authentication restrictions based on the type of user
-
How can I set up authentication method restrictions based on a "type" of user?
The scenario is we have our staff members log in as users through FusionAuth. They have a `user.data` property telling us they're an Admin, but other than that, they're just another user (not in a special tenant or anything). We want to force our staff members to log into our platform with Google SSO. This is obviously possible on a per-application basis, but can you think of any other way we can do this while having them log in to the same Application as all of our other users?
-
Options:
- Hints will direct a user to a specific IDP (but not forcibly - the user can still change the URL). https://fusionauth.io/docs/v1/tech/identity-providers/#hints
- You could look at the issued token at the application level and verify the claim of `authenticationType` and ensure that it's `GOOGLE` when the claim is `user.data: admin`, and if not kick the user back to login with a helpful message on the way out. However, any refresh grants won't retain the initial login type: https://github.com/FusionAuth/fusionauth-issues/issues/1483
- Another option might be to key off of the `user.login.success` webhook and fail the login (send a non-200) if the user is an admin and the `authenticationType` is not `GOOGLE`: https://fusionauth.io/docs/v1/tech/events-webhooks/events/user-login-success
-