User Account Linking

Account linking allows a Jellyfin user to connect one or more SSO provider identities to their existing account. This is useful when:

A user already has a Jellyfin account and wants to add SSO login
A user wants to link multiple SSO providers to one account
The Jellyfin username differs from the SSO provider username

Self-Service Linking Page

Users can manage their own links at:

https://<your-jellyfin-domain>/SSOViews/linking

To surface this page in the Jellyfin UI, add a custom menu link in config/web/config.json:

{
  "customLinks": [
    {
      "name": "Manage SSO Accounts",
      "url": "/SSOViews/linking",
      "icon": "link"
    }
  ]
}

What Users Can Do

Link a provider: click the link button next to a provider name to initiate the SSO flow and link the resulting identity to the current Jellyfin account
View linked identities: see all currently linked SSO accounts
Remove a link: enable delete mode and remove a specific linked identity

How Linking Works

When a user clicks Link for a provider:

The browser redirects to the SSO provider's login page
After successful authentication, the SSO provider redirects back to Jellyfin
The returned identity (e.g., OIDC sub claim or SAML NameID) is stored as a canonical link for the user
On future logins via that provider, the user is identified by this stored link, regardless of username

Canonical Links

A canonical link maps a provider-specific identifier (e.g., a UUID sub claim) to a specific Jellyfin user ID. This allows:

Different usernames between Jellyfin and the IdP
Stable identity even if the IdP username changes
Multiple IdP accounts linked to one Jellyfin account

Admin Operations via API

Admins can manage links for any user via the API.

Link an identity

POST /sso/{mode}/Link/{provider}/{jellyfinUserId}
Authorization: MediaBrowser Token="<api-key>"

{mode} is oid or saml.

Remove a link

DELETE /sso/{mode}/Link/{provider}/{jellyfinUserId}/{canonicalName}
Authorization: MediaBrowser Token="<api-key>"

List links for a user

GET /sso/oid/links/{jellyfinUserId}
GET /sso/saml/links/{jellyfinUserId}
Authorization: MediaBrowser Token="<api-key>"

Removing a User from SSO

To detach a user from SSO and assign them a standard Jellyfin authentication provider:

POST /sso/Unregister/{username}
Authorization: MediaBrowser Token="<api-key>"
Content-Type: application/json

"Jellyfin.Server.Implementations.Users.DefaultAuthenticationProvider"

After this, the user can only log in with a local Jellyfin password.

Related Pages

SSO Authentication Plugin

Getting Started

Configuration

Providers

Reference

Development

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

User Account Linking

User Account Linking

Self-Service Linking Page

What Users Can Do

How Linking Works

Canonical Links

Admin Operations via API

Link an identity

Remove a link

List links for a user

Removing a User from SSO

Related Pages

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

SSO Authentication Plugin

Clone this wiki locally