
This use case explores how Shopify merchants with organization-specific access requirements manage user logins via IDP, department-based permissions, and vendor access without a centralized Identity Provider. With robust solutions such as Shopify Single Sign-On (SSO), SCIM-based user sync, and Content Restriction from miniOrange, businesses can implement Shopify Organisation provisioning, control access using email domain-based provisioning in Shopify, and dynamically manage user roles.

In this section, we'll discuss everything from requirements and implementation process to results.

  • Key Requirements:

Single Sign-On SSO: Enable single sign-on into Shopify using identity provider credentials.

SyncUP: User Sync: To sync users & courses between Shopify and platforms using SCIM.

  • Features that will play an important role:

LockOn Content Restriction: Restrict product visibility or pricing based on customer tags and email domains.

Scenario 1: Company-Based Access Using Different IDPs

I manage a Shopify store that lists products from multiple partner companies. Each company has its own Identity Provider (IDP), and their employees need to log in and view their respective product catalogs. I wanted to enable Shopify login using company email domain or company name to determine which IDP a user should authenticate with.


We also needed to restrict Shopify content visibility by company. For example, only users from Company A should see Company A's products or pricing.


Requirements:

  • Identify users during login using their email domain or company name attribute.
  • Redirect users to the appropriate company-specific IDP for Shopify login.
  • Assign customer tags during login to reflect company affiliation.
  • Restrict product visibility or pricing based on these tags to implement email domain-based access in Shopify.

Scenario 2: Department-Based Access Within a Single Company

I run a Shopify store for a large organization that manages all its employees under one Identity Provider. The organization includes several departments, and each department should have access only to relevant store sections. We required an automated way to synchronize and update these permissions in real time whenever employees' roles changed.


Requirements:

  • Provision users in Shopify from IDP based on department data.
  • Automatically update roles and tags if an employee changes departments or leaves the company.

Scenario 3: Vendor Access Without an Identity Provider

I needed to provide store access to third-party vendors who do not have a centralized Identity Provider. These vendors log in to the Shopify store using the default B2B OTP login process. However, I still wanted to grant certain benefits or access to some vendors based on their company.


Requirements:

  • Identify vendors using their email domain.
  • Provision companies and assign access rules using email domain-based login in Shopify.
  • Implement domain-based vendor provisioning in Shopify to tailor content visibility without manual updates.

Solution 1: Shopify SSO + LockOn

The Shopify Single Sign-On solution from miniOrange allows users to log in using their respective company's Identity Provider. Users are redirected to the correct IDP based on their email domain or company name attribute. Upon successful login, users are automatically tagged with their company identity for Shopify Company provisioning.


To restrict content visibility, the LockOn Content Restriction app is used. This app lets merchants display company-specific catalogs or pricing by applying access rules to the tags assigned to users. With email domain-based login in Shopify, users from each company see only the content relevant to them, achieving precise organization provisioning in Shopify based on email domain.

Shopify SSO + LockOn Solution
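The routing and tagging step described above, sketched as an added example (not miniOrange's or Shopify's code). The routing table, domain names, IDP names and tag format are hypothetical; the point is that domains are matched exactly and that the company tag comes from the email the IDP asserted, checked against the IDP bound to that domain.

```python
# Added example. The routing table, domains, IDP names and tags are constructed.
IDP_BY_DOMAIN = {
    "company-a.example": {"idp": "idp-company-a", "tag": "company:company-a"},
    "company-b.example": {"idp": "idp-company-b", "tag": "company:company-b"},
}

def email_domain(email):
    """Return the lower-cased domain of an address, or None if it is malformed."""
    email = email.strip()
    if email.count("@") != 1 or any(c.isspace() for c in email):
        return None
    local, domain = email.split("@")
    domain = domain.lower().rstrip(".")
    if not local or not domain:
        return None
    return domain

def route_login(email):
    """Choose where to send the user. Exact domain match only, never a suffix match."""
    entry = IDP_BY_DOMAIN.get(email_domain(email))
    if entry is None:
        # Unknown domain: fall back to the store's default login, with no company tag.
        return {"action": "default_login", "idp": None}
    return {"action": "redirect", "idp": entry["idp"]}

def tags_after_login(idp_used, asserted_email):
    """Derive the company tag from the email the IDP asserted, not the one typed."""
    entry = IDP_BY_DOMAIN.get(email_domain(asserted_email))
    # An IDP may only vouch for the domain it is bound to in the table.
    if entry is None or entry["idp"] != idp_used:
        return []
    return [entry["tag"]]
```
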

Solution 2: SCIM-Based Provisioning

The SyncUP solution enables real-time Shopify Organizational roles and access provisioning for departments within a company. If any employee data changes in the company's IDP, e.g., a department switch or account deactivation, the user sync solution updates or deactivates the Shopify customer profile in real time.


Real-time role provisioning through SCIM in Shopify helps merchants manage access for departments within the company efficiently. It also ensures dynamic access updates for department changes in Shopify, reducing manual workload and improving security.

SCIM-Based Provisioning
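How a department change or deactivation could be applied on the receiving side, as an added example (not SyncUP's code). The customer record shape and the department-to-tag mapping are hypothetical; the PatchOp schema and the enterprise extension URN are the standard SCIM 2.0 identifiers.

```python
# Added example. The record layout and DEPT_TAGS mapping are constructed.
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
DEPT_TAGS = {"Finance": "dept:finance", "Engineering": "dept:engineering"}

SAMPLE_CUSTOMER = {  # constructed sample record
    "email": "alice@company-a.example",
    "active": True,
    "department": "Finance",
    "tags": ["company:company-a", "dept:finance"],
}

def apply_scim_patch(customer, patch):
    """Apply a SCIM PatchOp to a customer record and recompute its access tags."""
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    updated = dict(customer)
    for op in patch.get("Operations", []):
        kind = str(op.get("op", "")).lower()  # clients vary the case of "op"
        path, value = op.get("path"), op.get("value")
        if kind == "replace" and path == "active":
            # Some clients send the boolean as a string such as "False".
            updated["active"] = value is True or str(value).lower() == "true"
        elif kind in ("add", "replace") and path == ENTERPRISE + ":department":
            updated["department"] = value
        elif kind == "remove" and path == ENTERPRISE + ":department":
            updated["department"] = None
    if not updated["active"]:
        # Deprovisioned account: drop every tag so no restriction rule matches.
        updated["tags"] = []
        return updated
    tags = [t for t in updated["tags"] if not t.startswith("dept:")]
    dept_tag = DEPT_TAGS.get(updated.get("department"))
    if dept_tag:  # an unmapped department gets no department tag (fail closed)
        tags.append(dept_tag)
    updated["tags"] = tags
    return updated
```
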

Solution 3: Content Restriction

In the absence of an identity provider, the LockOn Content Restriction application allows Shopify store owners to set access policies for vendors that log in using Shopify's default email OTP flow. By mapping email IDs to specific companies, LockOn enables domain-based vendor provisioning in Shopify, assigning relevant tags and restricting or displaying content as needed.


This approach ensures seamless email domain-based provisioning in Shopify, even for vendors who do not have an IDP, and helps maintain tailored store experiences.

Content Restriction for Vendor Access
  • Enable Shopify login using company email domain with support for multiple Identity Providers, allowing users to authenticate through their organization-specific IDPs.
  • Map essential user details like name, email, and department directly from the IDP to Shopify customer accounts, using attribute mapping to automate Shopify Company provisioning.
  • Maintain up-to-date user data with two-way profile sync between Shopify and the IDP, ensuring dynamic access updates for department changes in Shopify.
  • Facilitate email domain-based access in Shopify by restricting store visibility and login to verified domains, supporting secure domain-based vendor provisioning in Shopify.
  • Apply Shopify tag-based restrictions to control access to pages, products, and collections, aligning store visibility with company or department-specific roles.

By implementing miniOrange's comprehensive provisioning solutions, Shopify merchants were able to offer a seamless login flow tailored by company or department, ensuring that each user is routed to the correct authentication method and store view. Customer roles were automatically assigned and updated based on IDP data or email domains, minimizing the need for manual tagging or access configuration. Merchants could easily restrict or personalize content to match the organization or vendor profile, enhancing both user experience and security.


Additionally, implementing auto role provisioning through SCIM in Shopify, access control, and deprovisioning helped merchants save significant time and reduce administrative effort. These capabilities allowed stores to maintain secure, role-based access while keeping the login process simple and intuitive for users across different organizational structures.
