SAML authentication for your organization

If your organization uses SAML to authenticate users, then you can add Shopify as an app with your identity provider. After your app has been set up, you can require users to authenticate using your SAML identity provider either individually or across your entire organization.

Before you start

Submitting a domain to be verified can have implications for the users logging in to your organization on Shopify. Before you begin, you should review the following considerations.

Create a backup account

In case there are any issues with your SAML authentication integration or interruptions with your identity provider, you should create a backup account that isn't associated with the domain you use for SAML authentication. Ensure that this account is an active user in your organization, has two-step authentication enabled, and has the User management access so that you can disable SAML in case of emergencies.

Set up Shopify IDs

SAML authentication is based on domains, so you should ensure that all the users in your organization have set up their Shopify ID using email addresses associated with your organization's domain.

Review domains

Domains can be associated with one organization only. You should use domains exclusive to your organization for SAML authentication, because any domain claimed can't be used for SAML authentication in another organization.

For example, suppose your organization is a subsidiary of a larger entity. You could have users with logins based on email addresses from both your organization and from the parent company. If you set up SAML authentication using both domains, then the parent company's domain would become unavailable for use by any other organization that uses Shopify.

If you have users associated with a domain that is needed for another organization in Shopify, then don't claim that domain.

Set up interim security measures

Verifying your organization's domain is a process that can take a few days, so you might want to set up alternate means of authentication in the meantime, such as requiring two-factor authentication.

Set up SAML authentication for your organization

Configurations are currently available for identity service providers Okta and Azure. If you use a different identity provider, then you can manually enter configuration data.

Steps:

  1. In your Shopify organization admin, go to Users > Security.
  2. In the Domain verification section, click Add domain.
  3. Enter the name of your domain and click Add.

The domain is now in Pending status. The process of verifying your domain can take a few days. After the process is complete, the status of your domain is updated to Verified or Rejected, and you're sent a notification email with more information. If you think your domain has been rejected in error, then contact Shopify Plus Support.

You don't have to wait until your domain is verified to start setting up your configuration.

Steps:

  1. In your Shopify organization admin, go to Users > Security.
  2. In the SAML configuration section, click Set up configuration.
  3. Add the Shopify Plus app in your identity provider.
  4. Optional: you can set up an app in your identity provider manually.
    1. Click Show SAML configuration settings.
    2. Copy the following values and provide them to your identity service provider, along with any additional information the identity provider might request:
      • Single sign-on URL
      • Audience URI (SP Entity ID)
      • Name ID format
      • first_name
      • last_name
      • email
  5. Your identity service provider will provide you with a metadata URL. Enter this in the Identity provider metadata URL field. After the URL has been entered, the SAML configuration details are populated automatically, and currently can't be edited manually.
  6. Click Add.

After you have added your domain and set up your configuration, wait until verification is complete. When the status of your domain changes to Verified, you can change your SAML authentication settings.

Require SAML authentication

After setup is complete, you can require users in your organization that have Shopify IDs associated with the set email domain to log in using SAML authentication.

Steps:

  1. In your Shopify organization admin, go to Users > Security.
  2. In the SAML authentication section, click Edit.
  3. Choose an authentication setting.
  4. Click Save.

If you select Specific users, then you can set specific login requirements for your users that have Shopify IDs associated with the set email domain from the Users page. Any user who isn't set to require SAML authentication can log in normally. If you select Required, then all users in your organization with the set email domain must use SAML authentication to log in.

The Required setting replaces all individual security requirements for users in your organization. If you change your setting at a later date, then you need to manually change the settings for your users. For example, suppose that you have your domain set to Specific users and have three users set to require SAML authentication. You then set enforcement to Required, requiring all users that have Shopify IDs associated with the set email domain to use SAML authentication. Later, you set your enforcement back to Specific users. The three users that were required to log in using SAML authentication are no longer enforced, and must be set up again in their user page.

Two-factor authentication settings aren't affected by SAML authentication. If two-factor authentication is required for your users to log in to your SAML identity provider and you require two-factor authentication for users to log in to Shopify, then your users will need to authenticate twice. Consider deactivating two-factor authentication within Shopify after SAML authentication is set up and required.

SAML authentication sessions last for six days before your users are required to log in again. If you remove a user from the Shopify Plus application in your identity provider, then they will still be able to access Shopify for up to six days. To completely remove access for a user, remove them on the Users page in the Shopify organization admin.

Remove SAML authentication

If SAML authentication is set to Off, then all users in your organization that have Shopify IDs associated with your set email domain can log in using their password and email address.

Steps:

  1. In your Shopify organization admin, go to Users > Security.
  2. In the SAML authentication section, click Edit.
  3. Select Off.
  4. Click Save.

Remove domains

If you no longer require a domain, or have added one in error, then you can remove it. To remove a domain, you can't have your SAML authentication set to Required, and there can't be any users that have Shopify IDs associated with the set email domain using SAML authentication.

Steps:

  1. In your Shopify organization admin, go to Users > Security.
  2. In the Domain verification section, click the delete icon.
