diff --git a/app/controllers/users/omniauth_callbacks_controller.rb b/app/controllers/users/omniauth_callbacks_controller.rb
index 79643a889..13235f900 100644
--- a/app/controllers/users/omniauth_callbacks_controller.rb
+++ b/app/controllers/users/omniauth_callbacks_controller.rb
@@ -30,8 +30,7 @@ def callback
 # where we want a JS-based redirect to go.
 render 'complete', locals: { redirect_to_url: url || hyrax.dashboard_path }
 else
- session['devise.user_attributes'] = @user.attributes
- redirect_to new_user_registration_url
+ redirect_to root_path, flash: {error: 'Not able to log in user. #{@user.errors.full_messages}'}
 end
 end
 alias cas callback
@@ -42,8 +41,8 @@ def passthru
 render status: 404, plain: 'Not found. Authentication passthru.'
 end
 
- # def failure
- # #redirect_to root_path
- # end
+ def failure
+ redirect_to root_path, flash: {error: 'Authentication Failed. Something is wrong with the SSO configuration.'}
+ end
 end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index b5f300764..565c56d9f 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
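Review bot: In the `else` branch of `callback` (omniauth_callbacks_controller.rb) the flash text is single-quoted, so `#{@user.errors.full_messages}` is shown to the user literally instead of being interpolated. Use a double-quoted string and join the array, e.g. `redirect_to root_path, flash: { error: "Not able to log in user. #{@user.errors.full_messages.to_sentence}" }`. The `if` this branch belongs to starts outside the hunk, so the condition that leads here is not visible.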
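Review bot: The new `failure` action (omniauth_callbacks_controller.rb) blames the SSO configuration for every failed attempt and records nothing, although OmniAuth presumably routes all failures here, including rejected or cancelled logins. A neutral message plus a log line gives operators something to triage and alert on, e.g. `Rails.logger.warn("OmniAuth failure: #{request.env['omniauth.error.type']}")` before the redirect. If the parent controller is Devise's, its own `failure` already builds a reason-specific message and calling `super` may be enough; the class header is outside the hunk, so confirm.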
@@ -32,20 +32,23 @@ def self.default_scope
 scope :registered, -> { for_repository.group(:id).where(guest: false) }
 
 def self.from_omniauth(auth)
- find_or_create_by(provider: auth.provider, uid: auth.uid) do |user|
- user.email = auth&.info&.email
- user.email ||= auth.uid
- # rubocop:disable Performance/RedundantMatch
- user.email = [auth.uid, '@', Site.instance.account.email_domain].join unless user.email.match('@')
- # rubocop:enable Performance/RedundantMatch
- user.password = Devise.friendly_token[0, 20]
- user.display_name = auth&.info&.name # assuming the user model has a name
- user.display_name ||= "#{auth&.info&.first_name} #{auth&.info&.last_name}" if auth&.info&.first_name && auth&.info&.last_name
- # user.image = auth.info.image # assuming the user model has an image
- # If you are using confirmable and the provider(s) you use validate emails,
- # uncomment the line below to skip the confirmation emails.
- # user.skip_confirmation!
- end
+ u = find_by(provider: auth.provider, uid: auth.uid)
+ return u if u
+
+ u = find_by(email: auth&.info&.email&.downcase)
+ u ||= new
+ u.provider = auth.provider
+ u.uid = auth.uid
+ u.email = auth&.info&.email
+ u.email ||= auth.uid
+ # rubocop:disable Performance/RedundantMatch
+ u.email = [auth.uid, '@', Site.instance.account.email_domain].join unless u.email.match('@')
+ # rubocop:enable Performance/RedundantMatch
+ u.password = Devise.friendly_token[0, 20] if u.new_record?
+ u.display_name = auth&.info&.name # assuming the user model has a name
+ u.display_name ||= "#{auth&.info&.first_name} #{auth&.info&.last_name}" if auth&.info&.first_name && auth&.info&.last_name
+ u.save
+ u
 end
 
 # Method added by Blacklight; Blacklight uses #to_s on your
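Review bot: The new e-mail fallback in `from_omniauth` rebinds any existing account to whichever SSO identity asserts its e-mail, because `provider` and `uid` are overwritten on whatever `find_by(email: ...)` returns; when the provider sends no e-mail the lookup becomes `find_by(email: nil)` and can match a row whose e-mail is NULL. Restrict linking to a present e-mail and to accounts not yet tied to an identity, e.g. `email = auth&.info&.email&.downcase` followed by `u = find_by(email: email, provider: nil) if email.present?`, and rely on it only when the provider is known to verify e-mail ownership. For a matched existing user the later lines also replace `display_name` with nil when `auth.info.name` is absent. The result of `u.save` is discarded, so an already persisted record whose save failed is returned as if it were valid; checking the return value or logging `u.errors` would surface that.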