How to Restrict Username/Password Login to a Single ‘Break Glass’ User in FusionAuth
-
We are using Simple Themes and want to have only federated logins (e.g. Google, SSO) for all humans. However, we also want to have a 'break glass' user that can log in with username/password in the case of emergency situations. We want to make sure that no users other than this break glass user are able to use username/password. In an ideal circumstance, the username/password wouldn't even show up except for the break glass user, perhaps even a different URL. Any ideas for how we can do this?
-
Having only one user be able to log in with username/password is relatively straightforward with FusionAuth. You could use a Login Validation Lambda or a transactional user.login.success Webhook to check the authentication type on each login, which will tell you whether they are logging in via a specific Identity Provider or with a password, and then stop users from logging in based on that criterion. Then set it up so that only the break glass user is able to log in with a password.
The slightly trickier part here is only having the username/password field show up for that user. The only way to accomplish this with Simple Themes would be to have managed domains set up such that all normal users are directed to IdPs but the break glass user is on a separate domain so they get to see the login page. With managed domains, the login field changes to just an email address for the first step. Then it will check the user's email address against the domains you have set up for specific IdPs, and if they match an IdP the user is directed straight to that IdP. Any user with a domain that does not match gets sent to the regular email/password login page.
-
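As an added example (not code from the thread above or from FusionAuth itself), here is what the Login Validation Lambda approach from the answer can look like. It assumes the lambda signature `validate(result, user, registration, context)`, that `context.authenticationType` is the string `'PASSWORD'` for username/password logins, and that pushing an entry onto `result.errors.generalErrors` rejects the attempt; check those names against the FusionAuth lambda documentation for your version. The break glass address and the `newResult`/`decide` helpers are constructed here only so the lambda can be exercised outside FusionAuth.

```javascript
// Allowlist of accounts that may authenticate with a password.
// Constructed placeholder: replace with your real break glass account.
const BREAK_GLASS_EMAILS = ['breakglass@example.com'];

// FusionAuth Login Validation lambda (assumed signature; see lead-in).
// Federated logins (Google, SAML, OIDC, ...) are never blocked here;
// only password logins are checked against the allowlist.
function validate(result, user, registration, context) {
  if (context.authenticationType !== 'PASSWORD') {
    return; // not a password login, nothing to restrict
  }

  // Normalise case so 'BreakGlass@Example.com' matches the allowlist.
  const email = (user.email || '').toLowerCase();
  if (BREAK_GLASS_EMAILS.indexOf(email) !== -1) {
    return; // the break glass user is allowed to use a password
  }

  // A general error makes FusionAuth reject the login; the message is
  // what the user sees on the login page.
  result.errors.generalErrors.push({
    code: '[PasswordLoginDisabled]',
    message: 'Password login is disabled for this account; sign in with your identity provider.'
  });
}

// --- Test harness, constructed for this example; not part of FusionAuth's API ---

// Builds the shape of the `result` object the lambda is assumed to receive.
function newResult() {
  return { errors: { generalErrors: [], fieldErrors: {} } };
}

// Runs the lambda for one simulated login and reports 'allow' or 'deny'.
function decide(email, authenticationType) {
  const result = newResult();
  validate(result, { email: email }, {}, { authenticationType: authenticationType });
  return result.errors.generalErrors.length === 0 ? 'allow' : 'deny';
}

// Example runs:
//   decide('breakglass@example.com', 'PASSWORD') -> 'allow'
//   decide('alice@example.com', 'PASSWORD')      -> 'deny'
//   decide('alice@example.com', 'GOOGLE')        -> 'allow'
```

Only the `validate` function (and the allowlist constant) would be pasted into the FusionAuth lambda; the harness below it exists so the decision logic can be unit tested before it is assigned to the application. Matching on the user's email rather than a display name means an ordinary user cannot opt into password login by renaming themselves, and the default branch denies, so any authentication type you did not anticipate still cannot slip through as a password login.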