feat(idp): provide option to auto link user (#7734)

* init auto linking

* prompt handling

* working

* translations

* console

* fixes

* unify

* custom texts

* fix tests

* linting

* fix check of existing user

* fix bg translation

* set unspecified as default in the form

internal/query/custom_text.go

@@ -409,8 +409,11 @@ func CustomTextsToLoginDomain(instanceID, aggregateID, lang string, texts *Custo
 		if strings.HasPrefix(text.Key, domain.LoginKeyRegistrationOrg) {
 			registrationOrgKeyToDomain(text, result)
 		}
+		if strings.HasPrefix(text.Key, domain.LoginKeyLinkingUserPrompt) {
+			linkingUserPromptKeyToDomain(text, result)
+		}
 		if strings.HasPrefix(text.Key, domain.LoginKeyLinkingUserDone) {
-			linkingUserKeyToDomain(text, result)
+			linkingUserDoneKeyToDomain(text, result)
 		}
 		if strings.HasPrefix(text.Key, domain.LoginKeyExternalNotFound) {
 			externalUserNotFoundKeyToDomain(text, result)
@@ -1100,7 +1103,22 @@ func registrationOrgKeyToDomain(text *CustomText, result *domain.CustomLoginText
 	}
 }
 
-func linkingUserKeyToDomain(text *CustomText, result *domain.CustomLoginText) {
+func linkingUserPromptKeyToDomain(text *CustomText, result *domain.CustomLoginText) {
+	if text.Key == domain.LoginKeyLinkingUserPromptTitle {
+		result.LinkingUserPrompt.Title = text.Text
+	}
+	if text.Key == domain.LoginKeyLinkingUserPromptDescription {
+		result.LinkingUserPrompt.Description = text.Text
+	}
+	if text.Key == domain.LoginKeyLinkingUserPromptLinkButtonText {
+		result.LinkingUserPrompt.LinkButtonText = text.Text
+	}
+	if text.Key == domain.LoginKeyLinkingUserPromptOtherButtonText {
+		result.LinkingUserPrompt.OtherButtonText = text.Text
+	}
+}
+
+func linkingUserDoneKeyToDomain(text *CustomText, result *domain.CustomLoginText) {
 	if text.Key == domain.LoginKeyLinkingUserDoneTitle {
 		result.LinkingUsersDone.Title = text.Text
 	}

internal/query/idp_login_policy_link_test.go

@@ -16,12 +16,12 @@ import (
 
 var (
 	loginPolicyIDPLinksQuery = regexp.QuoteMeta(`SELECT projections.idp_login_policy_links5.idp_id,` +
-		` projections.idp_templates5.name,` +
-		` projections.idp_templates5.type,` +
-		` projections.idp_templates5.owner_type,` +
+		` projections.idp_templates6.name,` +
+		` projections.idp_templates6.type,` +
+		` projections.idp_templates6.owner_type,` +
 		` COUNT(*) OVER ()` +
 		` FROM projections.idp_login_policy_links5` +
-		` LEFT JOIN projections.idp_templates5 ON projections.idp_login_policy_links5.idp_id = projections.idp_templates5.id AND projections.idp_login_policy_links5.instance_id = projections.idp_templates5.instance_id` +
+		` LEFT JOIN projections.idp_templates6 ON projections.idp_login_policy_links5.idp_id = projections.idp_templates6.id AND projections.idp_login_policy_links5.instance_id = projections.idp_templates6.instance_id` +
 		` RIGHT JOIN (SELECT login_policy_owner.aggregate_id, login_policy_owner.instance_id, login_policy_owner.owner_removed FROM projections.login_policies5 AS login_policy_owner` +
 		` WHERE (login_policy_owner.instance_id = $1 AND (login_policy_owner.aggregate_id = $2 OR login_policy_owner.aggregate_id = $3)) ORDER BY login_policy_owner.is_default LIMIT 1) AS login_policy_owner` +
 		` ON login_policy_owner.aggregate_id = projections.idp_login_policy_links5.resource_owner AND login_policy_owner.instance_id = projections.idp_login_policy_links5.instance_id` +

internal/query/idp_template.go

@@ -35,6 +35,7 @@ type IDPTemplate struct {
 	IsLinkingAllowed  bool
 	IsAutoCreation    bool
 	IsAutoUpdate      bool
+	AutoLinking       domain.AutoLinkingOption
 	*OAuthIDPTemplate
 	*OIDCIDPTemplate
 	*JWTIDPTemplate
@@ -227,6 +228,10 @@ var (
 		name:  projection.IDPTemplateIsAutoUpdateCol,
 		table: idpTemplateTable,
 	}
+	IDPTemplateAutoLinkingCol = Column{
+		name:  projection.IDPTemplateAutoLinkingCol,
+		table: idpTemplateTable,
+	}
 )
 
 var (
@@ -812,6 +817,7 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se
 			IDPTemplateIsLinkingAllowedCol.identifier(),
 			IDPTemplateIsAutoCreationCol.identifier(),
 			IDPTemplateIsAutoUpdateCol.identifier(),
+			IDPTemplateAutoLinkingCol.identifier(),
 			// oauth
 			OAuthIDCol.identifier(),
 			OAuthClientIDCol.identifier(),
@@ -1037,6 +1043,7 @@ func prepareIDPTemplateByIDQuery(ctx context.Context, db prepareDatabase) (sq.Se
 				&idpTemplate.IsLinkingAllowed,
 				&idpTemplate.IsAutoCreation,
 				&idpTemplate.IsAutoUpdate,
+				&idpTemplate.AutoLinking,
 				// oauth
 				&oauthID,
 				&oauthClientID,
@@ -1297,6 +1304,7 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec
 			IDPTemplateIsLinkingAllowedCol.identifier(),
 			IDPTemplateIsAutoCreationCol.identifier(),
 			IDPTemplateIsAutoUpdateCol.identifier(),
+			IDPTemplateAutoLinkingCol.identifier(),
 			// oauth
 			OAuthIDCol.identifier(),
 			OAuthClientIDCol.identifier(),
@@ -1527,6 +1535,7 @@ func prepareIDPTemplatesQuery(ctx context.Context, db prepareDatabase) (sq.Selec
 					&idpTemplate.IsLinkingAllowed,
 					&idpTemplate.IsAutoCreation,
 					&idpTemplate.IsAutoUpdate,
+					&idpTemplate.AutoLinking,
 					// oauth
 					&oauthID,
 					&oauthClientID,

internal/query/idp_template_test.go

@@ -16,128 +16,129 @@ import (
 )
 
