SAML authentication for your organization

If your organization uses SAML to authenticate users, then you can add Shopify as an app in your identity provider. After the app has been set up, users who have User management access can require either individual users or all users in your organization to authenticate using your SAML identity provider.

Before you start

Submitting a domain to be verified has implications for the users logging in to your organization on Shopify. Before you begin, review the following considerations.

  • Create a backup account.

    In case there are any issues with your SAML authentication integration or interruptions with your identity provider, create a backup account that isn't associated with the domain that you use for SAML authentication. Ensure that this account is an active user in your organization, has two-step authentication enabled, and has User management access so that you can disable SAML in an emergency.

  • Set up Shopify IDs.

    Because SAML authentication is based on domains, ensure that all the users in your organization have set up their Shopify ID using email addresses that are associated with your organization's domain.

  • Set up interim security measures.

    Verifying your organization's domain can take a few days, so consider setting up alternate means of authentication in the meantime, such as requiring two-step authentication.

  • Review your domains.

    Domains are associated with one organization only. Use domains that are exclusive to your organization for SAML authentication. If you use a domain that is also claimed by another organization, then that organization can't use the domain for their own SAML authentication.

    For example, assume that your organization is a subsidiary of a larger entity. You might have users whose logins are based on email addresses from both your organization and from the parent company. If you set up SAML authentication for your subsidiary organization using both your domain and the parent company's, then the parent company's domain would become unavailable for use by any other organization that uses Shopify.

    If you have users who are associated with a domain that is needed for another organization in Shopify, then don't claim that domain.

Set up SAML authentication for your organization

Before you can set up your SAML configuration, you need to verify your domain.

Steps:

  1. In your Shopify organization admin, go to Users > Security.
  2. In the Domain verification section, click Add domain.
  3. Enter the name of your domain and click Add.

The domain is now in Pending status. The process of verifying your domain can take a few days. After the process is complete, the status of your domain is updated to Verified or Rejected, and you're sent a notification email with more information. If you think your domain has been rejected in error, then contact Shopify Plus Support.

You don't have to wait until your domain is verified to start setting up your configuration. Ready-made configurations are currently available for the identity providers Okta and Azure. If you use a different identity provider, then you must manually enter configuration data.

Steps:

  1. In your Shopify organization admin, go to Users > Security.
  2. In the SAML configuration section, click Set up configuration.
  3. Add the Shopify Plus app in your identity provider.
  4. Optional: set up the app in your identity provider manually.
    1. Click Show SAML configuration settings.
    2. Copy the following values and provide them to your identity service provider, along with any additional information the identity provider might request:
      • Single sign-on URL
      • Audience URI (SP Entity ID)
      • Name ID format
      • first_name
      • last_name
      • email
  5. Your identity provider provides you with a metadata URL. Enter it in the Identity provider metadata URL field. After the URL has been entered, the SAML configuration details are populated automatically; they currently can't be edited manually.
  6. Click Add.
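The values copied in step 4 are the contract between Shopify (the service provider) and your identity provider: the assertion the identity provider sends back must name the SP Entity ID as its audience, carry a NameID in the agreed format, and include the first_name, last_name and email attributes. The following check is an added example, not Shopify's code; it parses a constructed sample assertion (the kind you would capture from a browser SAML trace while testing the app) and reports what is missing. The SP Entity ID, the Name ID format URN and the XML layout are placeholders and assumptions, not values from the page; your real values come from the Show SAML configuration settings screen.

```python
"""Check a SAML assertion against the values Shopify hands to the identity provider.

Added example, not Shopify's code. The SP Entity ID, the Name ID format and the
attribute layout below are constructed placeholders (assumptions), standing in
for the real values shown under "Show SAML configuration settings".
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Placeholder values standing in for the ones shown in the Shopify admin.
SP_ENTITY_ID = "https://sp.example/placeholder-entity-id"                    # Audience URI (SP Entity ID), assumed
NAME_ID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  # Name ID format, assumed
REQUIRED_ATTRS = ("first_name", "last_name", "email")                       # attribute names from the page

# Constructed sample assertion, as an identity provider might send it once the app is set up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example/placeholder-entity-id</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, verified_domain, sp_entity_id=SP_ENTITY_ID):
    """Return a list of problems; an empty list means the assertion carries what Shopify asks for."""
    problems = []
    root = ET.fromstring(xml_text)

    # The audience must be exactly the SP Entity ID copied from the Shopify admin.
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append(f"Audience {audiences} does not contain SP Entity ID {sp_entity_id}")

    # A NameID must be present, in the agreed format.
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("missing NameID")
    elif name_id.get("Format") != NAME_ID_FORMAT:
        problems.append(f"NameID format {name_id.get('Format')!r} != {NAME_ID_FORMAT!r}")

    # All three attributes the page lists must be present and non-empty.
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append(f"missing or empty attribute {name}")

    # SAML enforcement is domain based: the email must belong to the verified domain,
    # and the NameID should identify the same account as the email attribute.
    email = attrs.get("email", "")
    domain = email.rpartition("@")[2].lower()
    if domain != verified_domain.lower():
        problems.append(f"email domain {domain!r} is not the verified domain {verified_domain!r}")
    if name_id is not None and name_id.text and name_id.text.strip().lower() != email.lower():
        problems.append("NameID and email attribute disagree")

    return problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, "example.com"))    # no problems
    print(check_assertion(SAMPLE_ASSERTION, "other.example"))  # email domain mismatch
```

Run it against an assertion captured from your own test login (with the placeholders replaced by the values from the Shopify admin) to confirm the identity provider mapping before you switch enforcement to Required; the domain check mirrors the "Review your domains" consideration above, since a user whose email is on a different domain is not governed by this SAML configuration at all.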

After you have added your domain and set up your configuration, wait until verification is complete. When the status of your domain changes to Verified, you can change your SAML authentication settings.

Requiring SAML authentication

After setup is complete, you can require users in your organization who have Shopify IDs associated with the set email domain to log in using SAML authentication.

Considerations for SAML authentication

There are three settings for SAML authentication: Required, Specific users, and Off.

If you select Specific users, then you can set login requirements for individual users who have Shopify IDs associated with the set email domain from the Users page. Any user who isn't set to require SAML authentication can log in normally. If you select Required, then all users in your organization with the set email domain must use SAML authentication to log in.

The Required setting replaces all individual security requirements for users in your organization. If you change your setting at a later date, then you need to manually change the settings for your users.

For example, you have your domain set to Specific users and have three users set to require SAML authentication. You then set enforcement to Required, requiring all users who have Shopify IDs associated with the set email domain to use SAML authentication. Later, you set your enforcement back to Specific users. The three users that were required to log in using SAML authentication are no longer enforced, and must be set up again in their user detail page.

Two-step authentication settings aren't affected by SAML authentication. If your identity provider requires two-step authentication and you also require two-step authentication for users to log in to Shopify, then your users need to authenticate twice. Consider deactivating two-step authentication within Shopify after SAML authentication is set up and required.

SAML authentication sessions last for six days before your users are required to log in again. If you remove a user from the Shopify application in your identity provider, then they can still access Shopify for up to six days. To prevent users from accessing your organization admin, remove their organization access on the Users page in the Shopify organization admin.
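Because removing a user in the identity provider does not end an existing Shopify session, offboarding needs a second step in the Shopify admin. The reconciliation below is an added example, not Shopify's code and not a Shopify or identity provider API: it takes two constructed lists, the users assigned to the Shopify app in the identity provider and the users shown on the Shopify Users page, and lists everyone on the verified domain who still has organization access without an identity provider assignment, together with the latest instant an existing session could still be accepted (last SAML login plus six days).

```python
"""Reconcile identity provider app assignments with Shopify organization access.

Added example, not Shopify's code. Both user lists are constructed samples
standing in for an export of the app's assigned users from the identity
provider and of the Users page in the Shopify organization admin.
"""
from datetime import datetime, timedelta, timezone

SAML_SESSION_LIFETIME = timedelta(days=6)  # sessions last six days, per the page

# Constructed sample data.
IDP_ASSIGNED = {"jane@example.com", "omar@example.com"}
SHOPIFY_USERS = [
    # (email, has organization access, last SAML login in UTC or None)
    ("jane@example.com", True, datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)),
    ("omar@example.com", True, datetime(2024, 5, 2, 10, 0, tzinfo=timezone.utc)),
    ("lee@example.com", True, datetime(2024, 5, 3, 8, 30, tzinfo=timezone.utc)),  # removed from the IdP app
    ("sam@example.com", False, datetime(2024, 4, 1, 8, 0, tzinfo=timezone.utc)),  # org access already removed
    ("ext@partner.example", True, None),                                         # other domain, not SAML-governed
]


def orphaned_saml_users(idp_assigned, shopify_users, verified_domain, now):
    """Users on the verified domain with organization access but no IdP assignment.

    Each result carries the latest time an existing SAML session could still be
    valid and whether that window is still open at `now`.
    """
    verified_domain = verified_domain.lower()
    assigned = {e.lower() for e in idp_assigned}
    result = []
    for email, has_access, last_login in shopify_users:
        email_l = email.lower()
        # Users without access, or on another domain, are not governed by this SAML setup.
        if not has_access or email_l.rpartition("@")[2] != verified_domain:
            continue
        if email_l in assigned:
            continue
        session_until = last_login + SAML_SESSION_LIFETIME if last_login else None
        result.append({
            "email": email,
            "session_until": session_until,
            "session_may_be_live": session_until is not None and session_until > now,
        })
    return result


if __name__ == "__main__":
    now = datetime(2024, 5, 5, tzinfo=timezone.utc)
    for row in orphaned_saml_users(IDP_ASSIGNED, SHOPIFY_USERS, "example.com", now):
        print(f"remove organization access: {row['email']} "
              f"(session possibly valid until {row['session_until']}, live now: {row['session_may_be_live']})")
```

Anyone the function returns should have their organization access removed on the Users page regardless of whether the session window is still open; the timestamp only tells you how urgent it is.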

Require SAML authentication

Steps:

  1. In your Shopify organization admin, go to Users > Security.
  2. In the SAML authentication section, click Edit.
  3. Choose an authentication setting.
  4. Click Save.

Remove SAML authentication

When SAML authentication is set to Off, then all users in your organization who have Shopify IDs associated with your set email domain can log in using their password and email address.

Steps:

  1. In your Shopify organization admin, go to Users > Security.
  2. In the SAML authentication section, click Edit.
  3. Select Off.
  4. Click Save.

Remove domains

If you no longer require a domain, or have added one in error, then you can remove it. To remove a domain, your SAML authentication can't be set to Required, and no users who have Shopify IDs associated with the set email domain can be using SAML authentication.

Steps:

  1. In your Shopify organization admin, go to Users > Security.
  2. In the Domain verification section, click the delete icon.
