If you offer multiple login options, customers will most likely log in to your apps in more than one way, e.g. they could use social login alongside your local login.
Even if customers use more than one login provider to access your applications, they’d rather manage a single account instead of multiple ones. Account linking allows customers to link their social identities to a local account they’ve already registered with your brand. This way, customers can take care of fewer accounts, and you don’t have to store more customer identities than necessary.
You can switch on Account linking in the self-service policy settings to enable this feature.
There are a few requirements for account linking to take effect:
Account linking works by matching the social identity's email address to a local Strivacity account's email address. The identity store in use needs to support email identifiers.
Account linking does not work with username-only identity stores.
Account linking occurs at social registration. Existing social accounts can't be linked to an existing or new local account.
Account linking connects a new social identity to an existing local self-service account.
Account linking doesn't link new accounts to existing social accounts.
Account linking only takes place if a local account's email is verified.
An email is verified if the registration flow has been successfully completed—including, for example, identity verification—and the account has an authenticator enrolled at the end—either password or MFA. If there is no activation step, the email gets a verified status.
Account activation: If account activation applies, the activation link sent to the provided email address must be confirmed to verify the email address.
- Organizational accounts: Account linking looks for a possible match inside a specific organization. Local accounts that the customer has in other organizations won't be affected.
- Simple accounts: Account linking can also handle social identity matching for local accounts that don't belong to any organization. In this case, account linking will scan the non-organizational part of the identity store.
In some cases, it might not be obvious at first why account linking is or isn't triggered. Here are some common scenarios that will help you navigate the hows and whys of account linking.
Base organizations affect the course of account linking.
Application clients can have base organizations configured. A base organization closes off a part of the organizational hierarchy and restricts the use of the client to the organizations in that part. When using social login through such clients, customers are automatically routed to the next available organization.
The "next available" organization through a client that has a base organization configured depends on the application type:
| Application type | Base organization setup | Client access |
|---|---|---|
| Hybrid | Base organization with child organizations | for members of the base and child organizations |
| Hybrid | Base organization without child organizations | for members of the base organization |
| Organization-only | Base organization with child organizations | for members of the child organizations only |
| Organization-only | Base organization without child organizations | no access possible |
| Simple | Base organization with child organizations | for members of the base organization only |
| Simple | Base organization without child organizations | for members of the base organization only |
Account linking automatically looks for a match inside the "next available" organization when registration is initiated without any route specified.
Scenario: In the case of a hybrid client, social registration takes place in the base organization, because that's the first available organization option. If the customer has a local account in that specific organization, account linking will be triggered. If there's no existing account, a new social account will be created in the organization.
Account linking in child organizations (where applicable) can happen after routing to the specific organizations.
Hybrid applications can harbor both organizations and individual accounts. Organizations segment a subset of customer identities inside the identity store, while individual accounts are stored directly in the identity store, in the "non-organizational" compartment.
Account linking will execute differently depending on whether there's a base organization configured for the client or not:
- With a base organization
- Account linking activates for local accounts inside the base organization. In further organizations, linking is triggered after routing to the specific organization.
- Account linking won't activate if a customer with a local non-organizational account tries to register their social identity through a hybrid application with a base organization configured. Account linking always looks at the base organization first if configured.
- Without a base organization: This is the only time when local non-organizational accounts could be linked at social identity registration. If the hybrid application's client doesn't have a base organization configured, account linking will look for the next best thing, which is the non-organizational segment of the identity store.
In the case of non-organizational accounts, account linking will look for a match in the non-organization part of the identity store if the customer is accessing a simple application.
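The requirements and scoping rules above can be read as a small decision procedure. The following Python sketch is an added illustration, not Strivacity code: all names (`Client`, `LocalAccount`, `search_scope`, `linking_decision`) are hypothetical, the sample accounts are constructed, and it models hybrid and simple clients only.

```python
from dataclasses import dataclass
from typing import Optional

NON_ORG = None  # the non-organizational part of the identity store

@dataclass(frozen=True)
class LocalAccount:
    email: str
    org: Optional[str]   # None = non-organizational account
    email_verified: bool

@dataclass(frozen=True)
class Client:
    app_type: str        # "hybrid" or "simple"
    base_org: Optional[str] = None

def search_scope(client, routed_org=None):
    # Routed organization first, then the base organization, then non-org.
    if client.app_type not in ("hybrid", "simple"):
        raise ValueError("only hybrid and simple clients are modelled")
    if routed_org is not None:
        return routed_org
    return client.base_org if client.base_org is not None else NON_ORG

def linking_decision(client, social_email, accounts, *, linking_enabled=True,
                     store_has_email_ids=True, social_identity_is_new=True,
                     routed_org=None):
    """Return (outcome, reason) for one social login attempt."""
    if not linking_enabled:
        return ("no_link", "account linking is switched off in the policy")
    if not store_has_email_ids:
        return ("no_link", "identity store has no email identifiers")
    if not social_identity_is_new:
        return ("no_link", "linking only happens at social registration")
    scope = search_scope(client, routed_org)
    for acct in accounts:
        # Assumption: addresses are compared case-insensitively.
        if acct.org == scope and acct.email.lower() == social_email.lower():
            if acct.email_verified:
                return ("offer_link", f"verified local account in scope {scope!r}")
            return ("no_link", "matching local account's email is not verified")
    return ("no_link", f"no local account with this email in scope {scope!r}")

# Constructed sample accounts.
ACCOUNTS = [
    LocalAccount("ana@example.com", None, True),
    LocalAccount("ben@example.com", "acme", True),
    LocalAccount("cy@example.com", "acme", False),
]
```

With these accounts, `ana@example.com` (a non-organizational account) is offered linking through a hybrid client without a base organization, but not through one whose base organization is `acme`.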
If self-service registration is disabled for organizations and account linking is triggered, the following error is shown to customers who choose NOT to link their social accounts with their detected local account:
This can happen when a customer tries to log in to their organization with a new social identity for the first time. If the customer chooses not to link their social to their local account, the next step is to register the new social identity. However, if self-service registration has been disabled for the organization, the error occurs.