 var (
-	idpTemplateQuery = `SELECT projections.idp_templates5.id,` +
-		` projections.idp_templates5.resource_owner,` +
-		` projections.idp_templates5.creation_date,` +
-		` projections.idp_templates5.change_date,` +
-		` projections.idp_templates5.sequence,` +
-		` projections.idp_templates5.state,` +
-		` projections.idp_templates5.name,` +
-		` projections.idp_templates5.type,` +
-		` projections.idp_templates5.owner_type,` +
-		` projections.idp_templates5.is_creation_allowed,` +
-		` projections.idp_templates5.is_linking_allowed,` +
-		` projections.idp_templates5.is_auto_creation,` +
-		` projections.idp_templates5.is_auto_update,` +
+	idpTemplateQuery = `SELECT projections.idp_templates6.id,` +
+		` projections.idp_templates6.resource_owner,` +
+		` projections.idp_templates6.creation_date,` +
+		` projections.idp_templates6.change_date,` +
+		` projections.idp_templates6.sequence,` +
+		` projections.idp_templates6.state,` +
+		` projections.idp_templates6.name,` +
+		` projections.idp_templates6.type,` +
+		` projections.idp_templates6.owner_type,` +
+		` projections.idp_templates6.is_creation_allowed,` +
+		` projections.idp_templates6.is_linking_allowed,` +
+		` projections.idp_templates6.is_auto_creation,` +
+		` projections.idp_templates6.is_auto_update,` +
+		` projections.idp_templates6.auto_linking,` +
 		// oauth
-		` projections.idp_templates5_oauth2.idp_id,` +
-		` projections.idp_templates5_oauth2.client_id,` +
-		` projections.idp_templates5_oauth2.client_secret,` +
-		` projections.idp_templates5_oauth2.authorization_endpoint,` +
-		` projections.idp_templates5_oauth2.token_endpoint,` +
-		` projections.idp_templates5_oauth2.user_endpoint,` +
-		` projections.idp_templates5_oauth2.scopes,` +
-		` projections.idp_templates5_oauth2.id_attribute,` +
+		` projections.idp_templates6_oauth2.idp_id,` +
+		` projections.idp_templates6_oauth2.client_id,` +
+		` projections.idp_templates6_oauth2.client_secret,` +
+		` projections.idp_templates6_oauth2.authorization_endpoint,` +
+		` projections.idp_templates6_oauth2.token_endpoint,` +
+		` projections.idp_templates6_oauth2.user_endpoint,` +
+		` projections.idp_templates6_oauth2.scopes,` +
+		` projections.idp_templates6_oauth2.id_attribute,` +
 		// oidc
-		` projections.idp_templates5_oidc.idp_id,` +
-		` projections.idp_templates5_oidc.issuer,` +
-		` projections.idp_templates5_oidc.client_id,` +
-		` projections.idp_templates5_oidc.client_secret,` +
-		` projections.idp_templates5_oidc.scopes,` +
-		` projections.idp_templates5_oidc.id_token_mapping,` +
+		` projections.idp_templates6_oidc.idp_id,` +
+		` projections.idp_templates6_oidc.issuer,` +
+		` projections.idp_templates6_oidc.client_id,` +
+		` projections.idp_templates6_oidc.client_secret,` +
+		` projections.idp_templates6_oidc.scopes,` +
+		` projections.idp_templates6_oidc.id_token_mapping,` +
 		// jwt
-		` projections.idp_templates5_jwt.idp_id,` +
-		` projections.idp_templates5_jwt.issuer,` +
-		` projections.idp_templates5_jwt.jwt_endpoint,` +
-		` projections.idp_templates5_jwt.keys_endpoint,` +
-		` projections.idp_templates5_jwt.header_name,` +
+		` projections.idp_templates6_jwt.idp_id,` +
+		` projections.idp_templates6_jwt.issuer,` +
+		` projections.idp_templates6_jwt.jwt_endpoint,` +
+		` projections.idp_templates6_jwt.keys_endpoint,` +
+		` projections.idp_templates6_jwt.header_name,` +
 		// azure
-		` projections.idp_templates5_azure.idp_id,` +
-		` projections.idp_templates5_azure.client_id,` +
-		` projections.idp_templates5_azure.client_secret,` +
-		` projections.idp_templates5_azure.scopes,` +
-		` projections.idp_templates5_azure.tenant,` +
-		` projections.idp_templates5_azure.is_email_verified,` +
+		` projections.idp_templates6_azure.idp_id,` +
+		` projections.idp_templates6_azure.client_id,` +
+		` projections.idp_templates6_azure.client_secret,` +
+		` projections.idp_templates6_azure.scopes,` +
+		` projections.idp_templates6_azure.tenant,` +
+		` projections.idp_templates6_azure.is_email_verified,` +
 		// github
-		` projections.idp_templates5_github.idp_id,` +
-		` projections.idp_templates5_github.client_id,` +
-		` projections.idp_templates5_github.client_secret,` +
-		` projections.idp_templates5_github.scopes,` +
+		` projections.idp_templates6_github.idp_id,` +
+		` projections.idp_templates6_github.client_id,` +
+		` projections.idp_templates6_github.client_secret,` +
+		` projections.idp_templates6_github.scopes,` +
 		// github enterprise
-		` projections.idp_templates5_github_enterprise.idp_id,` +
-		` projections.idp_templates5_github_enterprise.client_id,` +
-		` projections.idp_templates5_github_enterprise.client_secret,` +
-		` projections.idp_templates5_github_enterprise.authorization_endpoint,` +
-		` projections.idp_templates5_github_enterprise.token_endpoint,` +
-		` projections.idp_templates5_github_enterprise.user_endpoint,` +
-		` projections.idp_templates5_github_enterprise.scopes,` +
+		` projections.idp_templates6_github_enterprise.idp_id,` +
+		` projections.idp_templates6_github_enterprise.client_id,` +
+		` projections.idp_templates6_github_enterprise.client_secret,` +
+		` projections.idp_templates6_github_enterprise.authorization_endpoint,` +
+		` projections.idp_templates6_github_enterprise.token_endpoint,` +
+		` projections.idp_templates6_github_enterprise.user_endpoint,` +
+		` projections.idp_templates6_github_enterprise.scopes,` +
 		// gitlab
-		` projections.idp_templates5_gitlab.idp_id,` +
-		` projections.idp_templates5_gitlab.client_id,` +
-		` projections.idp_templates5_gitlab.client_secret,` +
-		` projections.idp_templates5_gitlab.scopes,` +
+		` projections.idp_templates6_gitlab.idp_id,` +
+		` projections.idp_templates6_gitlab.client_id,` +
+		` projections.idp_templates6_gitlab.client_secret,` +
+		` projections.idp_templates6_gitlab.scopes,` +
 		// gitlab self hosted
-		` projections.idp_templates5_gitlab_self_hosted.idp_id,` +
-		` projections.idp_templates5_gitlab_self_hosted.issuer,` +
-		` projections.idp_templates5_gitlab_self_hosted.client_id,` +
-		` projections.idp_templates5_gitlab_self_hosted.client_secret,` +
-		` projections.idp_templates5_gitlab_self_hosted.scopes,` +
+		` projections.idp_templates6_gitlab_self_hosted.idp_id,` +
+		` projections.idp_templates6_gitlab_self_hosted.issuer,` +
+		` projections.idp_templates6_gitlab_self_hosted.client_id,` +
+		` projections.idp_templates6_gitlab_self_hosted.client_secret,` +
+		` projections.idp_templates6_gitlab_self_hosted.scopes,` +
 		// google
-		` projections.idp_templates5_google.idp_id,` +
-		` projections.idp_templates5_google.client_id,` +
-		` projections.idp_templates5_google.client_secret,` +
-		` projections.idp_templates5_google.scopes,` +
+		` projections.idp_templates6_google.idp_id,` +
+		` projections.idp_templates6_google.client_id,` +
+		` projections.idp_templates6_google.client_secret,` +
+		` projections.idp_templates6_google.scopes,` +
 		// saml
-		` projections.idp_templates5_saml.idp_id,` +
-		` projections.idp_templates5_saml.metadata,` +
-		` projections.idp_templates5_saml.key,` +
-		` projections.idp_templates5_saml.certificate,` +
-		` projections.idp_templates5_saml.binding,` +
-		` projections.idp_templates5_saml.with_signed_request,` +
+		` projections.idp_templates6_saml.idp_id,` +
+		` projections.idp_templates6_saml.metadata,` +
+		` projections.idp_templates6_saml.key,` +
+		` projections.idp_templates6_saml.certificate,` +
+		` projections.idp_templates6_saml.binding,` +
+		` projections.idp_templates6_saml.with_signed_request,` +
 		// ldap
-		` projections.idp_templates5_ldap2.idp_id,` +
-		` projections.idp_templates5_ldap2.servers,` +
-		` projections.idp_templates5_ldap2.start_tls,` +
-		` projections.idp_templates5_ldap2.base_dn,` +
-		` projections.idp_templates5_ldap2.bind_dn,` +
-		` projections.idp_templates5_ldap2.bind_password,` +
-		` projections.idp_templates5_ldap2.user_base,` +
-		` projections.idp_templates5_ldap2.user_object_classes,` +
-		` projections.idp_templates5_ldap2.user_filters,` +
-		` projections.idp_templates5_ldap2.timeout,` +
-		` projections.idp_templates5_ldap2.id_attribute,` +
-		` projections.idp_templates5_ldap2.first_name_attribute,` +
-		` projections.idp_templates5_ldap2.last_name_attribute,` +
-		` projections.idp_templates5_ldap2.display_name_attribute,` +
