OAuth Single Sign-On (SSO) For Shopify Using AWS Cognito as Identity Provider
miniOrange allows AWS Cognito to act as an IDP (Identity Provider), which allows users to Single Sign-On (SSO) into Shopify using AWS Cognito Credentials. Our application is compatible with all the SAML / OAuth-compliant Identity Providers. We will go through a step-by-step guide to configure Single Sign-On (SSO) into Shopify using AWS Cognito as IdP (Identity Provider) and Shopify store as SP (Service Provider).
Pre-requisite: Single Sign-On - SSO Application
To configure SSO into Shopify with AWS Cognito as IDP, you will need to install the miniOrange Shopify Single Sign On - SSO Login Application on your store:
miniOrange Provides Secure Single Sign-On (SSO) access to your Shopify store (both plus and Non-plus).
Setup guide for Configuring AWS Cognito as IDP for SSO into Shopify
Step 1: Step to get the Redirect URI for the OAuth Server
- Go to your Shopify store, click on the Apps tab, and select the Single Sign On - SSO Login application.
- Click on the Setup IDP button in the top left of the navigation bar.
- From the left navigation bar select Configure SSO and click on Add Identity provider button.
- You can find the OAuth Callback URL/ Redirect URI in the OAuth 2.0 section. Keep the OAuth callback URL handy as you will need it later.
Step 2: Configuring miniOrange as a Service Provider (SP) in AWS Cognito
- First of all, go to Amazon Console and sign up/log in to your account to Configure AWS Cognito.
- Search for Cognito in the AWS Services search bar as shown below.
- Click on Create a User Pool to create a new User Pool.
- Choose the attributes in your user pool to be used during the sign-in process
- Set up a strong password to configure your security requirements. Go ahead with the ‘No MFA’ option if you want users to only sign in with a single authentication factor. If you wish to enable MFA (Multi-factor authentication) it will require SMS messages which are charged separately by Amazon SNS. Learn more about that here. Click Next.
- Configure attributes that would be required during the user sign-up flow.
- Choose additional attributes if you wish to. Click Next.
- Configure how your user pool sends email messages to users.
- Enter a name for your user pool, Also Under the Hosted authentication pages, check ‘Use the Cognito Hosted UI’.
- Now, Under the Domain section choose the domain type as ‘Use a Cognito domain’. Enter a domain name for your Cognito app.
- Under the Initial app client section, Enter a name for your app client and check on Generate a client secret.
- Now enter your Callback/Redirect URL which you will get from your miniOrange plugin present on your Client side and paste it under the Allowed callback URLs text field. Also, refer to the following image for choosing the authentication flows for your app.
- Now, Under Advanced app client settings. Select Identity provider as Cognito user pool and select Authorization code grant under the OAuth 2.0 grant types and also select openid, email, and profile checkboxes under the OpenID Connect scopes section (Please refer to the image below). Click on the Next button to save your configurations.
- Now, Review your selection of requirements. Click Create user pool to confirm the selection and create a user pool.
- After successfully creating your user pool, Select your pool name from the list of pools to start with user creation.
- Go to the Users tab, and click Create user.
- Enter details such as username, email address & password. Click on Create user to save the details.
- After the successful creation of the user, you will need a copy of the Cognito
domain, Client ID, and Client Secret. Go to the 'App Integration' section and
copy the complete domain name {your domain name}.auth.{region name}.amazoncognito.com. This should be
entered into the endpoints field under
in the miniOrange OAuth Single Sign-On (SSO) plugin. - To get the Client ID and Client Secret, stay on the same 'App Integration' tab and scroll down to the 'App clients and analytics' section. Click on your App client name to see the Client ID and Client Secret.
You have completed the AWS Cognito side configuration.
Step 3: Configure AWS Cognito as IDP in miniOrange
- Again, go to your Shopify store, click on the Apps tab, and select the Single Sign On - SSO Login application.
- Click on the Setup IDP button in the top left of the navigation bar.
- From the left navigation bar select Configure SSO and click on Add Identity provider button.
- Go to the OAuth 2.0 tab and select the IDP name as a Custom Provider from the dropdown.
- Now, fill in the required details like Client ID, Client Secret, Endpoints, and Scope.
- Please refer to the below table for configuring the values.
- Now you can click on Save.
| IdP Name | Custom Provider |
| IdP Display Name | Choose the appropriate name |
| OAuth Authorize Endpoint | https://{cognito-app-domain}/oauth2/authorize |
| OAuth Access Token Endpoint | https://{cognito-app-domain}/oauth2/token |
| OAuth Get User Info Endpoint (optional) | https://{cognito-app-domain}/oauth2/userInfo |
| Client ID | from Step 2 |
| Client secret | from Step 2 |
| Scope | openid |
You have completed the Shopify side configuration.
4. Test Connection
- Go to the Configure SSO tab.
- Click on the Select >> Test Connection option against the Identity Provider you configured.
- On entering valid AWS Cognito credentials you will see a pop-up window which is shown in the below screen.
5. Testing SSO for your Shopify Store
- Go to your Shopify Store login page.(https://<your-shopify-storedomain>/account/login)
- Click on the login button you customized earlier.
- You’ll be redirected to the login page of the IDP you configured in the previous step. Log in with your IDP account credentials.
- You’ll be successfully logged in to your Shopify store.
In this Guide, you have successfully configured AWS Cognito Single Sign-On (SSO) by configuring AWS Cognito as an OAuth Provider and Shopify as an OAuth Client using our Shopify Single Sign-On - SSO Login App. This solution ensures that you are ready to roll out secure access to your Shopify Store using AWS Cognito login credentials within minutes.
Troubleshooting
invalid_request
This may be because your primary domain would be different from your Shopify domain. To check your primary domain and make SSO work, follow the steps given here.
shopify_plan_expired
This issue arises when either the trial period of your Development plan is expired. Or if your plan is not auto-renewed from the Shopify end. Contact us at shopifysupport@xecurify.com to resolve the plan upgrade issue and get smooth functioning of the SSO – Single Sign On Application.
invalid_attributes_received
As email is a required entity in Shopify for account creation as well as login operation, Single Sign On is not successful in this case. To resolve this error, please follow given here.
encountered_an_error
When I am performing SSO, I am getting ‘Please verify if Shopify App is installed’ error. To resolve this error, please follow given here.
If your error or query is not listed here, click here to see others.
Frequently Asked Questions (FAQs)
I have followed the steps to set IdP but where can I check SSO?
Follow the steps outlined here. to configure SSO in Shopify with your preferred IDP.
I installed the Shopify SSO application. I clicked on the “SETUP IDP” option but nothing opened up.
Redirection to any other site might be blocked in the browser. Please follow the steps given here to resolve the issue.
When I try to perform SSO, I get redirected to the “Incorrect App Configuration” page and then after subsequent attempts, I get redirected to https://store.xecurify.com/moas/login page.
You might be trying to perform SSO in the different tab of the same browser where you have opened
our Single Sign-On – SSO Application or accessed the configuration portal of our application. In
this case, SSO will be restricted due to security reasons.
Try to perform Single Sign On in a new incognito/private window or in a different
browser in order to make SSO work.
After performing SSO, I want my customers to redirect to the collections or discount offer page.
Follow the steps outlined here. to redirect your customer to collections/cart or any other page.
Choose your preferred Identity Provider and start setting up SSO for Shopify right away
Additional Resources
If you are looking for anything that you cannot find, please drop us an email at shopifysupport@xecurify.com
Need Help? We are right here!
