diff --git a/server/private/routers/orgIdp/createOrgOidcIdp.ts b/server/private/routers/orgIdp/createOrgOidcIdp.ts
index 77346fd9..725e93c7 100644
--- a/server/private/routers/orgIdp/createOrgOidcIdp.ts
+++ b/server/private/routers/orgIdp/createOrgOidcIdp.ts
@@ -28,6 +28,7 @@ import { CreateOrgIdpResponse } from "@server/routers/orgIdp/types";
 import { isSubscribed } from "#private/lib/isSubscribed";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import privateConfig from "#private/lib/config";
+import { build } from "@server/build";
 
 const paramsSchema = z.strictObject({ orgId: z.string().nonempty() });
 
@@ -122,12 +123,14 @@ export async function createOrgOidcIdp(
 
         let { autoProvision } = parsedBody.data;
 
-        const subscribed = await isSubscribed(
-            orgId,
-            tierMatrix.deviceApprovals
-        );
-        if (!subscribed) {
-            autoProvision = false;
+        if (build == "saas") { // this is not paywalled with a ee license because this whole endpoint is restricted
+            const subscribed = await isSubscribed(
+                orgId,
+                tierMatrix.deviceApprovals
+            );
+            if (!subscribed) {
+                autoProvision = false;
+            }
         }
 
         const key = config.getRawConfig().server.secret!;
diff --git a/server/private/routers/orgIdp/updateOrgOidcIdp.ts b/server/private/routers/orgIdp/updateOrgOidcIdp.ts
index 804afbe6..b8ee4dcb 100644
--- a/server/private/routers/orgIdp/updateOrgOidcIdp.ts
+++ b/server/private/routers/orgIdp/updateOrgOidcIdp.ts
@@ -27,6 +27,7 @@ import config from "@server/lib/config";
 import { isSubscribed } from "#private/lib/isSubscribed";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import privateConfig from "#private/lib/config";
+import { build } from "@server/build";
 
 const paramsSchema = z
     .object({
@@ -127,12 +128,15 @@ export async function updateOrgOidcIdp(
 
         let { autoProvision } = parsedBody.data;
 
-        const subscribed = await isSubscribed(
-            orgId,
-            tierMatrix.deviceApprovals
-        );
-        if (!subscribed) {
-            autoProvision = false;
+        if (build == "saas") {
+            // this is not paywalled with a ee license because this whole endpoint is restricted
+            const subscribed = await isSubscribed(
+                orgId,
+                tierMatrix.deviceApprovals
+            );
+            if (!subscribed) {
+                autoProvision = false;
+            }
         }
 
         // Check if IDP exists and is of type OIDC
diff --git a/server/routers/badger/verifySession.ts b/server/routers/badger/verifySession.ts
index c446e0f7..b5c66c0e 100644
--- a/server/routers/badger/verifySession.ts
+++ b/server/routers/badger/verifySession.ts
@@ -797,7 +797,7 @@ async function notAllowed(
 ) {
     let loginPage: LoginPage | null = null;
     if (orgId) {
-        const subscribed = await isSubscribed(
+        const subscribed = await isSubscribed( // this is fine because the org login page is only a saas feature
             orgId,
             tierMatrix.loginPageDomain
         );
@@ -854,7 +854,7 @@ async function headerAuthChallenged(
 ) {
     let loginPage: LoginPage | null = null;
     if (orgId) {
-        const subscribed = await isSubscribed(orgId, tierMatrix.loginPageDomain);
+        const subscribed = await isSubscribed(orgId, tierMatrix.loginPageDomain); // this is fine because the org login page is only a saas feature
         if (subscribed) {
             loginPage = await getOrgLoginPage(orgId);
         }