-		` projections.idp_templates5_ldap2.nick_name_attribute,` +
-		` projections.idp_templates5_ldap2.preferred_username_attribute,` +
-		` projections.idp_templates5_ldap2.email_attribute,` +
-		` projections.idp_templates5_ldap2.email_verified,` +
-		` projections.idp_templates5_ldap2.phone_attribute,` +
-		` projections.idp_templates5_ldap2.phone_verified_attribute,` +
-		` projections.idp_templates5_ldap2.preferred_language_attribute,` +
-		` projections.idp_templates5_ldap2.avatar_url_attribute,` +
-		` projections.idp_templates5_ldap2.profile_attribute,` +
+		` projections.idp_templates6_ldap2.idp_id,` +
+		` projections.idp_templates6_ldap2.servers,` +
+		` projections.idp_templates6_ldap2.start_tls,` +
+		` projections.idp_templates6_ldap2.base_dn,` +
+		` projections.idp_templates6_ldap2.bind_dn,` +
+		` projections.idp_templates6_ldap2.bind_password,` +
+		` projections.idp_templates6_ldap2.user_base,` +
+		` projections.idp_templates6_ldap2.user_object_classes,` +
+		` projections.idp_templates6_ldap2.user_filters,` +
+		` projections.idp_templates6_ldap2.timeout,` +
+		` projections.idp_templates6_ldap2.id_attribute,` +
+		` projections.idp_templates6_ldap2.first_name_attribute,` +
+		` projections.idp_templates6_ldap2.last_name_attribute,` +
+		` projections.idp_templates6_ldap2.display_name_attribute,` +
+		` projections.idp_templates6_ldap2.nick_name_attribute,` +
+		` projections.idp_templates6_ldap2.preferred_username_attribute,` +
+		` projections.idp_templates6_ldap2.email_attribute,` +
+		` projections.idp_templates6_ldap2.email_verified,` +
+		` projections.idp_templates6_ldap2.phone_attribute,` +
+		` projections.idp_templates6_ldap2.phone_verified_attribute,` +
+		` projections.idp_templates6_ldap2.preferred_language_attribute,` +
+		` projections.idp_templates6_ldap2.avatar_url_attribute,` +
+		` projections.idp_templates6_ldap2.profile_attribute,` +
 		// apple
-		` projections.idp_templates5_apple.idp_id,` +
-		` projections.idp_templates5_apple.client_id,` +
-		` projections.idp_templates5_apple.team_id,` +
-		` projections.idp_templates5_apple.key_id,` +
-		` projections.idp_templates5_apple.private_key,` +
-		` projections.idp_templates5_apple.scopes` +
-		` FROM projections.idp_templates5` +
-		` LEFT JOIN projections.idp_templates5_oauth2 ON projections.idp_templates5.id = projections.idp_templates5_oauth2.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_oauth2.instance_id` +
-		` LEFT JOIN projections.idp_templates5_oidc ON projections.idp_templates5.id = projections.idp_templates5_oidc.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_oidc.instance_id` +
-		` LEFT JOIN projections.idp_templates5_jwt ON projections.idp_templates5.id = projections.idp_templates5_jwt.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_jwt.instance_id` +
-		` LEFT JOIN projections.idp_templates5_azure ON projections.idp_templates5.id = projections.idp_templates5_azure.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_azure.instance_id` +
-		` LEFT JOIN projections.idp_templates5_github ON projections.idp_templates5.id = projections.idp_templates5_github.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_github.instance_id` +
-		` LEFT JOIN projections.idp_templates5_github_enterprise ON projections.idp_templates5.id = projections.idp_templates5_github_enterprise.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_github_enterprise.instance_id` +
-		` LEFT JOIN projections.idp_templates5_gitlab ON projections.idp_templates5.id = projections.idp_templates5_gitlab.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_gitlab.instance_id` +
-		` LEFT JOIN projections.idp_templates5_gitlab_self_hosted ON projections.idp_templates5.id = projections.idp_templates5_gitlab_self_hosted.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_gitlab_self_hosted.instance_id` +
-		` LEFT JOIN projections.idp_templates5_google ON projections.idp_templates5.id = projections.idp_templates5_google.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_google.instance_id` +
-		` LEFT JOIN projections.idp_templates5_saml ON projections.idp_templates5.id = projections.idp_templates5_saml.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_saml.instance_id` +
-		` LEFT JOIN projections.idp_templates5_ldap2 ON projections.idp_templates5.id = projections.idp_templates5_ldap2.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_ldap2.instance_id` +
-		` LEFT JOIN projections.idp_templates5_apple ON projections.idp_templates5.id = projections.idp_templates5_apple.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_apple.instance_id` +
+		` projections.idp_templates6_apple.idp_id,` +
+		` projections.idp_templates6_apple.client_id,` +
+		` projections.idp_templates6_apple.team_id,` +
+		` projections.idp_templates6_apple.key_id,` +
+		` projections.idp_templates6_apple.private_key,` +
+		` projections.idp_templates6_apple.scopes` +
+		` FROM projections.idp_templates6` +
+		` LEFT JOIN projections.idp_templates6_oauth2 ON projections.idp_templates6.id = projections.idp_templates6_oauth2.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_oauth2.instance_id` +
+		` LEFT JOIN projections.idp_templates6_oidc ON projections.idp_templates6.id = projections.idp_templates6_oidc.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_oidc.instance_id` +
+		` LEFT JOIN projections.idp_templates6_jwt ON projections.idp_templates6.id = projections.idp_templates6_jwt.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_jwt.instance_id` +
+		` LEFT JOIN projections.idp_templates6_azure ON projections.idp_templates6.id = projections.idp_templates6_azure.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_azure.instance_id` +
+		` LEFT JOIN projections.idp_templates6_github ON projections.idp_templates6.id = projections.idp_templates6_github.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_github.instance_id` +
+		` LEFT JOIN projections.idp_templates6_github_enterprise ON projections.idp_templates6.id = projections.idp_templates6_github_enterprise.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_github_enterprise.instance_id` +
+		` LEFT JOIN projections.idp_templates6_gitlab ON projections.idp_templates6.id = projections.idp_templates6_gitlab.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_gitlab.instance_id` +
+		` LEFT JOIN projections.idp_templates6_gitlab_self_hosted ON projections.idp_templates6.id = projections.idp_templates6_gitlab_self_hosted.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_gitlab_self_hosted.instance_id` +
+		` LEFT JOIN projections.idp_templates6_google ON projections.idp_templates6.id = projections.idp_templates6_google.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_google.instance_id` +
+		` LEFT JOIN projections.idp_templates6_saml ON projections.idp_templates6.id = projections.idp_templates6_saml.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_saml.instance_id` +
+		` LEFT JOIN projections.idp_templates6_ldap2 ON projections.idp_templates6.id = projections.idp_templates6_ldap2.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_ldap2.instance_id` +
+		` LEFT JOIN projections.idp_templates6_apple ON projections.idp_templates6.id = projections.idp_templates6_apple.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_apple.instance_id` +
 		` AS OF SYSTEM TIME '-1 ms'`
 	idpTemplateCols = []string{
 		"id",
@@ -153,6 +154,7 @@ var (
 		"is_linking_allowed",
 		"is_auto_creation",
 		"is_auto_update",
+		"auto_linking",
 		// oauth config
 		"idp_id",
 		"client_id",
@@ -250,129 +252,130 @@ var (
 		"private_key",
 		"scopes",
 	}
-	idpTemplatesQuery = `SELECT projections.idp_templates5.id,` +
-		` projections.idp_templates5.resource_owner,` +
-		` projections.idp_templates5.creation_date,` +
-		` projections.idp_templates5.change_date,` +
-		` projections.idp_templates5.sequence,` +
-		` projections.idp_templates5.state,` +
-		` projections.idp_templates5.name,` +
-		` projections.idp_templates5.type,` +
-		` projections.idp_templates5.owner_type,` +
-		` projections.idp_templates5.is_creation_allowed,` +
-		` projections.idp_templates5.is_linking_allowed,` +
-		` projections.idp_templates5.is_auto_creation,` +
-		` projections.idp_templates5.is_auto_update,` +
+	idpTemplatesQuery = `SELECT projections.idp_templates6.id,` +
+		` projections.idp_templates6.resource_owner,` +
