Different default SSO organization based on Domain

Hello,

currently I am using awesome Google Apps + Duo SSO for managing access to internal network to employees.

Now, we are hiring contractors, which will use domain ext.something.com instead of something.com. I have created a new Pritunl Organization with different routes for contractors, but I want to have same SSO 2FA security. Right now, if I add another Google Apps Domain (ext.something.com) into Pritunl, it will use default SSO Organization.

But that is not what I need. I need to somehow force new SSO signups to use different orgs based on the domain name.

What is the best way to do that?

I would be OK manually registering people into another org, but then they would use PIN auth instead of SSO + 2FA.

Thanks!

Users are added to organizations if the user has a Google Workspace group name that matches an existing organization name. When manually adding users the user type must be changed in the advanced user settings.