diff --git a/src/frontend/src/lib/components/ui/IdentityAvatar.svelte b/src/frontend/src/lib/components/ui/IdentityAvatar.svelte
index 9454e5ee6b..7366293b9f 100644
--- a/src/frontend/src/lib/components/ui/IdentityAvatar.svelte
+++ b/src/frontend/src/lib/components/ui/IdentityAvatar.svelte
@@ -17,13 +17,15 @@
       identity.authMethod.openid.metadata !== undefined
       ? openIdLogo(
           identity.authMethod.openid.iss,
-          // `sub` and `aud` not currently tracked on `LastUsedIdentity`;
-          // see #3795. Falls back to issuer-only matching in findConfig —
-          // correct for direct providers, imprecise for SSO until that's
-          // fixed.
-          identity.authMethod.openid.sub,
+          // `aud` not currently tracked on `LastUsedIdentity` (see
+          // #3795) — issuer-only fallback in `findConfig` is correct
+          // for direct providers, imprecise for SSO until that's
+          // fixed. `ssoDomain` is unknown here for the same reason,
+          // so SSO-linked last-used identities render with the
+          // underlying IdP's logo.
           undefined,
           identity.authMethod.openid.metadata,
+          undefined,
         )
       : undefined,
   );
diff --git a/src/frontend/src/lib/components/ui/ManageIdentities.svelte b/src/frontend/src/lib/components/ui/ManageIdentities.svelte
index d897983b3e..7bbaf00dba 100644
--- a/src/frontend/src/lib/components/ui/ManageIdentities.svelte
+++ b/src/frontend/src/lib/components/ui/ManageIdentities.svelte
@@ -44,10 +44,14 @@
     identity.authMethod.openid.metadata !== undefined
       ? openIdName(
           identity.authMethod.openid.iss,
-          identity.authMethod.openid.sub,
-          // `aud` not tracked on `LastUsedIdentity`; see #3795.
+          // `aud`, `ssoName`, `ssoDomain` not tracked on
+          // `LastUsedIdentity`; see #3795. Fall through to issuer-only
+          // `findConfig` — correct for direct providers, imprecise for
+          // SSO until that's fixed.
           undefined,
           identity.authMethod.openid.metadata,
+          undefined,
+          undefined,
         )
       : undefined}
   <div class="flex flex-col gap-8">
diff --git a/src/frontend/src/lib/components/utils/error.ts b/src/frontend/src/lib/components/utils/error.ts
index 729601d734..3aefca6baf 100644
--- a/src/frontend/src/lib/components/utils/error.ts
+++ b/src/frontend/src/lib/components/utils/error.ts
@@ -11,11 +11,7 @@ import type {
   OpenIdCredentialAddError,
   OpenIdCredentialRemoveError,
 } from "$lib/generated/internet_identity_types";
-import {
-  OAuthProviderError,
-  OpenIdCredentialAlreadyLinkedHereError,
-  isOpenIdCancelError,
-} from "$lib/utils/openID";
+import { OAuthProviderError, isOpenIdCancelError } from "$lib/utils/openID";
 import {
   AuthenticationV2Events,
   authenticationV2Funnel,
@@ -32,30 +28,23 @@ export const handleError = (error: unknown) => {
     return;
   }
 
-  // Specialization of the generic `OpenIdCredentialAlreadyRegistered` error
-  // below: the credential is already on THIS identity, not some other one.
-  if (error instanceof OpenIdCredentialAlreadyLinkedHereError) {
-    toaster.error({
-      title: "This account is already linked to this identity",
-    });
-    return;
-  }
-
   // OAuth provider returned `error=…` in the callback fragment (RFC 6749
   // §4.1.2.1 / 4.2.2.1). Surface the provider's own description so a
-  // misconfigured SSO app (e.g. Okta set to `response_types=[code]` only)
+  // misconfigured OAuth/OpenID app (e.g. an Okta SSO set to
+  // `response_types=[code]` only, or a botched direct-Google config)
   // doesn't look like an II bug. The SSO view's `mapSubmitError` gives
   // more specific guidance when the error hits inside `SignInWithSso`;
   // this branch covers callers (direct-OpenID entry points) that route
-  // through `handleError` instead.
+  // through `handleError` instead. Wording is provider-agnostic here
+  // because this path handles both SSO and direct providers.
   if (error instanceof OAuthProviderError) {
     toaster.error({
-      title: `SSO provider returned "${error.error}"`,
+      title: `OAuth provider returned "${error.error}"`,
       description:
         error.errorDescription !== undefined &&
         error.errorDescription.length > 0
           ? error.errorDescription
-          : "Ask your SSO admin to check the app's OAuth configuration.",
+          : "Ask your administrator to check the provider's OAuth configuration.",
     });
     return;
   }
diff --git a/src/frontend/src/lib/components/wizards/addAccessMethod/AddAccessMethodWizard.svelte b/src/frontend/src/lib/components/wizards/addAccessMethod/AddAccessMethodWizard.svelte
index 656605a21a..f2c5fda593 100644
--- a/src/frontend/src/lib/components/wizards/addAccessMethod/AddAccessMethodWizard.svelte
+++ b/src/frontend/src/lib/components/wizards/addAccessMethod/AddAccessMethodWizard.svelte
@@ -100,6 +100,7 @@
   <SignInWithSso
     continueWithSso={handleContinueWithSso}
     goBack={addAccessMethodFlow.chooseMethod}
+    {openIdCredentials}
   />
 {/if}
 
diff --git a/src/frontend/src/lib/components/wizards/addAccessMethod/views/AddAccessMethod.svelte b/src/frontend/src/lib/components/wizards/addAccessMethod/views/AddAccessMethod.svelte
index ab1106ba98..3c24052b20 100644
--- a/src/frontend/src/lib/components/wizards/addAccessMethod/views/AddAccessMethod.svelte
+++ b/src/frontend/src/lib/components/wizards/addAccessMethod/views/AddAccessMethod.svelte
@@ -125,7 +125,7 @@
         disabled={authenticatingProviderId !== undefined}
         size="xl"
         class="flex-1"
-        aria-label={$t`Sign in with SSO`}
+        aria-label={$t`Continue with SSO`}
       >
         <SsoIcon class="size-6" />
       </Button>
diff --git a/src/frontend/src/lib/components/wizards/auth/views/PickAuthenticationMethod.svelte b/src/frontend/src/lib/components/wizards/auth/views/PickAuthenticationMethod.svelte
index 2fc32546d4..2f983c8f4f 100644
--- a/src/frontend/src/lib/components/wizards/auth/views/PickAuthenticationMethod.svelte
+++ b/src/frontend/src/lib/components/wizards/auth/views/PickAuthenticationMethod.svelte
@@ -98,7 +98,7 @@
         disabled={authenticatingProviderId !== undefined}
         size="xl"
         class="flex-1"
-        aria-label={$t`Sign in with SSO`}
+        aria-label={$t`Continue with SSO`}
       >
         <SsoIcon class="size-6" />
       </Button>
diff --git a/src/frontend/src/lib/components/wizards/auth/views/SignInWithSso.svelte b/src/frontend/src/lib/components/wizards/auth/views/SignInWithSso.svelte
index 3b3152d86e..3872624a7e 100644
--- a/src/frontend/src/lib/components/wizards/auth/views/SignInWithSso.svelte
+++ b/src/frontend/src/lib/components/wizards/auth/views/SignInWithSso.svelte
@@ -13,6 +13,7 @@
   } from "$lib/utils/ssoDiscovery";
   import type { SsoDiscoveryResult } from "$lib/utils/ssoDiscovery";
   import { OAuthProviderError } from "$lib/utils/openID";
+  import type { OpenIdCredential } from "$lib/generated/internet_identity_types";
   import { t } from "$lib/stores/locale.store";
 
   interface Props {
@@ -20,9 +21,19 @@
       result: SsoDiscoveryResult,
     ) => Promise<void | "cancelled">;
     goBack: () => void;
+    /**
+     * Credentials already linked to the signed-in identity. When present,
+     * the Continue button is disabled and an inline hint is shown if the
+     * discovered SSO's `(iss, aud)` matches an existing credential —
+     * mirroring how the add-access-method UI disables already-linked
+     * direct providers (Google / Apple / Microsoft) in
+     * `AddAccessMethod.svelte`. Leave this `undefined` in the sign-in
+     * flow, where reusing an already-linked credential is the point.
+     */
+    openIdCredentials?: OpenIdCredential[];
   }
 
-  const { continueWithSso, goBack }: Props = $props();
+  const { continueWithSso, goBack, openIdCredentials }: Props = $props();
 
   /**
    * Debounce delay before kicking off the (network-heavy) two-hop lookup.
@@ -44,33 +55,63 @@
    */
   let preparedResult = $state<SsoDiscoveryResult>();
 
+  /**
+   * True when `preparedResult`'s `(issuer, client_id)` already matches a
+   * credential in `openIdCredentials` — i.e. this SSO domain is already
+   * linked to the signed-in identity. Keeps the add-access-method Continue
+   * button disabled with an inline hint, matching the direct-provider
+   * behaviour in `AddAccessMethod.svelte`. Always `false` in the sign-in
+   * flow (where `openIdCredentials` is left undefined).
+   */
+  const isAlreadyLinked = $derived.by(() => {
+    if (preparedResult === undefined || openIdCredentials === undefined) {
+      return false;
+    }
+    const { discovery, clientId } = preparedResult;
+    return openIdCredentials.some(
+      (c) => c.iss === discovery.issuer && c.aud === clientId,
+    );
+  });
+
   let debounceTimer: ReturnType<typeof setTimeout> | undefined;
 
-  const mapSubmitError = (e: unknown, domainInput: string): string => {
+  /**
+   * Map caught errors to user-actionable copy, or `undefined` for
+   * "nothing useful to tell the user" — the caller will fall back to a
+   * generic message. Raw errors are always logged to the console so
+   * engineers have the full stack while end users see concise copy.
+   *
+   * Only branches that the user (or their SSO admin) can act on live
+   * here; provider-misconfiguration details (hostname mismatch, HTTPS,
+   * malformed discovery document) are dropped to the generic path —
+   * they're dev-facing and the console log is the right audience.
+   */
+  const mapSubmitError = (
+    e: unknown,
+    domainInput: string,
+  ): string | undefined => {
     if (e instanceof DomainNotConfiguredError) {
       if (e.reason === "http-error" && e.httpStatus !== undefined) {
-        return $t`${domainInput} didn't serve /.well-known/ii-openid-configuration (HTTP ${String(e.httpStatus)}). The domain owner needs to publish it for II to sign you in.`;
+        return $t`${domainInput} didn't publish /.well-known/ii-openid-configuration (HTTP ${String(e.httpStatus)}).`;
       }
       if (e.reason === "network") {
-        return $t`Couldn't reach ${domainInput}. Check the spelling and your network, then try again.`;
-      }
-      if (e.detail !== undefined && e.detail.length > 0) {
-        return $t`${domainInput}'s /.well-known/ii-openid-configuration is malformed: ${e.detail}`;
+        return $t`Couldn't reach ${domainInput}. Check the spelling and your network.`;
       }
       return $t`${domainInput}'s /.well-known/ii-openid-configuration is malformed.`;
     }
     if (e instanceof OAuthProviderError) {
-      // `unsupported_response_type` is the signature of an SSO app that
-      // only allows the plain authorization-code flow. II needs the
-      // hybrid flow (id_token + code) because it verifies JWTs canister-
-      // side with no token-endpoint exchange. Spell out the fix so the
-      // SSO admin can act on it directly.
+      // `unsupported_response_type` = the SSO app is code-only; II needs
+      // the hybrid flow because it verifies JWTs canister-side with no
+      // token-endpoint exchange. Spell out the fix so the SSO admin can
+      // act on it directly.
       if (e.error === "unsupported_response_type") {
-        return $t`${domainInput}'s SSO app doesn't allow the hybrid OAuth flow II requires. Ask the SSO admin to enable response_type "id_token code" (e.g. in Okta, set the app to Single-Page Application with "Implicit (hybrid)" grant enabled).`;
+        return $t`${domainInput}'s SSO app doesn't allow the hybrid OAuth flow II requires. Ask the SSO admin to enable response_type "id_token code".`;
       }
       if (e.error === "access_denied") {
-        return $t`${domainInput}'s SSO denied the sign-in. Try again, and check with your SSO admin if the problem persists.`;
+        return $t`${domainInput}'s SSO denied the sign-in.`;
       }
+      // Everything else: show the provider's own words if any, else the
+      // error code. Useful because these bubble straight from the IdP.
       if (e.errorDescription !== undefined && e.errorDescription.length > 0) {
         return $t`${domainInput}'s SSO returned "${e.error}": ${e.errorDescription}`;
       }
@@ -81,30 +122,28 @@
       if (msg.toLowerCase().includes("canary allowlist")) {
         return $t`SSO is not available for "${domainInput}" yet. Ask an II admin to register this domain.`;
       }
-      if (msg.includes("Provider issuer hostname mismatch")) {
-        return $t`SSO provider misconfigured: issuer doesn't match the configured hostname. (${msg})`;
-      }
-      if (msg.includes("Provider authorization endpoint hostname mismatch")) {
-        return $t`SSO provider misconfigured: authorization endpoint points to a different host than the issuer. (${msg})`;
-      }
-      if (msg.includes("Provider issuer must use HTTPS")) {
-        return $t`SSO provider misconfigured: issuer URL is not HTTPS. (${msg})`;
-      }
-      if (msg.includes("Provider authorization endpoint must use HTTPS")) {
-        return $t`SSO provider misconfigured: authorization endpoint is not HTTPS. (${msg})`;
-      }
-      if (msg.startsWith("Provider discovery:")) {
-        return $t`SSO provider's discovery document is malformed: ${msg}`;
-      }
       if (msg.startsWith("Rate limited:")) {
-        return $t`Too many recent attempts for ${domainInput}. Wait a few minutes and try again.`;
+        return $t`Too many recent attempts for ${domainInput}. Wait a few minutes.`;
       }
       if (msg === "Too many concurrent SSO discovery requests") {
-        return $t`Several SSO sign-ins are in flight already. Wait a moment and try again.`;
+        return $t`Several SSO sign-ins are in flight already. Wait a moment.`;
       }
-      return msg;
     }
-    return $t`SSO sign-in failed. Please try again.`;
+    return undefined;
+  };
+
+  /**
+   * Set `error` from a thrown exception: always `console.error` the raw
+   * error (so engineers can inspect the stack / non-Error values), then
+   * surface a user-actionable message if we have one, or a generic
+   * fallback.
+   */
+  const setErrorFrom = (e: unknown, domainInput: string) => {
+    // eslint-disable-next-line no-console
+    console.error("SSO sign-in failed", e);
+    error =
+      mapSubmitError(e, domainInput) ??
+      $t`SSO sign-in for ${domainInput} failed. Please try again.`;
   };
 
