As mentioned above, the LDAP directory is not writable by the Oracle Commerce Platform. Therefore, before a user can log into Commerce SSO, an account must exist for that user in the LDAP directory.

When a user who has an LDAP account but does not have an account in the internal profile repository attempts to log into Commerce SSO, an account for that user is automatically created in the InternalGSAProfileRepository (assuming that the LDAP authentication succeeds). Once the user is logged in, user properties that are not linked to the LDAPRepository can be updated.

In order for Commerce SSO to automatically create an internal user in this way, the user must belong to at least one LDAP group whose group ID matches the name of an LDAP organization defined in the Business Control Center. The new user is automatically assigned to this organization (and to any other LDAP organizations that match existing LDAP groups). For each subsequent successful login, the user’s organization memberships are resynchronized with the user’s current LDAP group memberships.
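The following added example (not Oracle's code) models the first-login auto-creation and per-login resynchronization described above, so the decision rule can be checked against concrete inputs. `ProvisioningSimulator`, the organization names and the rule that organizations not backed by an LDAP group are left untouched are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class InternalUser:
    """Stand-in for a profile in the InternalGSAProfileRepository."""
    login: str
    organizations: set = field(default_factory=set)

class ProvisioningSimulator:
    """Hypothetical model of Commerce SSO's LDAP-backed provisioning."""

    def __init__(self, ldap_organizations):
        # Names of the LDAP organizations defined in the BCC (constructed list).
        self.ldap_organizations = set(ldap_organizations)
        # login -> InternalUser; the directory itself is never written to.
        self.internal_repository = {}

    def login(self, login, ldap_authenticated, ldap_groups):
        """Return the internal user after a login attempt, or None if denied."""
        if not ldap_authenticated:
            return None  # directory rejected the credentials: nothing happens
        # LDAP group IDs that coincide with a BCC LDAP organization name.
        matching = set(ldap_groups) & self.ldap_organizations
        user = self.internal_repository.get(login)
        if user is None:
            if not matching:
                # No group maps to an LDAP organization: no account is created.
                return None
            user = InternalUser(login, set(matching))
            self.internal_repository[login] = user
            return user
        # Subsequent login: resync LDAP organizations with current groups.
        # Assumption: organizations not backed by LDAP are retained as-is.
        retained = user.organizations - self.ldap_organizations
        user.organizations = retained | matching
        return user

if __name__ == "__main__":
    sim = ProvisioningSimulator(["Merchandising", "Marketing"])
    print(sim.login("alice", True, ["Engineering"]))            # None
    print(sim.login("alice", True, ["Merchandising"]))          # created
    print(sim.login("alice", True, ["Marketing"]))              # resynced
```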

Validating a login against the LDAP directory on the Commerce SSO server is handled through the /atg/dynamo/security/LDAPAuthenticationService component, which is of class atg.security.ldap.LDAPAuthenticationService.


Copyright © 1997, 2017 Oracle and/or its affiliates. All rights reserved. Legal Notices