Admins (and eventually everyone) needs to be able to login.
I do not want to maintain my own username/password database and want to use a third party provider.
I found Hellō which looks like a good fit from a product and a philosophy perspective. It could also be useful for validating identities with the different providers without having to integrate with them directly.
My current thinking is that users should be separate from identities, so a user could have zero or one or multiple identities, and an identity can have no users (if it was added by admin).
However, a “person” (vs “organization”) identity should be limited to a single user. Though I’m not sure if this should be enforced at the database level.
Additionally, every login should be logged.