# ory-copilot
@chilly-king-10285 When a user already has a registered email address, there is a rather clunky step when they attempt to login using social sign in with an account with that same email address where they need to enter their existing password to link the accounts. Is there any way around this? For example, is there a way that we could ALWAYS create a new account when someone logs in using a social sign in method and not attempt to deduplicate it against existing email addresses?
A message from kapa.ai
Ory does not support creating a new account with a social sign-in provider if the email address already exists in the system. The platform enforces global uniqueness of email addresses across all authentication methods and providers. When a user attempts to sign in with a social provider using an email that already exists, Ory will prompt the user to link the accounts—typically by entering the password for the existing account. This is a deliberate security measure to prevent account takeover and ensure that email addresses are not used to create duplicate or conflicting identities. There is no configuration or documented workaround to always create a new account for each social sign-in attempt with the same email address. The only way to achieve provider-specific uniqueness (i.e., allowing the same email to be used for different accounts with different providers) would be to run separate Ory projects or Kratos instances for each provider, but this approach is not officially documented or recommended and comes with significant complexity and trade-offs [kratos, login with different oidc providers, with same email address](https://github.com/ory/kratos/discussions/4162).

This behavior is by design and is not configurable, as confirmed in the official Ory response:

> "No its not possible to circumvent this because the email address must be unique. You could potentially circumvent this with multiple Ory Network projects / multiple Ory Kratos instances, but it is not documented." [kratos, login with different oidc providers, with same email address](https://github.com/ory/kratos/discussions/4162)

Additionally, Ory does not support fully automatic account linking for social sign-in due to security concerns, and the deduplication step (requiring password entry) is a key part of the account linking process [Account linking on login and registration](https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account#account-linking-on-login-and-registration).
Summary: You cannot configure Ory to always create a new account for each social sign-in with the same email address. Email addresses must be unique, and deduplication/account linking is enforced for security reasons.
@chilly-king-10285 is it possible to set up social sign in via the API or can it only be done through the login UI by the user themselves?
A message from kapa.ai
Social sign-in in Ory is designed to be initiated by the user through the login UI, where the user selects a social provider and is redirected to authenticate with that provider. The flow is user-driven and relies on browser-based redirection or, for native/mobile apps, opening a browser window for the user to complete authentication with the social provider. For native and mobile apps, the process is still user-initiated: the app opens a browser window for the user to authenticate, and then handles the redirect back to the app. The API is used to initialize and manage the flow, but the actual authentication step with the social provider must be performed by the user in a browser context. There is no documented way to perform the entire social sign-in process purely via backend API calls without user interaction in the UI or browser [Social sign-in for native and mobile apps](https://www.ory.sh/docs/kratos/social-signin/native-apps#implementation) [Integration basics](https://www.ory.sh/docs/kratos/bring-your-own-ui/custom-ui-basic-integration). In summary: Social sign-in must be initiated by the user via the login UI (web or native app). The API is used to manage the flow, but the user must interact with the social provider through a browser or web view. There is no supported way to complete social sign-in entirely via backend API calls.
@chilly-king-10285 if the user has been created previously, but without a password (i.e. the identity was created through the API) and they then attempt to login using social sign in... what happens? Will it simply link the accounts without asking for password confirmation?
A message from kapa.ai
If a user has an existing identity in Ory that was created without a password (for example, via the API), and then attempts to log in using social sign-in with the same email address, Ory will attempt to link the social account to the existing identity. However, since the existing account does not have a password authentication method, the user will be prompted to enter a password to confirm the account linking—but will not be able to do so, as no password exists for that account. This results in a situation where the user cannot complete the account linking or log in using the new social sign-in method. This is a known limitation and is discussed in Ory's issue tracker. The current behavior is that if the user does not have a password (or any other available authentication method), it is not possible to securely link the social account, and the user may be effectively locked out. Ory recommends not removing authentication methods (such as OIDC providers) from users who rely on them, as this can leave accounts without any way to authenticate or recover access. There is no automatic linking in this scenario, and the process will not simply link the accounts without confirmation [Presented with a prompt to link account using password when pre-existing account does not use password auth method](https://github.com/ory/network/issues/400). In summary: If the user does not have a password, Ory will still prompt for password confirmation to link the social account, and the process cannot be completed without an available authentication method. The accounts will not be linked automatically.
@chilly-king-10285 note that the issue linked talks about Enterprise SSO whereas I am talking about normal social sign-in. Does this result in different behaviour?
A message from kapa.ai
Based on the knowledge sources, the described behavior—where a user with an existing account (created without a password) is prompted for a password when attempting to link a social sign-in—applies to both Enterprise SSO and standard social sign-in (OIDC) flows in Ory. The documentation and issue discussions do not distinguish different behaviors between Enterprise SSO and regular social sign-in regarding account linking when no password is set. In both cases, Ory requires an additional verification step (such as entering a password) before linking a new login method to an existing account. If the account does not have a password (or another available authentication method), the user cannot complete the linking process and may be locked out [Presented with a prompt to link account using password when pre-existing account does not use password auth method](https://github.com/ory/network/issues/400) [Account linking on login and registration](https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account#account-linking-on-login-and-registration). There is no indication in the knowledge sources that standard social sign-in behaves differently from Enterprise SSO in this scenario. If an account has no available authentication method, Ory will not automatically link the social account, regardless of the type of provider. Summary: No, there is no documented difference in behavior between Enterprise SSO and standard social sign-in for this scenario. In both cases, Ory will not link the accounts automatically if the existing account lacks a password or other authentication method.
@chilly-king-10285 you say that identities must have unique email addresses, yet isn't it possible to set up identities with a schema that doesn't even require an email address? What then?
A message from kapa.ai
Yes, it is possible to set up identities in Ory with a schema that does not require an email address. Ory allows you to fully customize your identity schema using JSON Schema, and you can define any field as the unique identifier for login, such as a username or phone number, instead of an email address. For example, you can use a schema where the only required trait is a username, and no email is present at all. In this case, uniqueness is enforced on the chosen identifier (e.g., username), not on email addresses [Identity schema](https://www.ory.sh/docs/kratos/manage-identities/identity-schema). Here’s an example from the documentation:
```json
{
  "id": "6e9d3d30-f93e-4630-901f-c2096953723d",
  "traits": {
    "username": "some-username"
  }
}
```
In this setup, the system does not require or enforce uniqueness on email addresses, since they are not part of the schema. The uniqueness constraint applies only to the fields you designate as identifiers in your schema [Identity schema](https://www.ory.sh/docs/kratos/manage-identities/identity-schema). So, if your schema does not include an email address, identities do not need to have unique emails—because they do not have emails at all.
@chilly-king-10285 how does that work if you attempt to link a social sign-in account to an existing identity then? Or would it just be unable to search and simply create a new identity every time?
A message from kapa.ai
If your identity schema does not include an email address as a trait, Ory cannot use email to deduplicate or link accounts during social sign-in. In this case, when a user signs in with a social provider, Ory will not find an existing identity based on email (since it does not exist in the schema) and will create a new identity for each social sign-in attempt. This means that, without a unique identifier (like email or username) present in both the identity schema and the social provider's claims, Ory will be unable to match the social sign-in to an existing account and will default to creating a new identity every time [Identity schema](https://www.ory.sh/docs/kratos/manage-identities/identity-schema) [Map and merge profile data](https://www.ory.sh/docs/kratos/social-signin/data-mapping). Summary: If your schema does not include an email (or any other matching identifier), Ory will not be able to link social sign-in accounts to existing identities and will create a new identity for each sign-in attempt.