Salesforce Commerce Cloud SCAPI Migration and Amber TSOB Auth for a UAE Luxury Retailer
Moving a multi-brand luxury eCommerce platform from OCAPI to SCAPI is a significant but documented migration. Adding social login via SLAS IDP for Google and Apple is well-understood commerce architecture. The genuinely rare problem was Amber. Amber is a UAE lifestyle and loyalty super-app widely used across the Gulf region, but it has no OAuth 2.0 support. Salesforce’s SLAS IDP social login mechanism requires OAuth2 redirect flows for external identity providers. Without OAuth2, the standard approach does not work. For a leading UAE luxury multi-brand retailer operating multiple brand storefronts, including international fashion and lifestyle brands, Amber login was a business requirement for its UAE customer base. Ksolves engineered a custom Trusted System Outbound (TSOB) authentication flow that authenticates Amber users server-side, generates a SLAS JWT without requiring the standard OAuth2 redirect, maps Amber identities to SFCC shopper records, and prevents duplicate account creation when an Amber user already has an email and password account on the storefront.
- OCAPI Legacy Blocking Headless and Mobile Commerce: The retailer's SFCC implementation ran on OCAPI, the legacy Open Commerce API relying on session-based authentication, which was incompatible with the modern headless and PWA Kit architecture required for mobile-first composable commerce. Migrating to SCAPI with SLAS JWT-based authentication was a prerequisite for supporting PWA Kit storefronts, multi-brand headless frontends, and future composable commerce capabilities.
- No Social Login on Any Brand Storefront: Shoppers across all brand storefronts had no option to sign in with Google or Apple accounts, forcing them to create and remember a separate storefront password for each brand. Without SLAS IDP social login, the retailer could not offer the frictionless authentication experience its luxury customer base expected.
- Amber UAE Has No OAuth 2.0: Amber, a UAE lifestyle and loyalty super-app with millions of active users in the Gulf region, does not implement OAuth 2.0. Salesforce's SLAS IDP social login mechanism requires OAuth2 redirect flows for external identity providers. Amber cannot complete this flow. Implementing Amber login required a completely custom authentication architecture with no documented Salesforce reference implementation.
- Duplicate Account Risk Across Social Login Flows: When a shopper who previously registered with an email and password subsequently logs in via a social identity, SFCC's default behaviour creates a second shopper record with the same email, resulting in split order history, separate wishlists, and broken loyalty data. Preventing duplicate account creation required custom account merging logic across all three social login flows.
- Session Continuity Across SFRA and PWA in a Hybrid Storefront: The storefronts operate in a hybrid architecture where some pages render via SFRA and others via PWA Kit. SLAS JWT tokens used by SCAPI and SFRA's dwsid session cookies are different authentication mechanisms that must be kept in sync to prevent shoppers from losing session state when navigating between SFRA and headless pages.
Ksolves delivered the complete OCAPI to SCAPI migration and advanced authentication architecture across five connected workstreams: SLAS IDP configuration for standard social login, the custom TSOB flow for Amber, account merging logic, Hybrid Authentication replacing Plugin SLAS, and PWA Kit configuration with private SLAS client for secure server-side token management.
- OCAPI to SCAPI Migration: All shopper-facing API calls were migrated from the legacy OCAPI framework to the modern Salesforce Commerce API covering Shopper Baskets, Shopper Customers, Shopper Products, and Shopper Orders. SLAS public and private client IDs were configured for each brand site across development, staging, and production realms with proper PKCE code challenge and verifier flows for all authentication paths.
- SLAS IDP Social Login for Google and Apple: Salesforce SLAS Identity Provider was configured for Google and Apple social login across all brand storefronts, setting up IDP hint routing in the SLAS authorize endpoint to redirect shoppers to the appropriate external identity provider, handling the OAuth2 authorization code return and token exchange, and implementing the full PKCE flow for token generation. Social login buttons were integrated into storefront authentication flows with brand-specific redirect URIs per site.
- Custom TSOB Authentication Flow for Amber: A custom Trusted System Outbound authentication mechanism was engineered for Amber, the only viable path for a social login provider without OAuth 2.0 support. The TSOB flow verifies the Amber user's identity via a server-side trusted API call to Amber's authentication endpoint, receives confirmation of the authenticated Amber user identity without an OAuth2 redirect, calls SLAS's trusted system token endpoint to generate a SLAS JWT on behalf of the authenticated shopper, maps the Amber user identity to an existing SFCC shopper record or creates a new one, and returns a valid SLAS JWT to the storefront without the shopper experiencing a standard OAuth2 redirect flow.
- Duplicate Account Merge Logic: Custom account merging logic was built across all three social login paths. When a Google, Apple, or Amber social login is attempted and an existing SFCC shopper record with the same email already exists from a previous email and password registration, the logic detects the existing account, links the social identity to it, consolidates order history, wishlist, and loyalty data under a single shopper record, and completes login without creating a duplicate profile.
- Hybrid Authentication Replacing Plugin SLAS: Salesforce B2C Commerce 25.3+ native Hybrid Authentication was configured across all brand sites, replacing the older Plugin SLAS cartridge with the platform-native solution. Hybrid Auth synchronises the SLAS JWT for SCAPI calls from PWA Kit with the legacy SFRA dwsid session cookie by calling the SLAS session bridge endpoint on JWT generation, enabling seamless session continuity as shoppers navigate between SFRA and PWA pages within the hybrid storefronts.
- PWA Kit Multi-Brand Configuration: PWA Kit was configured on Managed Runtime with private SLAS clients for all brand sites using the BFF pattern to manage SLAS secrets server-side, with site-specific configurations for currency, language, catalogue IDs, and search settings per brand, and basket transfer and merge logic ensuring guest cart items are preserved when a shopper registers or logs in.
Technology Stack
| Category | Technology |
|---|---|
| Commerce API | Salesforce Commerce API (SCAPI) |
| Authentication | SLAS IDP, SLAS JWT, PKCE |
| Custom Auth | Trusted System Outbound (TSOB) for Amber UAE |
| Session Management | Hybrid Authentication (B2C Commerce 25.3+) |
| Frontend | PWA Kit, Managed Runtime |
- OCAPI Dependency Eliminated Across All Brand Storefronts: All brand sites now operate on modern SCAPI with SLAS JWT authentication, enabling headless PWA Kit storefronts, composable commerce architecture, and compatibility with Salesforce's current and future Commerce API roadmap.
- Google and Apple Social Login Live on All Brand Storefronts: Shoppers can authenticate in seconds using existing Google or Apple accounts via SLAS IDP, with automatic account merging preventing duplicate profiles for returning email and password registrants across all brand sites.
- Amber Login Delivered via Custom TSOB with No OAuth 2.0 Required: UAE shoppers can log in with their Amber credentials directly from the storefront without any OAuth2 redirect, with server-side identity verification, SLAS JWT generation, and account merging all handled transparently by the custom TSOB implementation, a pattern with no documented Salesforce reference implementation before this engagement.
- Duplicate Account Creation Prevented Across All Social Login Paths: Account merge logic active across Google, Apple, and Amber login paths ensures that when a social login matches an existing email, the social identity is linked to the existing account rather than creating a duplicate, preserving full order history, wishlist, and loyalty data under a single unified shopper record.
- Stable Hybrid Storefront Sessions with Platform-Native Authentication: Native Hybrid Authentication configured across all brand sites provides platform-native session bridging synchronising SLAS JWT and SFRA dwsid, with shoppers navigating between SFRA and PWA pages without session loss and the solution maintained by Salesforce's core platform engineering rather than an external cartridge.
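The TSOB login path and the duplicate account merge rule described in the solution and results sections above, as an added Node.js example that is not the engagement's code and not Amber's or Salesforce's API. Amber verification and SLAS token minting are injected as functions so the control flow runs offline; the shape of Amber's verification response (`subject`, `email`, `emailVerified`) and of the minting call are assumptions. The security point it makes explicit is that the e-mail used by the merge step must come from the server-side verification with the identity provider, never from the browser request: a merge-by-email that trusted a client-supplied address would let any Amber account be attached to an existing shopper record. For the same reason it refuses to proceed unless the provider asserts the address is verified.

```javascript
// Added example (not Ksolves', Amber's or Salesforce's code): the server-side
// TSOB login path on the BFF, with the outbound calls injected so it runs
// offline. Response shapes for Amber and SLAS are assumptions.

// Constructed stand-in for SFCC shopper records, keyed by lower-cased e-mail.
function createShopperStore(seed = []) {
  const byEmail = new Map();
  for (const s of seed) {
    byEmail.set(s.email.toLowerCase(), { ...s, email: s.email.toLowerCase(), identities: [...s.identities] });
  }
  return {
    findByEmail: (email) => byEmail.get(email.toLowerCase()) || null,
    create: (email, identity) => {
      const rec = { customerId: `c_${byEmail.size + 1}`, email: email.toLowerCase(), identities: [identity] };
      byEmail.set(rec.email, rec);
      return rec;
    },
    size: () => byEmail.size,
  };
}

// The merge rule, usable for Google, Apple and Amber alike: if a shopper with
// this e-mail exists, attach the social identity to that record instead of
// creating a second one. Reports what happened so the caller can log it.
function findOrLinkShopper(store, { idp, subject, email }) {
  const existing = store.findByEmail(email);
  if (existing) {
    const known = existing.identities.some((i) => i.idp === idp && i.subject === subject);
    if (!known) existing.identities.push({ idp, subject });
    return { shopper: existing, created: false, linked: !known };
  }
  const shopper = store.create(email, { idp, subject });
  return { shopper, created: true, linked: true };
}

// One Amber login on the BFF. `request` is what the storefront sent; `deps`
// holds the outbound calls (assumed shapes, not real contracts):
//   deps.verifyAmberToken(token) -> { subject, email, emailVerified } | null
//   deps.mintTrustedSystemToken({ loginId, idpOrigin, channelId }) -> SLAS JWT
function amberLogin(request, deps) {
  // Step 1: trusted server-side check with Amber. Only Amber's answer says who
  // the shopper is. Any e-mail in the browser request is deliberately ignored,
  // since the merge step below would otherwise attach the Amber identity to
  // whichever existing account the browser named.
  const identity = deps.verifyAmberToken(request.amberToken);
  if (!identity || !identity.emailVerified) {
    return { ok: false, reason: "amber_verification_failed" };
  }
  // Step 2: link to the existing SFCC shopper record or create one.
  const { shopper, created, linked } = findOrLinkShopper(deps.store, {
    idp: "amber",
    subject: identity.subject,
    email: identity.email,
  });
  // Step 3: mint the SLAS JWT on the shopper's behalf. In production this is
  // the call to SLAS's trusted system token endpoint, authenticated with the
  // private client's secret, which stays on the BFF.
  const token = deps.mintTrustedSystemToken({ loginId: shopper.email, idpOrigin: "amber", channelId: request.siteId });
  return { ok: true, customerId: shopper.customerId, created, linked, token };
}

// Constructed fixtures: one shopper who registered with e-mail and password,
// a fake Amber verifier that knows two users, and a fake token minter.
function demoDeps() {
  const amberUsers = {
    "amber-session-layla": { subject: "amber-u-42", email: "layla@example.com", emailVerified: true },
    "amber-session-omar": { subject: "amber-u-7", email: "omar@example.com", emailVerified: true },
  };
  return {
    store: createShopperStore([
      { customerId: "c_1", email: "Layla@example.com", identities: [{ idp: "password", subject: "Layla@example.com" }] },
    ]),
    verifyAmberToken: (token) => amberUsers[token] || null,
    mintTrustedSystemToken: ({ loginId, idpOrigin, channelId }) => `jwt-for-${loginId}@${idpOrigin}/${channelId}`,
  };
}

module.exports = { createShopperStore, findOrLinkShopper, amberLogin, demoDeps };
```

Running `amberLogin` twice for the same Amber user links the identity once and then simply reuses the record; a user with no existing account gets a new record; a token Amber does not recognise yields no SLAS JWT at all. The `linked` and `created` flags are worth writing to the audit log, since a burst of links against existing accounts is the signal to watch for on this path.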
Ksolves delivers Salesforce Commerce Cloud implementation and Salesforce consulting services for luxury retailers and multi-brand eCommerce operators managing complex authentication, migration, and composable commerce requirements.
Before this engagement, the retailer’s storefronts ran on legacy OCAPI with no social login, no path to Amber authentication for UAE customers, and no framework for preventing duplicate shopper accounts across login methods. After Ksolves delivered the full SCAPI migration, SLAS IDP social login, custom TSOB Amber flow, and Hybrid Authentication, every UAE shopper has a seamless, unified authentication experience regardless of how they choose to log in.
The SCAPI migration and SLAS IDP social login patterns are replicable across any SFCC implementation still running on OCAPI. The Amber TSOB pattern is specifically replicable for any GCC or UAE retailer using SFCC where Amber login is a customer requirement.
Still running on OCAPI or need social login for regional apps without OAuth 2.0 support?