diff --git a/config/routes/sulu_admin.yaml b/config/routes/sulu_admin.yaml
index d0ccf7e9b8d..0b19447d89f 100644
--- a/config/routes/sulu_admin.yaml
+++ b/config/routes/sulu_admin.yaml
@@ -113,9 +113,3 @@ sulu_audience_targeting_api:
     type: rest
     resource: "@SuluAudienceTargetingBundle/Resources/config/routing_api.yml"
     prefix: /admin/api
-
-sulu_admin_single_sign_on:
-    path: /openid
-    controller: Symfony\Bundle\FrameworkBundle\Controller\RedirectController::redirectAction
-    defaults:
-        route: sulu_admin
diff --git a/src/Sulu/Bundle/AdminBundle/Controller/AdminController.php b/src/Sulu/Bundle/AdminBundle/Controller/AdminController.php
index 44981eff2e0..987ab30e481 100644
--- a/src/Sulu/Bundle/AdminBundle/Controller/AdminController.php
+++ b/src/Sulu/Bundle/AdminBundle/Controller/AdminController.php
@@ -1,7 +1,5 @@
 <?php
 
-declare(strict_types=1);
-
 /*
  * This file is part of Sulu.
  *
@@ -252,7 +250,7 @@ public function indexAction()
             'translations' => $this->urlGenerator->generate('sulu_admin.translation'),
             'generateUrl' => $this->urlGenerator->generate('sulu_page.post_resourcelocator', ['action' => 'generate']),
             'routing' => $this->urlGenerator->generate('fos_js_routing_js'),
-            'single_sign_on' => $this->hasSingleSignOnProvider,
+            'has_single_sign_on' => $this->hasSingleSignOnProvider,
         ];
 
         try {
@@ -271,7 +269,7 @@ public function indexAction()
                 'password_info_translation_key' => $this->passwordInfoTranslationKey,
                 'sulu_version' => $this->suluVersion,
                 'app_version' => $this->appVersion,
-                'single_sign_on' => $this->hasSingleSignOnProvider,
+                'has_single_sign_on' => $this->hasSingleSignOnProvider,
             ]
         ));
     }
diff --git a/src/Sulu/Bundle/AdminBundle/Resources/js/components/Input/Input.js b/src/Sulu/Bundle/AdminBundle/Resources/js/components/Input/Input.js
index c551189d02b..d0cb09a08d0 100644
--- a/src/Sulu/Bundle/AdminBundle/Resources/js/components/Input/Input.js
+++ b/src/Sulu/Bundle/AdminBundle/Resources/js/components/Input/Input.js
@@ -14,12 +14,12 @@ const LOADER_SIZE = 20;
 export default class Input<T: ?string | ?number> extends React.PureComponent<InputProps<T>> {
     static defaultProps = {
         alignment: 'left',
+        autoFocus: false,
         collapsed: false,
         disabled: false,
         skin: 'default',
         type: 'text',
         valid: true,
-        autoFocus: false,
     };
 
     setInputRef = (ref: ?ElementRef<'input'>) => {
@@ -58,6 +58,7 @@ export default class Input<T: ?string | ?number> extends React.PureComponent<Inp
         const {
             alignment,
             autocomplete,
+            autoFocus,
             headline,
             id,
             inputClass,
@@ -87,7 +88,6 @@ export default class Input<T: ?string | ?number> extends React.PureComponent<Inp
             min,
             max,
             step,
-            autoFocus,
         } = this.props;
 
         const inputContainerClass = classNames(
@@ -146,6 +146,7 @@ export default class Input<T: ?string | ?number> extends React.PureComponent<Inp
 
                     <input
                         autoComplete={autocomplete}
+                        autoFocus={autoFocus}
                         className={inputClass}
                         disabled={disabled}
                         id={id}
@@ -161,7 +162,6 @@ export default class Input<T: ?string | ?number> extends React.PureComponent<Inp
                         ref={inputRef ? this.setInputRef : undefined}
                         step={step}
                         type={type}
-                        autoFocus={autoFocus}
                         value={value == null ? '' : value}
                     />
 
diff --git a/src/Sulu/Bundle/AdminBundle/Resources/js/components/Input/tests/Input.test.js b/src/Sulu/Bundle/AdminBundle/Resources/js/components/Input/tests/Input.test.js
index 94bf0cd3b30..a002fa18770 100644
--- a/src/Sulu/Bundle/AdminBundle/Resources/js/components/Input/tests/Input.test.js
+++ b/src/Sulu/Bundle/AdminBundle/Resources/js/components/Input/tests/Input.test.js
@@ -15,6 +15,12 @@ test('Input should render', () => {
     expect(container).toMatchSnapshot();
 });
 
+test('Input should render with autoFocus', () => {
+    const onChange = jest.fn();
+    const {container} = render(<Input autoFocus={true} onBlur={jest.fn()} onChange={onChange} value="My value" />);
+    expect(container).toMatchSnapshot();
+});
+
 test('Input should render with autocomplete off', () => {
     const onChange = jest.fn();
     const {container} = render(<Input autocomplete="off" disabled={true} onChange={onChange} value="My value" />);
diff --git a/src/Sulu/Bundle/AdminBundle/Resources/js/components/Input/tests/__snapshots__/Input.test.js.snap b/src/Sulu/Bundle/AdminBundle/Resources/js/components/Input/tests/__snapshots__/Input.test.js.snap
index e2a6b25962c..8373601ee53 100644
--- a/src/Sulu/Bundle/AdminBundle/Resources/js/components/Input/tests/__snapshots__/Input.test.js.snap
+++ b/src/Sulu/Bundle/AdminBundle/Resources/js/components/Input/tests/__snapshots__/Input.test.js.snap
@@ -168,6 +168,19 @@ exports[`Input should render with a segment counter 1`] = `
 </div>
 `;
 
+exports[`Input should render with autoFocus 1`] = `
+<div>
+  <div
+    class="input default left"
+  >
+    <input
+      type="text"
+      value="My value"
+    />
+  </div>
+</div>
+`;
+
 exports[`Input should render with autocomplete off 1`] = `
 <div>
   <div
diff --git a/src/Sulu/Bundle/AdminBundle/Resources/js/components/Input/types.js b/src/Sulu/Bundle/AdminBundle/Resources/js/components/Input/types.js
index 7d0ec21b56a..1498767e7db 100644
--- a/src/Sulu/Bundle/AdminBundle/Resources/js/components/Input/types.js
+++ b/src/Sulu/Bundle/AdminBundle/Resources/js/components/Input/types.js
@@ -4,6 +4,7 @@ import type {ElementRef} from 'react';
 export type InputProps<T: ?string | ?number> = {|
     alignment?: 'left' | 'center' | 'right',
     autocomplete?: string,
+    autoFocus?: boolean,
     collapsed?: boolean,
     disabled: boolean,
     headline?: boolean,
diff --git a/src/Sulu/Bundle/AdminBundle/Resources/js/containers/Login/Login.js b/src/Sulu/Bundle/AdminBundle/Resources/js/containers/Login/Login.js
index 157987fffbf..cf980fdee18 100644
--- a/src/Sulu/Bundle/AdminBundle/Resources/js/containers/Login/Login.js
+++ b/src/Sulu/Bundle/AdminBundle/Resources/js/containers/Login/Login.js
@@ -1,6 +1,6 @@
 // @flow
 import React from 'react';
-import {action, computed, observable} from 'mobx';
+import {action, autorun, computed, observable} from 'mobx';
 import {observer} from 'mobx-react';
 import Icon from '../../components/Icon/index';
 import {translate} from '../../utils/index';
@@ -25,11 +25,27 @@ type Props = {|
 