+		` projections.idp_templates6.creation_date,` +
+		` projections.idp_templates6.change_date,` +
+		` projections.idp_templates6.sequence,` +
+		` projections.idp_templates6.state,` +
+		` projections.idp_templates6.name,` +
+		` projections.idp_templates6.type,` +
+		` projections.idp_templates6.owner_type,` +
+		` projections.idp_templates6.is_creation_allowed,` +
+		` projections.idp_templates6.is_linking_allowed,` +
+		` projections.idp_templates6.is_auto_creation,` +
+		` projections.idp_templates6.is_auto_update,` +
+		` projections.idp_templates6.auto_linking,` +
 		// oauth
-		` projections.idp_templates5_oauth2.idp_id,` +
-		` projections.idp_templates5_oauth2.client_id,` +
-		` projections.idp_templates5_oauth2.client_secret,` +
-		` projections.idp_templates5_oauth2.authorization_endpoint,` +
-		` projections.idp_templates5_oauth2.token_endpoint,` +
-		` projections.idp_templates5_oauth2.user_endpoint,` +
-		` projections.idp_templates5_oauth2.scopes,` +
-		` projections.idp_templates5_oauth2.id_attribute,` +
+		` projections.idp_templates6_oauth2.idp_id,` +
+		` projections.idp_templates6_oauth2.client_id,` +
+		` projections.idp_templates6_oauth2.client_secret,` +
+		` projections.idp_templates6_oauth2.authorization_endpoint,` +
+		` projections.idp_templates6_oauth2.token_endpoint,` +
+		` projections.idp_templates6_oauth2.user_endpoint,` +
+		` projections.idp_templates6_oauth2.scopes,` +
+		` projections.idp_templates6_oauth2.id_attribute,` +
 		// oidc
-		` projections.idp_templates5_oidc.idp_id,` +
-		` projections.idp_templates5_oidc.issuer,` +
-		` projections.idp_templates5_oidc.client_id,` +
-		` projections.idp_templates5_oidc.client_secret,` +
-		` projections.idp_templates5_oidc.scopes,` +
-		` projections.idp_templates5_oidc.id_token_mapping,` +
+		` projections.idp_templates6_oidc.idp_id,` +
+		` projections.idp_templates6_oidc.issuer,` +
+		` projections.idp_templates6_oidc.client_id,` +
+		` projections.idp_templates6_oidc.client_secret,` +
+		` projections.idp_templates6_oidc.scopes,` +
+		` projections.idp_templates6_oidc.id_token_mapping,` +
 		// jwt
-		` projections.idp_templates5_jwt.idp_id,` +
-		` projections.idp_templates5_jwt.issuer,` +
-		` projections.idp_templates5_jwt.jwt_endpoint,` +
-		` projections.idp_templates5_jwt.keys_endpoint,` +
-		` projections.idp_templates5_jwt.header_name,` +
+		` projections.idp_templates6_jwt.idp_id,` +
+		` projections.idp_templates6_jwt.issuer,` +
+		` projections.idp_templates6_jwt.jwt_endpoint,` +
+		` projections.idp_templates6_jwt.keys_endpoint,` +
+		` projections.idp_templates6_jwt.header_name,` +
 		// azure
-		` projections.idp_templates5_azure.idp_id,` +
-		` projections.idp_templates5_azure.client_id,` +
-		` projections.idp_templates5_azure.client_secret,` +
-		` projections.idp_templates5_azure.scopes,` +
-		` projections.idp_templates5_azure.tenant,` +
-		` projections.idp_templates5_azure.is_email_verified,` +
+		` projections.idp_templates6_azure.idp_id,` +
+		` projections.idp_templates6_azure.client_id,` +
+		` projections.idp_templates6_azure.client_secret,` +
+		` projections.idp_templates6_azure.scopes,` +
+		` projections.idp_templates6_azure.tenant,` +
+		` projections.idp_templates6_azure.is_email_verified,` +
 		// github
-		` projections.idp_templates5_github.idp_id,` +
-		` projections.idp_templates5_github.client_id,` +
-		` projections.idp_templates5_github.client_secret,` +
-		` projections.idp_templates5_github.scopes,` +
+		` projections.idp_templates6_github.idp_id,` +
+		` projections.idp_templates6_github.client_id,` +
+		` projections.idp_templates6_github.client_secret,` +
+		` projections.idp_templates6_github.scopes,` +
 		// github enterprise
-		` projections.idp_templates5_github_enterprise.idp_id,` +
-		` projections.idp_templates5_github_enterprise.client_id,` +
-		` projections.idp_templates5_github_enterprise.client_secret,` +
-		` projections.idp_templates5_github_enterprise.authorization_endpoint,` +
-		` projections.idp_templates5_github_enterprise.token_endpoint,` +
-		` projections.idp_templates5_github_enterprise.user_endpoint,` +
-		` projections.idp_templates5_github_enterprise.scopes,` +
+		` projections.idp_templates6_github_enterprise.idp_id,` +
+		` projections.idp_templates6_github_enterprise.client_id,` +
+		` projections.idp_templates6_github_enterprise.client_secret,` +
+		` projections.idp_templates6_github_enterprise.authorization_endpoint,` +
+		` projections.idp_templates6_github_enterprise.token_endpoint,` +
+		` projections.idp_templates6_github_enterprise.user_endpoint,` +
+		` projections.idp_templates6_github_enterprise.scopes,` +
 		// gitlab
-		` projections.idp_templates5_gitlab.idp_id,` +
-		` projections.idp_templates5_gitlab.client_id,` +
-		` projections.idp_templates5_gitlab.client_secret,` +
-		` projections.idp_templates5_gitlab.scopes,` +
+		` projections.idp_templates6_gitlab.idp_id,` +
+		` projections.idp_templates6_gitlab.client_id,` +
+		` projections.idp_templates6_gitlab.client_secret,` +
+		` projections.idp_templates6_gitlab.scopes,` +
 		// gitlab self hosted
-		` projections.idp_templates5_gitlab_self_hosted.idp_id,` +
-		` projections.idp_templates5_gitlab_self_hosted.issuer,` +
-		` projections.idp_templates5_gitlab_self_hosted.client_id,` +
-		` projections.idp_templates5_gitlab_self_hosted.client_secret,` +
-		` projections.idp_templates5_gitlab_self_hosted.scopes,` +
+		` projections.idp_templates6_gitlab_self_hosted.idp_id,` +
+		` projections.idp_templates6_gitlab_self_hosted.issuer,` +
+		` projections.idp_templates6_gitlab_self_hosted.client_id,` +
+		` projections.idp_templates6_gitlab_self_hosted.client_secret,` +
+		` projections.idp_templates6_gitlab_self_hosted.scopes,` +
 		// google
-		` projections.idp_templates5_google.idp_id,` +
-		` projections.idp_templates5_google.client_id,` +
-		` projections.idp_templates5_google.client_secret,` +
-		` projections.idp_templates5_google.scopes,` +
+		` projections.idp_templates6_google.idp_id,` +
+		` projections.idp_templates6_google.client_id,` +
+		` projections.idp_templates6_google.client_secret,` +
+		` projections.idp_templates6_google.scopes,` +
 		// saml
-		` projections.idp_templates5_saml.idp_id,` +
-		` projections.idp_templates5_saml.metadata,` +
-		` projections.idp_templates5_saml.key,` +
-		` projections.idp_templates5_saml.certificate,` +
-		` projections.idp_templates5_saml.binding,` +
-		` projections.idp_templates5_saml.with_signed_request,` +
+		` projections.idp_templates6_saml.idp_id,` +
+		` projections.idp_templates6_saml.metadata,` +
+		` projections.idp_templates6_saml.key,` +
+		` projections.idp_templates6_saml.certificate,` +
+		` projections.idp_templates6_saml.binding,` +
+		` projections.idp_templates6_saml.with_signed_request,` +
 		// ldap
-		` projections.idp_templates5_ldap2.idp_id,` +
-		` projections.idp_templates5_ldap2.servers,` +
-		` projections.idp_templates5_ldap2.start_tls,` +
-		` projections.idp_templates5_ldap2.base_dn,` +
-		` projections.idp_templates5_ldap2.bind_dn,` +
-		` projections.idp_templates5_ldap2.bind_password,` +
-		` projections.idp_templates5_ldap2.user_base,` +
-		` projections.idp_templates5_ldap2.user_object_classes,` +
-		` projections.idp_templates5_ldap2.user_filters,` +
-		` projections.idp_templates5_ldap2.timeout,` +
-		` projections.idp_templates5_ldap2.id_attribute,` +
-		` projections.idp_templates5_ldap2.first_name_attribute,` +
-		` projections.idp_templates5_ldap2.last_name_attribute,` +
-		` projections.idp_templates5_ldap2.display_name_attribute,` +
-		` projections.idp_templates5_ldap2.nick_name_attribute,` +
-		` projections.idp_templates5_ldap2.preferred_username_attribute,` +
-		` projections.idp_templates5_ldap2.email_attribute,` +
-		` projections.idp_templates5_ldap2.email_verified,` +
-		` projections.idp_templates5_ldap2.phone_attribute,` +
-		` projections.idp_templates5_ldap2.phone_verified_attribute,` +
-		` projections.idp_templates5_ldap2.preferred_language_attribute,` +
-		` projections.idp_templates5_ldap2.avatar_url_attribute,` +
-		` projections.idp_templates5_ldap2.profile_attribute,` +
+		` projections.idp_templates6_ldap2.idp_id,` +
+		` projections.idp_templates6_ldap2.servers,` +
+		` projections.idp_templates6_ldap2.start_tls,` +
+		` projections.idp_templates6_ldap2.base_dn,` +
