diff --git a/app/controllers/omniauth_callbacks_controller.rb b/app/controllers/omniauth_callbacks_controller.rb
index 00ec7c42603..248a75a88cb 100644
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -38,7 +38,8 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
 current_user.save
 redirect_to profile_path
 else
- @user = User.find_by_provider_and_extern_uid(provider, uid)
+ @user = User.find_or_new_for_omniauth(oauth)
+ @user.save! if @user.try('new_record?')
 if @user
 sign_in_and_redirect @user
@@ -48,5 +49,4 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
 end
 end
 end
-
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index ad6af6a6dd0..b956d4ed433 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -86,6 +86,39 @@ class User < ActiveRecord::Base
 where('id NOT IN (SELECT DISTINCT(user_id) FROM users_projects)')
 end
+ def self.find_or_new_for_omniauth(oauth)
+ provider, uid = oauth['provider'], oauth['uid']
+
+ if @user = User.find_by_provider_and_extern_uid(provider, uid)
+ @user
+ else
+ if Gitlab.config.omniauth.allow_single_sign_on
+ # Ensure here that all required attributes were passed along with the
+ # oauth request:
+ %w(first_name last_name email).each do |attr|
+ unless oauth[:info][attr].present?
+ raise OmniAuth::Error,
+ "#{provider} does not provide the required field #{attr}"
+ end
+ end
+
+ password = Devise.friendly_token[0, 8].downcase
+ @user = User.new(
+ extern_uid: uid,
+ provider: provider,
+ name: "#{oauth[:info][:first_name]} #{oauth[:info][:last_name]}",
+ email: oauth[:info][:email],
+ password: password,
+ password_confirmation: password,
+ projects_limit: Gitlab.config.default_projects_limit,
+ )
+
+ @user.blocked = true if Gitlab.config.omniauth.block_auto_created_users
+ @user
+ end
+ end
+ end
+
 def self.find_for_ldap_auth(auth, signed_in_resource=nil)
 uid = auth.info.uid
 provider = auth.provider
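Review bot: A user that `find_or_new_for_omniauth` has just created with `blocked = true` goes straight on to `sign_in_and_redirect @user`, and nothing in this hunk checks the flag; unless `User` rejects blocked accounts elsewhere (for example through Devise's `active_for_authentication?`, which is not visible here), `block_auto_created_users` does not keep the new account out of a session. A guard such as `if @user && !@user.blocked` would make the check explicit at the call site. The two added lines can also raise, `OmniAuth::Error` when the provider omits a required field and `ActiveRecord::RecordInvalid` from `save!` (presumably when the e-mail already belongs to a local account), and neither is rescued in the visible lines, so the callback would likely end in an error page instead of a redirect with a message. The enclosing action starts and ends outside the hunk.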
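Review bot: `find_or_new_for_omniauth` is a class method, so `@user` in it is an instance variable on the `User` class itself and is shared by every request in the process; under a threaded server another callback could reassign it between the lookup and the return, and the method would hand back a different account. A local variable avoids that: `user = User.find_by_provider_and_extern_uid(provider, uid)` followed by `return user if user`, with `user` used for the new record as well. Separately, `Devise.friendly_token[0, 8].downcase` discards most of the token's entropy for a password the user never sees; `password = Devise.friendly_token` keeps it, provided the model's password length validation accepts the full token. The e-mail is also stored exactly as the provider reports it, so `allow_single_sign_on` should only be enabled for providers that verify addresses.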
@@ -148,4 +181,3 @@ end
 # bio :string(255)
 # blocked :boolean(1) default(FALSE), not null
 #
-
diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index 1934029d5bb..b5aae4971ed 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -53,6 +53,8 @@ git:
 omniauth:
 enabled: false
 providers:
+ allow_single_sign_on: false
+ block_auto_created_users: true
 # omniauth:
 # enabled: true
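Review bot: The two added keys decide who can obtain an account, yet the example file carries no comment next to them. Going by the model code in this commit, `allow_single_sign_on: true` creates a user for anyone the configured provider authenticates, and `block_auto_created_users` is the only setting that holds such an account back. I would add a comment above each, for example `# Create a local account on first OmniAuth login (default: false)` and `# Auto-created accounts start out blocked (default: true)`. The indentation of the added keys is not recoverable from this view, so it is worth confirming that they sit directly under `omniauth:` and not inside the `providers:` list.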