 @observer
 class Login extends React.Component<Props> {
+    redirectDisposer: () => void;
+
     static defaultProps = {
         backLink: '/',
         initialized: false,
     };
 
+    constructor(props: Props) {
+        super(props);
+
+        this.redirectDisposer = autorun(() => {
+            if (userStore.redirectUrl !== '') {
+                window.location.href = userStore.redirectUrl;
+            }
+        });
+    }
+
+    componentWillUnmount() {
+        this.redirectDisposer();
+    }
+
     @observable visibleForm: FormTypes = this.props.router.attributes.forgotPasswordToken ? 'reset-password' : 'login';
 
     @computed get loginFormVisible(): boolean {
@@ -70,7 +86,7 @@ class Login extends React.Component<Props> {
 
     handleLoginFormSubmit = (data: LoginFormData) => {
         userStore.login(data).then(() => {
-            if (userStore.hasJsonLogin) {
+            if (userStore.loginMethod === 'json_login') {
                 return;
             }
 
@@ -139,8 +155,9 @@ class Login extends React.Component<Props> {
                             <LoginForm
                                 error={userStore.loginError}
                                 loading={userStore.loading}
-                                hasSingleSignOn={userStore.hasSingleSignOn()}
-                                hasOnlyPassword={userStore.hasJsonLogin}
+                                mode={userStore.hasSingleSignOn() ? (
+                                    userStore.loginMethod === 'json_login' ? 'password_only' : 'username_only'
+                                ) : 'username_password'}
                                 onChangeForm={this.handleChangeToForgotPasswordForm}
                                 onSubmit={this.handleLoginFormSubmit}
                             />
diff --git a/src/Sulu/Bundle/AdminBundle/Resources/js/containers/Login/LoginForm.js b/src/Sulu/Bundle/AdminBundle/Resources/js/containers/Login/LoginForm.js
index e2c076ffc63..d7a01df3981 100644
--- a/src/Sulu/Bundle/AdminBundle/Resources/js/containers/Login/LoginForm.js
+++ b/src/Sulu/Bundle/AdminBundle/Resources/js/containers/Login/LoginForm.js
@@ -14,8 +14,7 @@ import type {LoginFormData} from './types';
 type Props = {|
     error: boolean,
     loading: boolean,
-    hasSingleSignOn: boolean,
-    hasOnlyPassword: boolean,
+    mode: string,
     onChangeForm: () => void,
     onSubmit: (data: LoginFormData) => void,
 |};
@@ -25,8 +24,7 @@ class LoginForm extends React.Component<Props> {
     static defaultProps = {
         error: false,
         loading: false,
-        hasSingleSignOn: false,
-        hasOnlyPassword: false,
+        mode: 'username_password',
     };
 
     @observable inputRef: ?ElementRef<*>;
@@ -35,7 +33,9 @@ class LoginForm extends React.Component<Props> {
     @observable password: ?string;
 
     @computed get submitButtonDisabled(): boolean {
-        return !(this.user && this.password) && !((this.user || this.password) && this.props.hasSingleSignOn);
+        return !(this.user && this.password)
+            && !((this.user || this.password)
+                && this.props.mode !== 'username_password');
     }
 
     @action setInputRef = (ref: ?ElementRef<*>) => {
@@ -59,12 +59,12 @@ class LoginForm extends React.Component<Props> {
     @action handleSubmit = (event: SyntheticEvent<HTMLFormElement>) => {
         event.preventDefault();
 
-        if (this.user && this.props.hasSingleSignOn) {
+        if (this.user && this.props.mode !== 'username_password') {
             const {onSubmit} = this.props;
 
             onSubmit({
                 username: this.user,
-                password: this.password,
+                password: this.password ?? '',
             });
 
             if (this.user && this.password) {
@@ -104,13 +104,14 @@ class LoginForm extends React.Component<Props> {
                 </Header>
                 <form className={formStyles.form} onSubmit={this.handleSubmit}>
                     <fieldset>
-                        {(!this.props.hasOnlyPassword) && (
+                        {(this.props.mode !== 'password_only') && (
                             <label className={inputFieldClass}>
                                 <div className={formStyles.labelText}>
                                     {translate('sulu_admin.username_or_email')}
                                 </div>
                                 <Input
                                     autocomplete="username"
+                                    autoFocus={this.props.mode === 'username_only'}
                                     icon="su-user"
                                     inputRef={this.setInputRef}
                                     onChange={this.handleUserChange}
@@ -119,35 +120,35 @@ class LoginForm extends React.Component<Props> {
                                 />
                             </label>
                         )}
-                        {(!this.props.hasSingleSignOn || (this.props.hasSingleSignOn && this.props.hasOnlyPassword)) && (
+                        {(this.props.mode !== 'username_only') && (
                             <label className={inputFieldClass}>
                                 <div className={formStyles.labelText}>
                                     {translate('sulu_admin.password')}
                                 </div>
                                 <Input
                                     autocomplete="current-password"
+                                    autoFocus={this.props.mode === 'password_only'}
                                     icon="su-lock"
                                     onChange={this.handlePasswordChange}
                                     type="password"
                                     valid={!this.props.error}
                                     value={this.password}
-                                    autoFocus={this.props.hasOnlyPassword}
                                 />
                             </label>
                         )}
-                            <div className={formStyles.buttons}>
-                                    <Button onClick={this.props.onChangeForm} skin="link">
-                                        {translate('sulu_admin.forgot_password')}
-                                    </Button>
-                                <Button
-                                    disabled={this.submitButtonDisabled}
-                                    loading={this.props.loading}
-                                    skin="primary"
-                                    type="submit"
-                                >
-                                    {translate('sulu_admin.login')}
-                                </Button>
-                            </div>
+                        <div className={formStyles.buttons}>
+                            <Button onClick={this.props.onChangeForm} skin="link">
+                                {translate('sulu_admin.forgot_password')}
+                            </Button>
+                            <Button
+                                disabled={this.submitButtonDisabled}
+                                loading={this.props.loading}
+                                skin="primary"
+                                type="submit"
+                            >
+                                {translate('sulu_admin.login')}
+                            </Button>
+                        </div>
                     </fieldset>
                 </form>
             </Fragment>
diff --git a/src/Sulu/Bundle/AdminBundle/Resources/js/containers/Login/tests/Login.test.js b/src/Sulu/Bundle/AdminBundle/Resources/js/containers/Login/tests/Login.test.js
index fcc0e7ec7a3..7cc0c6731b0 100644
--- a/src/Sulu/Bundle/AdminBundle/Resources/js/containers/Login/tests/Login.test.js
+++ b/src/Sulu/Bundle/AdminBundle/Resources/js/containers/Login/tests/Login.test.js
@@ -27,8 +27,9 @@ const mockUserStoreTwoFactorError = jest.fn();
 const mockUserStoreSetResetSuccess = jest.fn();
 const mockUserStoreLoading = jest.fn().mockReturnValue(false);
 const mockUserStoreForgotPasswordSuccess = jest.fn().mockReturnValue(false);
-const mockUserStoreHasJsonLogin = jest.fn().mockReturnValue(false);
-const mockUserStoreHasSingleSignOn = jest.fn().mockReturnValue(false);
+const mockUserStoreLoginMethod = jest.fn().mockReturnValue(false);
+const mockUserStoreHasSingleSignOn = jest.fn();
+const mockUserStoreRedirectUrl = jest.fn().mockReturnValue('');
 
 jest.mock('../../../stores/userStore', () => {
     return new class {
@@ -68,12 +69,16 @@ jest.mock('../../../stores/userStore', () => {
             return mockUserStoreSetResetSuccess(value);
         }
 