+		` projections.idp_templates6_ldap2.bind_dn,` +
+		` projections.idp_templates6_ldap2.bind_password,` +
+		` projections.idp_templates6_ldap2.user_base,` +
+		` projections.idp_templates6_ldap2.user_object_classes,` +
+		` projections.idp_templates6_ldap2.user_filters,` +
+		` projections.idp_templates6_ldap2.timeout,` +
+		` projections.idp_templates6_ldap2.id_attribute,` +
+		` projections.idp_templates6_ldap2.first_name_attribute,` +
+		` projections.idp_templates6_ldap2.last_name_attribute,` +
+		` projections.idp_templates6_ldap2.display_name_attribute,` +
+		` projections.idp_templates6_ldap2.nick_name_attribute,` +
+		` projections.idp_templates6_ldap2.preferred_username_attribute,` +
+		` projections.idp_templates6_ldap2.email_attribute,` +
+		` projections.idp_templates6_ldap2.email_verified,` +
+		` projections.idp_templates6_ldap2.phone_attribute,` +
+		` projections.idp_templates6_ldap2.phone_verified_attribute,` +
+		` projections.idp_templates6_ldap2.preferred_language_attribute,` +
+		` projections.idp_templates6_ldap2.avatar_url_attribute,` +
+		` projections.idp_templates6_ldap2.profile_attribute,` +
 		// apple
-		` projections.idp_templates5_apple.idp_id,` +
-		` projections.idp_templates5_apple.client_id,` +
-		` projections.idp_templates5_apple.team_id,` +
-		` projections.idp_templates5_apple.key_id,` +
-		` projections.idp_templates5_apple.private_key,` +
-		` projections.idp_templates5_apple.scopes,` +
+		` projections.idp_templates6_apple.idp_id,` +
+		` projections.idp_templates6_apple.client_id,` +
+		` projections.idp_templates6_apple.team_id,` +
+		` projections.idp_templates6_apple.key_id,` +
+		` projections.idp_templates6_apple.private_key,` +
+		` projections.idp_templates6_apple.scopes,` +
 		` COUNT(*) OVER ()` +
-		` FROM projections.idp_templates5` +
-		` LEFT JOIN projections.idp_templates5_oauth2 ON projections.idp_templates5.id = projections.idp_templates5_oauth2.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_oauth2.instance_id` +
-		` LEFT JOIN projections.idp_templates5_oidc ON projections.idp_templates5.id = projections.idp_templates5_oidc.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_oidc.instance_id` +
-		` LEFT JOIN projections.idp_templates5_jwt ON projections.idp_templates5.id = projections.idp_templates5_jwt.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_jwt.instance_id` +
-		` LEFT JOIN projections.idp_templates5_azure ON projections.idp_templates5.id = projections.idp_templates5_azure.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_azure.instance_id` +
-		` LEFT JOIN projections.idp_templates5_github ON projections.idp_templates5.id = projections.idp_templates5_github.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_github.instance_id` +
-		` LEFT JOIN projections.idp_templates5_github_enterprise ON projections.idp_templates5.id = projections.idp_templates5_github_enterprise.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_github_enterprise.instance_id` +
-		` LEFT JOIN projections.idp_templates5_gitlab ON projections.idp_templates5.id = projections.idp_templates5_gitlab.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_gitlab.instance_id` +
-		` LEFT JOIN projections.idp_templates5_gitlab_self_hosted ON projections.idp_templates5.id = projections.idp_templates5_gitlab_self_hosted.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_gitlab_self_hosted.instance_id` +
-		` LEFT JOIN projections.idp_templates5_google ON projections.idp_templates5.id = projections.idp_templates5_google.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_google.instance_id` +
-		` LEFT JOIN projections.idp_templates5_saml ON projections.idp_templates5.id = projections.idp_templates5_saml.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_saml.instance_id` +
-		` LEFT JOIN projections.idp_templates5_ldap2 ON projections.idp_templates5.id = projections.idp_templates5_ldap2.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_ldap2.instance_id` +
-		` LEFT JOIN projections.idp_templates5_apple ON projections.idp_templates5.id = projections.idp_templates5_apple.idp_id AND projections.idp_templates5.instance_id = projections.idp_templates5_apple.instance_id` +
+		` FROM projections.idp_templates6` +
+		` LEFT JOIN projections.idp_templates6_oauth2 ON projections.idp_templates6.id = projections.idp_templates6_oauth2.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_oauth2.instance_id` +
+		` LEFT JOIN projections.idp_templates6_oidc ON projections.idp_templates6.id = projections.idp_templates6_oidc.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_oidc.instance_id` +
+		` LEFT JOIN projections.idp_templates6_jwt ON projections.idp_templates6.id = projections.idp_templates6_jwt.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_jwt.instance_id` +
+		` LEFT JOIN projections.idp_templates6_azure ON projections.idp_templates6.id = projections.idp_templates6_azure.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_azure.instance_id` +
+		` LEFT JOIN projections.idp_templates6_github ON projections.idp_templates6.id = projections.idp_templates6_github.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_github.instance_id` +
+		` LEFT JOIN projections.idp_templates6_github_enterprise ON projections.idp_templates6.id = projections.idp_templates6_github_enterprise.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_github_enterprise.instance_id` +
+		` LEFT JOIN projections.idp_templates6_gitlab ON projections.idp_templates6.id = projections.idp_templates6_gitlab.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_gitlab.instance_id` +
+		` LEFT JOIN projections.idp_templates6_gitlab_self_hosted ON projections.idp_templates6.id = projections.idp_templates6_gitlab_self_hosted.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_gitlab_self_hosted.instance_id` +
+		` LEFT JOIN projections.idp_templates6_google ON projections.idp_templates6.id = projections.idp_templates6_google.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_google.instance_id` +
+		` LEFT JOIN projections.idp_templates6_saml ON projections.idp_templates6.id = projections.idp_templates6_saml.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_saml.instance_id` +
+		` LEFT JOIN projections.idp_templates6_ldap2 ON projections.idp_templates6.id = projections.idp_templates6_ldap2.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_ldap2.instance_id` +
+		` LEFT JOIN projections.idp_templates6_apple ON projections.idp_templates6.id = projections.idp_templates6_apple.idp_id AND projections.idp_templates6.instance_id = projections.idp_templates6_apple.instance_id` +
 		` AS OF SYSTEM TIME '-1 ms'`
 	idpTemplatesCols = []string{
 		"id",
@@ -388,6 +391,7 @@ var (
 		"is_linking_allowed",
 		"is_auto_creation",
 		"is_auto_update",
+		"auto_linking",
 		// oauth config
 		"idp_id",
 		"client_id",
@@ -538,6 +542,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						true,
 						true,
 						true,
+						domain.AutoLinkingOptionUsername,
 						// oauth
 						"idp-id",
 						"client_id",
@@ -651,6 +656,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 				IsLinkingAllowed:  true,
 				IsAutoCreation:    true,
 				IsAutoUpdate:      true,
+				AutoLinking:       domain.AutoLinkingOptionUsername,
 				OAuthIDPTemplate: &OAuthIDPTemplate{
 					IDPID:                 "idp-id",
 					ClientID:              "client_id",
@@ -684,6 +690,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						true,
 						true,
 						true,
+						domain.AutoLinkingOptionUsername,
 						// oauth
 						nil,
 						nil,
@@ -797,6 +804,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 				IsLinkingAllowed:  true,
 				IsAutoCreation:    true,
 				IsAutoUpdate:      true,
+				AutoLinking:       domain.AutoLinkingOptionUsername,
 				OIDCIDPTemplate: &OIDCIDPTemplate{
 					IDPID:            "idp-id",
 					Issuer:           "issuer",
@@ -828,6 +836,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						true,
 						true,
 						true,
+						domain.AutoLinkingOptionUsername,
 						// oauth
 						nil,
 						nil,
@@ -941,6 +950,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 				IsLinkingAllowed:  true,
 				IsAutoCreation:    true,
 				IsAutoUpdate:      true,
+				AutoLinking:       domain.AutoLinkingOptionUsername,
 				JWTIDPTemplate: &JWTIDPTemplate{
 					IDPID:        "idp-id",
