Single Sign-on (SSO) with Shopify as an IDP

Seamless Single Sign-On (SSO) using Shopify as Identity Provider, allows your Shopify users to log into any SAML 2.0, OAuth 2.0, OpenID Connect, JWT compliant platforms or applications using their Shopify credentials. Enable secure SSO access to any LMS or CMS platform using Shopify as IDP. Connect multiple Shopify Stores, websites or custom applications and allow one-click access to any connected platform from your Shopify Plus or Non-Plus Store.

Page and Post Restriction for WordPress (WP) banner

Key Features

Single Sign-On (SSO)

Easy and seamless access to all resources. Single Sign-On (SSO) into any SAML2.0, WS-FED or JWT Application using Shopify credentials.

User Attribute Mapping

Allow Service providers to mapped user details directly from Shopify IDP (First Name, Last Name, Phone number, Email id, etc.)

User Groups Mapping

Allows service Providers to map user’s Group from Identity Provider to service provider groups. The user groups are updated on SSO.

Custom Redirect URL

Configure the URL wherever you want to redirect your Single Sign-On users after SSO login or after logout.

Single Logout

When the Shopify IDP session expires, log out the user from all service providers.

Easily Integrate

Easily integrate the login link from your Shopify site using short code for IDP initiated SSO.

SSO is based on a trust relationship between the identity provider and service provider. This secure authentication is based upon a certification that is exchanged between the Shopify identity provider and the service provider you have chosen.

The certificate can be used to sign identity details sent from the Shopify identity provider to the service provider, ensuring that the service provider is receiving it from a reliable source (Shopify IDP). This identity data is stored in Shopify SSO as tokens, which contain identifying details about the user such as an email address or a username, among other things.

Use cases achieved by our Shopify Store as IDP (Identity Provider) Application

Use your Shopify Store as an Identity Provider (IDP) such that users stored in your Shopify Store can login using their Shopify credentials to any of the connected platforms or websites.
Login to LMS platforms like Docebo, Thinkific, etc. using your Shopify credentials without requiring re-authentication and sync your user base in Shopify & all other connected platforms.
Connect two or more Shopify Stores with each other to sync the user base between all the connected stores and use one of the stores as Identity Provider (IDP) so that users can hop on to any of the connected stores using a single set of Shopify credentials.
Allow access to your community platform only to restricted users. Enable SSO Login to platforms or websites and allow access to users based on tags assigned to them in Shopify.
Sell courses or merchandise on Shopify and activate their license or access these courses in Thinkific without requiring to re-authenticate users on your Thinkific website.
Connect your Shopify Store to different applications providing memberships, subscription services etc and manage user’s membership based on their Shopify customer attributes.
Sync user information and customer attributes between Shopify & other platforms along with enabling Single Sign-On Login to any platform using Shopify as Identity Provider.
Login to any CMS platform like WordPress, Joomla, Drupal, Magento, WoCommerce, etc using your Shopify Store as an Identity Provider (IDP).
Integrate Community forums providing services like Tribe, Circle, Discourse, Buddy Boss, Vanilla Forums etc with your Shopify Store and enable one-click login to community platforms from your Store.

Utilise your Shopify Store to its fullest and integrate different applications, platforms and websites in your business architecture with Shopify such that your Shopify users can use their Shopify credentials to access any of the platforms connected with your Shopify Store.

Step-by-Step Guide for Configuring Shopify as an Identity Provider (IDP) App

Pre-requisite : Store as IDP- SSO Login Application

To configure SSO into your application with Shopify as IDP, you will need to install the miniOrange Store as IDP- SSO Login Application on your store

Shopify Single Sign-On (SSO) in wordpress oauth provider

Store as IDP- SSO login to Apps

By miniOrange

miniOrange Provides Secure Single Sign-On (SSO) access to your application using Shopify Store as IDP.

Get this application

Step 1: Install and Setup App

Click on Add App in Login with Customer Account application on Shopify App Store.
Click on Install App button at right bottom of screen.
Accept the recurring charges shown by our App. After that you’ll be automatically redirected to the Application home page.
Enter primary domain of your Shopify store in Domain Settings Section of the Application. After that click on Save.

Single Sign-On (SSO)for Shopify (Plus and Non Plus),set your domain

Step 2: Configure Application for enabling Single Sign On

Click on Setup Application in the top left in the navigation bar of Shopify as Identity Provider App. You’ll be redirected to the Add Application menu of miniOrange.

Single Sign-On (SSO)for Shopify (Plus and Non Plus), setup-application

Click on Add Application button.

Single Sign-On (SSO)for Shopify (Plus and Non Plus), configure-apps

Select the protocol which you Application support in which you want to integrate SSO through Shopify as Identity Provider

SAML

Configure Single Sign-On (SSO) Settings for SAML Apps:

Click on the SAML tab and search for your Application. If you can't find your application in the below list then select Custom APP and you can also submit your app request to add the application as a pre-integrated app.

Single Sign-On (SSO) for Shopify (Plus and Non Plus), SAML SSO, Details of SP metadata

Once you select the Custom App option, you will find a window similar to :

Single Sign-On (SSO) for Shopify (Plus and Non Plus), SAML SSO, custom-app

Either you can Copy Paste all the attributes of Service Provider (SP), Or you can directly upload an XML file containing relative information.
To upload the file, follow these steps: Click on Import SP Metadata button

Single Sign-On (SSO) for Shopify (Plus and Non Plus), SAML SSO, import SP metadata

You will get a popup with following options.

Here is the description of what each field means (present on the app configuration window).

