MII 12.1 SSO and MII Login Security

Currently, we have an SSO and ABAP security system that allows the customer to maintain and deploy users to MII. The issue that the customer sees as a potential security risk is if the user is not available in the ABAP system, the MII login screen appears to the user and allows them to type in a username and password. If, by chance, the user is available in the UME system of NW, then the operator could gain access to MII and its features. Our customer would like the MII login screen to be either disabled or we put some logic in to prevent the screen from appearing if the SSO certificate was invalid or rejected. I would like to know if there is a feature in either NW or MII that we could simply turn off the MII login screen or if anyone has done this in the past? What is the best practice to approach this?