 					Issuer:       "issuer",
@@ -971,6 +981,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						true,
 						true,
 						true,
+						domain.AutoLinkingOptionUsername,
 						// oauth
 						nil,
 						nil,
@@ -1084,6 +1095,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 				IsLinkingAllowed:  true,
 				IsAutoCreation:    true,
 				IsAutoUpdate:      true,
+				AutoLinking:       domain.AutoLinkingOptionUsername,
 				GitHubIDPTemplate: &GitHubIDPTemplate{
 					IDPID:        "idp-id",
 					ClientID:     "client_id",
@@ -1113,6 +1125,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						true,
 						true,
 						true,
+						domain.AutoLinkingOptionUsername,
 						// oauth
 						nil,
 						nil,
@@ -1226,6 +1239,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 				IsLinkingAllowed:  true,
 				IsAutoCreation:    true,
 				IsAutoUpdate:      true,
+				AutoLinking:       domain.AutoLinkingOptionUsername,
 				GitLabIDPTemplate: &GitLabIDPTemplate{
 					IDPID:        "idp-id",
 					ClientID:     "client_id",
@@ -1255,6 +1269,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						true,
 						true,
 						true,
+						domain.AutoLinkingOptionUsername,
 						// oauth
 						nil,
 						nil,
@@ -1368,6 +1383,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 				IsLinkingAllowed:  true,
 				IsAutoCreation:    true,
 				IsAutoUpdate:      true,
+				AutoLinking:       domain.AutoLinkingOptionUsername,
 				GitLabSelfHostedIDPTemplate: &GitLabSelfHostedIDPTemplate{
 					IDPID:        "idp-id",
 					Issuer:       "issuer",
@@ -1398,6 +1414,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						true,
 						true,
 						true,
+						domain.AutoLinkingOptionUsername,
 						// oauth
 						nil,
 						nil,
@@ -1511,6 +1528,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 				IsLinkingAllowed:  true,
 				IsAutoCreation:    true,
 				IsAutoUpdate:      true,
+				AutoLinking:       domain.AutoLinkingOptionUsername,
 				GoogleIDPTemplate: &GoogleIDPTemplate{
 					IDPID:        "idp-id",
 					ClientID:     "client_id",
@@ -1540,6 +1558,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						true,
 						true,
 						true,
+						domain.AutoLinkingOptionUsername,
 						// oauth
 						nil,
 						nil,
@@ -1653,6 +1672,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 				IsLinkingAllowed:  true,
 				IsAutoCreation:    true,
 				IsAutoUpdate:      true,
+				AutoLinking:       domain.AutoLinkingOptionUsername,
 				SAMLIDPTemplate: &SAMLIDPTemplate{
 					IDPID:             "idp-id",
 					Metadata:          []byte("metadata"),
@@ -1684,6 +1704,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						true,
 						true,
 						true,
+						domain.AutoLinkingOptionUsername,
 						// oauth
 						nil,
 						nil,
@@ -1797,6 +1818,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 				IsLinkingAllowed:  true,
 				IsAutoCreation:    true,
 				IsAutoUpdate:      true,
+				AutoLinking:       domain.AutoLinkingOptionUsername,
 				LDAPIDPTemplate: &LDAPIDPTemplate{
 					IDPID:             "idp-id",
 					Servers:           []string{"server"},
@@ -1846,6 +1868,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						true,
 						true,
 						true,
+						domain.AutoLinkingOptionUsername,
 						// oauth
 						nil,
 						nil,
@@ -1959,6 +1982,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 				IsLinkingAllowed:  true,
 				IsAutoCreation:    true,
 				IsAutoUpdate:      true,
+				AutoLinking:       domain.AutoLinkingOptionUsername,
 				AppleIDPTemplate: &AppleIDPTemplate{
 					IDPID:      "idp-id",
 					ClientID:   "client_id",
@@ -1990,6 +2014,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						true,
 						true,
 						true,
+						domain.AutoLinkingOptionUsername,
 						// oauth
 						nil,
 						nil,
@@ -2103,6 +2128,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 				IsLinkingAllowed:  true,
 				IsAutoCreation:    true,
 				IsAutoUpdate:      true,
+				AutoLinking:       domain.AutoLinkingOptionUsername,
 			},
 		},
 		{
@@ -2162,6 +2188,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 							true,
 							true,
 							true,
+							domain.AutoLinkingOptionUsername,
 							// oauth
 							nil,
 							nil,
@@ -2281,6 +2308,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						IsLinkingAllowed:  true,
 						IsAutoCreation:    true,
 						IsAutoUpdate:      true,
+						AutoLinking:       domain.AutoLinkingOptionUsername,
 						LDAPIDPTemplate: &LDAPIDPTemplate{
 							IDPID:             "idp-id",
 							Servers:           []string{"server"},
@@ -2333,6 +2361,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 							true,
 							true,
 							true,
+							domain.AutoLinkingOptionUsername,
 							// oauth
 							nil,
 							nil,
@@ -2452,6 +2481,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						IsLinkingAllowed:  true,
 						IsAutoCreation:    true,
 						IsAutoUpdate:      true,
+						AutoLinking:       domain.AutoLinkingOptionUsername,
 					},
 				},
 			},
@@ -2478,6 +2508,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 							true,
 							true,
 							true,
+							domain.AutoLinkingOptionUsername,
 							// oauth
 							nil,
 							nil,
@@ -2589,6 +2620,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 							true,
 							true,
 							true,
+							domain.AutoLinkingOptionUsername,
 							// oauth
 							nil,
 							nil,
@@ -2700,6 +2732,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 							true,
 							true,
 							true,
+							domain.AutoLinkingOptionUsername,
 							// oauth
 							nil,
 							nil,
@@ -2811,6 +2844,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 							true,
 							true,
 							true,
+							domain.AutoLinkingOptionUsername,
 							// oauth
 							"idp-id-oauth",
 							"client_id",
@@ -2922,6 +2956,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 							true,
 							true,
 							true,
+							domain.AutoLinkingOptionUsername,
 							// oauth
 							nil,
 							nil,
@@ -3033,6 +3068,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 							true,
 							true,
 							true,
+							domain.AutoLinkingOptionUsername,
 							// oauth
 							nil,
 							nil,
@@ -3152,6 +3188,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						IsLinkingAllowed:  true,
 						IsAutoCreation:    true,
 						IsAutoUpdate:      true,
+						AutoLinking:       domain.AutoLinkingOptionUsername,
 						LDAPIDPTemplate: &LDAPIDPTemplate{
 							IDPID:             "idp-id-ldap",
 							Servers:           []string{"server"},
@@ -3193,6 +3230,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						IsLinkingAllowed:  true,
 						IsAutoCreation:    true,
 						IsAutoUpdate:      true,
+						AutoLinking:       domain.AutoLinkingOptionUsername,
 						SAMLIDPTemplate: &SAMLIDPTemplate{
 							IDPID:             "idp-id-saml",
 							Metadata:          []byte("metadata"),
@@ -3216,6 +3254,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						IsLinkingAllowed:  true,
 						IsAutoCreation:    true,
 						IsAutoUpdate:      true,
+						AutoLinking:       domain.AutoLinkingOptionUsername,
 						GoogleIDPTemplate: &GoogleIDPTemplate{
 							IDPID:        "idp-id-google",
 							ClientID:     "client_id",
@@ -3238,6 +3277,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						IsLinkingAllowed:  true,
 						IsAutoCreation:    true,
 						IsAutoUpdate:      true,
+						AutoLinking:       domain.AutoLinkingOptionUsername,
 						OAuthIDPTemplate: &OAuthIDPTemplate{
 							IDPID:                 "idp-id-oauth",
 							ClientID:              "client_id",
@@ -3263,6 +3303,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						IsLinkingAllowed:  true,
 						IsAutoCreation:    true,
 						IsAutoUpdate:      true,
+						AutoLinking:       domain.AutoLinkingOptionUsername,
 						OIDCIDPTemplate: &OIDCIDPTemplate{
 							IDPID:            "idp-id-oidc",
 							Issuer:           "issuer",
@@ -3286,6 +3327,7 @@ func Test_IDPTemplateTemplatesPrepares(t *testing.T) {
 						IsLinkingAllowed:  true,
 						IsAutoCreation:    true,
 						IsAutoUpdate:      true,
+						AutoLinking:       domain.AutoLinkingOptionUsername,
 						JWTIDPTemplate: &JWTIDPTemplate{
 							IDPID:        "idp-id-jwt",
 							Issuer:       "issuer",

