diff --git a/bitwarden_license/bit-web/src/app/auth/sso/sso.component.ts b/bitwarden_license/bit-web/src/app/auth/sso/sso.component.ts
index b0f3af4d108..64fa36fc4ac 100644
--- a/bitwarden_license/bit-web/src/app/auth/sso/sso.component.ts
+++ b/bitwarden_license/bit-web/src/app/auth/sso/sso.component.ts
@@ -9,7 +9,15 @@ import {
   Validators,
 } from "@angular/forms";
 import { ActivatedRoute } from "@angular/router";
-import { concatMap, firstValueFrom, Subject, switchMap, takeUntil } from "rxjs";
+import {
+  concatMap,
+  firstValueFrom,
+  pairwise,
+  startWith,
+  Subject,
+  switchMap,
+  takeUntil,
+} from "rxjs";
 
 import { ControlsOf } from "@bitwarden/angular/types/controls-of";
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
@@ -263,18 +271,27 @@ export class SsoComponent implements OnInit, OnDestroy {
   }
 
   listenForKeyConnectorSelection() {
+    const memberDecryptionTypeOnInit = this.ssoConfigForm?.controls?.memberDecryptionType.value;
+
     this.ssoConfigForm?.controls?.memberDecryptionType.valueChanges
       .pipe(
-        switchMap(async (memberDecryptionType) => {
-          if (memberDecryptionType === MemberDecryptionType.KeyConnector) {
+        startWith(memberDecryptionTypeOnInit),
+        pairwise(),
+        switchMap(async ([prevMemberDecryptionType, newMemberDecryptionType]) => {
+          // Only pre-populate a default URL when changing TO Key Connector from a different decryption type.
+          // ValueChanges gets re-triggered during the submit() call, so we need a !== check
+          // to prevent a custom URL from getting overwritten back to the default on a submit().
+          if (
+            prevMemberDecryptionType !== MemberDecryptionType.KeyConnector &&
+            newMemberDecryptionType === MemberDecryptionType.KeyConnector
+          ) {
             // Pre-populate a default key connector URL (user can still change it)
             const env = await firstValueFrom(this.environmentService.environment$);
             const webVaultUrl = env.getWebVaultUrl();
-            const defaultKeyConnectorUrl = webVaultUrl + "/key-connector/";
+            const defaultKeyConnectorUrl = webVaultUrl + "/key-connector";
 
             this.ssoConfigForm.controls.keyConnectorUrl.setValue(defaultKeyConnectorUrl);
-          } else {
-            // Otherwise clear the key connector URL
+          } else if (newMemberDecryptionType !== MemberDecryptionType.KeyConnector) {
             this.ssoConfigForm.controls.keyConnectorUrl.setValue("");
           }
         }),