I’ve enabled SSO on our company’s Discourse site, allowing external users from our app to log in. However, some staff members with company email addresses need access as moderators or administrators. Since these staff members aren’t registered in the app, we can’t create SSO accounts for them.
Is there a built-in solution to handle their login separately, so they can authenticate using their company email, even with SSO enabled for external users?
I don’t have a solution, but I seem to remember this exact issue having come up a few times in the past. It’s unfortunate that you can’t make the users moderators and give them access to the site via the /u/admin-login route.
In case it’s relevant, what are you using for SSO? Is it DiscourseConnect, OAuth2, or OpenID Connect?
We want our admins, staff, and moderators to use their company email for logging in. However, our current SSO mechanism relies on phone number OTP-based authentication, and the user must be registered on our app with their email ID, which isn’t feasible for these users.
While we could implement custom handling to whitelist certain emails in our SSO, we’re exploring a more out-of-the-box solution. For instance, if it were possible for SSO to coexist with local login, we could disable local login for regular users while allowing admins and external users to log in with their email and password. Unfortunately, I don’t believe SSO and local login can coexist in this way.
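The whitelisting approach mentioned in the post above is what DiscourseConnect already supports on the provider side: the provider decides which attributes it asserts, including `moderator` and `admin`. The following is an added example written for this thread, not code from the original post or from Discourse itself; it assumes a constructed shared secret and a hypothetical company domain `example.com`, and uses the DiscourseConnect exchange (base64 query-string payload in `sso`, HMAC-SHA256 of that string in `sig`). It verifies the signed nonce request Discourse sends, then signs a response that sets `moderator=true` only for addresses on the company domain.

```ruby
require 'openssl'
require 'base64'
require 'cgi'

# Constructed values for the example; in practice the secret is the one set in
# Discourse's "discourse connect secret" setting and the domain is your staff domain.
SSO_SECRET = 'example-shared-secret'
COMPANY_DOMAIN = 'example.com'

# HMAC-SHA256 over the raw base64 payload string, hex-encoded, as DiscourseConnect expects.
def hmac_hex(secret, payload)
  OpenSSL::HMAC.hexdigest('sha256', secret, payload)
end

# Constant-time comparison so a forged signature cannot be guessed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Discourse redirects the browser to the provider with ?sso=<base64>&sig=<hex hmac>.
# Nothing inside `sso` may be trusted until the signature has been checked.
# The same routine also decodes a signed response, since both use one format.
def parse_discourse_request(sso, sig, secret:)
  raise 'bad signature' unless secure_equal?(hmac_hex(secret, sso), sig)
  decoded = Base64.decode64(sso)
  params = CGI.parse(decoded).transform_values(&:first)
  raise 'missing nonce' unless params.key?('nonce')
  params
end

# Build the signed response the provider sends back to /session/sso_login.
# `user` is whatever the provider authenticated (OTP, password, etc.); the email
# must already be verified by the provider, because Discourse trusts it as-is.
def build_discourse_response(nonce, user, secret:)
  fields = {
    'nonce'       => nonce,               # echo the nonce so the response cannot be replayed
    'external_id' => user[:external_id],
    'email'       => user[:email],
    'username'    => user[:username],
  }
  # Hypothetical whitelist rule: employees (company domain) get the moderator flag.
  staff = user[:email].downcase.end_with?("@#{COMPANY_DOMAIN}")
  fields['moderator'] = 'true' if staff
  query = fields.map { |k, v| "#{CGI.escape(k)}=#{CGI.escape(v.to_s)}" }.join('&')
  sso = Base64.strict_encode64(query)
  { sso: sso, sig: hmac_hex(secret, sso) }
end

# End-to-end demo with a constructed request, as Discourse would send it.
def demo
  request_sso = Base64.strict_encode64(
    'nonce=abc123&return_sso_url=https%3A%2F%2Fforum.example.com%2Fsession%2Fsso_login'
  )
  request_sig = hmac_hex(SSO_SECRET, request_sso)
  incoming = parse_discourse_request(request_sso, request_sig, secret: SSO_SECRET)

  employee = { external_id: '42', email: 'alice@example.com', username: 'alice' }
  response = build_discourse_response(incoming['nonce'], employee, secret: SSO_SECRET)
  # Decode our own response the way Discourse will, to show what it receives.
  parse_discourse_request(response[:sso], response[:sig], secret: SSO_SECRET)
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The important checks are the ones Discourse itself performs on the way back: the signature must match before the payload is parsed, and the nonce must be the one it issued. The `moderator` flag is honoured by Discourse only because the provider is trusted, so the domain rule must run on an address the provider has actually verified, not one the user typed.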
I had the idea that the /u/admin-login route worked for all staff (admins and moderators), but looking at it now I see that it only allows for admins to bypass DiscourseConnect logins. Possibly a plugin could be developed that would allow members of a custom group to login with the admin-login method, but it would probably be better to find a way of getting external users onto your SSO authentication site.
That sounds right. The best solution would be to make it so your SSO works. It doesn’t make much sense that it’s “not feasible” for your SSO not to work for your employees, but maybe that’s why I work down myself. (But your employees don’t use your app? If they did, it should be easy enough to add their email address with the API).
But people making bad decisions are who keep me in business! When I’m not talking people into using existing features, what I really like is making Discourse do things it’s not designed to do (like install Discourse).
I would be happy to develop, or help you develop, a plugin that would make the /u/admin-login route (or another one) work for members of your team group (that automatically includes users with your company email), and make a page they could visit and enter their email to get a login link.
Maybe it could even redirect anonymous users on your vpn to the login page automatically or something else to make it more seamless for your employees.