internal/query/idp_user_link_test.go

@@ -14,14 +14,14 @@ import (
 var (
 	idpUserLinksQuery = regexp.QuoteMeta(`SELECT projections.idp_user_links3.idp_id,` +
 		` projections.idp_user_links3.user_id,` +
-		` projections.idp_templates5.name,` +
+		` projections.idp_templates6.name,` +
 		` projections.idp_user_links3.external_user_id,` +
 		` projections.idp_user_links3.display_name,` +
-		` projections.idp_templates5.type,` +
+		` projections.idp_templates6.type,` +
 		` projections.idp_user_links3.resource_owner,` +
 		` COUNT(*) OVER ()` +
 		` FROM projections.idp_user_links3` +
-		` LEFT JOIN projections.idp_templates5 ON projections.idp_user_links3.idp_id = projections.idp_templates5.id AND projections.idp_user_links3.instance_id = projections.idp_templates5.instance_id` +
+		` LEFT JOIN projections.idp_templates6 ON projections.idp_user_links3.idp_id = projections.idp_templates6.id AND projections.idp_user_links3.instance_id = projections.idp_templates6.instance_id` +
 		` AS OF SYSTEM TIME '-1 ms'`)
 	idpUserLinksCols = []string{
 		"idp_id",

internal/query/projection/idp_template.go

@@ -17,7 +17,7 @@ import (
 )
 
 const (
-	IDPTemplateTable                 = "projections.idp_templates5"
+	IDPTemplateTable                 = "projections.idp_templates6"
 	IDPTemplateOAuthTable            = IDPTemplateTable + "_" + IDPTemplateOAuthSuffix
 	IDPTemplateOIDCTable             = IDPTemplateTable + "_" + IDPTemplateOIDCSuffix
 	IDPTemplateJWTTable              = IDPTemplateTable + "_" + IDPTemplateJWTSuffix
@@ -59,6 +59,7 @@ const (
 	IDPTemplateIsLinkingAllowedCol  = "is_linking_allowed"
 	IDPTemplateIsAutoCreationCol    = "is_auto_creation"
 	IDPTemplateIsAutoUpdateCol      = "is_auto_update"
+	IDPTemplateAutoLinkingCol       = "auto_linking"
 