   const invalidatePrepared = () => {
@@ -160,7 +199,7 @@
         }
       } catch (e) {
         if (matchesCurrent()) {
-          error = mapSubmitError(e, trimmed);
+          setErrorFrom(e, trimmed);
         }
       } finally {
         if (matchesCurrent()) {
@@ -187,7 +226,7 @@
       // handler.
       await continueWithSso(preparedResult);
     } catch (e) {
-      error = mapSubmitError(e, domain.trim().toLowerCase());
+      setErrorFrom(e, domain.trim().toLowerCase());
     } finally {
       isSubmitting = false;
     }
@@ -207,7 +246,7 @@
       <SsoIcon class="size-5" />
     </FeaturedIcon>
     <div class="flex flex-col gap-3">
-      <h1 class="text-2xl font-medium">{$t`Sign In With SSO`}</h1>
+      <h1 class="text-2xl font-medium">{$t`Continue with SSO`}</h1>
       <p class="text-text-tertiary text-base font-medium">
         {$t`Enter your company domain`}
       </p>
@@ -236,11 +275,19 @@
       {error}
       aria-label={$t`Company domain`}
     />
+    {#if isAlreadyLinked}
+      <p class="text-text-tertiary text-sm">
+        {$t`This SSO is already linked to your identity.`}
+      </p>
+    {/if}
     <Button
       variant="primary"
       size="lg"
       type="submit"
-      disabled={preparedResult === undefined || isSubmitting || isLookingUp}
+      disabled={preparedResult === undefined ||
+        isSubmitting ||
+        isLookingUp ||
+        isAlreadyLinked}
     >
       {#if isSubmitting}
         <ProgressRing />
diff --git a/src/frontend/src/lib/flows/addAccessMethodFlow.svelte.ts b/src/frontend/src/lib/flows/addAccessMethodFlow.svelte.ts
index dfea292fe4..b78faa8d51 100644
--- a/src/frontend/src/lib/flows/addAccessMethodFlow.svelte.ts
+++ b/src/frontend/src/lib/flows/addAccessMethodFlow.svelte.ts
@@ -1,17 +1,11 @@
 import { frontendCanisterConfig } from "$lib/globals";
 import { get } from "svelte/store";
-import {
-  OpenIdCredentialAlreadyLinkedHereError,
-  decodeJWT,
-  requestJWT,
-  selectAuthScopes,
-} from "$lib/utils/openID";
+import { decodeJWT, requestJWT, selectAuthScopes } from "$lib/utils/openID";
 import { authenticatedStore } from "$lib/stores/authentication.store";
-import { isCanisterError, throwCanisterError } from "$lib/utils/utils";
+import { throwCanisterError } from "$lib/utils/utils";
 import type {
   AuthnMethodData,
   OpenIdCredential,
-  OpenIdCredentialAddError,
   OpenIdConfig,
   MetadataMapV2,
 } from "$lib/generated/internet_identity_types";
@@ -20,7 +14,6 @@ import { DiscoverableDummyIdentity } from "$lib/utils/discoverableDummyIdentity"
 import { DiscoverablePasskeyIdentity } from "$lib/utils/discoverablePasskeyIdentity";
 import { passkeyAuthnMethodData } from "$lib/utils/authnMethodData";
 import type { SsoDiscoveryResult } from "$lib/utils/ssoDiscovery";
-import { rememberSsoDomainForCredential } from "$lib/utils/ssoDomainStorage";
 
 export class AddAccessMethodFlow {
   #view = $state<"chooseMethod" | "addPasskey" | "signInWithSso">(
@@ -57,30 +50,15 @@ export class AddAccessMethodFlow {
       );
       const { iss, sub, aud, name, email } = decodeJWT(jwt);
       this.#isSystemOverlayVisible = false;
-      try {
-        await actor
-          .openid_credential_add(identityNumber, jwt, salt)
-          .then(throwCanisterError);
-      } catch (err) {
-        // Specialize the generic "already registered to another identity"
-        // error: if the credential's (iss, sub, aud) is already attached
-        // to *this* identity, tell the user that specifically instead of
-        // implying another identity has it.
-        if (
-          isCanisterError<OpenIdCredentialAddError>(err) &&
-          err.type === "OpenIdCredentialAlreadyRegistered"
-        ) {
-          const info = await actor.get_anchor_info(identityNumber);
-          const linkedHere =
-            info.openid_credentials[0]?.some(
-              (c) => c.iss === iss && c.sub === sub && c.aud === aud,
-            ) ?? false;
-          if (linkedHere) {
-            throw new OpenIdCredentialAlreadyLinkedHereError();
-          }
-        }
-        throw err;
-      }
+      // AddAccessMethod.svelte already disables the per-provider button
+      // when that provider is linked to the current identity, and
+      // SignInWithSso.svelte disables Continue once discovery reveals
+      // the same `(iss, aud)` on the identity, so the canister's
+      // `OpenIdCredentialAlreadyRegistered` reply here is only hit when
+      // the credential is linked to another identity. Treat it as-is.
+      await actor
+        .openid_credential_add(identityNumber, jwt, salt)
+        .then(throwCanisterError);
 
       const metadata: MetadataMapV2 = [];
       if (name !== undefined) {
@@ -95,6 +73,12 @@ export class AddAccessMethodFlow {
         sub,
         metadata,
         last_usage_timestamp: [],
+        // `sso_configuration` is populated by the canister when the
+        // credential is later returned via `get_anchor_info`; the FE-
+        // constructed echo of the just-added credential doesn't know
+        // it, so leave empty (Candid `opt SsoConfiguration` = `[] |
+        // [SsoConfiguration]`).
+        sso_configuration: [],
       };
     } finally {
       this.#isSystemOverlayVisible = false;
@@ -148,14 +132,13 @@ export class AddAccessMethodFlow {
    * `OpenIdConfig` from the two-hop discovery result — the issuer and
    * client_id we got from discovery plus a default name.
    *
-   * On success we also remember `(iss, sub, aud) → domain` in localStorage
-   * so the access-methods UI can later label this credential by the SSO
-   * domain the user typed instead of by the underlying IdP's issuer.
+   * The canister itself stamps `sso_domain` (and, when published by the
+   * domain, `sso_name`) onto the credential metadata on verification, so
+   * the access-methods UI can label SSO credentials by domain across
+   * devices — no per-device FE bookkeeping needed.
    */
-  linkSsoAccount = async (
-    result: SsoDiscoveryResult,
-  ): Promise<OpenIdCredential> => {
-    const { domain, clientId, discovery } = result;
+  linkSsoAccount = (result: SsoDiscoveryResult): Promise<OpenIdCredential> => {
+    const { clientId, discovery } = result;
     const syntheticConfig: OpenIdConfig = {
       auth_uri: discovery.authorization_endpoint,
       jwks_uri: "",
@@ -167,11 +150,6 @@ export class AddAccessMethodFlow {
       auth_scope: selectAuthScopes(discovery.scopes_supported),
       client_id: clientId,
     };
-    const credential = await this.linkOpenIdAccount(syntheticConfig);
-    rememberSsoDomainForCredential(
-      { iss: credential.iss, sub: credential.sub, aud: credential.aud },
-      domain,
-    );
-    return credential;
+    return this.linkOpenIdAccount(syntheticConfig);
   };
 }
diff --git a/src/frontend/src/lib/flows/authFlow.svelte.ts b/src/frontend/src/lib/flows/authFlow.svelte.ts
index 4cfb3b824e..ae639dc1cb 100644
--- a/src/frontend/src/lib/flows/authFlow.svelte.ts
+++ b/src/frontend/src/lib/flows/authFlow.svelte.ts
@@ -34,7 +34,6 @@ import {
   selectAuthScopes,
 } from "$lib/utils/openID";
 import type { SsoDiscoveryResult } from "$lib/utils/ssoDiscovery";
-import { rememberSsoDomainForCredential } from "$lib/utils/ssoDomainStorage";
 import { nanosToMillis } from "$lib/utils/time";
 
 interface AuthFlowOptions {
@@ -108,9 +107,13 @@ export class AuthFlow {
         type: "signUp";
       }
   > => {
-    const { domain, clientId, discovery } = ssoResult;
+    const { clientId, discovery } = ssoResult;
 
-    // Build a synthetic OpenIdConfig from SSO discovery result
+    // Build a synthetic OpenIdConfig from SSO discovery result. The
+    // canister identifies the matching DiscoverableProvider by (iss,
+    // aud) and stamps `sso_domain` (+ optional `sso_name`) onto the
+    // credential when it verifies the JWT — the FE doesn't need to
+    // remember anything about this flow locally.
     const syntheticConfig: OpenIdConfig = {
       auth_uri: discovery.authorization_endpoint,
       jwks_uri: "",
@@ -123,37 +126,7 @@ export class AuthFlow {
       client_id: clientId,
     };
 
-    // Pre-fetch the JWT so we can record the `(iss, sub, aud) → domain`
-    // mapping before handing off to the OpenID flow. Passing the JWT into
-    // `continueWithOpenId` avoids a second round-trip to the provider.
-    // The SSO domain is what the user typed; without remembering it here,
-    // `OpenIdItem` would later render this credential as e.g. "Google
-    // account" when the underlying IdP happens to be Google.
-    this.#systemOverlay = true;
-    let jwt: string;
-    try {
-      jwt = await requestJWT(
-        {
-          clientId,
-          authURL: discovery.authorization_endpoint,
-          authScope: syntheticConfig.auth_scope.join(" "),
-        },
-        {
-          nonce: get(sessionStore).nonce,
-          mediation: "required",
-        },
-      );
-    } catch (error) {
-      this.#view = "chooseMethod";
-      throw error;
-    } finally {
-      this.#systemOverlay = false;
-      authenticationV2Funnel.trigger(AuthenticationV2Events.ContinueWithOpenID);
-    }
-    const { iss, sub, aud } = decodeJWT(jwt);
-    rememberSsoDomainForCredential({ iss, sub, aud }, domain);
-
-    return await this.continueWithOpenId(syntheticConfig, jwt);
+    return await this.continueWithOpenId(syntheticConfig);
   };
 
   continueWithExistingPasskey = async (): Promise<bigint> => {
diff --git a/src/frontend/src/lib/generated/internet_identity_idl.js b/src/frontend/src/lib/generated/internet_identity_idl.js
index e1c40719dc..a49ae63287 100644
--- a/src/frontend/src/lib/generated/internet_identity_idl.js
+++ b/src/frontend/src/lib/generated/internet_identity_idl.js
@@ -302,11 +302,16 @@ export const idlFactory = ({ IDL }) => {
   const Aud = IDL.Text;
   const Iss = IDL.Text;
   const Sub = IDL.Text;
+  const SsoConfiguration = IDL.Record({
+    'domain' : IDL.Text,
+    'name' : IDL.Opt(IDL.Text),
+  });
   const OpenIdCredential = IDL.Record({
     'aud' : Aud,
     'iss' : Iss,
     'sub' : Sub,
     'metadata' : MetadataMapV2,
+    'sso_configuration' : IDL.Opt(SsoConfiguration),
     'last_usage_timestamp' : IDL.Opt(Timestamp),
   });
   const DeviceRegistrationInfo = IDL.Record({
diff --git a/src/frontend/src/lib/generated/internet_identity_types.d.ts b/src/frontend/src/lib/generated/internet_identity_types.d.ts
index cc622af0d7..17e2d45e00 100644
--- a/src/frontend/src/lib/generated/internet_identity_types.d.ts
+++ b/src/frontend/src/lib/generated/internet_identity_types.d.ts
@@ -936,6 +936,14 @@ export interface OpenIdCredential {
   'iss' : Iss,
   'sub' : Sub,
   'metadata' : MetadataMapV2,
+  /**
+   * Two-hop SSO provenance for credentials linked via
+   * `add_discoverable_oidc_config`. Looked up on demand by `(iss, aud)`
+   * against current canister state. `null` for direct-provider
+   * credentials (Google / Apple / Microsoft) and for SSO credentials
+   * whose provider is no longer registered.
+   */
+  'sso_configuration' : [] | [SsoConfiguration],
   'last_usage_timestamp' : [] | [Timestamp],
 }
 export type OpenIdCredentialAddError = {
@@ -1143,6 +1151,25 @@ export interface SignedIdAlias {
   'id_alias' : Principal,
   'id_dapp' : Principal,
 }
+/**
+ * Per-credential SSO provenance. Grouped as a single optional record so
+ * `sso_configuration : null` is a single "this credential isn't SSO"
+ * check, rather than two independent optional fields.
+ */
+export interface SsoConfiguration {
+  /**
+   * The `discovery_domain` the user entered (always present when the
+   * outer `sso_configuration` is non-null).
+   */
+  'domain' : string,
+  /**
+   * Human-readable name from the domain's
+   * `/.well-known/ii-openid-configuration`. `null` when the domain
+   * doesn't publish one — callers should fall back to `domain` for
+   * the label.
+   */
+  'name' : [] | [string],
+}
 export interface StreamingCallbackHttpResponse {
   'token' : [] | [Token],
   'body' : Uint8Array | number[],
diff --git a/src/frontend/src/lib/locales/de.po b/src/frontend/src/lib/locales/de.po
index c7c4d34a70..f9d982e773 100644
--- a/src/frontend/src/lib/locales/de.po
+++ b/src/frontend/src/lib/locales/de.po
@@ -25,13 +25,22 @@ msgstr "{application} ist zur neuen Internet Identity umgezogen"
 msgid "{displayName} account"
 msgstr ""
 
