diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java
index 7706380db2f..326b9057053 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java
@@ -584,8 +584,11 @@ private boolean isRegisteredIdpAuthentication(Authentication request) {
 
     @Override
     protected boolean isAddNewShadowUser(final String origin) {
-        IdentityProvider<AbstractExternalOAuthIdentityProviderDefinition> provider = getProviderProvisioning().retrieveByOrigin(origin, identityZoneManager.getCurrentIdentityZoneId());
-        return provider.getConfig().isAddShadowUserOnLogin();
+        IdentityProvider<?> provider = getProviderProvisioning().retrieveByOrigin(origin, identityZoneManager.getCurrentIdentityZoneId());
+        if (provider.getConfig() instanceof AbstractExternalOAuthIdentityProviderDefinition<?> config) {
+            return config.isAddShadowUserOnLogin();
+        }
+        return false;
     }
 
     public RestTemplate getRestTemplate(AbstractExternalOAuthIdentityProviderDefinition config) {
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerIT.java b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerIT.java
index 237145a686a..225813b5622 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerIT.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerIT.java
@@ -32,6 +32,7 @@
 import org.cloudfoundry.identity.uaa.provider.IdentityProvider;
 import org.cloudfoundry.identity.uaa.provider.IdentityProviderProvisioning;
 import org.cloudfoundry.identity.uaa.provider.OIDCIdentityProviderDefinition;
+import org.cloudfoundry.identity.uaa.provider.UaaIdentityProviderDefinition;
 import org.cloudfoundry.identity.uaa.provider.RawExternalOAuthIdentityProviderDefinition;
 import org.cloudfoundry.identity.uaa.provider.oauth.ExternalOAuthAuthenticationManager.AuthenticationData;
 import org.cloudfoundry.identity.uaa.scim.ScimGroupExternalMember;
@@ -305,6 +306,16 @@ public URL getAuthUrl() {
                 .hasMessage("Unknown type for provider.");
     }
 
+    @Test
+    void isAddNewShadowUser_returnsFalse_whenProviderConfigIsNotExternalOAuth() {
+        IdentityProvider<UaaIdentityProviderDefinition> provider = new IdentityProvider<>();
+        provider.setType(OriginKeys.UAA);
+        provider.setConfig(new UaaIdentityProviderDefinition());
+        when(provisioning.retrieveByOrigin(eq(ORIGIN), anyString())).thenReturn(provider);
+
+        assertThat(externalOAuthAuthenticationManager.isAddNewShadowUser(ORIGIN)).isFalse();
+    }
+
     @Test
     void verify_hmac_256_signature() throws Exception {
         String key = "key";