+        get loginMethod() {
+            return mockUserStoreLoginMethod();
+        }
+
         hasSingleSignOn() {
             return mockUserStoreHasSingleSignOn();
         }
 
-        get hasJsonLogin() {
-            return mockUserStoreHasJsonLogin();
+        redirectUrl() {
+            return mockUserStoreRedirectUrl();
         }
 
         get loading() {
@@ -260,22 +265,24 @@ test('Should not call the submit handler of the reset password view with not mat
 
 test('Should render the Login with only username/email', () => {
     const router = new Router();
-    mockUserStoreHasSingleSignOn.mockReturnValueOnce(true);
+    mockUserStoreHasSingleSignOn.mockReturnValue(true);
+    mockUserStoreLoginMethod.mockReturnValueOnce('');
 
     const loginForm = mount(
         <Login initialized={true} onLoginSuccess={jest.fn()} router={router} />
     );
 
-    expect(loginForm.render()).toMatchSnapshot()
+    expect(loginForm.render()).toMatchSnapshot();
 });
 
 test('Should render the Login with only password', () => {
     const router = new Router();
-    mockUserStoreHasJsonLogin.mockReturnValue(true);
+    mockUserStoreHasSingleSignOn.mockReturnValue(true);
+    mockUserStoreLoginMethod.mockReturnValue('json_login');
 
     const loginForm = mount(
         <Login initialized={true} onLoginSuccess={jest.fn()} router={router} />
     );
 
-    expect(loginForm.render()).toMatchSnapshot()
+    expect(loginForm.render()).toMatchSnapshot();
 });
diff --git a/src/Sulu/Bundle/AdminBundle/Resources/js/stores/userStore/userStore.js b/src/Sulu/Bundle/AdminBundle/Resources/js/stores/userStore/userStore.js
index 4cb56407d26..44b1553d50d 100644
--- a/src/Sulu/Bundle/AdminBundle/Resources/js/stores/userStore/userStore.js
+++ b/src/Sulu/Bundle/AdminBundle/Resources/js/stores/userStore/userStore.js
@@ -19,10 +19,11 @@ class UserStore {
     @observable loggedIn: boolean = false;
     @observable loading: boolean = false;
     @observable loginError: boolean = false;
-    @observable hasJsonLogin: boolean = false;
+    @observable loginMethod: string = '';
     @observable forgotPasswordSuccess: boolean = false;
     @observable twoFactorMethods: Array<string> = [];
     @observable twoFactorError: boolean = false;
+    @observable redirectUrl: string = '';
 
     @action clear() {
         this.persistentSettings = new Map();
@@ -31,10 +32,11 @@ class UserStore {
         this.user = undefined;
         this.contact = undefined;
         this.loginError = false;
-        this.hasJsonLogin = false;
+        this.loginMethod = '';
         this.forgotPasswordSuccess = false;
         this.twoFactorMethods = [];
         this.twoFactorError = false;
+        this.redirectUrl = '';
     }
 
     @computed get systemLocale() {
@@ -53,8 +55,8 @@ class UserStore {
         this.loginError = loginError;
     }
 
-    @action setHasJsonLogin(hasJsonLogin: boolean) {
-        this.hasJsonLogin = hasJsonLogin;
+    @action setLoginMethod(loginMethod: string) {
+        this.loginMethod = loginMethod;
     }
 
     @action setForgotPasswordSuccess(forgotPasswordSuccess: boolean) {
@@ -69,6 +71,10 @@ class UserStore {
         this.twoFactorError = twoFactorError;
     }
 
+    @action setRedirectUrl(redirectUrl: string) {
+        this.redirectUrl = redirectUrl;
+    }
+
     @computed get contentLocale(): string {
         const contentLocale = this.persistentSettings.get(CONTENT_LOCALE_SETTING_KEY);
 
@@ -113,13 +119,13 @@ class UserStore {
         this.setTwoFactorMethods([]);
 
         if (data.method === 'redirect' && data.url) {
-            window.location.href = data.url;
+            this.setRedirectUrl(data.url);
 
-            return
+            return;
         }
 
         if (data.method === 'json_login') {
-            this.setHasJsonLogin(true);
+            this.setLoginMethod(data.method);
             this.setLoading(false);
 
             return;
@@ -149,7 +155,7 @@ class UserStore {
             this.clear();
         }
 
-        if (this.hasJsonLogin) {
+        if (this.loginMethod === 'json_login') {
             this.clear();
         }
 
@@ -170,7 +176,7 @@ class UserStore {
                     return Promise.reject(error);
                 }
 
-                if (this.hasJsonLogin)  {
+                if (this.loginMethod === 'json_login') {
                     this.clear();
                 }
 
@@ -199,9 +205,9 @@ class UserStore {
         return Requester.post(Config.endpoints.forgotPasswordReset, data)
             .then((data) => {
                 if (data.method === 'redirect' && data.url) {
-                    window.location.href = data.url;
+                    this.setRedirectUrl(data.url);
 
-                    return
+                    return;
                 }
 
                 this.setLoading(false);
@@ -269,7 +275,7 @@ class UserStore {
     }
 
     hasSingleSignOn() {
-        return Config.endpoints.single_sign_on;
+        return Config.endpoints.has_single_sign_on;
     }
 }
 
diff --git a/src/Sulu/Bundle/AdminBundle/Resources/views/Admin/main.html.twig b/src/Sulu/Bundle/AdminBundle/Resources/views/Admin/main.html.twig
index a3dee096fe7..dae76f00500 100644
--- a/src/Sulu/Bundle/AdminBundle/Resources/views/Admin/main.html.twig
+++ b/src/Sulu/Bundle/AdminBundle/Resources/views/Admin/main.html.twig
@@ -21,7 +21,7 @@
         appVersion: app_version,
         passwordPattern: password_pattern,
         passwordInfoTranslationKey: password_info_translation_key,
-        SingleSignOn: single_sign_on
+        hasSingleSignOn: has_single_sign_on,
     } -%}
 
     {% block application -%}
diff --git a/src/Sulu/Bundle/AdminBundle/Tests/Functional/Controller/AdminControllerTest.php b/src/Sulu/Bundle/AdminBundle/Tests/Functional/Controller/AdminControllerTest.php
index 2fcfaca7917..44b8904308b 100644
--- a/src/Sulu/Bundle/AdminBundle/Tests/Functional/Controller/AdminControllerTest.php
+++ b/src/Sulu/Bundle/AdminBundle/Tests/Functional/Controller/AdminControllerTest.php
@@ -127,11 +127,13 @@ public function testTemplateConfig(): void
                 'translations' => '/admin/translations',
                 'generateUrl' => '/admin/api/resourcelocators?action=generate',
                 'routing' => '/admin/js/routing',
+                'has_single_sign_on' => false,
             ],
             'suluVersion' => '_._._',
             'appVersion' => null,
             'passwordPattern' => null,
             'passwordInfoTranslationKey' => null,
+            'hasSingleSignOn' => false,
         ], $config);
     }
 
diff --git a/src/Sulu/Bundle/SecurityBundle/DependencyInjection/SuluSecurityExtension.php b/src/Sulu/Bundle/SecurityBundle/DependencyInjection/SuluSecurityExtension.php
index 862c7363037..7ca2771459a 100644
--- a/src/Sulu/Bundle/SecurityBundle/DependencyInjection/SuluSecurityExtension.php
+++ b/src/Sulu/Bundle/SecurityBundle/DependencyInjection/SuluSecurityExtension.php
@@ -1,7 +1,5 @@
 <?php
 