-msgid "{domainInput} didn't serve /.well-known/ii-openid-configuration (HTTP {0}). The domain owner needs to publish it for II to sign you in."
+msgid "{domainInput} didn't publish /.well-known/ii-openid-configuration (HTTP {0})."
 msgstr ""
 
-msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed: {0}"
+msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed."
 msgstr ""
 
-msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed."
+msgid "{domainInput}'s SSO app doesn't allow the hybrid OAuth flow II requires. Ask the SSO admin to enable response_type \"id_token code\"."
+msgstr ""
+
+msgid "{domainInput}'s SSO denied the sign-in."
+msgstr ""
+
+msgid "{domainInput}'s SSO returned \"{0}\": {1}"
+msgstr ""
+
+msgid "{domainInput}'s SSO returned error \"{0}\"."
 msgstr ""
 
 msgid "{identityName} has been removed from this device."
@@ -241,7 +250,10 @@ msgstr "Mit {name} fortfahren"
 msgid "Continue with passkey"
 msgstr "Mit Passkey fortfahren"
 
-msgid "Couldn't reach {domainInput}. Check the spelling and your network, then try again."
+msgid "Continue with SSO"
+msgstr ""
+
+msgid "Couldn't reach {domainInput}. Check the spelling and your network."
 msgstr ""
 
 msgid "Create account"
@@ -830,7 +842,7 @@ msgstr "Sitzung abgelaufen"
 msgid "Set as default sign-in"
 msgstr "Als Standardanmeldung festlegen"
 
-msgid "Several SSO sign-ins are in flight already. Wait a moment and try again."
+msgid "Several SSO sign-ins are in flight already. Wait a moment."
 msgstr ""
 
 msgid "Show all"
@@ -851,12 +863,6 @@ msgstr "Anmelden mit bekannten Methoden"
 msgid "Sign in with another identity"
 msgstr "Mit einer anderen Identität anmelden"
 
-msgid "Sign in with SSO"
-msgstr ""
-
-msgid "Sign In With SSO"
-msgstr ""
-
 msgid "Sign in with your {displayName} account from any device."
 msgstr ""
 
@@ -906,22 +912,7 @@ msgstr ""
 msgid "SSO is not available for \"{domainInput}\" yet. Ask an II admin to register this domain."
 msgstr ""
 
-msgid "SSO provider misconfigured: authorization endpoint is not HTTPS. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: authorization endpoint points to a different host than the issuer. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: issuer doesn't match the configured hostname. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: issuer URL is not HTTPS. ({msg})"
-msgstr ""
-
-msgid "SSO provider's discovery document is malformed: {msg}"
-msgstr ""
-
-msgid "SSO sign-in failed. Please try again."
+msgid "SSO sign-in for {domainInput} failed. Please try again."
 msgstr ""
 
 msgid "Start over"
@@ -1017,6 +1008,9 @@ msgstr "Dies kann einige Sekunden dauern"
 msgid "This passkey is no longer associated with any identity."
 msgstr "Dieser Passkey ist mit keiner Identität mehr verknüpft."
 
+msgid "This SSO is already linked to your identity."
+msgstr ""
+
 msgid "This YubiKey has older firmware (5.1) that's incompatible."
 msgstr "Dieser YubiKey hat eine ältere Firmware (5.1), die inkompatibel ist."
 
@@ -1053,7 +1047,7 @@ msgstr "So fahren Sie fort:"
 msgid "To finish setting up your passkey, follow the instructions shown on your <0>new device</0>."
 msgstr "Um die Einrichtung Ihres Passkeys abzuschließen, folgen Sie den Anweisungen auf Ihrem <0>neuen Gerät</0>."
 
-msgid "Too many recent attempts for {domainInput}. Wait a few minutes and try again."
+msgid "Too many recent attempts for {domainInput}. Wait a few minutes."
 msgstr ""
 
 msgid "Type each word in the correct order:"
diff --git a/src/frontend/src/lib/locales/en.po b/src/frontend/src/lib/locales/en.po
index fb140837c6..cf8f6cfedb 100644
--- a/src/frontend/src/lib/locales/en.po
+++ b/src/frontend/src/lib/locales/en.po
@@ -25,15 +25,24 @@ msgstr "{application} has moved to the new Internet Identity"
 msgid "{displayName} account"
 msgstr "{displayName} account"
 
-msgid "{domainInput} didn't serve /.well-known/ii-openid-configuration (HTTP {0}). The domain owner needs to publish it for II to sign you in."
-msgstr "{domainInput} didn't serve /.well-known/ii-openid-configuration (HTTP {0}). The domain owner needs to publish it for II to sign you in."
-
-msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed: {0}"
-msgstr "{domainInput}'s /.well-known/ii-openid-configuration is malformed: {0}"
+msgid "{domainInput} didn't publish /.well-known/ii-openid-configuration (HTTP {0})."
+msgstr "{domainInput} didn't publish /.well-known/ii-openid-configuration (HTTP {0})."
 
 msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed."
 msgstr "{domainInput}'s /.well-known/ii-openid-configuration is malformed."
 
+msgid "{domainInput}'s SSO app doesn't allow the hybrid OAuth flow II requires. Ask the SSO admin to enable response_type \"id_token code\"."
+msgstr "{domainInput}'s SSO app doesn't allow the hybrid OAuth flow II requires. Ask the SSO admin to enable response_type \"id_token code\"."
+
+msgid "{domainInput}'s SSO denied the sign-in."
+msgstr "{domainInput}'s SSO denied the sign-in."
+
+msgid "{domainInput}'s SSO returned \"{0}\": {1}"
+msgstr "{domainInput}'s SSO returned \"{0}\": {1}"
+
+msgid "{domainInput}'s SSO returned error \"{0}\"."
+msgstr "{domainInput}'s SSO returned error \"{0}\"."
+
 msgid "{identityName} has been removed from this device."
 msgstr "{identityName} has been removed from this device."
 
@@ -241,8 +250,11 @@ msgstr "Continue with {name}"
 msgid "Continue with passkey"
 msgstr "Continue with passkey"
 
-msgid "Couldn't reach {domainInput}. Check the spelling and your network, then try again."
-msgstr "Couldn't reach {domainInput}. Check the spelling and your network, then try again."
+msgid "Continue with SSO"
+msgstr "Continue with SSO"
+
+msgid "Couldn't reach {domainInput}. Check the spelling and your network."
+msgstr "Couldn't reach {domainInput}. Check the spelling and your network."
 
 msgid "Create account"
 msgstr "Create account"
@@ -830,8 +842,8 @@ msgstr "Session timed out"
 msgid "Set as default sign-in"
 msgstr "Set as default sign-in"
 
-msgid "Several SSO sign-ins are in flight already. Wait a moment and try again."
-msgstr "Several SSO sign-ins are in flight already. Wait a moment and try again."
+msgid "Several SSO sign-ins are in flight already. Wait a moment."
+msgstr "Several SSO sign-ins are in flight already. Wait a moment."
 
 msgid "Show all"
 msgstr "Show all"
@@ -851,12 +863,6 @@ msgstr "Sign in using familiar methods"
 msgid "Sign in with another identity"
 msgstr "Sign in with another identity"
 
-msgid "Sign in with SSO"
-msgstr "Sign in with SSO"
-
-msgid "Sign In With SSO"
-msgstr "Sign In With SSO"
-
 msgid "Sign in with your {displayName} account from any device."
 msgstr "Sign in with your {displayName} account from any device."
 
@@ -906,23 +912,8 @@ msgstr "SSO"
 msgid "SSO is not available for \"{domainInput}\" yet. Ask an II admin to register this domain."
 msgstr "SSO is not available for \"{domainInput}\" yet. Ask an II admin to register this domain."
 
-msgid "SSO provider misconfigured: authorization endpoint is not HTTPS. ({msg})"
-msgstr "SSO provider misconfigured: authorization endpoint is not HTTPS. ({msg})"
-
-msgid "SSO provider misconfigured: authorization endpoint points to a different host than the issuer. ({msg})"
-msgstr "SSO provider misconfigured: authorization endpoint points to a different host than the issuer. ({msg})"
-
-msgid "SSO provider misconfigured: issuer doesn't match the configured hostname. ({msg})"
-msgstr "SSO provider misconfigured: issuer doesn't match the configured hostname. ({msg})"
-
-msgid "SSO provider misconfigured: issuer URL is not HTTPS. ({msg})"
-msgstr "SSO provider misconfigured: issuer URL is not HTTPS. ({msg})"
-
-msgid "SSO provider's discovery document is malformed: {msg}"
-msgstr "SSO provider's discovery document is malformed: {msg}"
-
-msgid "SSO sign-in failed. Please try again."
-msgstr "SSO sign-in failed. Please try again."
+msgid "SSO sign-in for {domainInput} failed. Please try again."
+msgstr "SSO sign-in for {domainInput} failed. Please try again."
 
 msgid "Start over"
 msgstr "Start over"
@@ -1017,6 +1008,9 @@ msgstr "This may take a few seconds"
 msgid "This passkey is no longer associated with any identity."
 msgstr "This passkey is no longer associated with any identity."
 
+msgid "This SSO is already linked to your identity."
+msgstr "This SSO is already linked to your identity."
+
 msgid "This YubiKey has older firmware (5.1) that's incompatible."
 msgstr "This YubiKey has older firmware (5.1) that's incompatible."
 
@@ -1053,8 +1047,8 @@ msgstr "To continue:"
 msgid "To finish setting up your passkey, follow the instructions shown on your <0>new device</0>."
 msgstr "To finish setting up your passkey, follow the instructions shown on your <0>new device</0>."
 
-msgid "Too many recent attempts for {domainInput}. Wait a few minutes and try again."
-msgstr "Too many recent attempts for {domainInput}. Wait a few minutes and try again."
+msgid "Too many recent attempts for {domainInput}. Wait a few minutes."
+msgstr "Too many recent attempts for {domainInput}. Wait a few minutes."
 
 msgid "Type each word in the correct order:"
 msgstr "Type each word in the correct order:"
diff --git a/src/frontend/src/lib/locales/es.po b/src/frontend/src/lib/locales/es.po
index 6a0787ace6..294a7d6eea 100644
--- a/src/frontend/src/lib/locales/es.po
+++ b/src/frontend/src/lib/locales/es.po
@@ -25,13 +25,22 @@ msgstr "{application} se ha trasladado al nuevo Internet Identity"
 msgid "{displayName} account"
 msgstr ""
 
-msgid "{domainInput} didn't serve /.well-known/ii-openid-configuration (HTTP {0}). The domain owner needs to publish it for II to sign you in."
+msgid "{domainInput} didn't publish /.well-known/ii-openid-configuration (HTTP {0})."
 msgstr ""
 
-msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed: {0}"
+msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed."
 msgstr ""
 
-msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed."
+msgid "{domainInput}'s SSO app doesn't allow the hybrid OAuth flow II requires. Ask the SSO admin to enable response_type \"id_token code\"."
+msgstr ""
+
+msgid "{domainInput}'s SSO denied the sign-in."
+msgstr ""
+
+msgid "{domainInput}'s SSO returned \"{0}\": {1}"
+msgstr ""
+
+msgid "{domainInput}'s SSO returned error \"{0}\"."
 msgstr ""
 
 msgid "{identityName} has been removed from this device."
@@ -241,7 +250,10 @@ msgstr "Continuar con {name}"
 msgid "Continue with passkey"
 msgstr "Continuar con passkey"
 
-msgid "Couldn't reach {domainInput}. Check the spelling and your network, then try again."
+msgid "Continue with SSO"
+msgstr ""
+
+msgid "Couldn't reach {domainInput}. Check the spelling and your network."
 msgstr ""
 
 msgid "Create account"
@@ -830,7 +842,7 @@ msgstr "La sesión ha expirado"
 msgid "Set as default sign-in"
 msgstr "Establecer como inicio de sesión predeterminado"
 
-msgid "Several SSO sign-ins are in flight already. Wait a moment and try again."
+msgid "Several SSO sign-ins are in flight already. Wait a moment."
 msgstr ""
 
 msgid "Show all"
@@ -851,12 +863,6 @@ msgstr "Inicia la sesión usando métodos conocidos"
 msgid "Sign in with another identity"
 msgstr "Iniciar sesión con otra identidad"
 
-msgid "Sign in with SSO"
-msgstr ""
-
-msgid "Sign In With SSO"
-msgstr ""
-
 msgid "Sign in with your {displayName} account from any device."
 msgstr ""
 
@@ -906,22 +912,7 @@ msgstr ""
 msgid "SSO is not available for \"{domainInput}\" yet. Ask an II admin to register this domain."
 msgstr ""
 
-msgid "SSO provider misconfigured: authorization endpoint is not HTTPS. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: authorization endpoint points to a different host than the issuer. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: issuer doesn't match the configured hostname. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: issuer URL is not HTTPS. ({msg})"
-msgstr ""
-
-msgid "SSO provider's discovery document is malformed: {msg}"
-msgstr ""
-
-msgid "SSO sign-in failed. Please try again."
+msgid "SSO sign-in for {domainInput} failed. Please try again."
 msgstr ""
 
 msgid "Start over"
@@ -1017,6 +1008,9 @@ msgstr "Esto puede tardar unos segundos"
 msgid "This passkey is no longer associated with any identity."
 msgstr "Esta passkey ya no está asociada a ninguna identidad."
 
+msgid "This SSO is already linked to your identity."
+msgstr ""
+
 msgid "This YubiKey has older firmware (5.1) that's incompatible."
 msgstr "Esta YubiKey tiene un firmware antiguo (5.1) que es incompatible."
 
