diff --git a/src/orchestratord/src/controller/materialize/console.rs b/src/orchestratord/src/controller/materialize/console.rs
index b3c42f2a8e6ec..659a35f22ef00 100644
--- a/src/orchestratord/src/controller/materialize/console.rs
+++ b/src/orchestratord/src/controller/materialize/console.rs
@@ -212,7 +212,7 @@ struct ConsoleAppConfig {
 #[derive(Serialize)]
 struct ConsoleAppConfigAuth {
- mode: AuthenticatorKind,
+ self_managed_password_auth_enabled: bool,
 }
 fn create_console_app_configmap_object(mz: &Materialize, console_image_ref: &str) -> ConfigMap {
@@ -224,7 +224,10 @@ fn create_console_app_configmap_object(mz: &Materialize, console_image_ref: &str
 let app_config_json = serde_json::to_string(&ConsoleAppConfig {
 version,
 auth: ConsoleAppConfigAuth {
- mode: mz.spec.authenticator_kind,
+ self_managed_password_auth_enabled: mz
+ .spec
+ .authenticator_kind
+ .password_style_self_managed_auth(),
 },
 })
 .expect("known valid");
diff --git a/src/orchestratord/src/controller/materialize/environmentd.rs b/src/orchestratord/src/controller/materialize/environmentd.rs
index 90681e3b06ddb..24019dd854c4b 100644
--- a/src/orchestratord/src/controller/materialize/environmentd.rs
+++ b/src/orchestratord/src/controller/materialize/environmentd.rs
@@ -1394,10 +1394,7 @@ fn create_environmentd_statefulset_object(
 ..Default::default()
 });
 args.push("--listeners-config-path=/listeners/listeners.json".to_owned());
- if matches!(
- mz.spec.authenticator_kind,
- AuthenticatorKind::Password | AuthenticatorKind::Sasl
- ) {
+ if mz.spec.authenticator_kind.password_style_self_managed_auth() {
 args.push("--system-parameter-default=enable_password_auth=true".into());
 env.push(EnvVar {
 name: "MZ_EXTERNAL_LOGIN_PASSWORD_MZ_SYSTEM".to_string(),
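Review bot: `ConsoleAppConfigAuth` in console.rs now serializes one boolean where it used to serialize `mode`, so the console can no longer tell the non-password authenticator kinds apart, and a console image that still reads `auth.mode` will find the key missing. Nothing visible in this hunk or in the `create_console_app_configmap_object` hunk that fills the field keeps the old key for a transition, so it is worth confirming that every console image this orchestratord can deploy falls back to a safe login flow when `mode` is absent. The key is emitted in snake_case unless the struct carries a serde rename outside the hunk. A doc comment on the field such as `/// Contract with the console app config: true when the authenticator kind is Password or Sasl.` would record the dependency.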
@@ -1691,10 +1688,7 @@ fn create_connection_info(
 },
 };
- if matches!(
- authenticator_kind,
- AuthenticatorKind::Password | AuthenticatorKind::Sasl
- ) {
+ if mz.spec.authenticator_kind.password_style_self_managed_auth() {
 listeners_config.sql.remove("internal");
 listeners_config.http.remove("internal");
@@ -1747,17 +1741,18 @@ fn create_connection_info(
 },
 };
- let (scheme, leader_api_port, mz_system_secret_name) = match authenticator_kind {
- AuthenticatorKind::Password | AuthenticatorKind::Sasl => {
+ let (scheme, leader_api_port, mz_system_secret_name) =
+ if mz.spec.authenticator_kind.password_style_self_managed_auth() {
 let scheme = if external_enable_tls { "https" } else { "http" };
 (
 scheme,
 config.environmentd_http_port,
 Some(mz.spec.backend_secret_name.clone()),
 )
- }
- _ => ("http", config.environmentd_internal_http_port, None),
- };
+ } else {
+ ("http", config.environmentd_internal_http_port, None)
+ };
+
 let environmentd_url = format!(
 "{}://{}.{}.svc.cluster.local:{}",
 scheme,
diff --git a/src/server-core/src/listeners.rs b/src/server-core/src/listeners.rs
index 2242643ec6a56..35b63387c1185 100644
--- a/src/server-core/src/listeners.rs
+++ b/src/server-core/src/listeners.rs
@@ -26,6 +26,13 @@ pub enum AuthenticatorKind {
 None,
 }
+impl AuthenticatorKind {
+ /// Whether this authenticator kind supports password-style self-managed authentication.
+ pub fn password_style_self_managed_auth(&self) -> bool {
+ matches!(self, AuthenticatorKind::Password | AuthenticatorKind::Sasl)
+ }
+}
+
 /// Whether to allow internal users (ie: mz_system) and/or normal users.
 #[derive(Debug, Clone, Copy, Deserialize, Serialize, PartialEq)]
 pub enum AllowedRoles {
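Review bot: The removed condition in `create_connection_info` tested a local `authenticator_kind`, while the replacement reads `mz.spec.authenticator_kind`; the `@@ -1747` hunk of this file makes the same switch. The definition of that local is outside the hunk, so if it is anything other than a plain copy of the spec field, the decision to drop the `internal` SQL and HTTP listeners could now disagree with the listener configuration built from it. Calling the helper on the existing local, `if authenticator_kind.password_style_self_managed_auth() {`, keeps a single source of truth within the function.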
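Review bot: In the password branch of the `@@ -1747` hunk, `scheme` falls back to `http` when `external_enable_tls` is false while `mz_system_secret_name` is still set. If orchestratord presents the mz_system credential to the resulting `svc.cluster.local` URL (the use is outside this hunk), it would cross the cluster network unencrypted. The rewrite keeps that behaviour, so this is a good place to document it, e.g. `// NOTE: without external TLS the mz_system credential is sent to environmentd over plain HTTP inside the cluster.`. A warning log for the password-auth-without-TLS combination would also make it visible to operators.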
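Review bot: `password_style_self_managed_auth` in listeners.rs is now the single gate for enabling password auth and removing the internal listeners, but `matches!` answers false for every variant it does not name. A variant added to `AuthenticatorKind` later would therefore fall into the non-password path without any compiler prompt. An exhaustive `match self { … }` with no wildcard arm, listing every variant explicitly, would force that decision at compile time. The doc comment says "supports", while callers treat the result as "is in use"; wording such as `/// Returns true for the kinds that authenticate against passwords managed by Materialize itself (Password, Sasl).` would match how it is used.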