diff --git a/Changelog.md b/Changelog.md
index 0242ab5f..fef67240 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -6,6 +6,7 @@ This file only reflects the changes that are made in this image. Please refer to
 - gitlab-workhorse: upgrade to v0.6.4
 - gitlab: upgrade to CE v8.5.0
 - firstrun: expose `GITLAB_ROOT_EMAIL` configuration option
+- expose `OAUTH_AUTO_LINK_SAML_USER` configuration parameter
 **8.4.4**
 - gitlab: upgrade to CE v8.4.4
diff --git a/README.md b/README.md
index 60e6e286..2a4e2ab2 100644
--- a/README.md
+++ b/README.md
@@ -873,6 +873,7 @@ Below is the complete list of available options that can be used to customize yo
 - **OAUTH_ALLOW_SSO**: This allows users to login without having a user account first. User accounts will be created automatically when authentication was successful. Defaults to `false`.
 - **OAUTH_BLOCK_AUTO_CREATED_USERS**: Locks down those users until they have been cleared by the admin. Defaults to `true`.
 - **OAUTH_AUTO_LINK_LDAP_USER**: Look up new users in LDAP servers. If a match is found (same uid), automatically link the omniauth identity with the LDAP account. Defaults to `false`.
+- **OAUTH_AUTO_LINK_SAML_USER**: Allow users with existing accounts to login and auto link their account via SAML login, without having to do a manual login first and manually add SAML. Defaults to `false`.
 - **OAUTH_CAS3_LABEL**: The "Sign in with" button label. Defaults to "cas3".
 - **OAUTH_CAS3_SERVER**: CAS3 server URL. No defaults.
 - **OAUTH_CAS3_DISABLE_SSL_VERIFICATION**: Disable CAS3 SSL verification. Defaults to `false`.
diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml
index ac7ee48a..8ab3942b 100644
--- a/assets/runtime/config/gitlabhq/gitlab.yml
+++ b/assets/runtime/config/gitlabhq/gitlab.yml
@@ -301,7 +301,7 @@ production: &base
 # Allow users with existing accounts to login and auto link their account via SAML
 # login, without having to do a manual login first and manually add SAML
 # (default: false)
- auto_link_saml_user: false
+ auto_link_saml_user: {{OAUTH_AUTO_LINK_SAML_USER}}
 ## Auth providers
 # Uncomment the following lines and fill in the data of the auth provider you want to use
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
index 787eff8b..46e536ba 100644
--- a/assets/runtime/env-defaults
+++ b/assets/runtime/env-defaults
@@ -216,6 +216,7 @@ OAUTH_AUTO_SIGN_IN_WITH_PROVIDER=${OAUTH_AUTO_SIGN_IN_WITH_PROVIDER:-}
 OAUTH_ALLOW_SSO=${OAUTH_ALLOW_SSO:-false}
 OAUTH_BLOCK_AUTO_CREATED_USERS=${OAUTH_BLOCK_AUTO_CREATED_USERS:-true}
 OAUTH_AUTO_LINK_LDAP_USER=${OAUTH_AUTO_LINK_LDAP_USER:-false}
+OAUTH_AUTO_LINK_SAML_USER=${OAUTH_AUTO_LINK_SAML_USER:-false}
 ### GOOGLE
 OAUTH_GOOGLE_API_KEY=${OAUTH_GOOGLE_API_KEY:-}
diff --git a/assets/runtime/functions b/assets/runtime/functions
index 0fa0c99a..ec00d18e 100644
--- a/assets/runtime/functions
+++ b/assets/runtime/functions
@@ -563,7 +563,8 @@ gitlab_configure_oauth() {
 OAUTH_ENABLED \
 OAUTH_ALLOW_SSO \
 OAUTH_BLOCK_AUTO_CREATED_USERS \
- OAUTH_AUTO_LINK_LDAP_USER
+ OAUTH_AUTO_LINK_LDAP_USER \
+ OAUTH_AUTO_LINK_SAML_USER
 case ${OAUTH_AUTO_SIGN_IN_WITH_PROVIDER} in
 cas3|google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd|azure_oauth2)
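Review bot: The comment above `auto_link_saml_user` does not say what the link is keyed on or whose assertion is trusted to make it, and now that the value comes from `{{OAUTH_AUTO_LINK_SAML_USER}}` an operator can switch it on from the environment without ever reading GitLab's own documentation. As far as I know GitLab matches on the e-mail address the identity provider asserts, so enabling it makes the IdP's e-mail claim sufficient to sign in to an existing account; that trust decision should be stated next to the setting. I would add a comment line such as `# Only enable when the SAML IdP is trusted to assert verified e-mail addresses; a match signs the user into the existing account.` The same caveat belongs in the README entry for this option.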
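Review bot: `OAUTH_AUTO_LINK_SAML_USER` is added to the substitution list without any check on its value, so whatever string the environment holds is written into gitlab.yml as-is. A mistyped boolean would be parsed as a YAML string, and if GitLab only tests the setting for truthiness that would turn account linking on rather than off; I have not verified how GitLab reads it. Normalising before the substitution keeps the failure mode closed: `case ${OAUTH_AUTO_LINK_SAML_USER} in true|false) ;; *) OAUTH_AUTO_LINK_SAML_USER=false ;; esac`. The argument list this line extends starts above the hunk and gitlab_configure_oauth continues below it; the sibling OAUTH_* booleans in the same list have the same gap.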