@@ -1053,7 +1047,7 @@ msgstr "Para continuar:"
 msgid "To finish setting up your passkey, follow the instructions shown on your <0>new device</0>."
 msgstr "Para terminar de configurar tu passkey, sigue las instrucciones que aparecen en tu <0>nuevo dispositivo</0>."
 
-msgid "Too many recent attempts for {domainInput}. Wait a few minutes and try again."
+msgid "Too many recent attempts for {domainInput}. Wait a few minutes."
 msgstr ""
 
 msgid "Type each word in the correct order:"
diff --git a/src/frontend/src/lib/locales/fr.po b/src/frontend/src/lib/locales/fr.po
index 40d138632e..d181b9b964 100644
--- a/src/frontend/src/lib/locales/fr.po
+++ b/src/frontend/src/lib/locales/fr.po
@@ -25,13 +25,22 @@ msgstr "{application} est passé à la nouvelle Internet Identity"
 msgid "{displayName} account"
 msgstr ""
 
-msgid "{domainInput} didn't serve /.well-known/ii-openid-configuration (HTTP {0}). The domain owner needs to publish it for II to sign you in."
+msgid "{domainInput} didn't publish /.well-known/ii-openid-configuration (HTTP {0})."
 msgstr ""
 
-msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed: {0}"
+msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed."
 msgstr ""
 
-msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed."
+msgid "{domainInput}'s SSO app doesn't allow the hybrid OAuth flow II requires. Ask the SSO admin to enable response_type \"id_token code\"."
+msgstr ""
+
+msgid "{domainInput}'s SSO denied the sign-in."
+msgstr ""
+
+msgid "{domainInput}'s SSO returned \"{0}\": {1}"
+msgstr ""
+
+msgid "{domainInput}'s SSO returned error \"{0}\"."
 msgstr ""
 
 msgid "{identityName} has been removed from this device."
@@ -241,7 +250,10 @@ msgstr "Continuer avec {name}"
 msgid "Continue with passkey"
 msgstr "Continuer avec une passkey"
 
-msgid "Couldn't reach {domainInput}. Check the spelling and your network, then try again."
+msgid "Continue with SSO"
+msgstr ""
+
+msgid "Couldn't reach {domainInput}. Check the spelling and your network."
 msgstr ""
 
 msgid "Create account"
@@ -830,7 +842,7 @@ msgstr "Session expirée"
 msgid "Set as default sign-in"
 msgstr "Définir comme connexion par défaut"
 
-msgid "Several SSO sign-ins are in flight already. Wait a moment and try again."
+msgid "Several SSO sign-ins are in flight already. Wait a moment."
 msgstr ""
 
 msgid "Show all"
@@ -851,12 +863,6 @@ msgstr "Se connecter avec des méthodes familières"
 msgid "Sign in with another identity"
 msgstr "Se connecter avec une autre identité"
 
-msgid "Sign in with SSO"
-msgstr ""
-
-msgid "Sign In With SSO"
-msgstr ""
-
 msgid "Sign in with your {displayName} account from any device."
 msgstr ""
 
@@ -906,22 +912,7 @@ msgstr ""
 msgid "SSO is not available for \"{domainInput}\" yet. Ask an II admin to register this domain."
 msgstr ""
 
-msgid "SSO provider misconfigured: authorization endpoint is not HTTPS. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: authorization endpoint points to a different host than the issuer. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: issuer doesn't match the configured hostname. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: issuer URL is not HTTPS. ({msg})"
-msgstr ""
-
-msgid "SSO provider's discovery document is malformed: {msg}"
-msgstr ""
-
-msgid "SSO sign-in failed. Please try again."
+msgid "SSO sign-in for {domainInput} failed. Please try again."
 msgstr ""
 
 msgid "Start over"
@@ -1017,6 +1008,9 @@ msgstr "Cela peut prendre quelques secondes"
 msgid "This passkey is no longer associated with any identity."
 msgstr "Cette passkey n’est plus associée à aucune identité."
 
+msgid "This SSO is already linked to your identity."
+msgstr ""
+
 msgid "This YubiKey has older firmware (5.1) that's incompatible."
 msgstr "Cette YubiKey possède un micrologiciel plus ancien (5.1) qui est incompatible."
 
@@ -1053,7 +1047,7 @@ msgstr "Pour continuer :"
 msgid "To finish setting up your passkey, follow the instructions shown on your <0>new device</0>."
 msgstr "Pour terminer la configuration de votre passkey, suivez les instructions affichées sur votre <0>nouvel appareil</0>."
 
-msgid "Too many recent attempts for {domainInput}. Wait a few minutes and try again."
+msgid "Too many recent attempts for {domainInput}. Wait a few minutes."
 msgstr ""
 
 msgid "Type each word in the correct order:"
diff --git a/src/frontend/src/lib/locales/id.po b/src/frontend/src/lib/locales/id.po
index 49bec0e95d..a856d016b8 100644
--- a/src/frontend/src/lib/locales/id.po
+++ b/src/frontend/src/lib/locales/id.po
@@ -25,13 +25,22 @@ msgstr "{application} telah pindah ke Internet Identity baru"
 msgid "{displayName} account"
 msgstr ""
 
-msgid "{domainInput} didn't serve /.well-known/ii-openid-configuration (HTTP {0}). The domain owner needs to publish it for II to sign you in."
+msgid "{domainInput} didn't publish /.well-known/ii-openid-configuration (HTTP {0})."
 msgstr ""
 
-msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed: {0}"
+msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed."
 msgstr ""
 
-msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed."
+msgid "{domainInput}'s SSO app doesn't allow the hybrid OAuth flow II requires. Ask the SSO admin to enable response_type \"id_token code\"."
+msgstr ""
+
+msgid "{domainInput}'s SSO denied the sign-in."
+msgstr ""
+
+msgid "{domainInput}'s SSO returned \"{0}\": {1}"
+msgstr ""
+
+msgid "{domainInput}'s SSO returned error \"{0}\"."
 msgstr ""
 
 msgid "{identityName} has been removed from this device."
@@ -241,7 +250,10 @@ msgstr "Lanjutkan dengan {name}"
 msgid "Continue with passkey"
 msgstr "Lanjutkan dengan passkey"
 
-msgid "Couldn't reach {domainInput}. Check the spelling and your network, then try again."
+msgid "Continue with SSO"
+msgstr ""
+
+msgid "Couldn't reach {domainInput}. Check the spelling and your network."
 msgstr ""
 
 msgid "Create account"
@@ -830,7 +842,7 @@ msgstr "Sesi telah habis"
 msgid "Set as default sign-in"
 msgstr "Atur sebagai metode masuk default"
 
-msgid "Several SSO sign-ins are in flight already. Wait a moment and try again."
+msgid "Several SSO sign-ins are in flight already. Wait a moment."
 msgstr ""
 
 msgid "Show all"
@@ -851,12 +863,6 @@ msgstr "Masuk menggunakan metode yang dikenal"
 msgid "Sign in with another identity"
 msgstr "Masuk dengan identitas lain"
 
-msgid "Sign in with SSO"
-msgstr ""
-
-msgid "Sign In With SSO"
-msgstr ""
-
 msgid "Sign in with your {displayName} account from any device."
 msgstr ""
 
@@ -906,22 +912,7 @@ msgstr ""
 msgid "SSO is not available for \"{domainInput}\" yet. Ask an II admin to register this domain."
 msgstr ""
 
-msgid "SSO provider misconfigured: authorization endpoint is not HTTPS. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: authorization endpoint points to a different host than the issuer. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: issuer doesn't match the configured hostname. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: issuer URL is not HTTPS. ({msg})"
-msgstr ""
-
-msgid "SSO provider's discovery document is malformed: {msg}"
-msgstr ""
-
-msgid "SSO sign-in failed. Please try again."
+msgid "SSO sign-in for {domainInput} failed. Please try again."
 msgstr ""
 
 msgid "Start over"
@@ -1017,6 +1008,9 @@ msgstr "Ini mungkin memakan waktu beberapa detik"
 msgid "This passkey is no longer associated with any identity."
 msgstr "Passkey ini tidak lagi dikaitkan dengan identitas apa pun."
 
+msgid "This SSO is already linked to your identity."
+msgstr ""
+
 msgid "This YubiKey has older firmware (5.1) that's incompatible."
 msgstr "YubiKey ini memiliki firmware lama (5.1) yang tidak kompatibel."
 
@@ -1053,7 +1047,7 @@ msgstr "Untuk melanjutkan:"
 msgid "To finish setting up your passkey, follow the instructions shown on your <0>new device</0>."
 msgstr "Untuk menyelesaikan pengaturan passkey Anda, ikuti instruksi yang ditampilkan di <0>perangkat baru</0> Anda."
 
-msgid "Too many recent attempts for {domainInput}. Wait a few minutes and try again."
+msgid "Too many recent attempts for {domainInput}. Wait a few minutes."
 msgstr ""
 
 msgid "Type each word in the correct order:"
diff --git a/src/frontend/src/lib/locales/it.po b/src/frontend/src/lib/locales/it.po
index 8fc5c3b567..a0680a8d2f 100644
--- a/src/frontend/src/lib/locales/it.po
+++ b/src/frontend/src/lib/locales/it.po
@@ -25,13 +25,22 @@ msgstr "{application} si è spostata sulla nuova Internet Identity"
 msgid "{displayName} account"
 msgstr ""
 
-msgid "{domainInput} didn't serve /.well-known/ii-openid-configuration (HTTP {0}). The domain owner needs to publish it for II to sign you in."
+msgid "{domainInput} didn't publish /.well-known/ii-openid-configuration (HTTP {0})."
 msgstr ""
 
-msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed: {0}"
+msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed."
 msgstr ""
 
-msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed."
+msgid "{domainInput}'s SSO app doesn't allow the hybrid OAuth flow II requires. Ask the SSO admin to enable response_type \"id_token code\"."
+msgstr ""
+
+msgid "{domainInput}'s SSO denied the sign-in."
+msgstr ""
+
+msgid "{domainInput}'s SSO returned \"{0}\": {1}"
+msgstr ""
+
+msgid "{domainInput}'s SSO returned error \"{0}\"."
 msgstr ""
 
 msgid "{identityName} has been removed from this device."
@@ -241,7 +250,10 @@ msgstr "Continua con {name}"
 msgid "Continue with passkey"
 msgstr "Continua con passkey"
 
-msgid "Couldn't reach {domainInput}. Check the spelling and your network, then try again."
+msgid "Continue with SSO"
+msgstr ""
+
+msgid "Couldn't reach {domainInput}. Check the spelling and your network."
 msgstr ""
 
 msgid "Create account"
@@ -830,7 +842,7 @@ msgstr "Sessione scaduta"
 msgid "Set as default sign-in"
 msgstr "Imposta come accesso predefinito"
 
-msgid "Several SSO sign-ins are in flight already. Wait a moment and try again."
+msgid "Several SSO sign-ins are in flight already. Wait a moment."
 msgstr ""
 
 msgid "Show all"
@@ -851,12 +863,6 @@ msgstr "Accedi utilizzando metodi familiari"
 msgid "Sign in with another identity"
 msgstr "Accedi con un'altra identità"
 
-msgid "Sign in with SSO"
-msgstr ""
-
-msgid "Sign In With SSO"
-msgstr ""
-
 msgid "Sign in with your {displayName} account from any device."
 msgstr ""
 
@@ -906,22 +912,7 @@ msgstr ""
 msgid "SSO is not available for \"{domainInput}\" yet. Ask an II admin to register this domain."
 msgstr ""
 
-msgid "SSO provider misconfigured: authorization endpoint is not HTTPS. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: authorization endpoint points to a different host than the issuer. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: issuer doesn't match the configured hostname. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: issuer URL is not HTTPS. ({msg})"
-msgstr ""
-
-msgid "SSO provider's discovery document is malformed: {msg}"
-msgstr ""
-
-msgid "SSO sign-in failed. Please try again."
+msgid "SSO sign-in for {domainInput} failed. Please try again."
 msgstr ""
 
 msgid "Start over"
@@ -1017,6 +1008,9 @@ msgstr "Potrebbero volerci alcuni secondi"
 msgid "This passkey is no longer associated with any identity."
 msgstr "Questa passkey non è più associata ad alcuna identità."
 
+msgid "This SSO is already linked to your identity."
+msgstr ""
+
 msgid "This YubiKey has older firmware (5.1) that's incompatible."
 msgstr "Questa YubiKey utilizza un firmware precedente (5.1) che è incompatibile."
 
@@ -1053,7 +1047,7 @@ msgstr "Per continuare:"
 msgid "To finish setting up your passkey, follow the instructions shown on your <0>new device</0>."
 msgstr "Per terminare la configurazione della tua passkey, segui le istruzioni mostrate sul tuo <0>nuovo dispositivo</0>."
 
