Tags: wso2, wso2-identity-server, account-linking, wso2-asgardeo

WSO2 ID - Asgardeo federated login doesn't link to existing user account


Context:

I'm using WSO2 Asgardeo, and the automatic account linking doesn't seem to be working as I expected.

I have configured Just-In-Time (JIT) provisioning with Google as an identity provider.

Here is the scenario:

I sign up with an email address: xpto@gmail.com (using the Asgardeo default login form).

Then I try to log in with the same email (xpto@gmail.com) using the Google IDP.

After both steps, when I check the users in the Asgardeo Console, they appear as two separate users.

What I tried:

I attempted to force the account link using the POST /t/{tenant}/api/users/v1/me/federated-associations endpoint, but I receive this error:

The federated association is already associated to a local user.

However, that local user is not the one I want to associate with this federated identity.


Solution

  • As of now, JIT (Just-In-Time) provisioning through a federated IdP creates a new user profile within the Asgardeo organization. However, an upcoming enhancement will introduce the ability to implicitly link JIT-provisioned users to existing local users.

    In the meantime, you can achieve user linking by following this workaround:

    1. Disable JIT provisioning in your login IdP configuration.

    2. Update your application's conditional authentication script as shown below.

      
      var onLoginRequest = function onLoginRequest(context) {
      
          var fedUser;
          executeStep(1, {
              onSuccess: function(context) {
                  // Name of the IdP that authenticated the user in step 1 ("LOCAL" for the Asgardeo login form)
                  var idpName = context.steps[1].idp;
                  if (idpName !== "LOCAL") {
                      fedUser = context.currentKnownSubject;
      
                      // Check if there is already a user association for this federated user
                      var assocUser = getAssociatedLocalUser(fedUser);
                      if (assocUser == null) {
                          Log.info("Association is not found");
                          Log.info("Federated user's email : " + fedUser.remoteClaims.email);
                          // Look up the local user whose username equals the federated email claim
                          // ("DEFAULT/" is the user store domain prefix)
                          var claimMap = {};
                          claimMap["http://wso2.org/claims/username"] = "DEFAULT/" + fedUser.remoteClaims.email;
                          var storedLocalUser = getUniqueUserWithClaimValues(claimMap, context);
                          if (storedLocalUser !== null) {
                              Log.info("Found a local user");
                              // Do the account linking
                              doAssociationWithLocalUser(fedUser, storedLocalUser.username, storedLocalUser.tenantDomain, storedLocalUser.userStoreDomain);
                          } else {
                              Log.info("Matching local user is not found");
                          }
                      }
                  }
              }
          });
      };
      

    3. Go to its User Attributes tab and scroll down. Click "Use linked local account attributes" under "Attribute Resolution for Linked Accounts" and save.


    Then try the login flow; you should be able to link the federated users silently with local users and consume the linked local users' attributes in user assertions returned to the application.
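The following is an added example, not Asgardeo's or WSO2's code and not part of the answer above: an offline model of the linking decision made by the conditional authentication script, so the three branches (already linked, linked now, no matching local user) can be exercised without a tenant. The Asgardeo script helpers `getAssociatedLocalUser`, `getUniqueUserWithClaimValues` and `doAssociationWithLocalUser` are replaced by in-memory stubs, the `idp` field on `currentKnownSubject` and the shape of the `context` object are constructed assumptions, and the sample local user is constructed data.

```javascript
// Added example (not Asgardeo's code): in-memory model of the account-linking
// decision in the conditional-auth script, with stubs for the script helpers.

// Constructed sample data: one local user who signed up through the default form.
function newState() {
  return {
    localUsers: [
      { username: "xpto@gmail.com", tenantDomain: "carbon.super", userStoreDomain: "DEFAULT" },
    ],
    // federated subject ("<idp>/<email>") -> "<userStoreDomain>/<username>" it is linked to
    associations: new Map(),
    log: [],
  };
}

// Stubs standing in for the Asgardeo adaptive-script helpers (assumed behaviour).
function scriptApi(state) {
  const key = (fedUser) => fedUser.idp + "/" + fedUser.remoteClaims.email;
  return {
    getAssociatedLocalUser(fedUser) {
      const linked = state.associations.get(key(fedUser));
      return linked === undefined ? null : { username: linked };
    },
    getUniqueUserWithClaimValues(claimMap) {
      // The script passes "DEFAULT/<email>", i.e. "<userStoreDomain>/<username>".
      const value = claimMap["http://wso2.org/claims/username"];
      const slash = value.indexOf("/");
      const storeDomain = value.slice(0, slash);
      const username = value.slice(slash + 1);
      const matches = state.localUsers.filter(
        (u) => u.userStoreDomain === storeDomain && u.username === username);
      // "unique" lookup: anything other than exactly one hit is treated as no user
      return matches.length === 1 ? matches[0] : null;
    },
    doAssociationWithLocalUser(fedUser, username, tenantDomain, userStoreDomain) {
      state.associations.set(key(fedUser), userStoreDomain + "/" + username);
    },
  };
}

// Same decision logic as the answer's script; returns the branch taken so it can be checked.
function handleLogin(context, state) {
  const api = scriptApi(state);
  const idpName = context.steps[1].idp;
  if (idpName === "LOCAL") {
    return "local";
  }
  const fedUser = context.currentKnownSubject;
  if (api.getAssociatedLocalUser(fedUser) !== null) {
    state.log.push("Association already exists for " + fedUser.remoteClaims.email);
    return "already-linked";
  }
  const claimMap = {};
  claimMap["http://wso2.org/claims/username"] = "DEFAULT/" + fedUser.remoteClaims.email;
  const storedLocalUser = api.getUniqueUserWithClaimValues(claimMap);
  if (storedLocalUser === null) {
    state.log.push("Matching local user is not found for " + fedUser.remoteClaims.email);
    return "no-match";
  }
  api.doAssociationWithLocalUser(fedUser, storedLocalUser.username,
    storedLocalUser.tenantDomain, storedLocalUser.userStoreDomain);
  state.log.push("Linked " + fedUser.remoteClaims.email + " to local user " + storedLocalUser.username);
  return "linked";
}

// Builds the slice of the authentication context the script reads (constructed shape).
function googleLogin(email) {
  return {
    steps: { 1: { idp: "Google" } },
    currentKnownSubject: { idp: "Google", remoteClaims: { email: email } },
  };
}

// Stand-alone run: first Google login links, second is a no-op.
const demo = newState();
console.log(handleLogin(googleLogin("xpto@gmail.com"), demo));   // linked
console.log(handleLogin(googleLogin("xpto@gmail.com"), demo));   // already-linked
console.log(handleLogin(googleLogin("nobody@example.com"), demo)); // no-match
console.log(demo.log.join("\n"));
```

The link is keyed purely on the email claim the IdP returns, so the script should only be enabled for connections whose email claim is trusted to be verified; a second federated identity presenting the same email is handled by the already-linked branch rather than creating a new association, which is the situation that produces the "already associated to a local user" error seen in the question.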