-declare(strict_types=1);
-
 /*
  * This file is part of Sulu.
  *
@@ -20,9 +18,6 @@
 use Sulu\Bundle\SecurityBundle\Exception\RoleNameAlreadyExistsException;
 use Sulu\Bundle\SecurityBundle\Security\Exception\EmailNotUniqueException;
 use Sulu\Bundle\SecurityBundle\Security\Exception\UsernameNotUniqueException;
-use Sulu\Bundle\SecurityBundle\SingleSignOn\Adapter\OpenId\OpenIdSingleSignOnAdapter;
-use Sulu\Bundle\SecurityBundle\SingleSignOn\SingleSignOnAdapterFactory;
-use Sulu\Bundle\SecurityBundle\SingleSignOn\SingleSignOnAdapterFactoryInterface;
 use Sulu\Bundle\SecurityBundle\SingleSignOn\SingleSignOnAdapterInterface;
 use Sulu\Component\HttpKernel\SuluKernel;
 use Sulu\Component\Security\Authentication\RoleRepositoryInterface;
diff --git a/src/Sulu/Bundle/SecurityBundle/Resources/config/routing.yml b/src/Sulu/Bundle/SecurityBundle/Resources/config/routing.yml
index 95805fc0a21..d4a040efe4f 100644
--- a/src/Sulu/Bundle/SecurityBundle/Resources/config/routing.yml
+++ b/src/Sulu/Bundle/SecurityBundle/Resources/config/routing.yml
@@ -7,3 +7,9 @@ sulu_security.reset_password.reset:
     path: reset
     defaults:
         _controller: sulu_security.resetting_controller::resetAction
+
+sulu_security.single_sign_on:
+    path: /openid
+    controller: Symfony\Bundle\FrameworkBundle\Controller\RedirectController::redirectAction
+    defaults:
+        route: sulu_admin
diff --git a/src/Sulu/Bundle/SecurityBundle/Resources/config/services.xml b/src/Sulu/Bundle/SecurityBundle/Resources/config/services.xml
index 7e85fbb0407..ef1842d693e 100644
--- a/src/Sulu/Bundle/SecurityBundle/Resources/config/services.xml
+++ b/src/Sulu/Bundle/SecurityBundle/Resources/config/services.xml
@@ -400,6 +400,7 @@
             <argument type="service" id="sulu.repository.contact"/>
             <argument type="service" id="sulu.repository.role"/>
             <argument type="service" id="router"/>
+            <argument>%sulu_core.translations%</argument>
 
             <tag name="sulu_security.single_sign_on_factory"/>
         </service>
diff --git a/src/Sulu/Bundle/SecurityBundle/SingleSignOn/Adapter/OpenId/OpenIdSingleSignOnAdapter.php b/src/Sulu/Bundle/SecurityBundle/SingleSignOn/Adapter/OpenId/OpenIdSingleSignOnAdapter.php
index b033555fa1c..01e9c0c2430 100644
--- a/src/Sulu/Bundle/SecurityBundle/SingleSignOn/Adapter/OpenId/OpenIdSingleSignOnAdapter.php
+++ b/src/Sulu/Bundle/SecurityBundle/SingleSignOn/Adapter/OpenId/OpenIdSingleSignOnAdapter.php
@@ -1,7 +1,5 @@
 <?php
 
-declare(strict_types=1);
-
 /*
  * This file is part of Sulu.
  *
@@ -36,18 +34,22 @@ class OpenIdSingleSignOnAdapter implements SingleSignOnAdapterInterface
 {
     final public const OPEN_ID_ATTRIBUTES = '_sulu_security_open_id_attributes';
 
+    /**
+     * @param array<string> $translations
+     */
     public function __construct(
         private HttpClientInterface $httpClient,
-        private readonly UserRepositoryInterface $userRepository,
-        private readonly EntityManagerInterface $entityManager,
-        private readonly ContactRepositoryInterface $contactRepository,
-        private readonly RoleRepositoryInterface $roleRepository,
-        private readonly UrlGeneratorInterface $urlGenerator,
+        private UserRepositoryInterface $userRepository,
+        private EntityManagerInterface $entityManager,
+        private ContactRepositoryInterface $contactRepository,
+        private RoleRepositoryInterface $roleRepository,
+        private UrlGeneratorInterface $urlGenerator,
         private string $endpoint,
         private string $clientId,
         #[\SensitiveParameter]
         private string $clientSecret,
         private string $userRole,
+        private array $translations,
     ) {
     }
 
@@ -167,15 +169,15 @@ public function createOrUpdateUser(string $token): UserBadge
         $accessToken = $data['access_token'];
 
         /** @var array{
-         * sub?: string,
-         * name?: string,
-         * given_name?: string,
-         * family_name?: string,
-         * picture?: string,
-         * email?: string,
-         * email_verified?: bool,
-         * locale?: string,
-         * hd?: string,
+         *     sub?: string,
+         *     name?: string,
+         *     given_name?: string,
+         *     family_name?: string,
+         *     picture?: string,
+         *     email?: string,
+         *     email_verified?: bool,
+         *     locale?: string,
+         *     hd?: string,
          * } $attributes
          */
         $attributes = $this->httpClient->request('GET', $userinfoEndpoint, [
@@ -270,7 +272,8 @@ private function createOrUpdateAdminUser(string $email, array $attributes): void
         $contact = $user->getContact();
         $contact->setFirstName($attributes['given_name'] ?? '');
         $contact->setLastName($attributes['family_name'] ?? '');
-        $user->setLocale((isset($attributes['locale']) && 'de' === $attributes['locale']) ? 'de' : 'en');
+        $locale = (isset($attributes['locale']) && \in_array($attributes['locale'], $this->translations, true)) ? $attributes['locale'] : 'en';
+        $user->setLocale($locale);
 
         $this->entityManager->flush();
     }
diff --git a/src/Sulu/Bundle/SecurityBundle/SingleSignOn/Adapter/OpenId/OpenIdSingleSignOnAdapterFactory.php b/src/Sulu/Bundle/SecurityBundle/SingleSignOn/Adapter/OpenId/OpenIdSingleSignOnAdapterFactory.php
index 6352d3b3276..c5b83e15f1e 100644
--- a/src/Sulu/Bundle/SecurityBundle/SingleSignOn/Adapter/OpenId/OpenIdSingleSignOnAdapterFactory.php
+++ b/src/Sulu/Bundle/SecurityBundle/SingleSignOn/Adapter/OpenId/OpenIdSingleSignOnAdapterFactory.php
@@ -27,13 +27,17 @@
  */
 class OpenIdSingleSignOnAdapterFactory implements SingleSignOnAdapterFactoryInterface
 {
+    /**
+     * @param array<string> $translations
+     */
     public function __construct(
         private HttpClientInterface $httpClient,
-        private readonly UserRepositoryInterface $userRepository,
-        private readonly EntityManagerInterface $entityManager,
-        private readonly ContactRepositoryInterface $contactRepository,
-        private readonly RoleRepositoryInterface $roleRepository,
-        private readonly UrlGeneratorInterface $urlGenerator,
+        private UserRepositoryInterface $userRepository,
+        private EntityManagerInterface $entityManager,
+        private ContactRepositoryInterface $contactRepository,
+        private RoleRepositoryInterface $roleRepository,
+        private UrlGeneratorInterface $urlGenerator,
+        private array $translations
     ) {
     }
 