SP Entity ID	SP Entity ID is used to identify your app against the SAML request received from SP. Make sure the SP Entity ID or Issuer is in this format: httpss://www.domain-name.com/a/[domain_name]/acs.
ACS URL	Assertion Consumer Service URL defines where the SAML Assertion should be sent after authentication. Make sure the ACS URL is in the format: httpss://www.domain-name.com/a/[domain_name]/acs.
Single Logout URL	Single Logout URL defines where the user should be redirected after receiving the logout request from SP. You can mention your applications logout page URL here. Make sure the Single Logout URL is in the format: httpss://mail.domain-name.com/a/out/tld/?logout.
Audience URI	Audience URI, as the name suggests, specifies the valid audience for SAML Assertion. It is usually the same as SP Entity ID. If Audience URI is not specified separately by SP, leave it blank.
NameID	NameID defines what SP is expecting in the subject element of SAML Assertion. Generally, NameID is Username of Email Address

NameID Format defines the format of subject element content, i.e. NameID. For example, Email Address NameID Format defines that the NameID is in the form of an email address, specifically “addr-spec”. An addr-spec has the form local-part@domain, has no phrase (such as a common name) before it, has no comment (text surrounded in parentheses) after it, and is not surrounded by “<” and “>”. If NameID Format is not externally specified by SP, leave it unspecified.
You can Add Attributes to be sent in SAML Assertion to SP. The attributes include user’s profile attributes such as first name, last name, fullname, username, email, custom profile attributes, and user groups, etc.
The next section on the same window is for adding a policy for your app.

Single Sign-On (SSO) for Shopify (Plus and Non Plus), SAML SSO, add-policy

Select a Group Name as Default for making Shopify as Identity Provider.
Give a policy name for Custom App in Policy Name.
Select the Login Method as Password for using Shopify as Identity Provider
Click on Save button to add a policy for Apps (Single Sign-On).

Configure Service Provider (SP)

From the list of Apps configured, you can locate the app you created, you can see the Metadata option present in front of that specific app.

Single Sign-On (SSO) for Shopify (Plus and Non Plus), SAML SSO, click-on-metadata

Click on the Metadata option, you will get a window similar to:

Single Sign-On (SSO) for Shopify (Plus and Non Plus), SAML SSO, view metdata

If you want to make it quick and easy, click on the Download Metadata button to get XMl file which you can upload while configuring SP.
When you want to make Shopify as the Identity Provider, you have to use different set of URLs listed under "Information required to Authenticate with External IDPs" heading (as shown in the following image)

Single Sign-On (SSO) for Shopify (Plus and Non Plus), SAML SSO, download-metadata

OAuth

Configure Single Sign-On (SSO) Settings for OAuth Apps:

Click on OAuth/OIDC tab. and search for your Application. If you can't find your application in the below list then select Custom OpenID Connect APP and you can also submit your app request to add the application as a pre-integrated app

Single Sign-On (SSO) for Shopify (Plus and Non Plus), SAML SSO, selectapp

You can add any OAuth Client app here to enable Shopify as OAuth Server . Few popular OAuth client apps for single sign-on are Salesforce, WordPress, Joomla, Atlassian, etc.

Single Sign-On (SSO) for Shopify (Plus and Non Plus), SAML SSO, custom-oauth

Enter the Client Name.
Make sure Redirect-URL is in this format https://< mycompany.domain-name.com >.
Add Description if you required.

Single Sign-On (SSO) for Shopify (Plus and Non Plus), SAML SSO, client-id

Click on Save button.

You can edit Application by using the following steps:

Login as a customer from the Admin Console.
Go to Apps >> Manage Apps.
Search for your app and Click on edit in Action menu against your app.
Provide the required settings to your OAuth Client Application in which you want Single Sign On via Shopify As Identity Provider:

Application Name	Enter Application Name
Client Name	Enter Client Name
Client ID	Enter Client ID
OAuth Authorize URL	https://<store.xecurify.com>/moas/broker/login/oauth/<customerid> -Use this endpoint when you want use Shopify as Identity Provider
OAuth Token Endpoint URL	https://<store.xecurify.com>/moas/rest/oauth/token
OAuth User Info Endpoint URL	https://<mycompany.domainname.com>/moas/rest/oauth/getuserinfo

JWT

Configure Single Sign-On (SSO) Settings for JWT Apps:

Navigate to the External/JET/PwdLess tab and then select External App section.

Once you select the Custom App option, you will find a window similar to :

Enter the values by referring the below table.

Custom Application Name	Choose an appropriate name according to your choice.
Description	Add appropriate description according to your choice.
Redirect-URL	Endpoint of your application, which will receive the JSON Web token and process it.
Group Name	Default.
Policy Name	Add policy name according to your Preference.
Login Method	Password.

In case you are setting up SSO with Mobile Applications where you can't create an endpoint for Redirect or Callback URL, use below URL.
https://login.xecurify.com/moas/jwt/mobile
Click on Save button.

Configure Service Provider (SP)

Go to Edit against your configured app, Apps>>Select your app>>Edit.

Client ID	If your application provides its own client ID, you can configure it by clicking on the Customize button.
App Secret	You can find App Secret by clicking on the icon as shown below.
Description	Add appropriate description according to your choice.
Signature Algorithm	Select your signature algorithm from the dropdown.
Redirect URL	Given below is your app url where you will receive your token. RSA 256 : `<your_app-login-url>` (Here token will be added by the system) HS256 : `<app-login-url/?id_token=>`

Now, You can access you application Using IDP credentials through the Single-sign-on URL.

Step 3: Test the Single Sign On

Initiate Single Sign On(SSO) from the configured Application.
It will redirect you to Shopify Store Login Page if user is not already logged in to store .
Enter Your Shopify Store customer credentials .
After Successful authentication you’ll be redirected back to configured Application and you’ll be logged in.