diff --git a/app/models/sso_provider.rb b/app/models/sso_provider.rb
index 5b38d182b..f9f2ef7c4 100644
--- a/app/models/sso_provider.rb
+++ b/app/models/sso_provider.rb
@@ -23,6 +23,12 @@ class SsoProvider < ApplicationRecord
 }
 validates :label, presence: true
 validates :enabled, inclusion: { in: [ true, false ] }
+ validates :icon, format: {
+ with: /\A\S+\z/,
+ message: "cannot be blank or contain only whitespace"
+ }, allow_nil: true
+
+ before_validation :normalize_icon
 # Strategy-specific validations
 validate :validate_oidc_fields, if: -> { strategy == "openid_connect" }
@@ -44,7 +50,7 @@ class SsoProvider < ApplicationRecord
 strategy: strategy,
 name: name,
 label: label,
- icon: icon,
+ icon: icon.present? && icon.strip.present? ? icon.strip : nil,
 issuer: issuer,
 client_id: client_id,
 client_secret: client_secret,
@@ -54,6 +60,10 @@ class SsoProvider < ApplicationRecord
 end
 private
+ def normalize_icon
+ self.icon = icon.to_s.strip.presence
+ end
+
 def validate_oidc_fields
 if issuer.blank?
 errors.add(:issuer, "is required for OpenID Connect providers")
diff --git a/app/views/settings/securities/show.html.erb b/app/views/settings/securities/show.html.erb
index f0cfb56bb..b7866c225 100644
--- a/app/views/settings/securities/show.html.erb
+++ b/app/views/settings/securities/show.html.erb
@@ -53,7 +53,8 @@
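Review bot: The `validates :icon` format check in the first hunk of app/models/sso_provider.rb can only fail for an icon with whitespace in the middle, because `normalize_icon` has already stripped the value and turned blank input into nil, so the message "cannot be blank or contain only whitespace" describes a case that never reaches it; `message: "must not contain whitespace"` would match what `/\A\S+\z/` actually rejects. `\S+` also accepts every other character (slashes, dots, angle brackets, quotes). If the icon is meant to be a plain icon name that a view passes to an icon helper, which is not visible in this hunk, an allowlist such as `with: /\A[a-z0-9_-]+\z/i` would be a tighter contract for a value that ends up in rendered markup. The class body starts and ends outside the hunk.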
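Review bot: The new `icon:` entry in the config hash (second hunk of app/models/sso_provider.rb, presumably inside `to_omniauth_config`) repeats the normalization that `normalize_icon` performs and tests blankness twice, since `icon.present?` is already false for a whitespace-only string. `icon: icon.to_s.strip.presence,` yields the same value for nil, empty, padded and whitespace-only input and keeps the two places in agreement. If the second normalization is there for rows saved before the callback existed, a one-line comment saying so, e.g. `# rows saved before normalize_icon may still hold padded values`, would stop a later cleanup from removing it. The hash literal and its method start outside the hunk.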
<%= identity.provider_config&.dig(:label) || identity.provider.titleize %>
diff --git a/test/models/sso_provider_test.rb b/test/models/sso_provider_test.rb
index 86021c397..d9b699ff3 100644
--- a/test/models/sso_provider_test.rb
+++ b/test/models/sso_provider_test.rb
@@ -232,6 +232,38 @@ class SsoProviderTest < ActiveSupport::TestCase
 assert_equal 1, oidc_providers.count
 end
+
+
+ test "normalizes icon by stripping whitespace before validation" do
+ provider = SsoProvider.new(
+ strategy: "openid_connect",
+ name: "icon_normalized",
+ label: "Icon Normalized",
+ icon: " key ",
+ issuer: "https://test.example.com",
+ client_id: "test_client",
+ client_secret: "test_secret"
+ )
+
+ assert provider.valid?
+ assert_equal "key", provider.icon
+ end
+
+ test "normalizes whitespace-only icon to nil" do
+ provider = SsoProvider.new(
+ strategy: "openid_connect",
+ name: "icon_nil",
+ label: "Icon Nil",
+ icon: " ",
+ issuer: "https://test.example.com",
+ client_id: "test_client",
+ client_secret: "test_secret"
+ )
+
+ assert provider.valid?
+ assert_nil provider.icon
+ end
+
 test "to_omniauth_config returns correct hash" do
 provider = SsoProvider.create!(
 strategy: "openid_connect",
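Review bot: Neither added test exercises the new format validation: both assert `provider.valid?`, so the rejection branch of `/\A\S+\z/` (an icon with whitespace inside it, such as `"key ring"`) is never run. The changed `icon:` entry in the omniauth config hash has no assertion in this hunk either. A third test that builds the same provider with an inner-whitespace icon and asserts it is invalid with an error on `:icon` would pin the validator's behaviour. The `to_omniauth_config` test at the end of the hunk continues outside it.

```ruby
test "rejects icon containing inner whitespace" do
  provider = SsoProvider.new(
    strategy: "openid_connect",
    name: "icon_invalid",
    label: "Icon Invalid",
    icon: "key ring",
    issuer: "https://test.example.com",
    client_id: "test_client",
    client_secret: "test_secret"
  )

  assert_not provider.valid?
  assert provider.errors[:icon].present?
end
```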