diff --git a/gate-web/src/main/groovy/com/netflix/spinnaker/gate/security/oauth2/OAuth2SsoConfig.groovy b/gate-web/src/main/groovy/com/netflix/spinnaker/gate/security/oauth2/OAuth2SsoConfig.groovy
index 81970f9f40..a153fa532a 100644
--- a/gate-web/src/main/groovy/com/netflix/spinnaker/gate/security/oauth2/OAuth2SsoConfig.groovy
+++ b/gate-web/src/main/groovy/com/netflix/spinnaker/gate/security/oauth2/OAuth2SsoConfig.groovy
@@ -90,7 +90,7 @@ class OAuth2SsoConfig {
     String firstName = "given_name"
     String lastName = "family_name"
     String username = "email"
-    String serviceAccountEmail = "email"
+    String serviceAccountEmail = "client_email"
   }
 
   @Component
diff --git a/gate-web/src/main/groovy/com/netflix/spinnaker/gate/security/oauth2/SpinnakerUserInfoTokenServices.groovy b/gate-web/src/main/groovy/com/netflix/spinnaker/gate/security/oauth2/SpinnakerUserInfoTokenServices.groovy
index 43d6cf5e96..29663c10b5 100644
--- a/gate-web/src/main/groovy/com/netflix/spinnaker/gate/security/oauth2/SpinnakerUserInfoTokenServices.groovy
+++ b/gate-web/src/main/groovy/com/netflix/spinnaker/gate/security/oauth2/SpinnakerUserInfoTokenServices.groovy
@@ -34,6 +34,7 @@ import org.springframework.security.oauth2.provider.OAuth2Authentication
 import org.springframework.security.oauth2.provider.OAuth2Request
 import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken
+import retrofit.RetrofitError
 import java.util.regex.Pattern
 import java.util.regex.PatternSyntaxException
 
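Review bot: The new default `client_email` for `serviceAccountEmail` carries no comment saying which userinfo attribute it names or why it now differs from `username = "email"`, even though this is the key `SpinnakerUserInfoTokenServices.isServiceAccount` reads to decide whether a principal is a service account. Because the two keys used to coincide, a deployment that relied on the old default will now read a different attribute; presumably the split is meant to stop an ordinary user's email from being looked up as a service account name, but the hunk does not say so. A field comment such as `// Userinfo attribute naming a service account; isServiceAccount matches it case-insensitively against front50 service account names.` would make the contract explicit. The class these fields belong to starts outside the hunk.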
@@ -120,11 +121,16 @@ class SpinnakerUserInfoTokenServices implements ResourceServerTokenServices {
 
   boolean isServiceAccount(Map details) {
     String email = details[userInfoMapping.serviceAccountEmail]
-    if (!email) {
+    if (!email || !permissionService.isEnabled()) {
       return false
     }
-    def serviceAccounts = front50Service.getServiceAccounts()
-    return serviceAccounts.find { email.equalsIgnoreCase(it.name)}
+    try {
+      def serviceAccounts = front50Service.getServiceAccounts()
+      return serviceAccounts.find { email.equalsIgnoreCase(it.name) }
+    } catch (RetrofitError re) {
+      log.warn("Could not get list of service accounts.", re)
+    }
+    return false
   }
 
   boolean hasAllUserInfoRequirements(Map details) {
diff --git a/gate-web/src/main/groovy/com/netflix/spinnaker/gate/services/PermissionService.groovy b/gate-web/src/main/groovy/com/netflix/spinnaker/gate/services/PermissionService.groovy
index 4762dd8f42..1f45e2c8c9 100644
--- a/gate-web/src/main/groovy/com/netflix/spinnaker/gate/services/PermissionService.groovy
+++ b/gate-web/src/main/groovy/com/netflix/spinnaker/gate/services/PermissionService.groovy
@@ -42,6 +42,10 @@ class PermissionService {
   @Autowired
   FiatPermissionEvaluator permissionEvaluator
 
+  boolean isEnabled() {
+    return fiatConfig.enabled
+  }
+
   void login(String userId) {
     if (fiatConfig.enabled) {
       fiatService.loginUser(userId, "")
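Review bot: `return serviceAccounts.find { email.equalsIgnoreCase(it.name) }` inside the new try block returns the matched element (or null) from a `boolean` method and relies on Groovy truthiness for the coercion; `return serviceAccounts.any { email.equalsIgnoreCase(it.name) }` states the yes/no intent directly. The catch covers only `RetrofitError`, so if `front50Service.getServiceAccounts()` can ever return null the call would surface as a NullPointerException rather than the fail-closed `false` the rest of the method now aims for; `serviceAccounts?.any { ... } ?: false` would close that gap if that path is real. The method also deserves a short doc comment, e.g. `// Fail closed: a principal counts as a service account only when Fiat is enabled and the front50 lookup succeeds.` The enclosing class starts outside the hunk.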
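Review bot: `isEnabled()` is added without a doc comment, and `login` directly below it still tests `fiatConfig.enabled` inline, so the same flag is now read two ways in one class; changing that line to `if (isEnabled()) {` keeps one definition of "Fiat is on" and makes the new accessor's purpose obvious. A comment such as `/** True when Fiat is enabled (fiatConfig.enabled); isServiceAccount returns false without consulting front50 when this is false. */` would record the contract the token services now depend on. The body of `login` continues past the end of the hunk.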