Google Auth to only invited users

We want to have Google Auth as the only way to log in, but we also need to not allow anyone in our domain to get access. We need to add their email and the permissions they need, and then they can log in using Google Auth. What we are finding now is that if I am added as a user I must register with a password first, which is what we don't want; just Google Auth.

We whitelisted domains that are allowed for the system but not all users in those domains are meant to have discourse access.

How do you see this working? How big is the list of allowed email addresses and how often does it change?

Admin adds user to the accounts list with a corporate email and gives them the appropriate permissions.
User then attempts to sign in using Google. Their email matches one that exists on accounts. User logs in successfully. Else, user email does not match and user is not allowed to login.
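As an added illustration of the flow described in the post above (this is example code, not Discourse's or anyone's posted code), here is a deny-by-default check in Ruby: the sign-in is only accepted if the identity provider marks the email as verified, the domain is on the allowlist, and the exact address was pre-provisioned by an admin. The `ACCOUNTS` hash, the `ALLOWED_DOMAINS` set and the shape of the `auth` hash (an OmniAuth-style `info` hash with `email` and `email_verified`) are constructed assumptions for the example.

```ruby
require 'set'

# Constructed sample "accounts list": the admin provisions each address with its
# permissions before the user ever signs in, so no password registration step exists.
ACCOUNTS = {
  'alice@example.com' => { role: :admin },
  'bob@example.com'   => { role: :member }
}.freeze

# Constructed domain allowlist; being in the domain alone is not sufficient.
ALLOWED_DOMAINS = Set['example.com'].freeze

# Canonicalise the address so "Alice@Example.COM" matches the provisioned entry.
def normalize_email(email)
  email.to_s.strip.downcase
end

# Returns [:allow, permissions] or [:deny, reason].
# `auth` is assumed to look like { 'info' => { 'email' => '...', 'email_verified' => true } }.
def authorize_google_login(auth, accounts: ACCOUNTS, domains: ALLOWED_DOMAINS)
  info  = auth.fetch('info', {})
  email = normalize_email(info['email'])
  return [:deny, 'no email in identity'] if email.empty?

  # Only trust the provider's email claim when the provider asserts it is verified;
  # an unverified claim could be any string the account holder typed.
  return [:deny, 'email not verified by provider'] unless info['email_verified'] == true

  domain = email.split('@', 2).last
  return [:deny, 'domain not allowed'] unless domains.include?(domain)

  # Exact-address match against the admin-maintained list; everything else is denied.
  perms = accounts[email]
  return [:deny, 'user not provisioned'] unless perms

  [:allow, perms]
end

if __FILE__ == $PROGRAM_NAME
  sample = { 'info' => { 'email' => 'Alice@Example.com', 'email_verified' => true } }
  p authorize_google_login(sample)
end
```

The order of the checks matters: the verified-email check comes before any lookup, so an unverified claim never reaches the allowlist, and the per-address lookup comes after the domain check so that a provisioned address on a domain that was later removed from the allowlist is still refused.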

Even better is to have a SAML integration. Slack has a great G Suite integration for example with JIT provisioning. https://get.slack.help/hc/en-us/articles/204078066-G-Suite-single-sign-on#provisioning-and-deprovisioning

Support for SCIM alongside that would be great
https://tools.ietf.org/html/rfc7643