<@U04UQ68083H> I’ve added new user to the system, ...
# ory-copilot
@chilly-king-10285 I’ve added a new user to the system, and this user gets the reset-password email. But this user wants to log in/register using SSO, but after that he gets the message below:
You tried to sign in with "abc@gmail.com", but that email is already used by another account. Sign in to your account with one of the options below to add your account "abc@gmail.com" at "Google" as another way to sign in.
Why is the account not linked with the Google account?
A message from kapa.ai
The behavior you're seeing is expected with Ory's default account linking and social sign-in flow. When a user is added to the system (e.g., via import or admin creation) and receives a reset-password email, an account is created with their email address. If the same user then tries to log in or register using SSO (e.g., Google) with the same email, Ory detects that the email is already associated with an existing account.

By default, Ory does not automatically link the SSO (social login) account to the existing account for security reasons. Instead, the user is prompted to sign in using one of the existing authentication methods (such as password) to confirm their identity before linking the new SSO method. This prevents potential account takeover attacks that could occur if someone else controls the same email address at the SSO provider. Only after successful authentication with an existing method can the SSO account be linked to the user's profile [Account linking on login and registration](https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account#account-linking-on-login-and-registration) [Account linking security considerations](https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account#account-linking-security-considerations).

Automatic account linking (where the SSO account is linked without additional verification) is only available in specific migration scenarios, and only if you explicitly enable the `use_auto_link` feature for pre-provisioned identities. This feature is not enabled by default and is only available for Ory Network or Enterprise customers after a security evaluation [Account linking on login and registration](https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account#account-linking-on-login-and-registration) [Account linking security considerations](https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account#account-linking-security-considerations).

Summary: The account is not automatically linked with the Google account because Ory requires an explicit verification step (such as signing in with the existing method) before linking a new login method, to prevent security risks. Automatic linking is only available in controlled, pre-provisioned scenarios with additional configuration.

For more details, see the documentation on [account linking](https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account#account-linking-on-login-and-registration) and [account linking security considerations](https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account#account-linking-security-considerations).