 	OAuthIDCol                    = "idp_id"
 	OAuthInstanceIDCol            = "instance_id"
@@ -197,6 +198,7 @@ func (*idpTemplateProjection) Init() *old_handler.Check {
 			handler.NewColumn(IDPTemplateIsLinkingAllowedCol, handler.ColumnTypeBool, handler.Default(false)),
 			handler.NewColumn(IDPTemplateIsAutoCreationCol, handler.ColumnTypeBool, handler.Default(false)),
 			handler.NewColumn(IDPTemplateIsAutoUpdateCol, handler.ColumnTypeBool, handler.Default(false)),
+			handler.NewColumn(IDPTemplateAutoLinkingCol, handler.ColumnTypeEnum, handler.Default(0)),
 		},
 			handler.NewPrimaryKey(IDPTemplateInstanceIDCol, IDPTemplateIDCol),
 			handler.WithIndex(handler.NewIndex("resource_owner", []string{IDPTemplateResourceOwnerCol})),
@@ -700,6 +702,7 @@ func (p *idpTemplateProjection) reduceOAuthIDPAdded(event eventstore.Event) (*ha
 				handler.NewCol(IDPTemplateIsLinkingAllowedCol, idpEvent.IsLinkingAllowed),
 				handler.NewCol(IDPTemplateIsAutoCreationCol, idpEvent.IsAutoCreation),
 				handler.NewCol(IDPTemplateIsAutoUpdateCol, idpEvent.IsAutoUpdate),
+				handler.NewCol(IDPTemplateAutoLinkingCol, idpEvent.AutoLinkingOption),
 			},
 		),
 		handler.AddCreateStatement(
@@ -792,6 +795,7 @@ func (p *idpTemplateProjection) reduceOIDCIDPAdded(event eventstore.Event) (*han
 				handler.NewCol(IDPTemplateIsLinkingAllowedCol, idpEvent.IsLinkingAllowed),
 				handler.NewCol(IDPTemplateIsAutoCreationCol, idpEvent.IsAutoCreation),
 				handler.NewCol(IDPTemplateIsAutoUpdateCol, idpEvent.IsAutoUpdate),
+				handler.NewCol(IDPTemplateAutoLinkingCol, idpEvent.AutoLinkingOption),
 			},
 		),
 		handler.AddCreateStatement(
@@ -873,6 +877,7 @@ func (p *idpTemplateProjection) reduceOIDCIDPMigratedAzureAD(event eventstore.Ev
 				handler.NewCol(IDPTemplateIsLinkingAllowedCol, idpEvent.IsLinkingAllowed),
 				handler.NewCol(IDPTemplateIsAutoCreationCol, idpEvent.IsAutoCreation),
 				handler.NewCol(IDPTemplateIsAutoUpdateCol, idpEvent.IsAutoUpdate),
+				handler.NewCol(IDPTemplateAutoLinkingCol, idpEvent.AutoLinkingOption),
 			},
 			[]handler.Condition{
 				handler.NewCond(IDPTemplateIDCol, idpEvent.ID),
@@ -924,6 +929,7 @@ func (p *idpTemplateProjection) reduceOIDCIDPMigratedGoogle(event eventstore.Eve
 				handler.NewCol(IDPTemplateIsLinkingAllowedCol, idpEvent.IsLinkingAllowed),
 				handler.NewCol(IDPTemplateIsAutoCreationCol, idpEvent.IsAutoCreation),
 				handler.NewCol(IDPTemplateIsAutoUpdateCol, idpEvent.IsAutoUpdate),
+				handler.NewCol(IDPTemplateAutoLinkingCol, idpEvent.AutoLinkingOption),
 			},
 			[]handler.Condition{
 				handler.NewCond(IDPTemplateIDCol, idpEvent.ID),
@@ -982,6 +988,7 @@ func (p *idpTemplateProjection) reduceJWTIDPAdded(event eventstore.Event) (*hand
 				handler.NewCol(IDPTemplateIsLinkingAllowedCol, idpEvent.IsLinkingAllowed),
 				handler.NewCol(IDPTemplateIsAutoCreationCol, idpEvent.IsAutoCreation),
 				handler.NewCol(IDPTemplateIsAutoUpdateCol, idpEvent.IsAutoUpdate),
+				handler.NewCol(IDPTemplateAutoLinkingCol, idpEvent.AutoLinkingOption),
 			},
 		),
 		handler.AddCreateStatement(
@@ -1070,6 +1077,7 @@ func (p *idpTemplateProjection) reduceOldConfigAdded(event eventstore.Event) (*h
 			handler.NewCol(IDPTemplateIsLinkingAllowedCol, true),
 			handler.NewCol(IDPTemplateIsAutoCreationCol, idpEvent.AutoRegister),
 			handler.NewCol(IDPTemplateIsAutoUpdateCol, false),
+			handler.NewCol(IDPTemplateAutoLinkingCol, domain.AutoLinkingOptionUnspecified),
 		},
 	), nil
 }
@@ -1328,6 +1336,7 @@ func (p *idpTemplateProjection) reduceAzureADIDPAdded(event eventstore.Event) (*
 				handler.NewCol(IDPTemplateIsLinkingAllowedCol, idpEvent.IsLinkingAllowed),
 				handler.NewCol(IDPTemplateIsAutoCreationCol, idpEvent.IsAutoCreation),
 				handler.NewCol(IDPTemplateIsAutoUpdateCol, idpEvent.IsAutoUpdate),
+				handler.NewCol(IDPTemplateAutoLinkingCol, idpEvent.AutoLinkingOption),
 			},
 		),
 		handler.AddCreateStatement(
@@ -1418,6 +1427,7 @@ func (p *idpTemplateProjection) reduceGitHubIDPAdded(event eventstore.Event) (*h
 				handler.NewCol(IDPTemplateIsLinkingAllowedCol, idpEvent.IsLinkingAllowed),
 				handler.NewCol(IDPTemplateIsAutoCreationCol, idpEvent.IsAutoCreation),
 				handler.NewCol(IDPTemplateIsAutoUpdateCol, idpEvent.IsAutoUpdate),
+				handler.NewCol(IDPTemplateAutoLinkingCol, idpEvent.AutoLinkingOption),
 			},
 		),
 		handler.AddCreateStatement(
@@ -1465,6 +1475,7 @@ func (p *idpTemplateProjection) reduceGitHubEnterpriseIDPAdded(event eventstore.
 				handler.NewCol(IDPTemplateIsLinkingAllowedCol, idpEvent.IsLinkingAllowed),
 				handler.NewCol(IDPTemplateIsAutoCreationCol, idpEvent.IsAutoCreation),
 				handler.NewCol(IDPTemplateIsAutoUpdateCol, idpEvent.IsAutoUpdate),
+				handler.NewCol(IDPTemplateAutoLinkingCol, idpEvent.AutoLinkingOption),
 			},
 		),
 		handler.AddCreateStatement(
@@ -1597,6 +1608,7 @@ func (p *idpTemplateProjection) reduceGitLabIDPAdded(event eventstore.Event) (*h
 				handler.NewCol(IDPTemplateIsLinkingAllowedCol, idpEvent.IsLinkingAllowed),
 				handler.NewCol(IDPTemplateIsAutoCreationCol, idpEvent.IsAutoCreation),
 				handler.NewCol(IDPTemplateIsAutoUpdateCol, idpEvent.IsAutoUpdate),
+				handler.NewCol(IDPTemplateAutoLinkingCol, idpEvent.AutoLinkingOption),
 			},
 		),
 		handler.AddCreateStatement(
@@ -1685,6 +1697,7 @@ func (p *idpTemplateProjection) reduceGitLabSelfHostedIDPAdded(event eventstore.
 				handler.NewCol(IDPTemplateIsLinkingAllowedCol, idpEvent.IsLinkingAllowed),
 				handler.NewCol(IDPTemplateIsAutoCreationCol, idpEvent.IsAutoCreation),
 				handler.NewCol(IDPTemplateIsAutoUpdateCol, idpEvent.IsAutoUpdate),
+				handler.NewCol(IDPTemplateAutoLinkingCol, idpEvent.AutoLinkingOption),
 			},
 		),
 		handler.AddCreateStatement(
@@ -1774,6 +1787,7 @@ func (p *idpTemplateProjection) reduceGoogleIDPAdded(event eventstore.Event) (*h
 				handler.NewCol(IDPTemplateIsLinkingAllowedCol, idpEvent.IsLinkingAllowed),
 				handler.NewCol(IDPTemplateIsAutoCreationCol, idpEvent.IsAutoCreation),
 				handler.NewCol(IDPTemplateIsAutoUpdateCol, idpEvent.IsAutoUpdate),
+				handler.NewCol(IDPTemplateAutoLinkingCol, idpEvent.AutoLinkingOption),
 			},
 		),
 		handler.AddCreateStatement(
@@ -1862,6 +1876,7 @@ func (p *idpTemplateProjection) reduceLDAPIDPAdded(event eventstore.Event) (*han
 				handler.NewCol(IDPTemplateIsLinkingAllowedCol, idpEvent.IsLinkingAllowed),
 				handler.NewCol(IDPTemplateIsAutoCreationCol, idpEvent.IsAutoCreation),
 				handler.NewCol(IDPTemplateIsAutoUpdateCol, idpEvent.IsAutoUpdate),
+				handler.NewCol(IDPTemplateAutoLinkingCol, idpEvent.AutoLinkingOption),
 			},
 		),
 		handler.AddCreateStatement(
@@ -1970,6 +1985,7 @@ func (p *idpTemplateProjection) reduceSAMLIDPAdded(event eventstore.Event) (*han
 				handler.NewCol(IDPTemplateIsLinkingAllowedCol, idpEvent.IsLinkingAllowed),
 				handler.NewCol(IDPTemplateIsAutoCreationCol, idpEvent.IsAutoCreation),
 				handler.NewCol(IDPTemplateIsAutoUpdateCol, idpEvent.IsAutoUpdate),
+				handler.NewCol(IDPTemplateAutoLinkingCol, idpEvent.AutoLinkingOption),
 			},
 		),
 		handler.AddCreateStatement(
@@ -2061,6 +2077,7 @@ func (p *idpTemplateProjection) reduceAppleIDPAdded(event eventstore.Event) (*ha
 				handler.NewCol(IDPTemplateIsLinkingAllowedCol, idpEvent.IsLinkingAllowed),
 				handler.NewCol(IDPTemplateIsAutoCreationCol, idpEvent.IsAutoCreation),
 				handler.NewCol(IDPTemplateIsAutoUpdateCol, idpEvent.IsAutoUpdate),
+				handler.NewCol(IDPTemplateAutoLinkingCol, idpEvent.AutoLinkingOption),
 			},
 		),
 		handler.AddCreateStatement(
@@ -2191,6 +2208,9 @@ func reduceIDPChangedTemplateColumns(name *string, creationDate time.Time, seque
 	if optionChanges.IsAutoUpdate != nil {
 		cols = append(cols, handler.NewCol(IDPTemplateIsAutoUpdateCol, *optionChanges.IsAutoUpdate))
 	}
+	if optionChanges.AutoLinkingOption != nil {
+		cols = append(cols, handler.NewCol(IDPTemplateAutoLinkingCol, *optionChanges.AutoLinkingOption))
+	}
 	return append(cols,
 		handler.NewCol(IDPTemplateChangeDateCol, creationDate),
 		handler.NewCol(IDPTemplateSequenceCol, sequence),