Configure SSO into your Applications using Shopify Store Credentials

Configure Single Sign-On (SSO) Settings for SAML Apps:

• Click on the SAML tab and search for your Application.

• If you can't find your application in the below list then select Custom APP and you can also submit your app request to add the application as a pre-integrated app.

• Once you select the Custom App option, you will find a window similar to:

• Either you can Copy and Paste all the attributes of the Service Provider (SP), Or you can directly upload an XML file containing relative information.
• To upload the file, follow these steps: Click on the Import SP Metadata button.

• You will get a popup with the following options.


Here is the description of what each field means (present on the app configuration window).

SP Entity ID	SP Entity ID is used to identify your app against the SAML request received from SP. Make sure the SP Entity ID or Issuer is in this format: httpss://www.domain-name.com/a/[domain_name]/acs.
ACS URL	Assertion Consumer Service URL defines where the SAML Assertion should be sent after authentication. Make sure the ACS URL is in the format: httpss://www.domain-name.com/a/[domain_name]/acs.
Single Logout URL	A Single Logout URL defines where the user should be redirected after receiving the logout request from SP. You can mention your application logout page URL here. Make sure the Single Logout URL is in the format: httpss://mail.domain-name.com/a/out/tld/?logout.
Audience URI	Audience URI, as the name suggests, specifies the valid audience for SAML Assertion. It is usually the same as the SP Entity ID. If the Audience URI is not specified separately by SP, leave it blank.
NameID	NameID defines what SP is expecting in the subject element of SAML Assertion. Generally, NameID is the Username or Email Address

• NameID Format defines the format of subject element content, i.e. NameID. For example, Email Address NameID Format defines that the NameID is in the form of an email address, specifically “addr-spec”. An addr-spec has the form local-part@domain, has no phrase (such as a common name) before it, has no comment (text surrounded in parentheses) after it, and is not surrounded by “<” and “>”. If NameID Format is not externally specified by SP, leave it unspecified.
• You can Add Attributes to be sent in SAML Assertion to SP. The attributes include the user’s profile attributes such as first name, last name, fullname, username, email, custom profile attributes, and user groups, etc.
• The next section on the same window is for adding a policy for your app.

• Select a Group Name as Default for making Shopify as an Identity Provider.
• Give a policy name for the Custom App in Policy Name.
• Select the Login Method as Password for using Shopify as an Identity Provider
• Click on the Save button to add a policy for Apps (Single Sign-On).

Configure Service Provider (SP)

• Now navigate to the Select >> Metadata option against your configured application.

• Now click on Show Metadata Details under INFORMATION REQUIRED TO AUTHENTICATE VIA EXTERNAL IDPS section. Copy down these data as they will be used in configuring Shopify as SP in your IDP.