diff --git a/lib/appinfo/application.php b/lib/appinfo/application.php
index 16a87fb..c4587b1 100644
--- a/lib/appinfo/application.php
+++ b/lib/appinfo/application.php
@@ -24,6 +24,7 @@ namespace OCA\User_SAML\AppInfo;
 use OCA\User_SAML\Controller\AuthSettingsController;
 use OCA\User_SAML\Controller\SAMLController;
 use OCA\User_SAML\Controller\SettingsController;
+use OCA\User_SAML\MiddleWare\OnlyLoggedInMiddleware;
 use OCA\User_SAML\SAMLSettings;
 use OCA\User_SAML\UserBackend;
 use OCP\AppFramework\App;
@@ -76,5 +77,16 @@ class Application extends App {
 				)
 			);
 		});
+
+		/**
+		 * Middleware
+		 */
+		$container->registerService('OnlyLoggedInMiddleware', function(IAppContainer $c){
+			return new OnlyLoggedInMiddleware(
+				$c->query('ControllerMethodReflector'),
+				$c->query('ServerContainer')->getUserSession()
+			);
+		});
+		$container->registerMiddleware('OnlyLoggedInMiddleware');
 	}
 }
diff --git a/lib/controller/samlcontroller.php b/lib/controller/samlcontroller.php
index 6ebadf3..7dc59f2 100644
--- a/lib/controller/samlcontroller.php
+++ b/lib/controller/samlcontroller.php
@@ -63,6 +63,7 @@ class SAMLController extends Controller {
 	/**
 	 * @PublicPage
 	 * @UseSession
+	 * @OnlyUnauthenticatedUsers
 	 */
 	public function login() {
 		$auth = new \OneLogin_Saml2_Auth($this->SAMLSettings->getOneLoginSettingsArray());
@@ -93,6 +94,7 @@ class SAMLController extends Controller {
 	 * @PublicPage
 	 * @NoCSRFRequired
 	 * @UseSession
+	 * @OnlyUnauthenticatedUsers
 	 */
 	public function assertionConsumerService() {
 		$AuthNRequestID = $this->session->get('user_saml.AuthNRequestID');
@@ -142,7 +144,7 @@ class SAMLController extends Controller {
 	}
 
 	/**
-	 * @PublicPage
+	 * @NoAdminRequired
 	 */
 	public function singleLogoutService() {
 		$auth = new \OneLogin_Saml2_Auth($this->SAMLSettings->getOneLoginSettingsArray());
@@ -157,6 +159,7 @@ class SAMLController extends Controller {
 	/**
 	 * @PublicPage
 	 * @NoCSRFRequired
+	 * @OnlyUnauthenticatedUsers
 	 */
 	public function notProvisioned() {
 		return new Http\TemplateResponse($this->appName, 'notProvisioned', [], 'guest');
diff --git a/lib/middleware/onlyloggedinmiddleware.php b/lib/middleware/onlyloggedinmiddleware.php
new file mode 100644
index 0000000..e0a738f
--- /dev/null
+++ b/lib/middleware/onlyloggedinmiddleware.php
@@ -0,0 +1,66 @@
+<?php
+/**
+ * @copyright Copyright (c) 2016 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\User_SAML\MiddleWare;
+
+use OCP\AppFramework\Http\JSONResponse;
+use OCP\AppFramework\Http\NotFoundResponse;
+use \OCP\AppFramework\Middleware;
+use \OCP\AppFramework\Utility\IControllerMethodReflector;
+use OCP\IUserSession;
+
+/**
+ * Class OnlyLoggedInMiddleware prevents access to a controller method if the user
+ * is already logged-in.
+ *
+ * @package OCA\User_SAML\MiddleWare
+ */
+class OnlyLoggedInMiddleware extends Middleware {
+	private $reflector;
+	private $userSession;
+
+	public function __construct(IControllerMethodReflector $reflector,
+								IUserSession $userSession) {
+		$this->reflector = $reflector;
+		$this->userSession = $userSession;
+	}
+
+	/**
+	 * @param \OCP\AppFramework\Controller $controller
+	 * @param string $methodName
+	 * @throws \Exception
+	 */
+	public function beforeController($controller, $methodName){
+		if($this->reflector->hasAnnotation('OnlyUnauthenticatedUsers') && $this->userSession->isLoggedIn()) {
+			throw new \Exception('User is already logged-in');
+		}
+	}
+
+	public function afterException($controller, $methodName, \Exception $exception) {
+		if($exception->getMessage() === 'User is already logged-in') {
+			return new JSONResponse('User is already logged-in', 403);
+		}
+
+		throw $exception;
+	}
+
+
+}