
       # GET /api/v1/sessions
       # Returns the current_user
@@ -43,7 +44,7 @@ module Api
         return render_error if user.blank?
 
         # Will return an error if the user is NOT from the current provider and if the user is NOT a super admin
-        return render_error if user.provider != current_provider && !user.super_admin?
+        return render_error status: :forbidden if !user.super_admin? && (user.provider != current_provider || external_auth?)
 
         # Password is not set (local user migrated from v2)
         if user.external_id.blank? && user.password_digest.blank?
diff --git a/app/controllers/concerns/authorizable.rb b/app/controllers/concerns/authorizable.rb
index cea926b72bafcc97168adbb15cbb75d380279ef8..4b8b404975c37a6a3f968dae027987e353a4abd0 100644
--- a/app/controllers/concerns/authorizable.rb
+++ b/app/controllers/concerns/authorizable.rb
@@ -29,6 +29,11 @@ module Authorizable
     render_error status: :unauthorized unless current_user
   end
 
+  # Ensures that the user is NOT logged in
+  def ensure_unauthenticated
+    render_error status: :unauthorized if current_user
+  end
+
   # PermissionsChecker service will return a true or false depending on whether the current_user's role has the provided permission_name
   def ensure_authorized(permission_names, user_id: nil, friendly_id: nil, record_id: nil)
     render_error status: :forbidden unless PermissionsChecker.new(
diff --git a/spec/controllers/sessions_controller_spec.rb b/spec/controllers/sessions_controller_spec.rb
index e2202d269981397f37c348a46177ecd0462bef2b..4b234930f825c49d9b475801804e4c9b0e0b4db4 100644
--- a/spec/controllers/sessions_controller_spec.rb
+++ b/spec/controllers/sessions_controller_spec.rb
@@ -54,46 +54,6 @@ RSpec.describe Api::V1::SessionsController, type: :controller do
       expect(session[:session_token]).to eq(user.session_token)
     end
 
-    it 'returns UnverifiedUser error if the user is not verified' do
-      unverified_user = create(:user, password: 'Password1!', verified: false)
-
-      post :create, params: {
-        session: {
-          email: unverified_user.email,
-          password: 'Password1!'
-        }
-      }
-
-      expect(response.parsed_body['data']).to eq(unverified_user.id)
-      expect(response.parsed_body['errors']).to eq('UnverifiedUser')
-    end
-
-    it 'returns BannedUser error if the user is banned' do
-      banned_user = create(:user, password: 'Password1!', status: :banned)
-
-      post :create, params: {
-        session: {
-          email: banned_user.email,
-          password: 'Password1!'
-        }
-      }
-
-      expect(response.parsed_body['errors']).to eq('BannedUser')
-    end
-
-    it 'returns Pending error if the user is banned' do
-      banned_user = create(:user, password: 'Password1!', status: :pending)
-
-      post :create, params: {
-        session: {
-          email: banned_user.email,
-          password: 'Password1!'
-        }
-      }
-
-      expect(response.parsed_body['errors']).to eq('PendingUser')
-    end
-
     it 'logs in with greenlight account before bn account' do
       post :create, params: { session: { email: user.email, password: 'Password1!' } }
       expect(response).to have_http_status(:ok)
@@ -107,6 +67,76 @@ RSpec.describe Api::V1::SessionsController, type: :controller do
       expect(response).to have_http_status(:ok)
       expect(session[:session_token]).to eq(super_admin.reload.session_token)
     end
+
+    context 'errors' do
+      it 'returns unauthorized if the user is already signed in' do
+        sign_in_user(user)
+
+        post :create, params: {
+          session: {
+            email: 'email@email.com',
+            password: 'Password1!',
+            extend_session: false
+          }
+        }, as: :json
+
+        expect(response).to be_unauthorized
+      end
+
+      it 'returns forbidden if the external auth is enabled' do
+        allow(controller).to receive(:external_auth?).and_return(true)
+
+        post :create, params: {
+          session: {
+            email: 'email@email.com',
+            password: 'Password1!',
+            extend_session: false
+          }
+        }, as: :json
+
+        expect(response).to be_forbidden
+      end
+
+      it 'returns UnverifiedUser error if the user is not verified' do
+        unverified_user = create(:user, password: 'Password1!', verified: false)
+
+        post :create, params: {
+          session: {
+            email: unverified_user.email,
+            password: 'Password1!'
+          }
+        }
+
+        expect(response.parsed_body['data']).to eq(unverified_user.id)
+        expect(response.parsed_body['errors']).to eq('UnverifiedUser')
+      end
+
+      it 'returns BannedUser error if the user is banned' do
+        banned_user = create(:user, password: 'Password1!', status: :banned)
+
+        post :create, params: {
+          session: {
+            email: banned_user.email,
+            password: 'Password1!'
+          }
+        }
+
+        expect(response.parsed_body['errors']).to eq('BannedUser')
+      end
+
+      it 'returns Pending error if the user is banned' do
+        banned_user = create(:user, password: 'Password1!', status: :pending)
+
+        post :create, params: {
+          session: {
+            email: banned_user.email,
+            password: 'Password1!'
+          }
+        }
+
+        expect(response.parsed_body['errors']).to eq('PendingUser')
+      end
+    end
   end
 
   describe '#destroy' do