{"id":4042,"date":"2025-06-04T17:01:26","date_gmt":"2025-06-04T16:01:26","guid":{"rendered":"https:\/\/discovery.cevolution.co.uk\/ciam\/?p=4042"},"modified":"2026-03-27T04:21:16","modified_gmt":"2026-03-27T04:21:16","slug":"why-account-linking-should-be-pivotal-in-your-ciam-sso-integration","status":"publish","type":"post","link":"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/06\/04\/why-account-linking-should-be-pivotal-in-your-ciam-sso-integration\/","title":{"rendered":"Why Account Linking Should Be Pivotal in your CIAM SSO"},"content":{"rendered":"<span class=\"span-reading-time rt-reading-time\" style=\"display: block;\"><span class=\"rt-label rt-prefix\">Reading Time: <\/span> <span class=\"rt-time\"> 11<\/span> <span class=\"rt-label rt-postfix\">minutes<\/span><\/span>\n<p>Leveraging <span class=\"popup-trigger popmake-397\" data-popup-id=\"397\" data-do-default=\"0\">SSO<\/span> (a.k.a. Single Sign On) as part of a CIAM integration provides significant benefits when it comes to building your SaaS solution. 
From user convenience, rich user profiling, and attack protection provided by the <span class=\"popup-trigger popmake-523\" data-popup-id=\"523\" data-do-default=\"0\">Social<\/span> authentication mechanisms, to the business benefits that (Enterprise) <a data-type=\"page\" data-id=\"1136\" href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/authenticate\/login\/federation\/\" target=\"_blank\" rel=\"noreferrer noopener\">Federation<\/a> provides in <span class=\"popup-trigger popmake-418\" data-popup-id=\"418\" data-do-default=\"0\">B2B<\/span> scenarios, SSO gives your customers the sort of seamless experience I\u2019ve talked about previously in videos such as <em><a href=\"https:\/\/youtu.be\/SvbZ4KgZiAo\" target=\"_blank\" rel=\"noreferrer noopener\">Be More Social With Your CIAM Integration<\/a><\/em>, <em><a href=\"https:\/\/youtu.be\/MQkF9cWYokc\">Vibe Coding Authentication via Authorization Code Flow<\/a><\/em>, and of course my article:<\/p>\n\n\n\n<div class=\"wp-block-group is-content-justification-center is-nowrap is-layout-flex wp-container-core-group-is-layout-23441af8 wp-block-group-is-layout-flex\">\n<figure class=\"wp-block-embed is-type-wp-embed is-provider-discover-ciam wp-block-embed-discover-ciam\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"3b6IzwRGJN\"><a href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/03\/05\/the-benefits-of-single-sign-on-sso\/\">The Benefits of SSO in a CIAM Integration<\/a><\/blockquote><iframe loading=\"lazy\" class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; visibility: hidden;\" title=\"&#8220;The Benefits of SSO in a CIAM Integration&#8221; &#8212; Discover CIAM\" src=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/03\/05\/the-benefits-of-single-sign-on-sso\/embed\/#?secret=aYS003Bpvv#?secret=3b6IzwRGJN\" data-secret=\"3b6IzwRGJN\" width=\"500\" height=\"282\" frameborder=\"0\" marginwidth=\"0\" 
marginheight=\"0\" scrolling=\"no\"><\/iframe>\n<\/div><\/figure>\n<\/div>\n\n\n\n<p>In each of those previous publications, I\u2019ve touched on the topic of <span class=\"popup-trigger popmake-2232\" data-popup-id=\"2232\" data-do-default=\"0\">Account Linking<\/span> \u2014 arguably, one of the most transformative yet underappreciated capabilities in a customer identity context, particularly when it comes to <span class=\"popup-trigger popmake-397\" data-popup-id=\"397\" data-do-default=\"0\">SSO<\/span>. <\/p>\n\n\n\n<p>My name\u2019s <span class=\"popup-trigger popmake-378\" data-popup-id=\"378\" data-do-default=\"0\">Peter Fernandez<\/span>, and in this article, I\u2019m going to show you why and how Account Linking plays a pivotal role, why you need to leverage it as part of your CIAM integration, and why the process of linking accounts is best handled by the third-party (SaaS) CIAM solution with which you integrate.<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-0404e5f131265c4f36c22ec7ed0dec02 is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>Whilst Account Linking is arguably more relatable in <span class=\"popup-trigger popmake-523\" data-popup-id=\"523\" data-do-default=\"0\">Social <\/span>authentication scenarios, it can be extremely beneficial in Enterprise Federation use cases as well \u2014<\/em> <em>particularly where a user has multiple subscriptions in the context of a B2B SaaS solution, and\/or Social is being used as a password-free approach to subscription signup. 
<\/em><\/p>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\" id=\"whatisaccountlinking\">What is Account Linking?<\/h2>\n\n\n<p>In a nutshell, account linking refers to the process of connecting the <strong>multiple identities<\/strong> belonging to the same person across various systems, platforms, and identity providers (IdPs), thus mitigating <strong>identity fragmentation<\/strong>.<\/p>\n\n\n\n<p>What do I mean by multiple identities and identity fragmentation? Well, consider, for example, how a user may have implicitly signed up using their Google account, say, and then later they log in using their LinkedIn, GitHub or even Facebook account. Without account linking, each of those would typically present as an individual, unique and distinct user to your <span class=\"popup-trigger popmake-2946\" data-popup-id=\"2946\" data-do-default=\"0\">SaaS<\/span> solution, leading to confusion and disconnection from a user perspective:<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-fd490101b49badf06fd1679772f08973 is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>In certain scenarios, temporary Account Linking between non-related identities is also beneficial, however, that&#8217;s a topic for a different discussion. 
<\/em><\/p>\n<\/div>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Inconsistent and de-personalised experiences<\/li>\n\n\n\n<li>Fragmented view of a customer<\/li>\n\n\n\n<li>Duplication of user records<\/li>\n\n\n\n<li>Weakening of security controls<\/li>\n<\/ul>\n\n\n<h3 class=\"wp-block-heading\" id=\"common-use-cases\">Common Use Cases<\/h3>\n\n\n<p>Implementing account linking thoughtfully \u2014 balancing user control, privacy, and business value \u2014 will invariably unlock richer insights and stronger relationships with customers; seeing and serving the customer as a whole, no matter how they choose to connect:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Multiple Identity Providers<\/strong>. Many third-party (SaaS) CIAM integrations support more than one <span class=\"popup-trigger popmake-3363\" data-popup-id=\"3363\" data-do-default=\"0\">upstream IdP<\/span> out of the box \u2014 i.e. multiple <span class=\"popup-trigger popmake-523\" data-popup-id=\"523\" data-do-default=\"0\">Social<\/span> logins (e.g., Google, Facebook) in addition to (Enterprise) <a data-type=\"page\" data-id=\"1136\" href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/authenticate\/login\/federation\/\" target=\"_blank\" rel=\"noreferrer noopener\">Federation<\/a>. 
A user might first log in via Facebook and later via their Microsoft or Google account, say; without account linking, your SaaS solution will see two users, but with linking, it sees the same person.<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-553b2e9e2805b46835bac4b22ea70aff is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>Upstream IdPs have been known to lock\/revoke people&#8217;s accounts without warning \u2014 often with no appeal and no help getting that decision overturned. If they&#8217;re the sole provider for credential authentication, then the user account is effectively gone; account linking mitigates this by allowing your CIAM integration to support multiple identity providers.<\/em><\/p>\n<\/div>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Mergers and Acquisitions<\/strong>. When companies merge, they may need to unify user bases from different identity systems. Account linking can reconcile duplicate accounts and maintain continuity for users.<\/li>\n\n\n\n<li><strong>Multiple Brands or Products<\/strong>. 
Companies with multiple brands (e.g., automotive, travel, or media conglomerates, say) may have users who create accounts on different brand platforms, but SSO combined with account linking ensures a unified brand experience.<\/li>\n<\/ul>\n\n\n<h2 class=\"wp-block-heading\" id=\"why-is-account-linking-important\">Why is Account Linking Important?<\/h2>\n\n\n<p>As a rule, there is a 1:1 correlation between a user identity and their account; by default, most identity provision works on the basis that every user has exactly one account. An account\/user is typically created either explicitly \u2014 i.e. via signup or via some management dashboard\/API process \u2014 or implicitly when login occurs via some <span class=\"popup-trigger popmake-3363\" data-popup-id=\"3363\" data-do-default=\"0\">upstream IdP<\/span> (such as a <span class=\"popup-trigger popmake-523\" data-popup-id=\"523\" data-do-default=\"0\">Social<\/span> or Federation connection).<\/p>\n\n\n\n<p>If you only ever use one login method (as part of <span class=\"popup-trigger popmake-397 \" data-popup-id=\"397\" data-do-default=\"0\">SSO<\/span>) \u2014 i.e. UserID and Password, say \u2014 then on the face of it, you don&#8217;t need to link accounts, right? 
Well, that is true to an extent, but not in all use cases.<\/p>\n\n\n\n<p>Besides, if you&#8217;re only leveraging UserID and Password, you&#8217;re missing out on the opportunities provided by the likes of <span class=\"popup-trigger popmake-523\" data-popup-id=\"523\" data-do-default=\"0\">Social,<\/span> <a data-type=\"page\" data-id=\"1149\" href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/authenticate\/login\/passwordless\/\" target=\"_blank\" rel=\"noreferrer noopener\">passwordless<\/a> or password-free workflows, and for <span class=\"popup-trigger popmake-418\" data-popup-id=\"418\" data-do-default=\"0\">B2B<\/span> SaaS solutions, you will lack the competitive value provided by Enterprise <a data-type=\"page\" data-id=\"1136\" href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/authenticate\/login\/federation\/\" target=\"_blank\" rel=\"noreferrer noopener\">Federation<\/a>.<\/p>\n\n\n\n<div class=\"wp-block-group is-content-justification-center is-nowrap is-layout-flex wp-container-core-group-is-layout-23441af8 wp-block-group-is-layout-flex\">\n<figure class=\"wp-block-embed is-type-wp-embed is-provider-discover-ciam wp-block-embed-discover-ciam\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"AokGeGnewA\"><a href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/03\/12\/social-authentication-for-customer-identity-and-access-management\/\">Social Authentication for Customer Identity and Access Management<\/a><\/blockquote><iframe loading=\"lazy\" class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; visibility: hidden;\" title=\"&#8220;Social Authentication for Customer Identity and Access Management&#8221; &#8212; Discover CIAM\" src=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/03\/12\/social-authentication-for-customer-identity-and-access-management\/embed\/#?secret=QoYbH4mcMI#?secret=AokGeGnewA\" data-secret=\"AokGeGnewA\" width=\"500\" 
height=\"282\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\n<\/div><\/figure>\n<\/div>\n\n\n\n<p>By linking accounts, a 1-to-many relationship is created between a user identity and their related accounts. Users don\u2019t have to remember which <span class=\"popup-trigger popmake-1437\" data-popup-id=\"1437\" data-do-default=\"0\">login<\/span> method(s) they used, as account linking ensures that all accounts related to the user are seamlessly connected \u2014 by implication, your SaaS solution automatically recognises any related login as belonging to the same person.<\/p>\n\n\n\n<p>A SaaS solution can then utilise the unified user account and offer consistent experiences no matter what mechanism a customer uses to validate their credentials:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Consistent Personalisation<\/strong>: When customer data is unified, tailored content, recommendations, and services can be offered regardless of how or where a user logs in.<\/li>\n\n\n\n<li><strong>Elimination of Duplication<\/strong>: Without account linking, multiple accounts are unknowingly created, leading to confusion and loss of saved preferences or history.<\/li>\n\n\n\n<li><strong>Smooth Onboarding and Cross-App Transitions<\/strong>: In SaaS solutions leveraging multiple services, a linked account allows users to move between these seamlessly without disruption.<\/li>\n<\/ul>\n\n\n\n<p>Account linking also ensures that customer data is not siloed across services, enabling deeper insights and more effective decision-making: if a user is recognised consistently, no matter how they log in \u2014 or to whichever application\/service that&#8217;s part of your SaaS solution \u2014 then fragmentation of the metrics obtained about a customer is mitigated, making it easier to track and measure behaviour.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>360-Degree Customer View<\/strong>: A holistic understanding of customer 
behaviour can be obtained across different touchpoints, devices, and login methods.<\/li>\n\n\n\n<li><strong>Improved Analytics and Reporting<\/strong>: Unified data supports better segmentation, campaign effectiveness tracking, and journey analysis.<\/li>\n\n\n\n<li><strong>Data-Driven Personalisation<\/strong>: Personalised marketing and product recommendations rely on comprehensive user profiles, which are made possible through account linking.<\/li>\n<\/ul>\n\n\n\n<p>From a security perspective, account linking also helps to enforce consistent authentication and authorization rules across a SaaS solution, improving the overall security posture. Fewer accounts mean fewer opportunities for attackers to exploit credential weaknesses to gain unauthorised access, and with linked accounts, unusual behaviour \u2014 e.g., a sudden change in login method or location \u2014 can be flagged more accurately.<\/p>\n\n\n\n<p>Security from an account linking perspective will also typically involve some form of identity verification, which reduces the risk of impersonation or account takeover, and I&#8217;ll be discussing this more in the section <a href=\"#howtolink\">below<\/a>.<\/p>\n\n\n<h3 class=\"wp-block-heading\" id=\"consistency\">Consistent Customer Identification<\/h3>\n\n\n<p>Let me elaborate. 
In a CIAM-integrated SaaS solution, a customer account is usually referenced by some unique and consistent identifier; I&#8217;ll talk more later about how that identifier is generated and what it might look like.<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-06be9217483a94fa2f1f789a750d4bea is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>In his follow-up <a href=\"https:\/\/ciamweekly.substack.com\/p\/account-linking\" target=\"_blank\" rel=\"noopener\" title=\"\">Account Linking<\/a> article, <a href=\"https:\/\/www.linkedin.com\/in\/mooreds\/\" target=\"_blank\" rel=\"noopener\" title=\"\">Dan Moore<\/a> highlighted a particular case where a bespoke CIAM implementation in <a href=\"https:\/\/www.redhat.com\/en\/technologies\/cloud-computing\/openshift\" target=\"_blank\" rel=\"noopener\" title=\"\">OpenShift<\/a> broke identifier consistency (see <a href=\"https:\/\/gitlab.com\/gitlab-org\/gitlab-foss\/-\/issues\/47791\" target=\"_blank\" rel=\"noopener\" title=\"\">here<\/a>). Beware if your third-party (SaaS) CIAM does something similar!<\/em><\/p>\n<\/div>\n\n\n\n<p>For now, it&#8217;s enough to know that whilst such an identifier is not necessarily designed to replace any account identifier(s) already in use by any specific aspect of the SaaS solution (i.e. any particular application or service), it is certainly meant to augment them.<\/p>\n\n\n\n<p>It essentially provides an overarching, consistent identification of a user account \u2014 and by implication, a user \u2014 across all applications in your SaaS solution. 
Importantly, it is also designed to be opaque: as a best practice, such an identifier should never expose user PII in any form.<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-c7977be4b637015b33c29166fc5e0346 is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>User identifiers generated by Keycloak, for example, are typically expressed in GUID-like notation as a completely opaque value. This isn&#8217;t necessarily true of all third-party (SaaS) CIAM solutions.<\/em><\/p>\n<\/div>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large has-custom-border\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"519\" src=\"https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/06\/04144136\/image-2-1024x519.png\" alt=\"\" class=\"wp-image-4183\" style=\"border-width:1px;border-radius:10px;box-shadow:var(--wp--preset--shadow--natural)\" srcset=\"https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/06\/04144136\/image-2-1024x519.png 1024w, https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/06\/04144136\/image-2-300x152.png 300w, https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/06\/04144136\/image-2-768x389.png 768w, https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/06\/04144136\/image-2-1536x778.png 1536w, https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/06\/04144136\/image-2-2048x1038.png 2048w\" sizes=\"auto, (max-width: 
1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Screenshot from the Keycloak IdP Dashboard<\/em><\/figcaption><\/figure>\n\n\n\n<p>By way of example, the screenshot above shows the user record generated by the Keycloak <span class=\"popup-trigger popmake-415\" data-popup-id=\"415\" data-do-default=\"0\">IdP<\/span>, for me, as a customer of the B2B SaaS solution I&#8217;m building \u2014 <em><a href=\"https:\/\/theatricalpa.com\" target=\"_blank\" rel=\"noopener\" title=\"\">TheatricalPA<\/a><\/em>; a Production Management solution for theatrical stage shows, cooked by WOK (<em><a href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/wordpress-openfga-and-keycloak\/\">WordPress, OpenFGA and Keycloak<\/a><\/em>) \u2014 and I&#8217;ve highlighted the user identifier assigned.<\/p>\n\n\n\n<p>The next screenshot, below, shows the account record generated for me, as a user, in WordPress (which has its own WordPress <code>user_id<\/code> account identifier) and where data from the IdP (Keycloak) has been attached as WordPress metadata. Again, I&#8217;ve highlighted the <code>sub<\/code> claim from the <code>id_token<\/code> as the identifier from above, and I&#8217;ve also shown the data record as it appears in the database so that you can see the specific details.<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-272e2d880b2dcc1d2a1021f0136d18f4 is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>How reflection against any existing identifier is achieved is entirely up to you \u2014 making an association via metadata on some existing user record, as is the case here, typically works well. 
<\/em><\/p>\n<\/div>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large has-custom-border\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"546\" src=\"https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/06\/04145004\/image-3-1024x546.png\" alt=\"\" class=\"wp-image-4184\" style=\"border-width:1px;border-radius:10px;box-shadow:var(--wp--preset--shadow--natural)\" srcset=\"https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/06\/04145004\/image-3-1024x546.png 1024w, https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/06\/04145004\/image-3-300x160.png 300w, https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/06\/04145004\/image-3-768x410.png 768w, https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/06\/04145004\/image-3-1536x820.png 1536w, https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/06\/04145004\/image-3-2048x1093.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>MySQL dashboard screenshot of WordPress DB<\/em><\/figcaption><\/figure>\n\n\n\n<p>In contrast, this last screenshot shows an example relationship created in OpenFGA \u2014 i.e. a <span class=\"popup-trigger popmake-2333\" data-popup-id=\"2333\" data-do-default=\"0\">ReBAC<\/span> modelled definition \u2014 for me as a participant in a fictitious stage production; again highlighting the identifier for me as a user. <\/p>\n\n\n\n<p>Note how <code>9e287646-7e43-45e6-ad82-cc138e1deaae<\/code> is common across all three definitions as the unique identifier tying together all the records associated with me, the user, irrespective of any additional application-specific account ID(s) (e.g. 
the <code>user_id<\/code> identifier that WordPress also employs):<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large has-custom-border\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"566\" src=\"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-content\/uploads\/sites\/22\/2025\/06\/image-1024x566.png\" alt=\"\" class=\"wp-image-4186\" style=\"border-width:1px;border-radius:10px;box-shadow:var(--wp--preset--shadow--natural)\" srcset=\"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-content\/uploads\/sites\/22\/2025\/06\/image-1024x566.png 1024w, https:\/\/discovery.cevolution.co.uk\/ciam\/wp-content\/uploads\/sites\/22\/2025\/06\/image-300x166.png 300w, https:\/\/discovery.cevolution.co.uk\/ciam\/wp-content\/uploads\/sites\/22\/2025\/06\/image-768x425.png 768w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>OpenFGA relationship visualisation<\/em><\/figcaption><\/figure>\n\n\n\n<p><strong>The problem<\/strong> arises when the same user chooses to use a different login method, either intentionally or accidentally. They will, by default, essentially appear to the IdP (Keycloak) as a completely separate user: in the default 1:1 correlation, a new login via a new Social or Federation account, say, automatically creates a new user and, by implication, a new account.<\/p>\n\n\n\n<p>If we now revisit the above and I choose a different login method, then without the ability to link accounts things change significantly:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Keycloak<\/strong> generates a new user\/account, so the associated identifier is different; I&#8217;m essentially a different user.<\/li>\n\n\n\n<li><strong>WordPress<\/strong> generates an error because, typically, an attempt will be made to create a new user with an email address that already exists in its system. 
As described below, account linking will often use email as a recognised mechanism for identity resolution, and as per <a href=\"https:\/\/wordpress.com\/support\/account-settings\/#email-address\" target=\"_blank\" rel=\"noreferrer noopener\">the official WordPress documentation<\/a>, &#8220;<em>&#8230;Each WordPress.com account must have a unique email address, and email addresses cannot be shared among accounts. That is, one email address cannot be registered with multiple accounts&#8230;<\/em>&#8221;\n<ul class=\"wp-block-list\">\n<li>A mandatory requirement for unique email addresses is not uncommon, and when using third-party applications\/systems as part of your SaaS solution, you may have little choice but to comply with the way they work.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>OpenFGA<\/strong> definitions no longer apply, because they&#8217;re effectively associated with a completely different user. This means that any access privileges provided through the relationships defined will no longer apply either.<\/li>\n<\/ul>\n\n\n<h3 class=\"wp-block-heading\" id=\"omnichannel-experiences\">Omnichannel Experiences<\/h3>\n\n\n<p>Account linking ensures that omnichannel strategies can be effectively executed, regardless of how the user logs in. Customers will, more often than not, interact with your SaaS solution via web, mobile, kiosk, smart TVs, and even voice assistant apps. 
Each of these will typically leverage native account identifiers, and so account linking allows for a continuous identity across these channels:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cross-Device Continuity<\/strong>: A user who adds items to their cart on the mobile app can easily complete checkout from a desktop.<\/li>\n\n\n\n<li><strong>Unified Preferences and Settings<\/strong>: Notification settings, accessibility preferences, and saved items persist across platforms.<\/li>\n\n\n\n<li><strong>Consistent Branding and Interaction<\/strong>: Linked accounts allow for coordinated, personalised touchpoints throughout the customer journey.<\/li>\n<\/ul>\n\n\n<h3 class=\"wp-block-heading\" id=\"compliance-with-privacy-and-data-regulations\">Compliance with Privacy and Data Regulations<\/h3>\n\n\n<p>Data privacy regulations such as GDPR, CCPA, and others require organisations to (a) know what data they hold about individuals and (b) allow individuals to access, correct, or delete that data. 
By mitigating fragmentation, account linking enables organisations to comply with these mandates more easily:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Avoiding Data Duplication<\/strong>: Redundant data from multiple unlinked accounts increases complexity and compliance risk.<\/li>\n\n\n\n<li><strong>Simplifying Data Subject Requests<\/strong>: Linked accounts ensure that when a user requests data deletion or export, all related records are handled appropriately.<\/li>\n\n\n\n<li><strong>Consistent Consent Management<\/strong>: If a user withdraws consent on one channel, account linking ensures this applies across the entire identity ecosystem.<\/li>\n<\/ul>\n\n\n<h2 class=\"wp-block-heading\" id=\"howtolink\">How is Account Linking Achieved?<\/h2>\n\n\n<p>As illustrated in the section <a href=\"#consistency\">above<\/a>, <code>9e287646-7e43-45e6-ad82-cc138e1deaae<\/code> represents the identifier uniquely created for me as a user, and in my case, this identifier was created by the Keycloak IdP when my user was created \u2014 again, in my case, by implicit signup as part of my first login via a <span class=\"popup-trigger popmake-523\" data-popup-id=\"523\" data-do-default=\"0\">Social<\/span> provider. <\/p>\n\n\n\n<p>In a CIAM context, it&#8217;s almost invariably the role of the <span class=\"popup-trigger popmake-415\" data-popup-id=\"415\" data-do-default=\"0\">IdP<\/span> to create the user record and subsequently to generate the unique account identifier associated with it \u2014 whether implicitly or explicitly (i.e. via explicit signup or account creation via some explicit management API call).<\/p>\n\n\n\n<p>Ergo, it makes sense for the <span class=\"popup-trigger popmake-5184\" data-popup-id=\"5184\" data-do-default=\"0\">downstream IdP<\/span> to be responsible for the account linking process, and in a CIAM integration, this is exactly the case. 
The (multiple) applications in a SaaS solution will leverage the centralised identity infrastructure provided by the integrated downstream IdP, so centralised account linking performed by that IdP ensures that all related accounts are consistently recognised as the same user.<\/p>\n\n\n\n<p>The actual mechanics of account linking become the responsibility of the (downstream) IdP, typically resulting in the 1-to-many relationship being maintained and managed within the context of the IdP. Thus, each application can go about its business without concern for user duplication.<\/p>\n\n\n\n<p>However, not all CIAM solutions make Account Linking easy to achieve, which is arguably a key factor in why many developers don\u2019t consider adopting SSO multi-strategy authentication (e.g. adding <span class=\"popup-trigger popmake-523\" data-popup-id=\"523\" data-do-default=\"0\">Social<\/span>) as part of their CIAM integration.<\/p>\n\n\n\n<p>Previously, I came across the following post on LinkedIn, and whilst <a href=\"https:\/\/frontegg.com\/lp\/hp\" target=\"_blank\" rel=\"noreferrer noopener\">Frontegg<\/a> is known for this kind of marketing approach, as a veteran of Okta\/Auth0 it did make me smile \ud83d\ude0a During my time working with the <a href=\"https:\/\/auth0.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Auth0<\/a> platform from Okta, I came to know that much of its power comes from its toolkit-like nature, which allows for integration in some complex scenarios; I often analogised Auth0 to being like a <span class=\"popup-trigger popmake-1185\" data-popup-id=\"1185\" data-do-default=\"0\">CIAM<\/span> toolbox full of CIAM tools.<\/p>\n\n\n\n<div class=\"wp-block-group has-text-align-center has-global-padding is-layout-constrained wp-container-core-group-is-layout-dd602231 wp-block-group-is-layout-constrained\" style=\"margin-top:var(--wp--preset--spacing--30);margin-bottom:0;padding-top:0;padding-right:0;padding-bottom:0;padding-left:0\">\n<iframe 
loading=\"lazy\" src=\"https:\/\/www.linkedin.com\/embed\/feed\/update\/urn:li:share:7289993991301857281\" height=\"948\" width=\"85%\" frameborder=\"0\" allowfullscreen=\"\" title=\"Embedded post\"><\/iframe>\n<\/div>\n\n\n\n<p>I&#8217;m not suggesting Frontegg is any better in the way it provides CIAM workflow solutions, but it&#8217;s certainly true to say that the toolbox approach is not everyone\u2019s cup of tea. <\/p>\n\n\n\n<p>If you\u2019re going to pay a not insignificant sum for a subscription to some third-party CIAM vendor-hosted SaaS solution, you don\u2019t necessarily want to hear \u201c<em>&#8230;yes, you can do that, but you\u2019ll have to build that capability yourself using the tools we provide&#8230;<\/em>\u201d It\u2019s like buying a Range Rover and then being asked to DIY the assembly!<\/p>\n\n\n\n<p>And it&#8217;s particularly true with account linking if you&#8217;re left to deal with the specific security challenges (see <a href=\"#challenges\">below<\/a> for more details) that can lead to account vulnerability!<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-ff61226600de17a11537caf6ad13b56c is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>Auth0 does provide a ready-made <a href=\"https:\/\/auth0.com\/docs\/customize\/extensions\/account-link-extension\" target=\"_blank\" rel=\"noreferrer noopener\">Account Linking Extension<\/a>; however, unlike Keycloak, for example, it doesn&#8217;t provide any out-of-the-box facility for user self-service management of linked account information (which, to be regulatory compliant, means you would need to build that yourself). 
<\/em><\/p>\n<\/div>\n\n\n\n<p>Whilst the ready-made out-of-the-box <a href=\"https:\/\/www.keycloak.org\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Keycloak<\/strong><\/a> solution for account linking isn&#8217;t perfect, as a toolkit-oriented CIAM option for a DIY-based approach (read more in my article <em><a data-type=\"post\" data-id=\"127\" href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/02\/22\/diy-or-buy\/\" target=\"_blank\" rel=\"noreferrer noopener\">Build, Buy or DIY your CIAM Solution<\/a><\/em>), it typically comes at no cost. Being open source, it also lets you augment the default behaviour to provide a more secure experience. Something I will be discussing in a future article \ud83d\ude0e<\/p>\n\n\n<h3 class=\"wp-block-heading\" id=\"alternative-approach\">Alternative Approach<\/h3>\n\n\n<p>One alternative to account linking is for each application to detect a duplicate account and then make multiple associations at the application level, i.e. reflect the 1-to-many relationship within the context of the application. Something I&#8217;ve seen happen, especially where SaaS developers end up struggling with the account linking intricacies posed by their integrated <span class=\"popup-trigger popmake-415 \" data-popup-id=\"415\" data-do-default=\"0\">IdP<\/span> of choice.<\/p>\n\n\n\n<p>However, this is not a recommended course of action: not only is it a costly endeavour, both in terms of development effort and maintenance, but it will almost certainly lead to inconsistency between applications. And invariably, there will be duplication of data. 
<\/p>\n\n\n\n<p>Further, if some leveraged third-party application or service has particular restrictions (such as with my WordPress scenario illustrated <a href=\"#consistency\">above<\/a>), a development team will need to be aware of them and take this into consideration as part of their implementation design.<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-03a35bfa2728d799b88f7b8bdc47df1c is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>Some third-party components, particularly those used in a &#8220;black-box&#8221; manner, may not even allow 1-to-many relationships to be built at their application-specific user (account) level. <\/em><\/p>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\" id=\"challenges\">Challenges<\/h2>\n\n\n<p>Despite its benefits, account linking poses a number of challenges. 
A poorly implemented account linking strategy can introduce vulnerabilities: for example, if a malicious actor can trick the system into linking their account to a potential victim\u2019s, they gain unauthorised access to that victim\u2019s account.<\/p>\n\n\n\n<p>So careful consideration, including strong verification processes and continuous monitoring, is essential to mitigating such risks:<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-0149bacf0494092fdd3f0c2aed2d0364 is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>In some cases, support for automatic, silent account linking may be required based on business needs. However, any such endeavour should be approached with extreme caution and only be employed when all risks have been analysed and understood.<\/em><\/p>\n<\/div>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Identity Resolution<\/strong>. Determining that two accounts belong to the same user is non-trivial. The linking of accounts must balance accuracy with user convenience, typically using the likes of email address matching, coupled with out-of-band verification and optional MFA, to ensure that account linking is safe and secure. An email match on its own proves nothing if the identity provider never verified the address, so a link should only be made when the address is verified on both sides, or once the user has proven control of the existing account (e.g. by signing in to it, completing out-of-band verification, or passing an MFA challenge).<\/li>\n\n\n\n<li><strong>User Consent and Control<\/strong>. Users should be aware when accounts are being linked and must explicitly consent to it. To meet regulatory compliance requirements, amongst other things, the account linking process should:\n<ul class=\"wp-block-list\">\n<li>Provide transparent messaging<\/li>\n\n\n\n<li>Allow users to manage linked accounts<\/li>\n\n\n\n<li>Support unlinking if needed\/required.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Data Reconciliation<\/strong>. 
When linking accounts, any conflict in user data (e.g. different profile pictures or contact info) must be handled, with strategies in place to help maintain a single source of truth:\n<ul class=\"wp-block-list\">\n<li>Prioritise based on trust<\/li>\n\n\n\n<li>Ask users to confirm as part of the linking process<\/li>\n\n\n\n<li>Merge data safely, allowing users to control their linked accounts and understand what data is shared.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Account linking isn&#8217;t just a technical feature, it&#8217;s a strategic capability you&#8217;ll almost certainly want to employ. The ability to recognize and unify customer identities not only offers a competitive advantage, but in an SSO context is a necessity to unlocking the full potential of the user experience, data integrity, personalization, security, and compliance.<\/p>\n","protected":false},"author":1,"featured_media":4173,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"authenticate":"","authentication":"","authenticatedMethod":"","authenticatedMember":"","authorizedPermissions":[],"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":false,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2},"_links_to":"","_links_to_target":""},"categories":[14,7,10],"tags":[75,57,22,28,74],"class_list":["post-4042","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-authentication","category-integration","category-user","tag-account","tag-architecture","tag-ciam","tag-keycloak","tag-user"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/06\/0311
0955\/create-a-highly-detailed-high-resolution-featured-image-for-a-blog-6.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/posts\/4042","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/comments?post=4042"}],"version-history":[{"count":89,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/posts\/4042\/revisions"}],"predecessor-version":[{"id":5535,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/posts\/4042\/revisions\/5535"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/media\/4173"}],"wp:attachment":[{"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/media?parent=4042"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/categories?post=4042"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/tags?post=4042"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
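As an added example (not code from the article, and not from Auth0, Keycloak or Frontegg), the Python below puts the Identity Resolution and Data Reconciliation points of the Challenges section into working code. It places a weak linking policy, which links on a bare email match, beside a hardened one that only links silently when the tenant has opted in, the incoming provider is trusted, and the address is verified on both sides, and otherwise requires the user to prove control of the existing account first. It also shows a trust-ordered profile merge that surfaces conflicting values for user confirmation instead of overwriting them. Provider names, the trust scores, and all sample identities are hypothetical and constructed for the example.

```python
"""Account-linking decision and profile reconciliation (illustrative, hypothetical data)."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    LINK = "link"      # safe to link with no further interaction
    VERIFY = "verify"  # user must first prove control of the existing account
    REJECT = "reject"  # nothing linkable


@dataclass(frozen=True)
class Identity:
    provider: str         # hypothetical names such as "password", "google-oauth2", "saml-acme"
    subject: str          # provider-scoped stable identifier (OIDC "sub" / SAML NameID)
    email: str
    email_verified: bool  # did the provider itself assert the address as verified?


@dataclass
class Account:
    account_id: str
    identities: list[Identity] = field(default_factory=list)


# Assumption: providers the tenant trusts to have genuinely verified an address.
TRUSTED_EMAIL_PROVIDERS = {"google-oauth2", "saml-acme"}
# Assumption: higher score = more trusted source for profile attributes.
PROVIDER_TRUST = {"saml-acme": 3, "google-oauth2": 2, "password": 1}


def normalise_email(email: str) -> str:
    """Domain is case-insensitive; the local part is deliberately left as-is."""
    local, _, domain = email.strip().rpartition("@")
    return f"{local}@{domain.lower()}"


def _matching_identities(existing: Account, incoming: Identity) -> list[Identity]:
    target = normalise_email(incoming.email)
    return [i for i in existing.identities if normalise_email(i.email) == target]


def unsafe_link_decision(existing: Account, incoming: Identity) -> Decision:
    """Weak policy: any email match links silently. If the incoming provider lets
    someone register an address it never verified, an attacker registering the
    victim's address there is linked straight into the victim's account."""
    return Decision.LINK if _matching_identities(existing, incoming) else Decision.REJECT


def hardened_link_decision(existing: Account, incoming: Identity,
                           allow_silent: bool = False) -> Decision:
    """Hardened policy. Silent linking needs an explicit business opt-in, a trusted
    incoming provider and a verified address on BOTH sides: an unverified password
    signup holding the victim's address is the classic pre-account-takeover foothold.
    Anything else requires proof of possession (login, out-of-band code or MFA)."""
    matches = _matching_identities(existing, incoming)
    if not matches:
        return Decision.REJECT
    if (allow_silent and incoming.provider in TRUSTED_EMAIL_PROVIDERS
            and incoming.email_verified and all(i.email_verified for i in matches)):
        return Decision.LINK
    return Decision.VERIFY


def link_identity(existing: Account, incoming: Identity, decision: Decision,
                  proof_of_possession: bool = False) -> bool:
    """Apply a decision; VERIFY only proceeds once proof of possession was obtained."""
    if decision is Decision.LINK or (decision is Decision.VERIFY and proof_of_possession):
        if incoming not in existing.identities:
            existing.identities.append(incoming)
        return True
    return False


def reconcile_profile(profiles: dict[str, dict[str, str]]) -> tuple[dict[str, str], dict[str, list[str]]]:
    """Merge per-provider attributes after linking: the most trusted provider wins
    each field, and every disagreeing value is returned in `conflicts` so the UI can
    ask the user to confirm rather than silently discarding data."""
    merged: dict[str, str] = {}
    conflicts: dict[str, list[str]] = {}
    for provider in sorted(profiles, key=lambda p: PROVIDER_TRUST.get(p, 0), reverse=True):
        for key, value in profiles[provider].items():
            if key not in merged:
                merged[key] = value
            elif value != merged[key]:
                conflicts.setdefault(key, [merged[key]]).append(value)
    return merged, conflicts


if __name__ == "__main__":
    # Constructed sample identities, not taken from any real tenant.
    victim = Account("acc-1", [Identity("password", "u-1", "alice@example.com", True)])
    spoof = Identity("acme-social", "s-999", "alice@example.com", False)  # unverified address
    genuine = Identity("google-oauth2", "g-1", "alice@example.com", True)
    print("unsafe, spoof    :", unsafe_link_decision(victim, spoof).value)
    print("hardened, spoof  :", hardened_link_decision(victim, spoof, allow_silent=True).value)
    print("hardened, genuine:", hardened_link_decision(victim, genuine, allow_silent=True).value)
```

The default of `allow_silent=False` mirrors the caution in the call-out above: even a verified match from a trusted provider goes through the VERIFY path unless the business has deliberately decided otherwise. Unlinking and self-service management of linked identities are left to the surrounding application, as the article notes they must be for regulatory reasons.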