Account Linking Two existing Users


I’m using 3 different IdPs (Facebook, Azure AD and Gmail).
It should be possible for users to log in via Facebook or Gmail without having an account in Okta before. Therefore JIT is activated in all three IdPs.

When a user logs in via Facebook, a user is created in Okta.
When the same user logs in via Azure AD, another user is created in Okta.

Is there any possibility to do account linking on these two generated users manually?
So that when a user logs in with Facebook or with Azure AD, the user can access both APIs?

I have tested automatic account linking via email, but in our use case above we can’t do account linking via this attribute, because we don’t have the information, or the accounts already exist.

Okta does allow manual account linking via this API call. Note that this requires the externalId of the account.

So that when a user logs in with Facebook or with Azure AD, the user can access both APIs?

I am not sure I understand what is meant here. Do you mean that if a single Okta account linked to both a Facebook and an Azure account logs in via Facebook, that would also automatically authenticate them against Azure? If so, that would not happen.

I have seen the manual account linking API, but I’m not sure if it’s possible to link two already existing users.
For example:

Users with @gmail are users from the IdP Google. Users with myaaddomain are users from Azure AD. Users with oktauser are users created directly in Okta.

I want to link the user which is already listed under Users in Okta, because the IdP Google created it, with the user which also already exists in Okta.

After this linking, testuser1 should be able to get a token for AAD and Google no matter which login the user chooses.


In this case you will want to get the external user ID of the user you want to link to the other user with GET /api/v1/idps/{idpId}/users/{userId}, then delete that user, and then link them to the other user with POST /api/v1/idps/{idpId}/users/{userId}.

After this, if you log in with that user via Gmail or Azure, they should be linked to whichever account you linked to.
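The three-step procedure from the answer above, written out as an added Python example (this is not code from the thread or from Okta). It reads the JIT-created duplicate's IdP record to capture its externalId, removes the duplicate Okta user, and then POSTs that externalId onto the surviving user. Before running anything like this, the operator must have confirmed out of band that both Okta users belong to the same person: once linked, whoever controls that IdP identity signs in as the surviving user. Assumptions not in the thread: the org URL and an SSWS API token come from the environment variables OKTA_ORG_URL and OKTA_API_TOKEN; Okta's lifecycle/deactivate call is issued before the DELETE because Okta only deletes deactivated users; GET on an unlinked IdP user is treated as returning 404; and HTTP goes through an injectable `transport` so the workflow can be exercised offline with a fake transport. All IDs in the demo are constructed sample values.

```python
import json
import os
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

# transport(method, url, headers, json_body) -> (status_code, parsed_json_or_None)
Transport = Callable[[str, str, dict, Optional[dict]], Tuple[int, Optional[dict]]]


def urllib_transport(method, url, headers, body):
    """Real HTTP transport using only the standard library."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else None)


class OktaLinker:
    def __init__(self, org_url: str, api_token: str, transport: Transport = urllib_transport):
        self.base = org_url.rstrip("/")
        self.transport = transport
        self.headers = {
            "Authorization": f"SSWS {api_token}",   # Okta API token scheme
            "Accept": "application/json",
            "Content-Type": "application/json",
        }

    def _call(self, method, path, body=None, ok=(200, 204)):
        status, payload = self.transport(method, self.base + path, self.headers, body)
        if status not in ok:
            raise RuntimeError(f"{method} {path} returned HTTP {status}: {payload}")
        return payload

    def get_external_id(self, idp_id, okta_user_id):
        """Step 1: GET /api/v1/idps/{idpId}/users/{userId} and take its externalId."""
        record = self._call("GET", f"/api/v1/idps/{idp_id}/users/{okta_user_id}", ok=(200,))
        external_id = (record or {}).get("externalId")
        if not external_id:
            raise RuntimeError("IdP record has no externalId; refusing to link")
        return external_id

    def delete_user(self, okta_user_id):
        """Step 2: deactivate, then delete the duplicate (Okta deletes only deactivated users)."""
        self._call("POST", f"/api/v1/users/{okta_user_id}/lifecycle/deactivate", ok=(200,))
        self._call("DELETE", f"/api/v1/users/{okta_user_id}", ok=(204,))

    def link_user(self, idp_id, target_user_id, external_id):
        """Step 3: POST /api/v1/idps/{idpId}/users/{userId} with the captured externalId."""
        return self._call("POST", f"/api/v1/idps/{idp_id}/users/{target_user_id}",
                          body={"externalId": external_id}, ok=(200,))

    def merge_duplicate(self, idp_id, duplicate_user_id, target_user_id):
        """Run steps 1-3, refusing obviously wrong inputs before anything is deleted."""
        if duplicate_user_id == target_user_id:
            raise ValueError("duplicate and target must be different Okta users")
        # Assumption: GET on an unlinked user returns 404; a 200 means a link already exists.
        status, _ = self.transport(
            "GET", f"{self.base}/api/v1/idps/{idp_id}/users/{target_user_id}", self.headers, None)
        if status == 200:
            raise RuntimeError("target user is already linked to this IdP; nothing to merge")
        external_id = self.get_external_id(idp_id, duplicate_user_id)
        self.delete_user(duplicate_user_id)
        return self.link_user(idp_id, target_user_id, external_id)


def make_fake_transport(calls, external_id="1234567890"):
    """Offline stand-in for Okta that records every call (constructed responses)."""
    def fake(method, url, headers, body):
        path = url.split("/api/v1", 1)[1]
        calls.append((method, path, body))
        if method == "GET" and "/idps/" in path and path.endswith("/users/00u_target"):
            return 404, {"errorCode": "E0000007"}          # target not linked yet
        if method == "GET" and "/idps/" in path:
            return 200, {"id": "00u_dup", "externalId": external_id}
        if method == "POST" and path.endswith("/lifecycle/deactivate"):
            return 200, {}
        if method == "DELETE":
            return 204, None
        if method == "POST" and "/idps/" in path:
            return 200, {"id": "00u_target", "externalId": body["externalId"]}
        return 500, None
    return fake


def demo():
    """Merge a constructed Google JIT duplicate (00u_dup) into 00u_target, offline."""
    calls = []
    linker = OktaLinker("https://example.okta.com", "placeholder-token", make_fake_transport(calls))
    result = linker.merge_duplicate("0oa_google", "00u_dup", "00u_target")
    return result, calls


if __name__ == "__main__":
    # Real run: IDs come from the command line, credentials from the environment (assumed names).
    import sys
    linker = OktaLinker(os.environ["OKTA_ORG_URL"], os.environ["OKTA_API_TOKEN"])
    print(json.dumps(linker.merge_duplicate(*sys.argv[1:4]), indent=2))
```

Run offline with `python -c "import link; print(link.demo())"` to see the five recorded calls; against a real org, `python link.py <idpId> <duplicateUserId> <targetUserId>` performs the merge. The pre-check on the target and the refusal to proceed on a missing externalId are there so the duplicate is never deleted before the data needed to re-link it has been captured.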