@@ -58,6 +62,7 @@ public function createAdapter(#[\SensitiveParameter] array $dsn, string $userRol
             $clientId,
             $clientSecret,
             $userRole,
+            $this->translations,
         );
     }
 
diff --git a/src/Sulu/Bundle/SecurityBundle/SingleSignOn/SingleSignOnAdapterProvider.php b/src/Sulu/Bundle/SecurityBundle/SingleSignOn/SingleSignOnAdapterProvider.php
index 3ec374744e0..ea92eed6e37 100644
--- a/src/Sulu/Bundle/SecurityBundle/SingleSignOn/SingleSignOnAdapterProvider.php
+++ b/src/Sulu/Bundle/SecurityBundle/SingleSignOn/SingleSignOnAdapterProvider.php
@@ -23,7 +23,7 @@
 class SingleSignOnAdapterProvider
 {
     public function __construct(
-        private readonly ContainerInterface $adapters,
+        private ContainerInterface $adapters,
     ) {
     }
 
diff --git a/src/Sulu/Bundle/SecurityBundle/SingleSignOn/SingleSignOnLoginRequestSubscriber.php b/src/Sulu/Bundle/SecurityBundle/SingleSignOn/SingleSignOnLoginRequestSubscriber.php
index c73a26d60d7..5f956584d98 100644
--- a/src/Sulu/Bundle/SecurityBundle/SingleSignOn/SingleSignOnLoginRequestSubscriber.php
+++ b/src/Sulu/Bundle/SecurityBundle/SingleSignOn/SingleSignOnLoginRequestSubscriber.php
@@ -31,9 +31,9 @@
 class SingleSignOnLoginRequestSubscriber implements EventSubscriberInterface
 {
     public function __construct(
-        private readonly SingleSignOnAdapterProvider $singleSignOnAdapterProvider,
-        private readonly UrlGeneratorInterface $urlGenerator,
-        private readonly UserRepository $userRepository,
+        private SingleSignOnAdapterProvider $singleSignOnAdapterProvider,
+        private UrlGeneratorInterface $urlGenerator,
+        private UserRepository $userRepository,
     ) {
     }
 
@@ -73,9 +73,9 @@ public function onKernelRequest(RequestEvent $event): void
 
         // Todo: Change this, userRepository should not return an error if there was no user found.
         try {
-            /** @var User $user */
+            /** @var ?User $user */
             $user = $this->userRepository->findUserByIdentifier($identifier);
-            $email = $user->getEmail() ?? $user->getUsername();
+            $email = $user ? ($user->getEmail() ?? $user->getUsername()) : $identifier;
         } catch (NoResultException $e) {
             $email = $identifier;
         }
diff --git a/src/Sulu/Bundle/SecurityBundle/SingleSignOn/SingleSignOnTokenExtractor.php b/src/Sulu/Bundle/SecurityBundle/SingleSignOn/SingleSignOnTokenExtractor.php
index bc658ae6645..97f72965623 100644
--- a/src/Sulu/Bundle/SecurityBundle/SingleSignOn/SingleSignOnTokenExtractor.php
+++ b/src/Sulu/Bundle/SecurityBundle/SingleSignOn/SingleSignOnTokenExtractor.php
@@ -1,7 +1,5 @@
 <?php
 
-declare(strict_types=1);
-
 /*
  * This file is part of Sulu.
  *
@@ -20,7 +18,7 @@
 
 final class SingleSignOnTokenExtractor implements AccessTokenExtractorInterface
 {
-    public function __construct(private readonly SingleSignOnAdapterProvider $singleSignOnAdapterProvider)
+    public function __construct(private SingleSignOnAdapterProvider $singleSignOnAdapterProvider)
     {
     }
 
diff --git a/src/Sulu/Bundle/SecurityBundle/SingleSignOn/SingleSignOnTokenHandler.php b/src/Sulu/Bundle/SecurityBundle/SingleSignOn/SingleSignOnTokenHandler.php
index d945289db8b..9e46ea842b3 100644
--- a/src/Sulu/Bundle/SecurityBundle/SingleSignOn/SingleSignOnTokenHandler.php
+++ b/src/Sulu/Bundle/SecurityBundle/SingleSignOn/SingleSignOnTokenHandler.php
@@ -1,7 +1,5 @@
 <?php
 
-declare(strict_types=1);
-
 /*
  * This file is part of Sulu.
  *
@@ -19,7 +17,7 @@
 final class SingleSignOnTokenHandler implements AccessTokenHandlerInterface
 {
     public function __construct(
-        private readonly SingleSignOnAdapterProvider $singleSignOnAdapterProvider,
+        private SingleSignOnAdapterProvider $singleSignOnAdapterProvider,
     ) {
     }
 