-msgid "Too many recent attempts for {domainInput}. Wait a few minutes and try again."
+msgid "Too many recent attempts for {domainInput}. Wait a few minutes."
 msgstr ""
 
 msgid "Type each word in the correct order:"
diff --git a/src/frontend/src/lib/locales/nl.po b/src/frontend/src/lib/locales/nl.po
index 892df6fe67..420b0d4386 100644
--- a/src/frontend/src/lib/locales/nl.po
+++ b/src/frontend/src/lib/locales/nl.po
@@ -25,13 +25,22 @@ msgstr "{application} is overgegaan naar de nieuwe Internet Identity"
 msgid "{displayName} account"
 msgstr ""
 
-msgid "{domainInput} didn't serve /.well-known/ii-openid-configuration (HTTP {0}). The domain owner needs to publish it for II to sign you in."
+msgid "{domainInput} didn't publish /.well-known/ii-openid-configuration (HTTP {0})."
 msgstr ""
 
-msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed: {0}"
+msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed."
 msgstr ""
 
-msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed."
+msgid "{domainInput}'s SSO app doesn't allow the hybrid OAuth flow II requires. Ask the SSO admin to enable response_type \"id_token code\"."
+msgstr ""
+
+msgid "{domainInput}'s SSO denied the sign-in."
+msgstr ""
+
+msgid "{domainInput}'s SSO returned \"{0}\": {1}"
+msgstr ""
+
+msgid "{domainInput}'s SSO returned error \"{0}\"."
 msgstr ""
 
 msgid "{identityName} has been removed from this device."
@@ -241,7 +250,10 @@ msgstr "Doorgaan met {name}"
 msgid "Continue with passkey"
 msgstr "Doorgaan met passkey"
 
-msgid "Couldn't reach {domainInput}. Check the spelling and your network, then try again."
+msgid "Continue with SSO"
+msgstr ""
+
+msgid "Couldn't reach {domainInput}. Check the spelling and your network."
 msgstr ""
 
 msgid "Create account"
@@ -830,7 +842,7 @@ msgstr "Sessie verlopen"
 msgid "Set as default sign-in"
 msgstr "Instellen als standaard inlogmethode"
 
-msgid "Several SSO sign-ins are in flight already. Wait a moment and try again."
+msgid "Several SSO sign-ins are in flight already. Wait a moment."
 msgstr ""
 
 msgid "Show all"
@@ -851,12 +863,6 @@ msgstr "Inloggen met vertrouwde methoden"
 msgid "Sign in with another identity"
 msgstr "Inloggen met een andere identiteit"
 
-msgid "Sign in with SSO"
-msgstr ""
-
-msgid "Sign In With SSO"
-msgstr ""
-
 msgid "Sign in with your {displayName} account from any device."
 msgstr ""
 
@@ -906,22 +912,7 @@ msgstr ""
 msgid "SSO is not available for \"{domainInput}\" yet. Ask an II admin to register this domain."
 msgstr ""
 
-msgid "SSO provider misconfigured: authorization endpoint is not HTTPS. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: authorization endpoint points to a different host than the issuer. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: issuer doesn't match the configured hostname. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: issuer URL is not HTTPS. ({msg})"
-msgstr ""
-
-msgid "SSO provider's discovery document is malformed: {msg}"
-msgstr ""
-
-msgid "SSO sign-in failed. Please try again."
+msgid "SSO sign-in for {domainInput} failed. Please try again."
 msgstr ""
 
 msgid "Start over"
@@ -1017,6 +1008,9 @@ msgstr "Dit kan enkele seconden duren"
 msgid "This passkey is no longer associated with any identity."
 msgstr "Deze passkey is niet langer gekoppeld aan een identiteit."
 
+msgid "This SSO is already linked to your identity."
+msgstr ""
+
 msgid "This YubiKey has older firmware (5.1) that's incompatible."
 msgstr "Deze YubiKey heeft oudere firmware (5.1) die incompatibel is."
 
@@ -1053,7 +1047,7 @@ msgstr "Om verder te gaan:"
 msgid "To finish setting up your passkey, follow the instructions shown on your <0>new device</0>."
 msgstr "Om uw passkey te voltooien, volgt u de instructies op uw <0>nieuwe apparaat</0>."
 
-msgid "Too many recent attempts for {domainInput}. Wait a few minutes and try again."
+msgid "Too many recent attempts for {domainInput}. Wait a few minutes."
 msgstr ""
 
 msgid "Type each word in the correct order:"
diff --git a/src/frontend/src/lib/locales/pl.po b/src/frontend/src/lib/locales/pl.po
index fc368e6f52..8c2e4674ef 100644
--- a/src/frontend/src/lib/locales/pl.po
+++ b/src/frontend/src/lib/locales/pl.po
@@ -25,13 +25,22 @@ msgstr "{application} został przeniesiony do nowej tożsamości internetowej"
 msgid "{displayName} account"
 msgstr ""
 
-msgid "{domainInput} didn't serve /.well-known/ii-openid-configuration (HTTP {0}). The domain owner needs to publish it for II to sign you in."
+msgid "{domainInput} didn't publish /.well-known/ii-openid-configuration (HTTP {0})."
 msgstr ""
 
-msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed: {0}"
+msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed."
 msgstr ""
 
-msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed."
+msgid "{domainInput}'s SSO app doesn't allow the hybrid OAuth flow II requires. Ask the SSO admin to enable response_type \"id_token code\"."
+msgstr ""
+
+msgid "{domainInput}'s SSO denied the sign-in."
+msgstr ""
+
+msgid "{domainInput}'s SSO returned \"{0}\": {1}"
+msgstr ""
+
+msgid "{domainInput}'s SSO returned error \"{0}\"."
 msgstr ""
 
 msgid "{identityName} has been removed from this device."
@@ -241,7 +250,10 @@ msgstr "Kontynuuj z {name}"
 msgid "Continue with passkey"
 msgstr "Kontynuuj za pomocą klucza dostępu"
 
-msgid "Couldn't reach {domainInput}. Check the spelling and your network, then try again."
+msgid "Continue with SSO"
+msgstr ""
+
+msgid "Couldn't reach {domainInput}. Check the spelling and your network."
 msgstr ""
 
 msgid "Create account"
@@ -830,7 +842,7 @@ msgstr "Sesja wygasła"
 msgid "Set as default sign-in"
 msgstr "Ustaw jako domyślne logowanie"
 
-msgid "Several SSO sign-ins are in flight already. Wait a moment and try again."
+msgid "Several SSO sign-ins are in flight already. Wait a moment."
 msgstr ""
 
 msgid "Show all"
@@ -851,12 +863,6 @@ msgstr "Loguj się za pomocą znanych metod"
 msgid "Sign in with another identity"
 msgstr "Zaloguj się z inną tożsamością"
 
-msgid "Sign in with SSO"
-msgstr ""
-
-msgid "Sign In With SSO"
-msgstr ""
-
 msgid "Sign in with your {displayName} account from any device."
 msgstr ""
 
@@ -906,22 +912,7 @@ msgstr ""
 msgid "SSO is not available for \"{domainInput}\" yet. Ask an II admin to register this domain."
 msgstr ""
 
-msgid "SSO provider misconfigured: authorization endpoint is not HTTPS. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: authorization endpoint points to a different host than the issuer. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: issuer doesn't match the configured hostname. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: issuer URL is not HTTPS. ({msg})"
-msgstr ""
-
-msgid "SSO provider's discovery document is malformed: {msg}"
-msgstr ""
-
-msgid "SSO sign-in failed. Please try again."
+msgid "SSO sign-in for {domainInput} failed. Please try again."
 msgstr ""
 
 msgid "Start over"
@@ -1017,6 +1008,9 @@ msgstr "Może to potrwać kilka sekund"
 msgid "This passkey is no longer associated with any identity."
 msgstr "Ten klucz dostępu nie jest już powiązany z żadną tożsamością."
 
+msgid "This SSO is already linked to your identity."
+msgstr ""
+
 msgid "This YubiKey has older firmware (5.1) that's incompatible."
 msgstr "Ten YubiKey ma starsze oprogramowanie układowe (5.1), które jest niekompatybilne."
 
@@ -1053,7 +1047,7 @@ msgstr "Aby kontynuować:"
 msgid "To finish setting up your passkey, follow the instructions shown on your <0>new device</0>."
 msgstr "Aby dokończyć konfigurowanie klucza dostępu, postępuj zgodnie z instrukcjami wyświetlanymi na <0>nowym urządzeniu</0>."
 
-msgid "Too many recent attempts for {domainInput}. Wait a few minutes and try again."
+msgid "Too many recent attempts for {domainInput}. Wait a few minutes."
 msgstr ""
 
 msgid "Type each word in the correct order:"
diff --git a/src/frontend/src/lib/locales/ru.po b/src/frontend/src/lib/locales/ru.po
index 0f12479997..fda84be86c 100644
--- a/src/frontend/src/lib/locales/ru.po
+++ b/src/frontend/src/lib/locales/ru.po
@@ -25,13 +25,22 @@ msgstr "приложение {application} переехало на новую в
 msgid "{displayName} account"
 msgstr ""
 
-msgid "{domainInput} didn't serve /.well-known/ii-openid-configuration (HTTP {0}). The domain owner needs to publish it for II to sign you in."
+msgid "{domainInput} didn't publish /.well-known/ii-openid-configuration (HTTP {0})."
 msgstr ""
 
-msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed: {0}"
+msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed."
 msgstr ""
 
-msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed."
+msgid "{domainInput}'s SSO app doesn't allow the hybrid OAuth flow II requires. Ask the SSO admin to enable response_type \"id_token code\"."
+msgstr ""
+
+msgid "{domainInput}'s SSO denied the sign-in."
+msgstr ""
+
+msgid "{domainInput}'s SSO returned \"{0}\": {1}"
+msgstr ""
+
+msgid "{domainInput}'s SSO returned error \"{0}\"."
 msgstr ""
 
 msgid "{identityName} has been removed from this device."
@@ -241,7 +250,10 @@ msgstr "Продолжить с {name}"
 msgid "Continue with passkey"
 msgstr "Войти с ключом доступа"
 
-msgid "Couldn't reach {domainInput}. Check the spelling and your network, then try again."
+msgid "Continue with SSO"
+msgstr ""
+
+msgid "Couldn't reach {domainInput}. Check the spelling and your network."
 msgstr ""
 
 msgid "Create account"
@@ -830,7 +842,7 @@ msgstr "Время сессии истекло"
 msgid "Set as default sign-in"
 msgstr "Установить как вход по умолчанию"
 
-msgid "Several SSO sign-ins are in flight already. Wait a moment and try again."
+msgid "Several SSO sign-ins are in flight already. Wait a moment."
 msgstr ""
 
 msgid "Show all"
@@ -851,12 +863,6 @@ msgstr "Вход через знакомые сервисы"
 msgid "Sign in with another identity"
 msgstr "Войти с другой учётной записью"
 
-msgid "Sign in with SSO"
-msgstr ""
-
-msgid "Sign In With SSO"
-msgstr ""
-
 msgid "Sign in with your {displayName} account from any device."
 msgstr ""
 
@@ -906,22 +912,7 @@ msgstr ""
 msgid "SSO is not available for \"{domainInput}\" yet. Ask an II admin to register this domain."
 msgstr ""
 
-msgid "SSO provider misconfigured: authorization endpoint is not HTTPS. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: authorization endpoint points to a different host than the issuer. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: issuer doesn't match the configured hostname. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: issuer URL is not HTTPS. ({msg})"
-msgstr ""
-
-msgid "SSO provider's discovery document is malformed: {msg}"
-msgstr ""
-
-msgid "SSO sign-in failed. Please try again."
+msgid "SSO sign-in for {domainInput} failed. Please try again."
 msgstr ""
 
 msgid "Start over"
@@ -1017,6 +1008,9 @@ msgstr "Это может занять несколько секунд."
 msgid "This passkey is no longer associated with any identity."
 msgstr "Этот ключ доступа больше не связан ни с одной учётной записью."
 
+msgid "This SSO is already linked to your identity."
+msgstr ""
+
 msgid "This YubiKey has older firmware (5.1) that's incompatible."
 msgstr "Этот YubiKey имеет старую прошивку (5.1), которая несовместима."
 
@@ -1053,7 +1047,7 @@ msgstr "Чтобы продолжить:"
 msgid "To finish setting up your passkey, follow the instructions shown on your <0>new device</0>."
 msgstr "Чтобы завершить настройку вашего ключа доступа, следуйте инструкциям, показанным на вашем <0>новом устройстве</0>."
 
-msgid "Too many recent attempts for {domainInput}. Wait a few minutes and try again."
+msgid "Too many recent attempts for {domainInput}. Wait a few minutes."
 msgstr ""
 
 msgid "Type each word in the correct order:"
diff --git a/src/frontend/src/lib/locales/uk.po b/src/frontend/src/lib/locales/uk.po
index 22ec763078..bcf06d50e5 100644
--- a/src/frontend/src/lib/locales/uk.po
+++ b/src/frontend/src/lib/locales/uk.po
@@ -25,13 +25,22 @@ msgstr "{application} перейшов до нової версії Internet Ide
 msgid "{displayName} account"
 msgstr ""
 
-msgid "{domainInput} didn't serve /.well-known/ii-openid-configuration (HTTP {0}). The domain owner needs to publish it for II to sign you in."
+msgid "{domainInput} didn't publish /.well-known/ii-openid-configuration (HTTP {0})."
 msgstr ""
 
-msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed: {0}"
+msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed."
 msgstr ""
 
-msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed."
+msgid "{domainInput}'s SSO app doesn't allow the hybrid OAuth flow II requires. Ask the SSO admin to enable response_type \"id_token code\"."
+msgstr ""
+
+msgid "{domainInput}'s SSO denied the sign-in."
+msgstr ""
+
+msgid "{domainInput}'s SSO returned \"{0}\": {1}"
+msgstr ""
+
+msgid "{domainInput}'s SSO returned error \"{0}\"."
 msgstr ""
 
 msgid "{identityName} has been removed from this device."
@@ -241,7 +250,10 @@ msgstr "Продовжити з {name}"
 msgid "Continue with passkey"
 msgstr "Продовжити з ключем доступу"
 
-msgid "Couldn't reach {domainInput}. Check the spelling and your network, then try again."
+msgid "Continue with SSO"
+msgstr ""
+
+msgid "Couldn't reach {domainInput}. Check the spelling and your network."
 msgstr ""
 
 msgid "Create account"
@@ -830,7 +842,7 @@ msgstr "Час сеансу минув"
 msgid "Set as default sign-in"
 msgstr "Встановити як вхід за замовчуванням"
 
-msgid "Several SSO sign-ins are in flight already. Wait a moment and try again."
+msgid "Several SSO sign-ins are in flight already. Wait a moment."
 msgstr ""
 
 msgid "Show all"
@@ -851,12 +863,6 @@ msgstr "Увійдіть за допомогою звичних методів"
 msgid "Sign in with another identity"
 msgstr "Увійти з іншим ідентифікатором"
 
-msgid "Sign in with SSO"
-msgstr ""
-
-msgid "Sign In With SSO"
-msgstr ""
-
 msgid "Sign in with your {displayName} account from any device."
 msgstr ""
 
@@ -906,22 +912,7 @@ msgstr ""
 msgid "SSO is not available for \"{domainInput}\" yet. Ask an II admin to register this domain."
 msgstr ""
 
-msgid "SSO provider misconfigured: authorization endpoint is not HTTPS. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: authorization endpoint points to a different host than the issuer. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: issuer doesn't match the configured hostname. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: issuer URL is not HTTPS. ({msg})"
-msgstr ""
-
-msgid "SSO provider's discovery document is malformed: {msg}"
-msgstr ""
-
-msgid "SSO sign-in failed. Please try again."
+msgid "SSO sign-in for {domainInput} failed. Please try again."
 msgstr ""
 
 msgid "Start over"
@@ -1017,6 +1008,9 @@ msgstr "Це може зайняти кілька секунд"
 msgid "This passkey is no longer associated with any identity."
 msgstr "Цей ключ доступу більше не пов'язаний з жодним ідентифікатором."
 
