SAML authentication for your organization
If your organization uses Security Assertion Markup Language (SAML) to authenticate users and you're on the Shopify Plus plan, then you can add Shopify as an app with your identity provider. After your app has been set up, users who have the Users organization-level permission can require either individual users or all the users in your organization to authenticate their identity using your SAML identity provider.
Learn more about managing users with Organization settings.
Before you set up SAML authentication
Submitting a domain to be verified has implications for the users logging in to your organization on Shopify. Before you begin, review the following considerations:
- Create a backup account. In case there are any issues with your SAML authentication integration or interruptions with your identity provider, create a backup account that isn't associated with the domain that you use for SAML authentication. Ensure that this account is an active user in your organization, has two-step authentication activated, and has the Users access so that you can deactivate SAML in case of emergencies.
- Set up Shopify accounts. Because SAML authentication is based on domains, ensure that all the users in your organization have set up their Shopify account using email addresses that are associated with your organization's domain.
Setting up SAML authentication for your organization
Before you can set up your SAML configuration, you need to verify your domain. You don't have to wait until your domain verification is complete to start setting up your configuration.
Set up configurations automatically
Automatic configurations are currently available for Okta, OneLogin, and Entra.
Follow the linked instructions based on your identity service provider:
- Okta: How to Configure SAML 2.0 for Shopify Plus
- OneLogin: Configuring SSO for SAML-Enabled Applications
- Entra: Tutorial: Microsoft Entra single sign-on (SSO) integration with Shopify Plus
In order to complete the SSO configuration within your organization, follow these steps when directed by your identity service provider's guide:
Steps:
From your Shopify admin, go to Settings.
In the Organization section, click Users > Security.
In the SAML configuration section, click Set up configuration.
In your identity provider, add the Shopify Plus app and then configure the app with your unique single sign-on URL.
Your identity provider will provide you with a metadata URL. Enter this in the Identity provider metadata URL field. After the URL has been entered, the SAML configuration details are populated automatically, and can't be edited manually.
Click Add.
Set up configurations manually
If you use an identity provider other than Okta, OneLogin, or Entra, then you need to manually enter configuration data.
Identity service providers might use different names for some values. For example, Google's SAML integration uses the term ACS URL to refer to the Single sign-on URL. If you encounter errors when setting up your configurations manually, then contact the identity service provider for assistance.
Steps:
From your Shopify admin, go to Settings.
In the Organization section, click Users > Security.
In the SAML configuration section, click Set up configuration.
Click View SAML configuration settings.
Copy the following values and provide them to your identity service provider, along with any additional information the identity provider might request:
- Single sign-on URL: https://accounts.shopify.com/saml/consume/organization/{organization ID}. Each organization has a unique ID. Copy this value from the Single sign-on URL entry in the SAML configuration details.
- Audience URI (SP Entity ID): https://accounts.shopify.com/saml_sp
- Name ID format: Persistent. We expect Name ID to be a unique email value that does not change for the user.
- Attribute Statements: first_name, last_name, email
Your identity provider will provide you with a metadata URL. Enter this in the Identity provider metadata URL field. After the URL has been entered, the SAML configuration details are populated automatically, and can't be edited manually.
Click Add.
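Before switching enforcement on, it helps to confirm that what your identity provider actually emits matches the values listed above. The following is an added example, not Shopify's or any identity provider's code: it parses a SAML assertion with the Python standard library and checks that the Audience is the Shopify SP Entity ID, that the Name ID uses the persistent format and is an email address on your organization's domain, and that the first_name, last_name and email attribute statements are present. The assertion text is constructed test data, the organization domain example.com and the helper names build_assertion and check_assertion are assumptions, and the check covers structure only; XML signature validation is done by the service provider and is out of scope here.

```python
"""Structural check of a SAML assertion against the SP values Shopify lists.
Added example with constructed data; not code from Shopify or any IdP."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
SP_ENTITY_ID = "https://accounts.shopify.com/saml_sp"  # Audience URI from the page
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
REQUIRED_ATTRIBUTES = ("first_name", "last_name", "email")  # attribute statements from the page


def build_assertion(name_id, name_id_format, audience, attributes):
    """Build a minimal, unsigned assertion (constructed test input, hypothetical helper)."""
    attrs = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
        f"</saml:AttributeValue></saml:Attribute>"
        for name, value in attributes.items()
    )
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed" Version="2.0">'
        f'<saml:Subject><saml:NameID Format="{name_id_format}">{name_id}'
        f"</saml:NameID></saml:Subject>"
        f"<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}"
        f"</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
        f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
        f"</saml:Assertion>"
    )


def check_assertion(xml_text, org_domain):
    """Return a list of mismatches against the Shopify SP expectations (empty = OK).

    Accepts either a bare <saml:Assertion> or a <samlp:Response> wrapping one.
    Signature validation is deliberately not attempted here.
    """
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == f"{{{SAML_NS}}}Assertion" else root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element found"]

    # 1. Audience must name the Shopify SP entity ID.
    audiences = [
        (a.text or "").strip()
        for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    ]
    if SP_ENTITY_ID not in audiences:
        problems.append(f"Audience {audiences} does not include {SP_ENTITY_ID}")

    # 2. Name ID must be persistent and a stable email on the organization's domain.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("NameID missing")
    else:
        if name_id.get("Format") != PERSISTENT_FORMAT:
            problems.append(f"NameID Format is {name_id.get('Format')!r}, expected persistent")
        value = (name_id.text or "").strip()
        if "@" not in value or not value.lower().endswith("@" + org_domain.lower()):
            problems.append(f"NameID {value!r} is not an email address on {org_domain}")

    # 3. first_name, last_name and email attribute statements must be present and non-empty.
    found = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        val = attr.find("saml:AttributeValue", NS)
        found[attr.get("Name")] = (val.text or "").strip() if val is not None else ""
    for name in REQUIRED_ATTRIBUTES:
        if not found.get(name):
            problems.append(f"attribute {name!r} missing or empty")
    return problems


if __name__ == "__main__":
    # Constructed sample: what a correctly configured IdP would emit for a user on example.com.
    good = build_assertion(
        "ada@example.com", PERSISTENT_FORMAT, SP_ENTITY_ID,
        {"first_name": "Ada", "last_name": "Lovelace", "email": "ada@example.com"},
    )
    print("good:", check_assertion(good, "example.com"))
    # Constructed sample with two common mistakes: emailAddress Name ID format, last_name not mapped.
    bad = build_assertion(
        "ada@example.com", "urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress", SP_ENTITY_ID,
        {"first_name": "Ada", "email": "ada@example.com"},
    )
    print("bad:", check_assertion(bad, "example.com"))
```

Run it against an assertion captured from your identity provider's test-login feature (decode the base64 SAMLResponse first); a non-empty list points at the specific value to correct in the identity provider before you set enforcement to Required.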
Requiring SAML authentication
After you add your domain and set up your configuration, wait until verification is complete. When the status of your domain changes to Verified, you can change your SAML authentication settings.
There are three settings for SAML authentication: Required, Specific users, and Off.
Considerations for SAML authentication
- If you select Specific users, then you can set specific login requirements for your users that have Shopify accounts associated with the set email domain from the Users page. Any user who isn't set to require SAML authentication can log in normally. If you select Required, then all users with the email domain that you set must use SAML authentication to log in, including the store owner and users outside the organization.
- The Required setting replaces all individual security requirements for your users. If you change your setting at a later date, then you need to manually change the settings for your users. For example, you have your domain set to Specific users and have three users set to require SAML authentication. You then set enforcement to Required, requiring all users who have Shopify accounts associated with the set email domain to use SAML authentication. Later, you set your enforcement back to Specific users. The three users that were required to log in using SAML authentication are no longer enforced, and must be set up again in their user detail page.
- Requiring a user to use SAML authentication makes existing two-factor authentication requirements redundant. If you set up SAML and require it to log in, then consider deactivating two-factor authentication to avoid users needing to authenticate twice.
- For users on a desktop device, SAML authentication sessions last for 14 days before your users are required to log in again. For users on a mobile device or POS, SAML authentication sessions expire after 14 days if the account is inactive; if the account is active, then sessions renew automatically within 14 days. If you remove a user from the Shopify application in your identity provider, then they can still access Shopify for up to 14 days.
- To prevent users from accessing Organization settings, remove their organization accesses on the Users page in Organization settings.
Require SAML authentication
Steps:
From your Shopify admin, go to Settings.
In the Organization section, click Users > Security.
In the SAML authentication section, click Change setting.
Choose an authentication setting.
Click Save.
Remove SAML authentication
When SAML authentication is set to Off, then all users in your organization who have Shopify accounts associated with your set email domain can log in using their password and email address.
Steps:
From your Shopify admin, go to Settings.
In the Organization section, click Users > Security.
In the SAML authentication section, click Change setting.
Select Off.
Click Save.