diff --git a/src/Sulu/Bundle/SecurityBundle/Tests/Unit/SingleSignOn/Adapter/OpenId/OpenIdSingleSignOnAdapterTest.php b/src/Sulu/Bundle/SecurityBundle/Tests/Unit/SingleSignOn/Adapter/OpenId/OpenIdSingleSignOnAdapterTest.php
new file mode 100644
index 00000000000..794eed4c229
--- /dev/null
+++ b/src/Sulu/Bundle/SecurityBundle/Tests/Unit/SingleSignOn/Adapter/OpenId/OpenIdSingleSignOnAdapterTest.php
@@ -0,0 +1,199 @@
+<?php
+
+/*
+ * This file is part of Sulu.
+ *
+ * (c) Sulu GmbH
+ *
+ * This source file is subject to the MIT license that is bundled
+ * with this source code in the file LICENSE.
+ */
+
+namespace Sulu\Bundle\SecurityBundle\Tests\Unit\SingleSignOn\Adapter\OpenId;
+
+use Doctrine\ORM\EntityManagerInterface;
+use PHPUnit\Framework\TestCase;
+use Prophecy\Argument;
+use Prophecy\PhpUnit\ProphecyTrait;
+use Prophecy\Prophecy\ObjectProphecy;
+use Sulu\Bundle\ContactBundle\Entity\Contact;
+use Sulu\Bundle\ContactBundle\Entity\ContactRepositoryInterface;
+use Sulu\Bundle\SecurityBundle\Entity\Role;
+use Sulu\Bundle\SecurityBundle\SingleSignOn\Adapter\OpenId\OpenIdSingleSignOnAdapter;
+use Sulu\Component\Security\Authentication\RoleRepositoryInterface;
+use Sulu\Component\Security\Authentication\UserRepositoryInterface;
+use Symfony\Component\HttpClient\MockHttpClient;
+use Symfony\Component\HttpClient\Response\MockResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Session\Session;
+use Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage;
+use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
+
+class OpenIdSingleSignOnAdapterTest extends TestCase
+{
+    use ProphecyTrait;
+
+    private MockHttpClient $httpClient;
+
+    /**
+     * @var ObjectProphecy<UserRepositoryInterface>
+     */
+    private $userRepository;
+
+    /**
+     * @var ObjectProphecy<EntityManagerInterface>
+     */
+    private $entityManager;
+
+    /**
+     * @var ObjectProphecy<ContactRepositoryInterface>
+     */
+    private $contactRepository;
+
+    /**
+     * @var ObjectProphecy<RoleRepositoryInterface>
+     */
+    private $roleRepository;
+
+    /**
+     * @var ObjectProphecy<UrlGeneratorInterface>
+     */
+    private $urlGenerator;
+
+    private OpenIdSingleSignOnAdapter $adapter;
+
+    protected function setUp(): void
+    {
+        $this->httpClient = new MockHttpClient();
+        $this->userRepository = $this->prophesize(UserRepositoryInterface::class);
+        $this->entityManager = $this->prophesize(EntityManagerInterface::class);
+        $this->contactRepository = $this->prophesize(ContactRepositoryInterface::class);
+        $this->roleRepository = $this->prophesize(RoleRepositoryInterface::class);
+        $this->urlGenerator = $this->prophesize(UrlGeneratorInterface::class);
+
+        $this->adapter = new OpenIdSingleSignOnAdapter(
+            $this->httpClient,
+            $this->userRepository->reveal(),
+            $this->entityManager->reveal(),
+            $this->contactRepository->reveal(),
+            $this->roleRepository->reveal(),
+            $this->urlGenerator->reveal(),
+            'https://example.com/endpoint',
+            'clientId',
+            'clientSecret',
+            'userRole',
+            ['de', 'en'],
+        );
+    }
+
+    public function testGenerateLoginUrl(): void
+    {
+        $session = new Session(new MockArraySessionStorage());
+        /** @var string $responseContent */
+        $responseContent = \json_encode([
+            'authorization_endpoint' => 'https://example.com/authorize',
+        ]);
+
+        $response = new MockResponse($responseContent, [
+            'http_code' => 200,
+            'response_headers' => ['Content-Type' => 'application/json'],
+        ]);
+
+        $this->httpClient->setResponseFactory([$response]);
+        $request = new Request();
+        $request->setSession($session);
+        $redirectUrl = 'https://example.com/redirect';
+        $domain = 'example.com';
+
+        $loginUrl = $this->adapter->generateLoginUrl($request, $redirectUrl, $domain);
+
+        $this->assertStringStartsWith('https://example.com/authorize', $loginUrl);
+
+        /** @var array{
+         *     domain: string,
+         *     state: string,
+         * } $openIdAttributes
+         */
+        $openIdAttributes = $session->get(OpenIdSingleSignOnAdapter::OPEN_ID_ATTRIBUTES);
+        $this->assertSame($domain, $openIdAttributes['domain']);
+        $this->assertIsString($openIdAttributes['state']);
+    }
+
+    public function testIsAuthorizationValid(): void
+    {
+        $isValid = $this->adapter->isAuthorizationValid(['state' => 'f20f9604-7577-4ac8-8890-9a6fbf359259'], ['state' => 'f20f9604-7577-4ac8-8890-9a6fbf359259']);
+        $isNotValid = $this->adapter->isAuthorizationValid(['state' => 'f20f9604-7577-4ac8-8890-9a6fbf359259'], ['state' => '123-7577-4ac8-8890-9a6fbf359259']);
+        $isNotSet = $this->adapter->isAuthorizationValid([], ['state' => '123-7577-4ac8-8890-9a6fbf359259']);
+
+        $this->assertTrue($isValid);
+        $this->assertFalse($isNotValid);
+        $this->assertFalse($isNotSet);
+    }
+
+    public function testCreateOrUpdateUser(): void
+    {
+        $token = 'mock_token';
+        $expectedRequests = [
+            function($method, $url, $options): MockResponse {
+                $this->assertSame('GET', $method);
+                $this->assertSame('https://example.com/endpoint', $url);
+
+                /** @var string $response */
+                $response = \json_encode([
+                    'token_endpoint' => 'https://token_endpoint.com',
+                    'userinfo_endpoint' => 'https://userinfo_endpoint.com',
+                ]);
+
+                return new MockResponse($response);
+            },
+
+            function($method, $url, $options): MockResponse {
+                $this->assertSame('POST', $method);
+                $this->assertSame('https://token_endpoint.com/', $url);
+
+                /** @var string $response */
+                $response = \json_encode([
+                    'access_token' => 'ya29.a0Ad52N38l9acjoNc975Apn4W4H8DK_TtX_S',
+                ]);
+
+                return new MockResponse($response);
+            },
+
+            function($method, $url, $options): MockResponse {
+                $this->assertSame('GET', $method);
+                $this->assertSame('https://userinfo_endpoint.com/', $url);
+
+                /** @var string $response */
+                $response = \json_encode([
+                    'email' => 'hello@sulu.io',
+                ]);
+
+                return new MockResponse($response);
+            },
+        ];
+
+        $this->httpClient->setResponseFactory($expectedRequests);
+
+        $this->urlGenerator->generate('sulu_admin', [], UrlGeneratorInterface::ABSOLUTE_URL)
+            ->shouldBeCalled()
+            ->willReturn('https://sulu.io/admin');
+
+        $this->userRepository->findOneBy(Argument::any())->willReturn(null);
+        $this->contactRepository->createNew()->willReturn($this->prophesize(Contact::class)->reveal());
+        $this->entityManager->persist(Argument::any())->shouldBeCalled();
+        $role = $this->prophesize(Role::class);
+        $role->getAnonymous()->shouldBeCalled()->willReturn(false);
+        $role->getIdentifier()->willReturn('hello@sulu.io');
+        $this->roleRepository->findOneBy(Argument::any())
+            ->shouldBeCalled()
+            ->willReturn($role->reveal());
+        $this->entityManager->flush()->shouldBeCalled();
+
+        $expectedUserBadge = new UserBadge('hello@sulu.io', null, ['email' => 'hello@sulu.io']);
+
+        $result = $this->adapter->createOrUpdateUser($token);
+
+        $this->assertEquals($expectedUserBadge, $result);
+    }
+}
diff --git a/src/Sulu/Bundle/SecurityBundle/Tests/Unit/SingleSignOn/SingleSignOnLoginRequestSubscriberTest.php b/src/Sulu/Bundle/SecurityBundle/Tests/Unit/SingleSignOn/SingleSignOnLoginRequestSubscriberTest.php
new file mode 100644
index 00000000000..52c200d9be4
--- /dev/null