+msgid "This SSO is already linked to your identity."
+msgstr ""
+
 msgid "This YubiKey has older firmware (5.1) that's incompatible."
 msgstr "Цей YubiKey має старішу прошивку (5.1), яка несумісна."
 
@@ -1053,7 +1047,7 @@ msgstr "Щоб продовжити:"
 msgid "To finish setting up your passkey, follow the instructions shown on your <0>new device</0>."
 msgstr "Щоб завершити налаштування вашого ключа доступу, дотримуйтесь інструкцій, показаних на вашому <0>новому пристрої</0>."
 
-msgid "Too many recent attempts for {domainInput}. Wait a few minutes and try again."
+msgid "Too many recent attempts for {domainInput}. Wait a few minutes."
 msgstr ""
 
 msgid "Type each word in the correct order:"
diff --git a/src/frontend/src/lib/locales/ur.po b/src/frontend/src/lib/locales/ur.po
index 555c3a6212..d447b4c2d8 100644
--- a/src/frontend/src/lib/locales/ur.po
+++ b/src/frontend/src/lib/locales/ur.po
@@ -25,13 +25,22 @@ msgstr "{application} نئی Internet Identity پر منتقل ہو گئی ہے"
 msgid "{displayName} account"
 msgstr ""
 
-msgid "{domainInput} didn't serve /.well-known/ii-openid-configuration (HTTP {0}). The domain owner needs to publish it for II to sign you in."
+msgid "{domainInput} didn't publish /.well-known/ii-openid-configuration (HTTP {0})."
 msgstr ""
 
-msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed: {0}"
+msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed."
 msgstr ""
 
-msgid "{domainInput}'s /.well-known/ii-openid-configuration is malformed."
+msgid "{domainInput}'s SSO app doesn't allow the hybrid OAuth flow II requires. Ask the SSO admin to enable response_type \"id_token code\"."
+msgstr ""
+
+msgid "{domainInput}'s SSO denied the sign-in."
+msgstr ""
+
+msgid "{domainInput}'s SSO returned \"{0}\": {1}"
+msgstr ""
+
+msgid "{domainInput}'s SSO returned error \"{0}\"."
 msgstr ""
 
 msgid "{identityName} has been removed from this device."
@@ -241,7 +250,10 @@ msgstr "{name} کے ساتھ جاری رکھیں"
 msgid "Continue with passkey"
 msgstr "پاس کی کے ساتھ جاری رکھیں"
 
-msgid "Couldn't reach {domainInput}. Check the spelling and your network, then try again."
+msgid "Continue with SSO"
+msgstr ""
+
+msgid "Couldn't reach {domainInput}. Check the spelling and your network."
 msgstr ""
 
 msgid "Create account"
@@ -830,7 +842,7 @@ msgstr "سیشن کا وقت ختم ہو گیا"
 msgid "Set as default sign-in"
 msgstr "ڈیفالٹ سائن اِن کے طور پر سیٹ کریں"
 
-msgid "Several SSO sign-ins are in flight already. Wait a moment and try again."
+msgid "Several SSO sign-ins are in flight already. Wait a moment."
 msgstr ""
 
 msgid "Show all"
@@ -851,12 +863,6 @@ msgstr "مانوس طریقوں سے سائن اِن کریں"
 msgid "Sign in with another identity"
 msgstr "دوسری شناخت کے ساتھ سائن اِن کریں"
 
-msgid "Sign in with SSO"
-msgstr ""
-
-msgid "Sign In With SSO"
-msgstr ""
-
 msgid "Sign in with your {displayName} account from any device."
 msgstr ""
 
@@ -906,22 +912,7 @@ msgstr ""
 msgid "SSO is not available for \"{domainInput}\" yet. Ask an II admin to register this domain."
 msgstr ""
 
-msgid "SSO provider misconfigured: authorization endpoint is not HTTPS. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: authorization endpoint points to a different host than the issuer. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: issuer doesn't match the configured hostname. ({msg})"
-msgstr ""
-
-msgid "SSO provider misconfigured: issuer URL is not HTTPS. ({msg})"
-msgstr ""
-
-msgid "SSO provider's discovery document is malformed: {msg}"
-msgstr ""
-
-msgid "SSO sign-in failed. Please try again."
+msgid "SSO sign-in for {domainInput} failed. Please try again."
 msgstr ""
 
 msgid "Start over"
@@ -1017,6 +1008,9 @@ msgstr "اس میں کچھ سیکنڈ لگ سکتے ہیں"
 msgid "This passkey is no longer associated with any identity."
 msgstr "یہ پاس کی اب کسی شناخت سے منسلک نہیں ہے۔"
 
+msgid "This SSO is already linked to your identity."
+msgstr ""
+
 msgid "This YubiKey has older firmware (5.1) that's incompatible."
 msgstr "اس YubiKey کا فرم ویئر پرانا (5.1) ہے اور یہ اس سسٹم کے ساتھ مطابقت نہیں رکھتا۔"
 
@@ -1053,7 +1047,7 @@ msgstr "جاری رکھنے کے لیے:"
 msgid "To finish setting up your passkey, follow the instructions shown on your <0>new device</0>."
 msgstr "اپنی پاس کی سیٹ اپ مکمل کرنے کے لیے، اپنی <0>نئی ڈیوائس</0> پر دکھائی گئی ہدایات پر عمل کریں۔"
 
-msgid "Too many recent attempts for {domainInput}. Wait a few minutes and try again."
+msgid "Too many recent attempts for {domainInput}. Wait a few minutes."
 msgstr ""
 
 msgid "Type each word in the correct order:"
diff --git a/src/frontend/src/lib/utils/openID.test.ts b/src/frontend/src/lib/utils/openID.test.ts
index 242764e3cb..efaa4ced82 100644
--- a/src/frontend/src/lib/utils/openID.test.ts
+++ b/src/frontend/src/lib/utils/openID.test.ts
@@ -248,9 +248,11 @@ describe("findConfig", () => {
     // Legacy/migrated credentials can have an `aud` that doesn't line up
     // with the current `openid_configs` entry (e.g. client_id rotation).
     // We prefer returning SOMETHING so the UI can label these direct-
-    // provider credentials correctly, and rely on the localStorage SSO
-    // map in `openIdName`/`openIdLogo` to short-circuit the SSO case
-    // before `findConfig` is consulted.
+    // provider credentials correctly. SSO credentials are disambiguated
+    // earlier via canister-stamped `sso_domain` / `sso_name` metadata —
+    // `openIdName` / `openIdLogo` short-circuit on those before ever
+    // consulting `findConfig`, so the issuer-only fallback can't
+    // mis-attribute an SSO credential to its underlying IdP.
     const googleCfg = createOpenIDConfig("https://accounts.google.com");
     backendCanisterConfig.openid_configs = [[googleCfg]];
     expect(
diff --git a/src/frontend/src/lib/utils/openID.ts b/src/frontend/src/lib/utils/openID.ts
index b6c8271aa3..adca26caa3 100644
--- a/src/frontend/src/lib/utils/openID.ts
+++ b/src/frontend/src/lib/utils/openID.ts
@@ -3,7 +3,6 @@ import type {
   OpenIdConfig,
 } from "$lib/generated/internet_identity_types";
 import { backendCanisterConfig } from "$lib/globals";
-import { lookupSsoDomainForCredential } from "$lib/utils/ssoDomainStorage";
 import { fromBase64URL, toBase64URL } from "$lib/utils/utils";
 import { Principal } from "@icp-sdk/core/principal";
 import {
@@ -94,20 +93,6 @@ export const isOpenIdCancelError = (error: unknown) => {
   );
 };
 
-/**
- * Raised instead of the generic `OpenIdCredentialAlreadyRegistered` canister
- * error when the `(iss, sub, aud)` the user is trying to link is already
- * attached to the identity they're currently signed into. The UI shows a
- * more specific message ("…already linked to *this* identity") instead of
- * the generic "…linked to another identity" which would be misleading.
- */
-export class OpenIdCredentialAlreadyLinkedHereError extends Error {
-  constructor() {
-    super("OpenID credential is already linked to this identity");
-    this.name = "OpenIdCredentialAlreadyLinkedHereError";
-  }
-}
-
 /**
  * Raised when an OAuth provider redirects back to II with an `error` (and
  * optional `error_description`) in the callback fragment — per RFC 6749
@@ -345,10 +330,12 @@ export const issuerMatches = (
  *      - Callers that don't track `aud` (e.g. `LastUsedIdentity`; see #3795).
  *      - Legacy credentials whose `aud` disagrees with the current
  *        `openid_configs` entry (client_id rotation, migration artifacts).
- *    SSO credentials would also match this fallback; {@link openIdName} and
- *    {@link openIdLogo} short-circuit via the localStorage SSO map before
- *    consulting `findConfig`, so the fallback doesn't mis-attribute SSO
- *    credentials that were linked on this device.
+ *    SSO credentials would also match this fallback — but {@link openIdName}
+ *    and {@link openIdLogo} short-circuit on the `sso_domain` / `sso_name`
+ *    metadata the canister stamps on SSO-linked credentials before they
+ *    ever consult `findConfig`, so an SSO credential can't be mis-attributed
+ *    to its underlying IdP even if the issuer happens to match a direct-
+ *    provider config.
  *
  * Not relying on the feature flag ENABLE_GENERIC_OPEN_ID means that if we
  * enable and then disable the feature flag, users that used the generic
@@ -453,25 +440,23 @@ export const getMetadataString = (metadata: MetadataMapV2, key: string) => {
 /**
  * Return the logo of the OpenID provider from the config.
  *
- * Returns `undefined` for credentials that this device remembers as having
- * been linked via SSO (so callers can render a generic SSO icon). For
- * everything else, defers to {@link findConfig} which does strict-then-
- * fallback matching so direct-provider credentials get their logo even
- * when `aud` disagrees with the current config.
+ * Returns `undefined` for SSO-linked credentials — identified by the
+ * `sso_domain` optional field the canister populates on `OpenIdCredential`
+ * at response time (via `openid::generic::sso_fields_for`) — so callers
+ * can render a generic SSO icon instead of the underlying IdP's logo.
+ * Direct-provider credentials fall through to {@link findConfig}, which
+ * does strict-then-fallback matching so they get their logo even when
+ * `aud` disagrees with the current config.
  *
  * @returns {string | undefined} An SVG string to be embedded via `{@html}`.
  */
 export const openIdLogo = (
   issuer: string,
-  sub: string | undefined,
   aud: string | undefined,
   metadata: MetadataMapV2,
+  ssoDomain: string | undefined,
 ): string | undefined => {
-  if (
-    sub !== undefined &&
-    aud !== undefined &&
-    lookupSsoDomainForCredential({ iss: issuer, sub, aud }) !== undefined
-  ) {
+  if (ssoDomain !== undefined) {
     return undefined;
   }
   const logo = findConfig(issuer, aud, metadata)?.logo;
@@ -539,25 +524,37 @@ const namespaceIds = (
  * Return a human-readable name for an OpenID credential.
  *
  * Resolution order:
- * 1. **SSO on this device** — if we remember the `discovery_domain` the
- *    user entered when linking (stored by {@link rememberSsoDomainForCredential}),
- *    return that domain. Runs BEFORE direct-provider lookup so SSO
- *    credentials don't get falsely attributed to their underlying IdP.
- * 2. **Direct provider** — {@link findConfig} resolves strict-then-fallback,
- *    so we get the provider's configured `name` (e.g. "Google") for both
- *    credentials whose `aud` matches the config and legacy credentials
- *    whose `aud` disagrees but whose issuer matches.
- * 3. `undefined` — caller should render a generic fallback.
+ * 1. **SSO name** — `ssoName`, which the canister populates from the
+ *    `name` field of the SSO's `/.well-known/ii-openid-configuration`.
+ *    This is what the org self-identifies as, e.g. `"DFINITY"`.
+ * 2. **SSO domain** — `ssoDomain`, the `discovery_domain` the user
+ *    entered. Used when the SSO didn't publish a `name`, e.g.
+ *    `"dfinity.org"`.
+ * 3. **Direct provider** — {@link findConfig} resolves strict-then-
+ *    fallback, so we get the provider's configured `name` (e.g. "Google")
+ *    for both credentials whose `aud` matches the config and legacy
+ *    credentials whose `aud` disagrees but whose issuer matches.
+ * 4. `undefined` — caller should render a generic fallback.
+ *
+ * Checking the SSO params BEFORE direct-provider lookup means SSO
+ * credentials aren't falsely attributed to their underlying IdP (e.g.
+ * an SSO-via-Google credential reads as "DFINITY", not "Google").
+ *
+ * The SSO values are passed explicitly instead of read from `metadata`
+ * so the FE can distinguish "SSO with a published name" from "SSO with
+ * only a domain" — useful if we later want to render the two cases
+ * differently. Callers that don't have an `OpenIdCredential` on hand
+ * (e.g. `LastUsedIdentity`-backed UI; see #3795) pass `undefined` for
+ * both and fall through to `findConfig`.
  */
 export const openIdName = (
   issuer: string,
-  sub: string | undefined,
   aud: string | undefined,
   metadata: MetadataMapV2,
+  ssoName: string | undefined,
+  ssoDomain: string | undefined,
 ): string | undefined => {
-  if (sub !== undefined && aud !== undefined) {
-    const domain = lookupSsoDomainForCredential({ iss: issuer, sub, aud });
-    if (domain !== undefined) return domain;
-  }
+  if (ssoName !== undefined) return ssoName;
+  if (ssoDomain !== undefined) return ssoDomain;
   return findConfig(issuer, aud, metadata)?.name;
 };
diff --git a/src/frontend/src/lib/utils/ssoDiscovery.test.ts b/src/frontend/src/lib/utils/ssoDiscovery.test.ts
index b68192a3a8..dc6360e931 100644
--- a/src/frontend/src/lib/utils/ssoDiscovery.test.ts
+++ b/src/frontend/src/lib/utils/ssoDiscovery.test.ts
@@ -122,13 +122,15 @@ describe("ssoDiscovery", () => {
       expect(fetchSpy).toHaveBeenCalledTimes(2);
     });
 
