Account linking

If you offer multiple login options, customers will most likely use more than one of them to access your apps, e.g. social login alongside your local login.

Even if customers use more than one login provider to access your applications, they’d rather manage a single account instead of multiple ones. Account linking allows customers to link their social identities to a local account they’ve already registered with your brand. This way, customers can take care of fewer accounts, and you don’t have to store more customer identities than necessary.

Account linking customer experience

📘

You can switch on Account linking in the self-service policy settings to enable this feature.

Requirements

There are a few requirements for account linking to take effect:

Identity store related

Email identifier support

Account linking works by matching the social identity's email address to a local Strivacity account's email address. The identity store in use needs to support email identifiers.

🚧

Account linking does not work with username-only identity stores.

Account related

Registration

Account linking occurs at social registration. Existing social accounts can't be linked to an existing or new local account.

Local account

Account linking connects a new social identity to an existing local self-service account.

🚧

Account linking doesn't link new accounts to existing social accounts.

Verified local account

Account linking only takes place if a local account's email is verified.

Verified account email

An email is verified if the registration flow has been successfully completed—including, for example, identity verification—and the account has an authenticator enrolled at the end—either password or MFA. If there is no activation step, then the email gets a verified status in this case.

Account activation

If account activation applies, the activation link sent to the provided email address must be confirmed to verify the email address.

Organization related

  • Organizational accounts: Account linking looks for a possible match inside a specific organization. Local accounts that the customer has in other organizations won't be affected.
  • Simple accounts: Account linking can also handle social identity matching for local accounts that don't belong to any organization. In this case, account linking will scan the non-organizational part of the identity store.

Account linking in practice

In some cases, it might not be obvious at first why account linking does or doesn't set off. The common scenarios below explain when account linking sets off and why.

Base organization

Base organizations affect the course of account linking.

Application clients can have base organizations configured. Base organizations close off a chunk of the organizational hierarchy and restrict the use of a client for organizations of that extracted part. When using social login through such clients, customers are automatically routed to the next available organization.

The "next available" organization through a client that has a base organization configured depends on the application type:

| Application type | Client | Access |
|---|---|---|
| Hybrid | Base organization with child organizations | for members of the base and child organizations |
| Hybrid | Base organization without child organizations | for members of the base organization |
| Organization-only | Base organization with child organizations | for members of the child organizations only |
| Organization-only | Base organization without child organizations | no access possible |
| Simple | Base organization with child organizations | for members of the base organization only |
| Simple | Base organization without child organizations | for members of the base organization only |

Account linking automatically looks for a match inside the "next available" organization when registration is initiated without any route specified.

Scenario: In case of a hybrid client, social registration takes place in the base organization, because that's the first available organization option. If the customer has a local account in that specific organization, account linking will set off. If there's no existing account, a new social account will be created in the organization.

Account linking in child organizations (where applicable) can happen after routing to the specific organizations.

Hybrid applications

Hybrid applications can harbor both organizations and individual accounts. Organizations segment a subset of customer identities inside the identity store, while individual accounts are stored directly in the identity store, in the "non-organizational" compartment.

Account linking will execute differently depending on whether there's a base organization configured for the client or not:

  • With a base organization
    • Account linking activates for local accounts inside the base organization. In further organizations, linking will set off after routing to the specific organization.
    • Account linking won't activate if a customer with a local non-organizational account tries to register their social identity through a hybrid application with a base organization configured. Account linking always looks at the base organization first if configured.
  • Without a base organization: This is the only time when local non-organizational accounts could be linked at social identity registration. If the hybrid application's client doesn't have a base organization configured, account linking will look for the next best thing, which is the non-organizational segment of the identity store.

Simple applications

In the case of non-organizational accounts, account linking will look for a match in the non-organization part of the identity store if the customer is accessing a simple application.
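
The requirements and the hybrid and simple scenarios above can be read as one decision procedure. The following Python sketch is an added illustration, not Strivacity code: the names `LocalAccount`, `search_scope` and `linking_decision`, the reason strings, the exact-match email comparison and the sample store are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class LocalAccount:
    email: str
    email_verified: bool
    org: Optional[str]  # None = non-organizational part of the identity store

def search_scope(base_org: Optional[str], routed_org: Optional[str]) -> Optional[str]:
    """Where a match is looked for: the organization the customer was routed
    to, else the client's base organization, else the non-organizational
    segment (None)."""
    return routed_org or base_org

def linking_decision(accounts, social_email, *, store_supports_email=True,
                     new_social_identity=True, base_org=None, routed_org=None):
    """Return (matched_account_or_None, reason) for one social registration."""
    if not store_supports_email:
        return None, "username-only identity store"
    if not new_social_identity:
        return None, "existing social accounts can't be linked"
    scope = search_scope(base_org, routed_org)
    for acct in accounts:
        # Assumption: plain string equality; the page does not describe
        # how email addresses are normalized before matching.
        if acct.org == scope and acct.email == social_email:
            if not acct.email_verified:
                return None, "local email not verified"
            return acct, "link offered"
    return None, "no local account in scope"

# Constructed sample identity store (not real data).
STORE = [
    LocalAccount("ana@example.com", True, "acme"),
    LocalAccount("ben@example.com", True, None),
    LocalAccount("cho@example.com", False, "acme"),
    LocalAccount("dee@example.com", True, "acme-emea"),
]

if __name__ == "__main__":
    for email, kwargs in [
        ("ana@example.com", {"base_org": "acme"}),
        ("ben@example.com", {"base_org": "acme"}),   # non-org account, base org set
        ("ben@example.com", {}),                     # no base organization
        ("cho@example.com", {"base_org": "acme"}),   # unverified local email
        ("dee@example.com", {"base_org": "acme", "routed_org": "acme-emea"}),
    ]:
        print(email, kwargs, "->", linking_decision(STORE, email, **kwargs)[1])
```

The unverified case is the one to watch when reviewing a deployment: the verified-email requirement is what keeps a local account registered with an address its owner never confirmed from being matched to a social identity that carries the same address.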

Self-service registration

If self-service registration is disabled for organizations, and account linking sets off, the following error will show to customers who choose NOT to link their social accounts with their detected local account:

Account registration error

📘

This can happen when a customer tries to log in to their organization with a new social identity for the first time. If the customer chooses not to link their social to their local account, the next step is to register the new social identity. However, if self-service registration has been disabled for the organization, the error occurs.