vouch / vouch-proxy

an SSO and OAuth / OIDC login solution for Nginx using the auth_request module

Authenticate additional user accounts outside of Google domain

david-judge opened this issue · comments

Hi, I'm using vouch-proxy (behind nginx) to authenticate Google accounts that are from my organisation's domain. So my organisation's Google accounts are all in the format: first.second@work.domain.com and I've configured Vouch with the domain, "work.domain.com", and so anyone from the organisation can log in to the site.

My question is, we have a few external users (without a Google account or organisation account) that we would like to have access to our site. How do I set that up - so organisation accounts are handled as currently but external users have to authenticate through a separate bespoke login page?

Thanks,
Dave

I would set them up as parallel but separate NGINX servers hooked into separate VP instances for both work.domain.com and partners.domain.com.

You could also use a satisfy any strategy with a regular http password, though that's not best practice
http://nginx.org/en/docs/http/ngx_http_core_module.html#satisfy

Here's something fancier that might work but I've not tried this method
https://stackoverflow.com/questions/45822565/is-there-a-way-to-use-multiple-auth-request-directives-in-nginx

VP is fairly cheap resource-wise. The underlying philosophy is to keep separate authorized groups of users in separate VP buckets so as to limit the opportunity to expose one side to another.

There has sometimes been talk of going for something fancier akin to RBAC or full ACL but that is not likely to be implemented any time soon.
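
A sketch of the parallel-servers layout suggested in this reply, added here as an example and not taken from the thread or from the vouch-proxy project. The `vouch.*` login hostnames, the ports 9090, 9091 and 8080, and the certificate paths are assumptions; each Vouch Proxy instance is assumed to run with its own config (allowed domains or identity provider, cookie and JWT secret) so a session issued by one is not accepted by the other.

```nginx
# Both server blocks go inside the http {} context. Values marked
# "assumed" are placeholders for this example.

# Organisation users: authorised by the VP instance on 127.0.0.1:9090 (assumed).
server {
    listen 443 ssl;
    server_name work.domain.com;
    ssl_certificate     /etc/nginx/tls/work.crt;      # assumed path
    ssl_certificate_key /etc/nginx/tls/work.key;      # assumed path

    auth_request /validate;           # every request is checked first
    error_page 401 = @error401;       # unauthenticated -> this instance's login

    location = /validate {
        internal;                     # reachable only via auth_request
        proxy_pass http://127.0.0.1:9090/validate;
        proxy_set_header Host $http_host;
        proxy_pass_request_body off;  # VP only needs the request headers
        proxy_set_header Content-Length "";
    }
    location @error401 {
        return 302 https://vouch.work.domain.com/login?url=$scheme://$http_host$request_uri;
    }
    location / { proxy_pass http://127.0.0.1:8080; }  # the site (assumed)
}

# External users: same site, separate hostname, separate VP instance (9091, assumed).
server {
    listen 443 ssl;
    server_name partners.domain.com;
    ssl_certificate     /etc/nginx/tls/partners.crt;  # assumed path
    ssl_certificate_key /etc/nginx/tls/partners.key;  # assumed path

    auth_request /validate;
    error_page 401 = @error401;

    location = /validate {
        internal;
        proxy_pass http://127.0.0.1:9091/validate;
        proxy_set_header Host $http_host;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
    }
    location @error401 {
        return 302 https://vouch.partners.domain.com/login?url=$scheme://$http_host$request_uri;
    }
    location / { proxy_pass http://127.0.0.1:8080; }  # the site (assumed)
}
```

The two login hostnames need their own server blocks proxying to the matching VP instance, and the application should not be reachable except through these two servers.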

Great, thanks for the reply Benjamin, I'll look into your suggestions.

Cheers,
Dave