by DerJacques 2274 days ago
Interesting. Wouldn’t that allow someone to sign up for service Y with an email address associated with an account in your system using service X, in order to get access to the account in your system?

Maybe there’s something I’m not seeing, but it seems dangerous to rely on the identity provider’s email address to authenticate the user.

2 comments

Your local account is associated with X, you attempt to sign in with Y, the Y authentication was successful but there is no local account associated with Y.

Some heuristics (such as email address matching) mean you indicate to the user that perhaps they meant to try X? They sign in with X, and now you have authentications from X as well as Y for the user.

You use the authentication from X to authenticate, and you associate provider Y with the account as well. From this point forward, either X or Y can be used. You might also indicate these on a user profile page, possibly with other options - the user may decide they want to either revoke authentication from X or Y or add on authentication with Z.

You also have a similar behavior with multiple authenticators if you are implementing Web Authentication/FIDO, however these are "pure" authentication with no attributes so your heuristics for this sort of pre-login suggestion would be limited.
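The linking flow the comment above describes, as an added illustration that is not code from the original thread: a matching email only *suggests* the provider the user probably meant, and the new provider is linked only after a successful login through an identity that is already on the account. Names (`Account`, `AccountLinker`, the session and subject values) are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    user_id: str
    email: str
    identities: set = field(default_factory=set)  # {(provider, provider_subject)}

class AccountLinker:
    """Constructed in-memory model of local accounts and their linked provider identities."""

    def __init__(self, accounts):
        self.accounts = {a.user_id: a for a in accounts}
        self.pending = {}  # session_id -> (provider, subject) waiting for a proven login

    def _by_identity(self, provider, subject):
        return next((a for a in self.accounts.values()
                     if (provider, subject) in a.identities), None)

    def _by_email(self, email):
        return next((a for a in self.accounts.values()
                     if a.email.lower() == email.lower()), None)

    def federated_login(self, session_id, provider, subject, email):
        """Handle a successful authentication at `provider` for this browser session."""
        acct = self._by_identity(provider, subject)
        if acct:
            # Already-linked identity: log in, and if this session earlier authenticated
            # with another provider that matched by email, link that provider now.
            pend = self.pending.pop(session_id, None)
            if pend:
                acct.identities.add(pend)
            return {"status": "logged_in", "user_id": acct.user_id, "linked": pend}
        match = self._by_email(email)
        if match:
            # The email only tells us which provider to suggest; it does not log anyone in.
            self.pending[session_id] = (provider, subject)
            return {"status": "suggest",
                    "providers": sorted({p for p, _ in match.identities})}
        # Unknown identity and unknown email: create a fresh local account.
        new = Account(f"u{len(self.accounts) + 1}", email, {(provider, subject)})
        self.accounts[new.user_id] = new
        return {"status": "logged_in", "user_id": new.user_id, "linked": None}
```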

Exactly this.
It's assumed that, if you're signed up for a service with an email address, you control that email address.

This is generally a reasonable thing to assume, and can be verified for whatever account providers you support.