Disable Logins for specific domains

I have recently setup OpenID with Discourse as our Staff uses an identity provider to login everywhere, it is working great so far, but is there a way to restrict staff logins to the OpenID provider (For notes: I use the OpenID plugin, so a domain block from login would be great).

SSO is not the way to go as its still a public forum and would like to affect only staff accounts.

Is it possible to restrict domains from logging in and possibly even restrict 2fa as thats provided by the ID provider? Something like the allowlist setting.