SAML authentication for your organization

If your organization uses SAML to authenticate users, then you can add Shopify as an app with your identity provider. After the app has been set up, users with User management access can require either individual users or all the users in your organization to authenticate through your SAML identity provider.

Before you set up SAML authentication

Submitting a domain for verification affects how users log in to your organization on Shopify. Before you begin, review the following considerations.

  • Create a backup account.

    In case there are issues with your SAML integration or an outage at your identity provider, create a backup account that isn't associated with the domain that you use for SAML authentication. Ensure that this account is an active user in your organization, has two-step authentication enabled, and has User management access, so that you can disable SAML in an emergency. Keep its credentials and recovery codes somewhere that doesn't depend on the identity provider being available.

  • Set up Shopify IDs.

    Because SAML authentication is enforced per email domain, ensure that every user in your organization has set up their Shopify ID with an email address on your organization's domain. A user whose Shopify ID uses a different domain isn't covered by the SAML requirement.

Set up SAML authentication for your organization

Before you can require SAML authentication, your domain must be verified.

You don't have to wait until verification is complete to set up your SAML configuration: add the domain first, then configure while verification is pending.

Setting up configurations automatically

Automatic configuration is currently available for the identity providers Okta, OneLogin, and Azure.

Steps:

  1. In your Shopify organization admin, go to Users > Security.
  2. In the SAML configuration section, click Set up configuration.
  3. In your identity provider, add the Shopify Plus app.
  4. Your identity provider gives you a metadata URL for the Shopify Plus app. Enter it in the Identity provider metadata URL field. After the URL has been entered, the SAML configuration details are populated automatically from the metadata, and currently can't be edited manually.
  5. Click Add.

Setting up configurations manually

If you use an identity provider other than Okta, OneLogin, or Azure, then you must enter the configuration data manually.

Identity providers might use different names for some values. For example, Google's SAML integration uses the term ACS URL to refer to the Single sign-on URL. If you encounter errors while setting up your configuration manually, then contact the identity provider for assistance.

Steps:

  1. In your Shopify organization admin, go to Users > Security.
  2. In the SAML configuration section, click Set up configuration.
  3. Click Show SAML configuration settings.
  4. Copy the following values and provide them to your identity provider, along with any additional information the identity provider might request.
    • Single sign-on URL: https://accounts.shopify.com/saml/consume/organization/{organization ID}. Each organization has a unique ID, so copy this value exactly from the Single sign-on URL entry in the SAML configuration details rather than retyping it.
    • Audience URI (SP Entity ID): https://accounts.shopify.com/saml_sp
    • Name ID format: Persistent
    • Attribute statements: first_name, last_name, email
  5. Your identity provider gives you a metadata URL for the Shopify app. Enter it in the Identity provider metadata URL field. After the URL has been entered, the SAML configuration details are populated automatically from the metadata, and currently can't be edited manually.
  6. Click Add.
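Most manual-setup errors come down to one of the four values above not matching what the identity provider actually sends. The following script, an added example and not Shopify's code, checks a SAML response against those values: Destination and Recipient against the Single sign-on URL (the ACS URL, in Google's terms), Audience against the SP Entity ID, the NameID format, and the three attribute names. The response it checks is a constructed, unsigned sample; the organization ID 12345, the IdP entity ID and the user values are placeholders. Signature verification is out of scope here, since Shopify performs it with the certificate from your identity provider metadata.

```python
"""Check a SAML response against the values Shopify expects as service provider.

Added example, not Shopify's code. ORGANIZATION_ID, the IdP entity ID and the
user values in the sample response are placeholders.
"""
import xml.etree.ElementTree as ET

ORGANIZATION_ID = "12345"  # placeholder: use the ID from your Single sign-on URL
ACS_URL = "https://accounts.shopify.com/saml/consume/organization/%s" % ORGANIZATION_ID
SP_ENTITY_ID = "https://accounts.shopify.com/saml_sp"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
REQUIRED_ATTRIBUTES = {"first_name", "last_name", "email"}

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned sample of what a correctly configured IdP would send.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="{ACS_URL}">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="{PERSISTENT}">a1b2c3</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="first_name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="last_name"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def check_saml_response(xml_text: str, acs_url: str = ACS_URL) -> list:
    """Return the mismatches between a response and Shopify's SP settings.

    Signature verification is deliberately not done here: it needs an XML
    signature library and the IdP's signing certificate, and Shopify does it.
    """
    # Use defusedxml.ElementTree for responses from an untrusted source.
    root = ET.fromstring(xml_text)
    problems = []
    dest = root.get("Destination")
    if dest != acs_url:
        problems.append("Destination %r != Single sign-on URL %r" % (dest, acs_url))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element (encrypted assertion or error response?)"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID in Subject")
    elif name_id.get("Format") != PERSISTENT:
        problems.append("NameID format %r is not Persistent" % name_id.get("Format"))
    for scd in assertion.findall(
            "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS):
        recipient = scd.get("Recipient")
        if recipient is not None and recipient != acs_url:
            problems.append("Recipient %r != Single sign-on URL" % recipient)
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append("Audience %r does not include %r" % (audiences, SP_ENTITY_ID))
    attrs = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    missing = REQUIRED_ATTRIBUTES - attrs
    if missing:
        problems.append("missing attribute statements: %s" % sorted(missing))
    return problems


if __name__ == "__main__":
    print(check_saml_response(SAMPLE_RESPONSE) or "response matches Shopify's SP settings")
```

To check a real response, capture the base64 SAMLResponse form field from the browser's developer tools during a test login, decode it, and pass the XML to check_saml_response with your organization's actual Single sign-on URL. A mismatch in attribute names (for example, mail instead of email) is the typical cause of a login that the IdP reports as successful but Shopify rejects.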

Requiring SAML authentication

After you have added your domain and set up your configuration, wait until verification is complete. When the status of your domain changes to Verified, you can change your SAML authentication setting.

Considerations for SAML authentication

There are three settings for SAML authentication: Required, Specific users, and Off.

If you select Specific users, then you can require SAML authentication for individual users whose Shopify IDs use the set email domain; you set this requirement from the Users page, on each user's detail page. Any user who isn't set to require SAML authentication can log in normally. If you select Required, then all users in your organization whose Shopify IDs use the set email domain must use SAML authentication to log in.

The Required setting overrides the individual SAML requirements set for users in your organization, and those per-user settings aren't preserved. If you change the setting back at a later date, then you need to set the per-user requirements again manually.

For example, your domain is set to Specific users and three users are set to require SAML authentication. You then set enforcement to Required, so all users who have Shopify IDs associated with the set email domain must use SAML authentication. Later, you set enforcement back to Specific users. The three users who were previously required to log in using SAML authentication are no longer required to do so, and must be set up again on their user detail pages.

Requiring a user to use SAML authentication removes that user's existing two-step authentication requirement in Shopify. Make sure your identity provider enforces multi-factor authentication for the Shopify app; otherwise, requiring SAML lowers the assurance of those logins rather than raising it.

SAML authentication sessions last for six days before your users are required to log in again. Removing a user from the Shopify app in your identity provider doesn't end their existing session, so they can still access Shopify for up to six days. To revoke access immediately, remove the user's organization accesses on the Users page in the Shopify organization admin as part of offboarding; deprovisioning in the identity provider alone isn't enough.

Require SAML authentication

Steps:

  1. In your Shopify organization admin, go to Users > Security.
  2. In the SAML authentication section, click Change setting.
  3. Choose an authentication setting.
  4. Click Save.

Remove SAML authentication

When SAML authentication is set to Off, all users in your organization who have Shopify IDs associated with your set email domain can log in with their email address and password. Because requiring SAML authentication removed those users' two-step authentication requirements, review and reapply those requirements after you turn SAML off.

Steps:

  1. In your Shopify organization admin, go to Users > Security.
  2. In the SAML authentication section, click Change setting.
  3. Select Off.
  4. Click Save.
