As discussed in the previous section, if a user who has an LDAP account but does not have an account in the internal profile repository attempts to log into Commerce SSO, an account for that user is automatically created in the InternalGSAProfileRepository. Profile properties that are linked to LDAP attributes are read-only and cannot be modified through the Business Control Center.

An administrator can create accounts in the internal profile repository for users who have not yet logged into Commerce SSO. Because the LDAP repository is not writable, a new user must already have an LDAP account with the same user name. The page in the Business Control Center for creating a new user has a Validate button next to the Username field that you can click to verify that the account exists in the LDAP directory.


Note that this restriction means that a user account cannot be created by duplicating an existing account and then changing the user name, since this would require writing to the LDAP directory. Therefore, the Duplicate option is disabled in the Users interface in the Access Control area.

Organizations

An administrator can create organizations in the Business Control Center that are stored in the Commerce SSO composite profile repository. There are two types of organizations supported: LDAP (which is linked to an LDAP group) and Commerce (which is stored entirely in the InternalGSAProfileRepository and is not linked to an LDAP group).

The name of an LDAP organization must match the group ID of the corresponding LDAP group. The page in the Business Control Center for creating a new LDAP organization has a Validate button next to the Name field that you can click to verify that the group exists in the LDAP directory.

Once you create an organization, you cannot change its name. This is true for Commerce organizations as well as for LDAP organizations.


Copyright © 1997, 2015 Oracle and/or its affiliates. All rights reserved.