diff --git a/.env.example b/.env.example
index ad1ea56..a97a432 100644
--- a/.env.example
+++ b/.env.example
@@ -20,6 +20,7 @@
 DB_USERNAME=homestead
 DB_PASSWORD=secret
 AUTH_ADMINS=
+AUTH_BANNED_USERS=
 AUTH_REMEMBER=false
 BROADCAST_DRIVER=log
 CACHE_DRIVER=file
diff --git a/app/Http/Controllers/Platform/VatsimLoginController.php b/app/Http/Controllers/Platform/VatsimLoginController.php
index 8640f7e..0fbe5b8 100644
--- a/app/Http/Controllers/Platform/VatsimLoginController.php
+++ b/app/Http/Controllers/Platform/VatsimLoginController.php
@@ -87,9 +87,8 @@ public function callback(Request $request)
 );
 $user = $ssoRequest->user;
- $this->processUser($user);
- return $this->sendLoginResponse($request);
+ return $this->processLogin($request, $user);
 } catch (SSOException $e) {
 $this->incrementLoginAttempts($request);
@@ -100,9 +99,11 @@ public function callback(Request $request)
 /**
 * Update and log in the user.
 *
+ * @param \Illuminate\Http\Request $request
 * @param $ssoUser
+ * @return \Illuminate\Http\RedirectResponse
 */
- protected function processUser($ssoUser)
+ protected function processLogin($request, $ssoUser)
 {
 /* @var User $user */
 User::updateOrCreate([
@@ -113,9 +114,16 @@ protected function processUser($ssoUser)
 'vatsim_sso_data' => $ssoUser,
 ]);
+ if (in_array($ssoUser->id, config('auth.banned_users'))) {
+ return redirect()->route('platform.login')
+ ->with('error', 'SSO login failed: You are not authorized to use this service.');
+ }
+
 $guardName = config('auth.defaults.guard');
 $remember = config("auth.guards.{$guardName}.remember", false);
 auth()->loginUsingId($ssoUser->id, $remember);
+
+ return $this->sendLoginResponse($request);
 }
 /**
diff --git a/config/auth.php b/config/auth.php
index 88f3b77..203c75b 100644
--- a/config/auth.php
+++ b/config/auth.php
@@ -112,4 +112,6 @@
 'admins' => explode(',', env('AUTH_ADMINS', '')),
+ 'banned_users' => explode(',', env('AUTH_BANNED_USERS', '')),
+
 ];
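Review bot: The renamed `processLogin($request, $ssoUser)` is declared without parameter types even though `Request` is already imported and used on `callback(Request $request)` in the previous hunk, and the new `@param \Illuminate\Http\Request $request` docblock line only restates what a native type would enforce. Declaring it as `protected function processLogin(Request $request, $ssoUser)` gives static analysis and the IDE the same information without the docblock, and `$ssoUser` deserves at least a docblock type of its own once its shape is known (presumably the decoded SSO user object; confirm against the library). The method body continues in the next hunk.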
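Review bot: The ban check uses a loose `in_array()` and runs after `User::updateOrCreate(...)`, so a banned identity still gets its row created or refreshed with the incoming `vatsim_sso_data` before it is turned away. The list in `config('auth.banned_users')` comes from `explode()` over an env string, so its entries are strings, while `$ssoUser->id` is whatever the SSO payload carries (a string `"1300001"` in the test fixture); comparing normalised strings strictly removes both the type mismatch and PHP's loose-equality surprises: `if (in_array((string) $ssoUser->id, config('auth.banned_users', []), true)) {`. Moving the guard above the `updateOrCreate` call keeps banned identities out of the users table, unless retaining a record of the attempt is intended. The rejection path also bypasses `incrementLoginAttempts()`, which the `SSOException` branch in `callback` does call; a short comment on why a banned login is not throttled would help the next reader. The enclosing method starts in the previous hunk.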
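Review bot: `explode(',', '')` returns `['']`, so with `AUTH_BANNED_USERS` unset the new `banned_users` entry holds one empty-string id instead of being an empty list, and any spaces around the commas in the env value end up inside the ids and will never match. Normalising once at the config boundary keeps the controller check simple: `'banned_users' => array_values(array_filter(array_map('trim', explode(',', env('AUTH_BANNED_USERS', ''))), 'strlen')),`. The `admins` entry directly above has the same shape, which is pre-existing, but the two would ideally share the same treatment.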
diff --git a/tests/Feature/Platform/VatsimLoginTest.php b/tests/Feature/Platform/VatsimLoginTest.php
index 530cace..510bf6d 100644
--- a/tests/Feature/Platform/VatsimLoginTest.php
+++ b/tests/Feature/Platform/VatsimLoginTest.php
@@ -38,6 +38,21 @@ function user_can_complete_vatsim_login()
 $this->assertTrue(Auth::check());
 }
+ /** @test */
+ function banned_user_login_redirects_with_error()
+ {
+ $ssoRequest = json_decode('{"request":{"result":"success","message":""},"user":{"id":"1300001","name_first":"1st","name_last":"Test","rating":{"id":"1","short":"OBS","long":"Pilot\/Observer","GRP":"Pilot\/Observer"},"pilot_rating":{"rating":"0"},"experience":"N","reg_date":"2014-05-14 17:17:26","country":{"code":"GB","name":"United Kingdom"},"region":{"code":"EUR","name":"Europe"},"division":{"code":"GBR","name":"United Kingdom"},"subdivision":{"code":null,"name":null}}}');
+ $mock = $this->createMock(SSO::class);
+ $mock->method('checkLogin')->willReturn($ssoRequest);
+ $this->app->instance('vatsimoauth', $mock);
+
+ config(['auth.banned_users' => [1300001]]);
+
+ $this->get(route('platform.login.vatsim.callback'))
+ ->assertRedirect()
+ ->assertSessionHas('error');
+ }
+
 /** @test */
 function failed_login_redirects_with_error()
 {
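Review bot: The new test never asserts the one thing a ban is for — that the user ends up logged out; it checks a redirect and a session error but not `Auth::check()`, which the sibling `user_can_complete_vatsim_login` test above does assert. Add `$this->assertFalse(Auth::check());` after the request, and pin the destination with `->assertRedirect(route('platform.login'))` so a redirect to the app home on a successful login cannot satisfy the test. The fixture also sets the ban list to the integer `[1300001]` while the SSO payload carries the id as the string `"1300001"` and the production config (`explode()` over an env string) yields strings; using `['1300001']` mirrors the real config shape and keeps the test green if the controller's `in_array` is ever made strict.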