-    // Each of these tests exhausts all 3 retry attempts on hop 1, so they
-    // wait through the full exponential backoff (2s + 4s = 6s). Bumped
-    // timeout accordingly. `mockImplementation` (not `mockResolvedValue`)
-    // so each retry gets a fresh Response — reusing one throws
-    // `Body has already been read` after the first `.json()`.
-    it("wraps HTTP 404 on hop 1 as DomainNotConfiguredError(http-error, 404)", async () => {
-      vi.spyOn(globalThis, "fetch").mockImplementation(() =>
+    // `mockImplementation` (not `mockResolvedValue`) so each retry gets
+    // a fresh Response — reusing one throws `Body has already been read`
+    // after the first `.json()`. The network- and invalid-response tests
+    // still run through the full 3 retry attempts (2s + 4s = 6s of
+    // exponential backoff), so they need the bumped timeout. The 404 case
+    // fails fast — deterministic 4xx aren't retried, see
+    // `isTransientHttpStatus` in `ssoDiscovery.ts`.
+    it("wraps HTTP 404 on hop 1 as DomainNotConfiguredError(http-error, 404) without retrying", async () => {
+      const fetchSpy = vi.spyOn(globalThis, "fetch").mockImplementation(() =>
         Promise.resolve(
           new Response("not found", {
             status: 404,
@@ -142,6 +144,27 @@ describe("ssoDiscovery", () => {
         reason: "http-error",
         httpStatus: 404,
       });
+      // Single attempt — retrying 404 would just burn ~14s of backoff
+      // for the same deterministic answer.
+      expect(fetchSpy).toHaveBeenCalledTimes(1);
+    });
+
+    it("retries hop 1 on HTTP 503 (transient) and gives up with http-error", async () => {
+      const fetchSpy = vi.spyOn(globalThis, "fetch").mockImplementation(() =>
+        Promise.resolve(
+          new Response("Service Unavailable", {
+            status: 503,
+          }),
+        ),
+      );
+
+      await expect(discoverSsoConfig("dfinity.org")).rejects.toMatchObject({
+        name: "DomainNotConfiguredError",
+        reason: "http-error",
+        httpStatus: 503,
+      });
+      // 3 attempts = `MAX_RETRIES` in `ssoDiscovery.ts`.
+      expect(fetchSpy).toHaveBeenCalledTimes(3);
     }, 10000);
 
     it("wraps a 200 HTML response on hop 1 as DomainNotConfiguredError(invalid-response)", async () => {
diff --git a/src/frontend/src/lib/utils/ssoDiscovery.ts b/src/frontend/src/lib/utils/ssoDiscovery.ts
index 8e0a53846c..ab7fa04730 100644
--- a/src/frontend/src/lib/utils/ssoDiscovery.ts
+++ b/src/frontend/src/lib/utils/ssoDiscovery.ts
@@ -9,9 +9,10 @@
  * Security — trust model:
  * - The caller must call `add_discoverable_oidc_config({ discovery_domain })`
  *   on the backend BEFORE invoking `discoverSsoConfig`. That call traps on
- *   the backend's canary allowlist (`ALLOWED_DISCOVERY_DOMAINS`) for any
- *   domain an II admin hasn't approved, so by the time this module runs,
- *   the domain has been explicitly blessed by II.
+ *   the backend's canary allowlist (returned by
+ *   `openid::generic::allowed_discovery_domains()`) for any domain an II
+ *   admin hasn't approved, so by the time this module runs, the domain
+ *   has been explicitly blessed by II.
  * - This module doesn't carry its own domain allowlist — the check lives
  *   on the canister, not in frontend code that the user's device could
  *   bypass.
@@ -297,7 +298,18 @@ const errorMessage = (e: unknown): string | undefined =>
     ? (e as { message: string }).message
     : undefined;
 
-/** Fetch JSON with timeout, retries, and exponential backoff. */
+/**
+ * Whether a failed HTTP response is transient enough that a retry might
+ * succeed. Intentionally narrow: only server-time statuses (`408`,
+ * `429`, `5xx`) are retried. Deterministic 4xx (`400`, `401`, `403`,
+ * `404`, ...) fail fast — retrying a domain's `/.well-known/ii-openid-
+ * configuration` that returns `404` three times just buys the user
+ * 2s + 4s + 8s of waiting for the same answer.
+ */
+const isTransientHttpStatus = (status: number): boolean =>
+  status === 408 || status === 429 || status >= 500;
+
+/** Fetch JSON with timeout, retries on transient errors, and exponential backoff. */
 const fetchWithRetry = async (
   url: string,
   timeoutMs: number,
@@ -310,24 +322,37 @@ const fetchWithRetry = async (
     }
     const controller = new AbortController();
     const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+    // Default: treat unknown / network errors as transient and retry.
+    // The try block overrides this with the HTTP-status classification
+    // when the response itself was received.
+    let retryable = true;
     try {
       const response = await fetch(url, { signal: controller.signal });
-      if (!response.ok) {
-        throw new Error(
-          `Fetch failed: ${response.status} ${response.statusText}`,
-        );
+      if (response.ok) {
+        return await response.json();
       }
-      return await response.json();
+      lastError = new Error(
+        `Fetch failed: ${response.status} ${response.statusText}`,
+      );
+      retryable = isTransientHttpStatus(response.status);
     } catch (error) {
-      lastError = error;
       if (error instanceof Error && error.name === "AbortError") {
+        // Explicit timeout: surface the abort immediately; don't backoff
+        // through retries when the first attempt already spent the full
+        // budget.
         throw error;
       }
+      // Network errors (TypeError from `fetch`) and other unknowns: leave
+      // `retryable = true` as initialised.
+      lastError = error;
     } finally {
-      // Clear the abort timer on every exit path so a late abort can't fire
-      // after the attempt is already done.
+      // Clear the abort timer on every exit path so a late abort can't
+      // fire after the attempt is already done.
       clearTimeout(timeoutId);
     }
+    // Break out of the retry loop on deterministic failures (4xx other
+    // than 408 / 429) so the UI can surface them without backoff delay.
+    if (!retryable) throw lastError;
   }
   throw lastError;
 };
diff --git a/src/frontend/src/lib/utils/ssoDomainStorage.ts b/src/frontend/src/lib/utils/ssoDomainStorage.ts
deleted file mode 100644
index 915955d023..0000000000
--- a/src/frontend/src/lib/utils/ssoDomainStorage.ts
+++ /dev/null
@@ -1,81 +0,0 @@
-/**
- * Per-device map from an OpenID credential `(iss, sub, aud)` triple to the
- * organization domain the user typed on the SSO screen when they linked
- * that credential.
- *
- * Rationale: the backend credential record only carries the provider-issued
- * claims (`iss`, `sub`, `aud` + the JWT metadata). It has no notion of "this
- * credential was reached via SSO discovery starting from `dfinity.org`". So
- * when the access-methods UI renders a credential whose `iss` happens to be
- * e.g. `accounts.google.com`, it looks identical to a credential obtained
- * via the direct "Sign in with Google" button — and the "Google account"
- * label hides the real SSO provenance.
- *
- * We fix the local-render case by stashing the `iss|sub|aud → domain`
- * mapping in localStorage at the moment `linkSsoAccount` succeeds. Nothing
- * durable — it only helps on the device where the credential was linked,
- * and only until localStorage is cleared. For a persistent cross-device
- * solution the discovery domain would need to live on the backend
- * credential metadata.
- */
-
-const STORAGE_KEY = "ii:sso-domain-by-credential";
-
-type CredentialKey = { iss: string; sub: string; aud: string };
-
-const keyFor = ({ iss, sub, aud }: CredentialKey): string =>
-  `${iss}|${sub}|${aud}`;
-
-/** Read the full map from localStorage. Returns an empty object on any
- * parse / access failure so the caller can treat "not found" uniformly. */
-const readAll = (): Record<string, string> => {
-  try {
-    const raw = localStorage.getItem(STORAGE_KEY);
-    if (raw === null) return {};
-    const parsed: unknown = JSON.parse(raw);
-    if (typeof parsed !== "object" || parsed === null) return {};
-    const out: Record<string, string> = {};
-    for (const [k, v] of Object.entries(parsed as Record<string, unknown>)) {
-      if (typeof v === "string") out[k] = v;
-    }
-    return out;
-  } catch {
-    return {};
-  }
-};
-
-const writeAll = (map: Record<string, string>): void => {
-  try {
-    localStorage.setItem(STORAGE_KEY, JSON.stringify(map));
-  } catch {
-    // Quota exceeded, disabled, private-mode, etc. — the map is purely an
-    // optimization, so silently giving up is fine.
-  }
-};
-
-/** Remember that this credential was linked via SSO starting from `domain`. */
-export const rememberSsoDomainForCredential = (
-  credential: CredentialKey,
-  domain: string,
-): void => {
-  const map = readAll();
-  map[keyFor(credential)] = domain;
-  writeAll(map);
-};
-
-/** Look up the SSO discovery domain for a credential, if known on this
- * device. Returns `undefined` when the credential wasn't linked here or
- * the mapping has been cleared. */
-export const lookupSsoDomainForCredential = (
-  credential: CredentialKey,
-): string | undefined => readAll()[keyFor(credential)];
-
-/** Forget the mapping for a specific credential (e.g. on unlink). Safe to
- * call even if no entry exists. */
-export const forgetSsoDomainForCredential = (
-  credential: CredentialKey,
-): void => {
-  const map = readAll();
-  delete map[keyFor(credential)];
-  writeAll(map);
-};
diff --git a/src/frontend/src/routes/(new-styling)/manage/(authenticated)/(access-and-recovery)/access/+page.svelte b/src/frontend/src/routes/(new-styling)/manage/(authenticated)/(access-and-recovery)/access/+page.svelte
index c627ced429..fd5a540320 100644
--- a/src/frontend/src/routes/(new-styling)/manage/(authenticated)/(access-and-recovery)/access/+page.svelte
+++ b/src/frontend/src/routes/(new-styling)/manage/(authenticated)/(access-and-recovery)/access/+page.svelte
@@ -323,9 +323,10 @@
         onCancel={() => (removingAccessMethodKey = undefined)}
         providerName={openIdName(
           removingAccessMethod.openid.iss,
-          removingAccessMethod.openid.sub,
           removingAccessMethod.openid.aud,
           removingAccessMethod.openid.metadata,
+          removingAccessMethod.openid.sso_configuration[0]?.name[0],
+          removingAccessMethod.openid.sso_configuration[0]?.domain,
         ) ?? $t`Unknown`}
         isCurrentAccessMethod={isCurrentAccessMethod(
           $authenticatedStore,
diff --git a/src/frontend/src/routes/(new-styling)/manage/(authenticated)/(access-and-recovery)/access/components/OpenIdItem.svelte b/src/frontend/src/routes/(new-styling)/manage/(authenticated)/(access-and-recovery)/access/components/OpenIdItem.svelte
index 6128c34fc5..bbcf670347 100644
--- a/src/frontend/src/routes/(new-styling)/manage/(authenticated)/(access-and-recovery)/access/components/OpenIdItem.svelte
+++ b/src/frontend/src/routes/(new-styling)/manage/(authenticated)/(access-and-recovery)/access/components/OpenIdItem.svelte
@@ -17,16 +17,28 @@
 
   const { openid, onUnlink, isCurrentAccessMethod }: Props = $props();
 
+  // `sso_configuration` is populated by the canister at response time
+  // via `openid::generic::sso_configuration_for(iss, aud)`. Candid
+  // `opt SsoConfiguration` surfaces on the TS side as
+  // `[] | [SsoConfiguration]`, hence the `[0]` unwrap. When present it
+  // always carries a `domain`; `name` is a separate optional.
+  const sso = $derived(openid.sso_configuration[0]);
+  // Authoritative SSO marker — set by the canister for credentials
+  // whose `(iss, aud)` resolves to a registered discoverable provider.
+  const isSso = $derived(sso !== undefined);
   const name = $derived(
-    openIdName(openid.iss, openid.sub, openid.aud, openid.metadata),
+    openIdName(
+      openid.iss,
+      openid.aud,
+      openid.metadata,
+      sso?.name[0],
+      sso?.domain,
+    ),
   );
   const email = $derived(getMetadataString(openid.metadata, "email"));
   const logo = $derived(
-    openIdLogo(openid.iss, openid.sub, openid.aud, openid.metadata),
+    openIdLogo(openid.iss, openid.aud, openid.metadata, sso?.domain),
   );
-  // Credential didn't match any entry in `openid_configs` on (iss, aud).
-  // Treat it as SSO and render the generic SSO icon as a fallback.
-  const isSso = $derived(logo === undefined);
   const displayName = $derived(name ?? $t`SSO`);
   const options = $derived(
     onUnlink !== undefined
@@ -43,7 +55,14 @@
 