+++ b/src/Sulu/Bundle/SecurityBundle/Tests/Unit/SingleSignOn/SingleSignOnLoginRequestSubscriberTest.php
@@ -0,0 +1,300 @@
+<?php
+
+/*
+ * This file is part of Sulu.
+ *
+ * (c) Sulu GmbH
+ *
+ * This source file is subject to the MIT license that is bundled
+ * with this source code in the file LICENSE.
+ */
+
+namespace Sulu\Bundle\SecurityBundle\Tests\Unit\SingleSignOn\Adapter\OpenId;
+
+use PHPUnit\Framework\TestCase;
+use Prophecy\PhpUnit\ProphecyTrait;
+use Prophecy\Prophecy\ObjectProphecy;
+use Sulu\Bundle\SecurityBundle\Entity\User;
+use Sulu\Bundle\SecurityBundle\Entity\UserRepository;
+use Sulu\Bundle\SecurityBundle\SingleSignOn\Adapter\OpenId\OpenIdSingleSignOnAdapter;
+use Sulu\Bundle\SecurityBundle\SingleSignOn\SingleSignOnAdapterProvider;
+use Sulu\Bundle\SecurityBundle\SingleSignOn\SingleSignOnLoginRequestSubscriber;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Event\RequestEvent;
+use Symfony\Component\HttpKernel\HttpKernelInterface;
+use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
+
+class SingleSignOnLoginRequestSubscriberTest extends TestCase
+{
+    use ProphecyTrait;
+
+    /**
+     * @var ObjectProphecy<SingleSignOnAdapterProvider>
+     */
+    private $singleSignOnAdapterProvider;
+
+    /**
+     * @var ObjectProphecy<UrlGeneratorInterface>
+     */
+    private $urlGenerator;
+
+    /**
+     * @var ObjectProphecy<UserRepository>
+     */
+    private $userRepository;
+
+    private SingleSignOnLoginRequestSubscriber $subscriber;
+
+    protected function setUp(): void
+    {
+        $this->singleSignOnAdapterProvider = $this->prophesize(SingleSignOnAdapterProvider::class);
+        $this->urlGenerator = $this->prophesize(UrlGeneratorInterface::class);
+        $this->userRepository = $this->prophesize(UserRepository::class);
+
+        $this->subscriber = new SingleSignOnLoginRequestSubscriber(
+            $this->singleSignOnAdapterProvider->reveal(),
+            $this->urlGenerator->reveal(),
+            $this->userRepository->reveal(),
+        );
+    }
+
+    public function testGetSubscribedEvents(): void
+    {
+        $this->assertSame([
+            RequestEvent::class => [
+                ['onKernelRequest', 9],
+            ],
+        ], SingleSignOnLoginRequestSubscriber::getSubscribedEvents());
+    }
+
+    public function testOnKernelRequestNotMainRequest(): void
+    {
+        $request = Request::create('/admin/login', Request::METHOD_POST);
+        $request->attributes->set('_route', 'sulu_admin.login_check');
+        $event = $this->createRequestEvent($request, HttpKernelInterface::SUB_REQUEST);
+
+        $this->subscriber->onKernelRequest($event);
+
+        $this->assertNull($event->getResponse());
+    }
+
+    public function testOnKernelRequestNotPost(): void
+    {
+        $request = Request::create('/admin/login');
+        $event = $this->createRequestEvent($request);
+        $request->attributes->set('_route', 'sulu_admin.login_check');
+
+        $this->subscriber->onKernelRequest($event);
+
+        $this->assertNull($event->getResponse());
+    }
+
+    public function testOnKernelRequestNotLoginRoute(): void
+    {
+        $request = Request::create('/admin/login');
+        $event = $this->createRequestEvent($request);
+        $request->attributes->set('_route', 'sulu_admin.WRONG_NAME');
+
+        $this->subscriber->onKernelRequest($event);
+
+        $this->assertNull($event->getResponse());
+    }
+
+    public function testOnKernelRequestNoIdentifier(): void
+    {
+        $request = Request::create('/admin/login', Request::METHOD_POST);
+        $event = $this->createRequestEvent($request);
+        $request->attributes->set('_route', 'sulu_admin.login_check');
+
+        $this->subscriber->onKernelRequest($event);
+
+        $this->assertNull($event->getResponse());
+    }
+
+    public function testOnKernelRequestWrongIdentifierAndNoUser(): void
+    {
+        $request = Request::create('/admin/login', Request::METHOD_POST);
+        $request->attributes->set('_route', 'sulu_admin.login_check');
+        $request->request->set('username', 'martin');
+        $event = $this->createRequestEvent($request);
+
+        $this->subscriber->onKernelRequest($event);
+
+        $this->assertSame('{"method":"json_login"}', $event->getResponse()?->getContent());
+    }
+
+    public function testOnKernelRequestUserNameAndPassword(): void
+    {
+        $request = Request::create('/admin/login', Request::METHOD_POST);
+        $request->attributes->set('_route', 'sulu_admin.login_check');
+        $request->request->set('username', 'martin');
+        $request->request->set('password', '123');
+        $event = $this->createRequestEvent($request);
+
+        $this->subscriber->onKernelRequest($event);
+
+        $this->assertNull($event->getResponse());
+    }
+
+    public function testOnKernelRequestResetPasswordUser(): void
+    {
+        $request = Request::create('/admin/login', Request::METHOD_POST);
+        $request->attributes->set('_route', 'sulu_security.reset_password.email');
+        $request->request->set('username', 'martin');
+        $event = $this->createRequestEvent($request);
+
+        $this->subscriber->onKernelRequest($event);
+
+        $this->assertNull($event->getResponse());
+    }
+
+    public function testOnKernelRequestResetPasswordEmail(): void
+    {
+        $request = Request::create('/admin/login', Request::METHOD_POST);
+        $request->attributes->set('_route', 'sulu_security.reset_password.email');
+        $request->request->set('username', 'hello@sulu.io');
+        $event = $this->createRequestEvent($request);
+
+        $this->subscriber->onKernelRequest($event);
+
+        $this->assertSame('{"method":"json_login"}', $event->getResponse()?->getContent());
+    }
+
+    public function testOnKernelRequestResetPasswordExistingUser(): void
+    {
+        $request = Request::create('/admin/login', Request::METHOD_POST);
+        $request->attributes->set('_route', 'sulu_security.reset_password.email');
+        $request->request->set('username', 'admin');
+        $event = $this->createRequestEvent($request);
+        $user = new User();
+        $user->setEmail('admin@sulu.io');
+
+        $this->subscriber->onKernelRequest($event);
+
+        $this->assertNull($event->getResponse());
+    }
+
+    public function testOnKernelRequestExistingUser(): void
+    {
+        $request = Request::create('/admin/login', Request::METHOD_POST);
+        $request->attributes->set('_route', 'sulu_security.reset_password.email');
+        $request->request->set('username', 'admin');
+        $event = $this->createRequestEvent($request);
+        $user = new User();
+        $user->setEmail('admin@sulu.io');
+        $this->userRepository->findUserByIdentifier('admin')->willReturn($user);
+
+        $this->subscriber->onKernelRequest($event);
+
+        $this->assertSame('{"method":"json_login"}', $event->getResponse()?->getContent());
+    }
+
+    public function testOnKernelRequestExistingUserAndPassword(): void
+    {
+        $request = Request::create('/admin/login', Request::METHOD_POST);
+        $request->attributes->set('_route', 'sulu_security.reset_password.email');
+        $request->request->set('username', 'admin');
+        $request->request->set('password', 'admin');
+        $event = $this->createRequestEvent($request);
+        $user = new User();
+        $user->setEmail('admin@sulu.io');
+        $this->userRepository->findUserByIdentifier('admin')->willReturn($user);
+
+        $this->subscriber->onKernelRequest($event);
+
+        $this->assertNull($event->getResponse());
+    }
+
+    public function testOnKernelRequestSSIOEmail(): void
+    {
+        $redirectUrl = 'https://example.com/authorize';
+        $request = Request::create('/admin/login', Request::METHOD_POST);
+        $request->attributes->set('_route', 'sulu_admin.login_check');
+        $request->request->set('username', 'martin@sulu.io');
+        $event = $this->createRequestEvent($request);
