diff --git a/app/models/auth_config.rb b/app/models/auth_config.rb
index 7cb630966..7b4c9c7a4 100644
--- a/app/models/auth_config.rb
+++ b/app/models/auth_config.rb
@@ -74,7 +74,17 @@ class AuthConfig
     end
 
     def sso_providers
-      Rails.configuration.x.auth.sso_providers || []
+      if FeatureFlags.db_sso_providers?
+        # After boot, OmniAuth registers successfully configured providers into
+        # Rails.configuration.x.auth.sso_providers. Prefer that filtered list
+        # so we never render login buttons for providers that couldn't be
+        # registered (e.g., missing required fields in YAML fallback).
+        # Fall back to ProviderLoader for pre-boot contexts.
+        registered = Rails.configuration.x.auth.sso_providers
+        registered&.any? ? registered : ProviderLoader.load_providers
+      else
+        Rails.configuration.x.auth.sso_providers || []
+      end
     end
   end
 end
diff --git a/app/models/oidc_identity.rb b/app/models/oidc_identity.rb
index e8993142f..fe85a1fdf 100644
--- a/app/models/oidc_identity.rb
+++ b/app/models/oidc_identity.rb
@@ -95,7 +95,7 @@ class OidcIdentity < ApplicationRecord
 
   # Find the configured provider for this identity
   def provider_config
-    Rails.configuration.x.auth.sso_providers&.find { |p| p[:name] == provider || p[:id] == provider }
+    AuthConfig.sso_providers&.find { |p| p[:name] == provider || p[:id] == provider }
   end
 
   # Validate that the stored issuer matches the configured provider's issuer