 <div class="mb-3 flex h-9 flex-row items-center">
   <div class="text-fg-primary relative size-6">
-    {#if isSso}
+    {#if isSso || logo === undefined}
+      <!--
+        SSO credentials render the generic SSO icon. We also fall back
+        to it when `findConfig` returned nothing (direct-provider
+        credentials whose issuer doesn't match any `openid_configs`
+        entry, e.g. after client_id rotation) so `{@html logo}` never
+        stringifies `undefined` into the DOM.
+      -->
       <SsoIcon class="size-6" />
     {:else}
       {@html logo}
diff --git a/src/frontend/src/routes/(new-styling)/manage/(authenticated)/(access-and-recovery)/access/utils.test.ts b/src/frontend/src/routes/(new-styling)/manage/(authenticated)/(access-and-recovery)/access/utils.test.ts
index a4e1f9b612..62204d0441 100644
--- a/src/frontend/src/routes/(new-styling)/manage/(authenticated)/(access-and-recovery)/access/utils.test.ts
+++ b/src/frontend/src/routes/(new-styling)/manage/(authenticated)/(access-and-recovery)/access/utils.test.ts
@@ -43,6 +43,7 @@ const makeOpenId = (
   last_usage_timestamp: lastUse !== undefined ? [lastUse] : [],
   aud: "",
   metadata: [],
+  sso_configuration: [],
 });
 
 describe("compareAccessMethods", () => {
diff --git a/src/internet_identity/internet_identity.did b/src/internet_identity/internet_identity.did
index 321f8f5a42..2b6a441183 100644
--- a/src/internet_identity/internet_identity.did
+++ b/src/internet_identity/internet_identity.did
@@ -417,6 +417,26 @@ type OpenIdCredential = record {
     aud : Aud;
     last_usage_timestamp : opt Timestamp;
     metadata : MetadataMapV2;
+    // Two-hop SSO provenance for credentials linked via
+    // `add_discoverable_oidc_config`. Looked up on demand by `(iss, aud)`
+    // against current canister state. `null` for direct-provider
+    // credentials (Google / Apple / Microsoft) and for SSO credentials
+    // whose provider is no longer registered.
+    sso_configuration : opt SsoConfiguration;
+};
+
+// Per-credential SSO provenance. Grouped as a single optional record so
+// `sso_configuration : null` is a single "this credential isn't SSO"
+// check, rather than two independent optional fields.
+type SsoConfiguration = record {
+    // The `discovery_domain` the user entered (always present when the
+    // outer `sso_configuration` is non-null).
+    domain : text;
+    // Human-readable name from the domain's
+    // `/.well-known/ii-openid-configuration`. `null` when the domain
+    // doesn't publish one — callers should fall back to `domain` for
+    // the label.
+    name : opt text;
 };
 
 type OpenIdCredentialAddError = variant {
diff --git a/src/internet_identity/src/openid.rs b/src/internet_identity/src/openid.rs
index 598bb1e9f9..9421e69d83 100644
--- a/src/internet_identity/src/openid.rs
+++ b/src/internet_identity/src/openid.rs
@@ -22,6 +22,11 @@ use std::{cell::RefCell, collections::HashMap};
 
 mod generic;
 
+// Re-export the SSO-configuration lookup so the storage-layer
+// `OpenIdCredential → OpenIdCredentialData` conversion can call it
+// without making the whole `generic` module public.
+pub use generic::sso_configuration_for;
+
 pub const OPENID_SESSION_DURATION_NS: u64 = 30 * MINUTE_NS;
 
 pub type OpenIdCredentialKey = (Iss, Sub, Aud);
diff --git a/src/internet_identity/src/openid/generic.rs b/src/internet_identity/src/openid/generic.rs
index e8663355df..912df5cfd0 100644
--- a/src/internet_identity/src/openid/generic.rs
+++ b/src/internet_identity/src/openid/generic.rs
@@ -21,6 +21,7 @@ use identity_jose::jws::{
 };
 use internet_identity_interface::internet_identity::types::{
     DiscoverableOidcConfig, MetadataEntryV2, OpenIdConfig, OpenIdEmailVerificationScheme,
+    SsoConfiguration,
 };
 use rsa::{Pkcs1v15Sign, RsaPublicKey};
 use serde::Serialize;
@@ -259,6 +260,11 @@ pub fn is_allowed_discovery_domain(domain: &str) -> bool {
 
 /// SSO provider that resolves its configuration via two-hop discovery.
 /// Used with the `DiscoverableOidcConfig` type.
+///
+/// The `discovery_domain` and human-readable `name` aren't held on the
+/// provider itself — they live on the matching `DiscoveryState` in
+/// `DISCOVERY_TASKS` (written by the periodic discovery timer, read by
+/// `sso_fields_for` when shaping API responses).
 pub struct DiscoverableProvider {
     discovered_client_id: Rc<RefCell<Option<String>>>,
     discovered_issuer: Rc<RefCell<Option<String>>>,
@@ -338,7 +344,13 @@ impl OpenIdProvider for DiscoverableProvider {
                 OpenIDJWTVerificationError::GenericError("Invalid signature".to_string())
             })?;
 
-        // Return credential with metadata
+        // Return credential with metadata. SSO-specific labels
+        // (`sso_domain`, `sso_name`) are NOT stored here; they're looked
+        // up on-demand from current `DISCOVERY_TASKS` state when a
+        // credential is returned via the API (see
+        // `openid::generic::sso_fields_for`). Computing them at query
+        // time means the FE always sees the current SSO `name` if the
+        // domain's `/.well-known/ii-openid-configuration` is updated.
         let mut metadata: HashMap<String, MetadataEntryV2> = HashMap::new();
         if let Some(email) = claims.email {
             metadata.insert("email".into(), MetadataEntryV2::String(email));
@@ -371,6 +383,12 @@ pub struct DiscoveryState {
     pub client_id_ref: Rc<RefCell<Option<String>>>,
     pub openid_configuration_ref: Rc<RefCell<Option<String>>>,
     pub issuer_ref: Rc<RefCell<Option<String>>>,
+    /// Human-readable SSO name served at
+    /// `{discovery_domain}/.well-known/ii-openid-configuration`.
+    /// Populated by hop-1 once per refresh; `None` if absent in the
+    /// hop-1 body. Read by `sso_fields_for` when shaping credential
+    /// responses.
+    pub name_ref: Rc<RefCell<Option<String>>>,
     /// Only read by the periodic discovery timer (non-test builds).
     #[allow(dead_code)]
     pub certs_ref: Rc<RefCell<Vec<Jwk>>>,
@@ -394,13 +412,15 @@ impl DiscoverableProvider {
         let discovered_issuer: Rc<RefCell<Option<String>>> = Rc::new(RefCell::new(None));
         let discovered_client_id: Rc<RefCell<Option<String>>> = Rc::new(RefCell::new(None));
         let openid_configuration: Rc<RefCell<Option<String>>> = Rc::new(RefCell::new(None));
+        let discovered_name: Rc<RefCell<Option<String>>> = Rc::new(RefCell::new(None));
 
         DISCOVERY_TASKS.with_borrow_mut(|tasks| {
             tasks.push(DiscoveryState {
-                discovery_domain: config.discovery_domain.clone(),
+                discovery_domain: config.discovery_domain,
                 client_id_ref: Rc::clone(&discovered_client_id),
                 openid_configuration_ref: Rc::clone(&openid_configuration),
                 issuer_ref: Rc::clone(&discovered_issuer),
+                name_ref: discovered_name,
                 certs_ref: Rc::clone(&certs),
                 last_jwks_uri: Rc::new(RefCell::new(None)),
             });
@@ -490,6 +510,11 @@ async fn run_discovery_tasks() {
         task.openid_configuration_ref
             .replace(Some(ii_config.openid_configuration));
         task.issuer_ref.replace(Some(doc.issuer));
+        // Pass `name` through unchanged — `None` means the domain didn't
+        // publish one in `/.well-known/ii-openid-configuration`. The FE
+        // decides how to render: "DFINITY" if `sso_name` is present,
+        // "dfinity.org" if only `sso_domain` is available.
+        task.name_ref.replace(ii_config.name);
 
         // Start or restart cert fetching when jwks_uri changes
         let jwks_changed = {
@@ -646,6 +671,12 @@ fn transform_discovery(response: HttpResponse) -> HttpResponse {
 struct IIOpenIdConfiguration {
     client_id: String,
     openid_configuration: String,
+    /// Human-readable name for the SSO (e.g. `"DFINITY"`). Optional; we
+    /// pass it through to the API as-is, letting the FE pick between
+    /// this and the bare domain for rendering. `#[serde(default)]` so
+    /// older deployments that don't publish the field continue to parse.
+    #[serde(default)]
+    name: Option<String>,
 }
 
 /// OIDC discovery document — only the fields needed by the backend.
@@ -677,6 +708,43 @@ pub fn discovered_state_for(
     })
 }
 
+/// Looks up the SSO provenance for an OpenID credential by its
+/// `(iss, aud)` pair. Computed on-demand from current `DISCOVERY_TASKS`
+/// state — that way `get_anchor_info` always reflects live SSO metadata
+/// (the domain's current `name` field, or absence thereof) instead of
+/// whatever got stamped at verification time.
+///
+/// Returns `None` for:
+///   - Direct-provider credentials (Google / Apple / Microsoft — the
+///     matching provider isn't a `DiscoverableProvider`, so no task
+///     matches on `(iss, aud)`).
+///   - SSO credentials whose domain has since been removed from the
+///     canister's allowlist (no task registered at all).
+///   - SSO credentials whose hop-1 / hop-2 discovery hasn't completed
+///     yet (task exists but `client_id_ref` / `issuer_ref` are `None`).
+///
+/// Returns `Some(SsoConfiguration { domain, name })` otherwise, where
+/// `name` may still be `None` if the domain doesn't publish one.
+/// Callers that want a human-readable label fall back
+/// `name → domain → direct-provider `findConfig` result` on the
+/// frontend — the backend intentionally does not collapse the two so
+/// the FE can tell "no name published" apart from "has a name" for
+/// future divergent rendering.
+pub fn sso_configuration_for(iss: &str, aud: &str) -> Option<SsoConfiguration> {
+    DISCOVERY_TASKS.with_borrow(|tasks| {
+        tasks
+            .iter()
+            .find(|t| {
+                t.issuer_ref.borrow().as_deref() == Some(iss)
+                    && t.client_id_ref.borrow().as_deref() == Some(aud)
+            })
+            .map(|t| SsoConfiguration {
+                domain: t.discovery_domain.clone(),
+                name: t.name_ref.borrow().clone(),
+            })
+    })
+}
+
 fn compute_next_certs_fetch_delay<T, E>(
     result: &Result<T, E>,
     current_delay: Option<u64>,
diff --git a/src/internet_identity/src/storage/anchor.rs b/src/internet_identity/src/storage/anchor.rs
index 3e4432b2bf..8c43d35130 100644
--- a/src/internet_identity/src/storage/anchor.rs
+++ b/src/internet_identity/src/storage/anchor.rs
@@ -127,18 +127,31 @@ impl From<Device> for DeviceDataWithoutAlias {
 
 impl From<OpenIdCredential> for OpenIdCredentialData {
     fn from(openid_credential: OpenIdCredential) -> Self {
+        // Populate SSO provenance on-demand from current `DISCOVERY_TASKS`
+        // state so the FE always sees the live value — if a domain
+        // updates the `name` in its `/.well-known/ii-openid-
+        // configuration`, the next `get_anchor_info` reflects it
+        // without any per-credential storage migration.
+        let sso_configuration = crate::openid::sso_configuration_for(
+            &openid_credential.iss,
+            &openid_credential.aud,
+        );
         Self {
             iss: openid_credential.iss,
             sub: openid_credential.sub,
             aud: openid_credential.aud,
             last_usage_timestamp: openid_credential.last_usage_timestamp,
             metadata: openid_credential.metadata,
+            sso_configuration,
         }
     }
 }
 
 impl From<OpenIdCredentialData> for OpenIdCredential {
     fn from(openid_credential: OpenIdCredentialData) -> Self {
+        // The inverse conversion drops the derived SSO fields — they're
+        // not stored, they're recomputed each time we go `OpenIdCredential
+        // → OpenIdCredentialData`.
         Self {
             iss: openid_credential.iss,
             sub: openid_credential.sub,
diff --git a/src/internet_identity_interface/src/internet_identity/types/openid.rs b/src/internet_identity_interface/src/internet_identity/types/openid.rs
index 1d5800695b..9e976814a6 100644
--- a/src/internet_identity_interface/src/internet_identity/types/openid.rs
+++ b/src/internet_identity_interface/src/internet_identity/types/openid.rs
@@ -15,6 +15,29 @@ pub struct OpenIdCredentialData {
     // authn method stats if this value is already set to any value.
     pub last_usage_timestamp: Option<Timestamp>,
     pub metadata: HashMap<String, MetadataEntryV2>,
+    /// Two-hop SSO provenance for credentials linked via
+    /// `add_discoverable_oidc_config`. Looked up on demand by `(iss, aud)`
+    /// from current canister state. `None` for direct-provider credentials
+    /// (Google / Apple / Microsoft) and for SSO credentials whose provider
+    /// is no longer registered on the canister.
+    pub sso_configuration: Option<SsoConfiguration>,
+}
+
+/// Per-credential SSO provenance returned alongside an
+/// `OpenIdCredentialData`. Grouped into one optional struct (rather than
+/// two independent optional fields) so "is this credential SSO?" is a
+/// single presence check.
+#[derive(Clone, Debug, CandidType, Deserialize, Eq, PartialEq)]
+pub struct SsoConfiguration {
+    /// The `discovery_domain` the user entered (always present for SSO
+    /// credentials).
+    pub domain: String,
+    /// Human-readable name served alongside `client_id` at
+    /// `{domain}/.well-known/ii-openid-configuration`. `None` when the
+    /// domain doesn't publish one — callers that want a label should
+    /// fall back to `domain` on the frontend side. Kept separate from
+    /// `domain` so callers can render the two cases differently.
+    pub name: Option<String>,
 }
 
 #[derive(Clone, Debug, CandidType, Deserialize, Eq, PartialEq)]