+        $openIdAdapter = $this->prophesize(OpenIdSingleSignOnAdapter::class);
+        $this->urlGenerator->generate('sulu_admin', [], UrlGeneratorInterface::ABSOLUTE_URL)
+            ->shouldBeCalled()
+            ->willReturn('/admin');
+        $this->singleSignOnAdapterProvider->getAdapterByDomain('sulu.io')->willReturn($openIdAdapter->reveal());
+        $openIdAdapter->generateLoginUrl($request, '/admin', 'sulu.io')->willReturn($redirectUrl);
+
+        $this->subscriber->onKernelRequest($event);
+
+        $this->assertSame('{"method":"redirect","url":' . \json_encode($redirectUrl) . '}', $event->getResponse()?->getContent());
+    }
+
+    public function testOnKernelRequestSSIOEmailPasswordReset(): void
+    {
+        $redirectUrl = 'https://example.com/authorize';
+        $request = Request::create('/admin/login', Request::METHOD_POST);
+        $request->attributes->set('_route', 'sulu_security.reset_password.email');
+        $request->request->set('username', 'martin@sulu.io');
+        $event = $this->createRequestEvent($request);
+        $openIdAdapter = $this->prophesize(OpenIdSingleSignOnAdapter::class);
+        $this->urlGenerator->generate('sulu_admin', [], UrlGeneratorInterface::ABSOLUTE_URL)
+            ->shouldBeCalled()
+            ->willReturn('/admin');
+        $this->singleSignOnAdapterProvider->getAdapterByDomain('sulu.io')->willReturn($openIdAdapter->reveal());
+        $openIdAdapter->generateLoginUrl($request, '/admin', 'sulu.io')->willReturn($redirectUrl);
+
+        $this->subscriber->onKernelRequest($event);
+
+        $this->assertSame('{"method":"redirect","url":' . \json_encode($redirectUrl) . '}', $event->getResponse()?->getContent());
+    }
+
+    public function testOnKernelRequestExistingSSIOUser(): void
+    {
+        $redirectUrl = 'https://example.com/authorize';
+        $request = Request::create('/admin/login', Request::METHOD_POST);
+        $request->attributes->set('_route', 'sulu_admin.login_check');
+        $request->request->set('username', 'admin');
+        $event = $this->createRequestEvent($request);
+        $openIdAdapter = $this->prophesize(OpenIdSingleSignOnAdapter::class);
+        $this->urlGenerator->generate('sulu_admin', [], UrlGeneratorInterface::ABSOLUTE_URL)
+            ->shouldBeCalled()
+            ->willReturn('/admin');
+        $this->singleSignOnAdapterProvider->getAdapterByDomain('sulu.io')->willReturn($openIdAdapter->reveal());
+        $openIdAdapter->generateLoginUrl($request, '/admin', 'sulu.io')->willReturn($redirectUrl);
+        $user = new User();
+        $user->setEmail('admin@sulu.io');
+        $this->userRepository->findUserByIdentifier('admin')->willReturn($user);
+
+        $this->subscriber->onKernelRequest($event);
+
+        $this->assertSame('{"method":"redirect","url":' . \json_encode($redirectUrl) . '}', $event->getResponse()?->getContent());
+    }
+
+    public function testOnKernelRequestExistingSSIOUserResetPassword(): void
+    {
+        $redirectUrl = 'https://example.com/authorize';
+        $request = Request::create('/admin/login', Request::METHOD_POST);
+        $request->attributes->set('_route', 'sulu_security.reset_password.email');
+        $request->request->set('username', 'admin');
+        $event = $this->createRequestEvent($request);
+        $openIdAdapter = $this->prophesize(OpenIdSingleSignOnAdapter::class);
+        $this->urlGenerator->generate('sulu_admin', [], UrlGeneratorInterface::ABSOLUTE_URL)
+            ->shouldBeCalled()
+            ->willReturn('/admin');
+        $this->singleSignOnAdapterProvider->getAdapterByDomain('sulu.io')->willReturn($openIdAdapter->reveal());
+        $openIdAdapter->generateLoginUrl($request, '/admin', 'sulu.io')->willReturn($redirectUrl);
+        $user = new User();
+        $user->setEmail('admin@sulu.io');
+        $this->userRepository->findUserByIdentifier('admin')->willReturn($user);
+
+        $this->subscriber->onKernelRequest($event);
+
+        $this->assertSame('{"method":"redirect","url":' . \json_encode($redirectUrl) . '}', $event->getResponse()?->getContent());
+    }
+
+    private function createRequestEvent(Request $request, ?int $requestType = HttpKernelInterface::MAIN_REQUEST): RequestEvent
+    {
+        $httpKernel = $this->prophesize(HttpKernelInterface::class);
+
+        return new RequestEvent(
+            $httpKernel->reveal(),
+            $request,
+            $requestType,
+        );
+    }
+}
diff --git a/src/Sulu/Bundle/SecurityBundle/Tests/Unit/SingleSignOn/SingleSignOnTokeExtractorTest.php b/src/Sulu/Bundle/SecurityBundle/Tests/Unit/SingleSignOn/SingleSignOnTokeExtractorTest.php
new file mode 100644
index 00000000000..11f39f15e4c
--- /dev/null
+++ b/src/Sulu/Bundle/SecurityBundle/Tests/Unit/SingleSignOn/SingleSignOnTokeExtractorTest.php
@@ -0,0 +1,66 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of Sulu.
+ *
+ * (c) Sulu GmbH
+ *
+ * This source file is subject to the MIT license that is bundled
+ * with this source code in the file LICENSE.
+ */
+
+namespace Sulu\Bundle\SecurityBundle\Tests\Unit\SingleSignOn\Adapter\OpenId;
+
+use PHPUnit\Framework\TestCase;
+use Prophecy\Argument;
+use Prophecy\PhpUnit\ProphecyTrait;
+use Prophecy\Prophecy\ObjectProphecy;
+use Sulu\Bundle\SecurityBundle\SingleSignOn\Adapter\OpenId\OpenIdSingleSignOnAdapter;
+use Sulu\Bundle\SecurityBundle\SingleSignOn\SingleSignOnAdapterProvider;
+use Sulu\Bundle\SecurityBundle\SingleSignOn\SingleSignOnTokenExtractor;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Session\Session;
+use Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage;
+
+class SingleSignOnTokeExtractorTest extends TestCase
+{
+    use ProphecyTrait;
+
+    /**
+     * @var ObjectProphecy<SingleSignOnAdapterProvider>
+     */
+    private $singleSignOnAdapterProvider;
+
+    private SingleSignOnTokenExtractor $tokenExtractor;
+
+    protected function setUp(): void
+    {
+        $this->singleSignOnAdapterProvider = $this->prophesize(SingleSignOnAdapterProvider::class);
+
+        $this->tokenExtractor = new SingleSignOnTokenExtractor(
+            $this->singleSignOnAdapterProvider->reveal(),
+        );
+    }
+
+    public function testOnKernelRequestExistingSSIOUser(): void
+    {
+        $request = Request::create('/admin', Request::METHOD_GET);
+        $session = new Session(new MockArraySessionStorage());
+        $session->set(OpenIdSingleSignOnAdapter::OPEN_ID_ATTRIBUTES, [
+            'state' => '3cc05262-d86b-4b93-9456-5594ae8f3ed0',
+            'domain' => 'sulu.io',
+        ]);
+        $request->setSession($session);
+        $request->attributes->set('_route', 'sulu_admin');
+        $request->query->set('code', '4/0AeaYSHCvSWVukKJ-rueX8WyKj-ycUM');
+        $request->query->set('state', '3cc05262-d86b-4b93-9456-5594ae8f3ed0');
+        $adapter = $this->prophesize(OpenIdSingleSignOnAdapter::class);
+        $adapter->isAuthorizationValid(Argument::any(), Argument::any())->willReturn(true);
+        $this->singleSignOnAdapterProvider->getAdapterByDomain('sulu.io')->willReturn($adapter->reveal());
+
+        $accessToken = $this->tokenExtractor->extractAccessToken($request);
+        $this->assertSame('sulu.io::4/0AeaYSHCvSWVukKJ-rueX8WyKj-ycUM', $accessToken);
+    }
+}
diff --git a/src/Sulu/Component/DocumentManager/Tests/Unit/Metadata/BaseMetadataFactoryTest.php b/src/Sulu/Component/DocumentManager/Tests/Unit/Metadata/BaseMetadataFactoryTest.php
index d489118ffe3..110a99ce86b 100644
--- a/src/Sulu/Component/DocumentManager/Tests/Unit/Metadata/BaseMetadataFactoryTest.php
+++ b/src/Sulu/Component/DocumentManager/Tests/Unit/Metadata/BaseMetadataFactoryTest.php
@@ -163,6 +163,6 @@ public function testAllMetadata(): void
         $this->assertCount(2, $metadatas);
         $this->assertContainsOnlyInstancesOf(Metadata::class, $metadatas);
         $metadata = \reset($metadatas);
-        $this->assertEquals('Class\Page', $metadata ? $metadata->getClass() : null);
+        $this->assertEquals('Class\Page', $metadata->getClass());
     }
 }