Overview

This use case describes how a Shopify merchant, catering to B2B and B2C clients, handled multiple user logins to their store by allowing B2B customers to log in using Single Sign-On, i.e. using their existing credentials, while directing regular users to the default Shopify login. With advanced miniOrange solutions like Shopify Single Sign-On, they were able to provide seamless Shopify login using email domain mapping and secure store access by automatically deprovisioning inactive users.

Prerequisites:

In this section, we’ll discuss everything from requirements and implementation process to results.

• Key Requirements:

Single Sign-On SSO

Enable single sign-on into Shopify using identity provider credentials.

Install Application

SyncUP: User Sync

To sync users & courses between Shopify and platforms using SCIM.

Install Application

• Features that will play an important role:

Domain Mapping

You can allow/deny the user login based on the email domain.

Developer Documentation

Scenario

I am running a Shopify store that caters to both B2B clients and regular customers. Our B2B users belong to various different companies and are managed through an identity provider. I needed a solution that would help me streamline the login experience for both types of users, by enabling B2B customers to login using their corporate credentials, and redirecting regular users to the default login page for Shopify.

However, there are some challenges we observed:

Challenge 1:
Currently, the default Shopify B2B login requires users to authenticate via email OTP to log into Shopify. Since our B2B customers already have existing corporate credentials, asking them to authenticate again could create friction in the login process. We also needed a simple, unified login experience, because if we provide multiple login options, it may be confusing for users to understand which login option they have to choose.

Challenge 2:
We needed a way to prevent inactive B2B users in our system from accessing our store after a specific period automatically, without having to manually update permissions on Shopify. For this, we needed a streamlined approach to provision and deprovision users in real time, directly between our identity provider and the store.

Challenge 3:
Since we cater to B2B users from multiple domains and organizations, we required a login flow that was flexible enough to securely and efficiently manage access without any manual updates.

Requirements

In order to streamline the login process, we needed a solution that would provide:

• A single login field where users are directed to SSO or regular login based on their tag, which would be identified after entering their email.
• Detect the user’s tag in Shopify and automatically route them to SSO if tagged as 'b2b', or standard login if not tagged, after the email is entered.
• Update user status in real time between the IDP and Shopify, and deny login access if the user is marked as inactive.

Solution

To fulfill the client’s requirement for a simplified and secure login process across diverse user types, miniOrange implemented a smart authentication flow using the Shopify Single Sign-On (SSO) application and also recommended a solution for enhanced account lifecycle management. This combined approach was suggested to improve Shopify login using email domain mapping for B2B/B2C users while safeguarding store access.

Solution 1: Smart Login Redirection Using Shopify Single Sign-On

Using the Shopify SSO application, the Shopify business can validate the users based on their email domain and their assigned customer tags when they attempt to log in. If the user has a ‘b2b’ tag assigned, they will be directed to their respective identity provider to complete Single Sign-On. For all other users who do not have a tag, they will be guided to Shopify’s default login page, to gain access to the store. By implementing this flow for Shopify login using email domain mapping, the business can set up a seamless login flow and remove confusion regarding multiple login options.

Solution 2: Recommended Real-Time User Provisioning with SCIM

miniOrange also recommended the use of the SCIM solution to address the customer’s requirement for preventing inactive users from accessing the store. Using this solution, any user removed from the IDP or inactive for a certain period would automatically be denied access, even if they attempted to use spoof authentication methods like password resets. This solution would help the merchant ensure that only authorized users are able to login to their store, aligning with their inactivity policy and reducing the need for manual user status updates.

Key Benefits

• Automatically direct users to the appropriate Shopify login using email domain mapping (SSO for B2B users and Shopify login for regular users) based on customer tags.
• Identify B2B users by matching email domains and customer tags, ensuring only verified users are routed through the SSO login flow.
• Enable secure, hassle-free login for B2B users via IDP with one-click access, enhancing the overall user experience.
• Automatically provision and deprovision users in real time between the IDP and Shopify, ensuring only authorized users have access to the store.
• Enhance convenience by directing users to the most relevant page after login, tailored to their role or access level.
• Instantly block access for inactive or removed users, reducing security risks and ensuring only current users can access the store.

Results & Impact

By integrating a customized SSO flow with real-time user provisioning, the Shopify store was able to achieve a unified and secure Shopify login using email domain mapping for both B2B and regular customers. B2B users could authenticate easily using their corporate credentials, while regular customers continued to use the default Shopify login without disruption. The solution improved user experience, enhanced security by complying with the strict inactivity policy of the business, and simplified user access management.