Contents

Single Sign-On (SSO) into Shopify Using Keycloak as IDP (OAuth)

Shopify Keycloak OAuth SSO for Shopify uses the OAuth Authorization flow to provide users secure access to the Shopify Store. The Shopify SSO application enables Keycloak to serve as the OAuth provider, ensuring secure SSO login to your Shopify store.

The Shopify Keycloak Integration streamlines and protects the login process using Keycloak (OAuth). This solution allows employees to access their Shopify Store with a single click using their Keycloak credentials, completely removing the need to store, remember, and reset multiple passwords.

Pre-requisite : Single Sign On - SSO Application

To configure SSO into Shopify using Keycloak (OAuth) as IDP, you will need to install the miniOrange Single Sign On - SSO Application on your Shopify store:

Shopify Single Sign-On (SSO)

By miniOrange

miniOrange Provides Secure Single Sign-On (SSO) access to your Shopify Store(both plus and Non plus Stores).

Get this application

Step by Step guide to setup (OAuth) Single Sign-On in Shopify Store Using Keycloak as IDP

1. Get Redirect URI from Shopify SSO Application

Go to your Shopify store and navigate to the App section and click on Single Sign On - SSO login application.

Shopify Okta SSO Login - Add SSO Application

Click on the Add identity Provider button to add your IDP.

Shopify Okta SSO Login - Add Identity Provider

Select OAuth 2.0 protocol.

Shopify Okta SSO Login - Select SAML Protocol

Now choose Keycloak from the list of IDPs.

Shopify Okta SSO Login - Select Okta from IDP List

Copy the OAuth Callback URL and kepp it handy as it will be used in furthur step.

Shopify Okta SSO Login - Click on Get Metadata

2. Configure Shopify as SP (Service Provider) in Keycloak

First of all, Download Keycloak and install it.
Start the keycloak server based on your keycloak version. (See table below)

For the Keycloak Version 16 and below	Go to the Root Directory of keycloak bin standalone.sh
For the Keycloak Version 17 and above	Go to the Root Directory of keycloak bin kc.bat and run the below commands. 1. kc.bat build 2. kc.bat start-dev

Version 18 and below
Version 19 and above

Add Realm : Now login to keycloak administration console and navigate to your desired realm. You can add new realm by selecting Add Realm option.

Create realm: Enter Realm Name and keep the realm name handy as it will required later to configure the Realm under the OAuth Client plugin. Click on CREATE to add realm.

Create OpenID client: Click on the Clients and choose create to create a new client. Enter Client ID and select client protocol openeid-connect and select Save. Keep this value handy as this will be used in furthur steps.

Change Access type: After client is created change its access type to confidential.

Shopify Keycloak OAuth SSO - change access type

Enter Valid Redirect URIs: Paste the copied Callback URL from Step 1 and then click on SAVE.

Get Client Secret: Now we need to get client secret. So select Clients and select credentials and copy your secret from here. Keep the Client Secret value handy as this will be used in furthur step.

Shopify Keycloak OAuth SSO - client id client secret

Add User: We need to add users to realm who will be able to access the resources of realm. Click on the Users and choose to Add a new User.

User Configuration: After user is created following action needs to be performed on it.

Credentials

Shopify Keycloak OAuth SSO - set password

NOTE : Disabling Temporary will make user password permanent.

Map User: We need to map user to a role. Click on Role Mappings and assign the user desired role from available roles and clicking on add selected.

Create ROLE: The Role will be used by your applications to define which users will be authorized to access the application. Click on the Roles and choose Add Role.

Step 1.1: Steps to fetch Keycloak Groups [Premium]

Create groups: Click on the Groups and choose New to create a new group.

Shopify Keycloak OAuth SSO - create group

Assign user to group: Select the user whom you want to add in group. Choose Groups option from tab and then select the group-name and click on join.

Shopify Keycloak OAuth SSO - assign group

Keycloak Group Mapper: Now to get group details we need to perform its client mapping with group membership else group details will not be fetched. So in Client section, select your client and then click on mapper->create.

Shopify Keycloak OAuth SSO - group mapper

Now, select mapper type as Group Membership and enter the name and token claim name i.e the attribute name corresponding to which groups will be fetched. Turn Off the full group path, Add to ID token and Add to access token options, and click on Save.

Note: -- If full path is on group path will be fetched else group name will be fetched.

Step 1.2: Steps to fetch Keycloak Roles [Premium]

Keycloak Role Mapper: Now to get role details for a successful Keycloak Single Sign-On (SSO) we need to perform its client mapping with role membership else role details will not be fetched. So in Client section, select your client and then click on mapper->create.

Now, select mapper type as user realm Role Membership and enter the name. and token claim name i.e the attribute name corresponding to which groups will be fetched. Add to ID token and Add to access token options, and click on Save.

In conclusion, you have successfully configured Keycloak as OAuth Provider, for achieving SSO into Shopify for user authentication.

3. Scope and Endpoints

Please refer the below table for configuring the scope & endpoints for Keycloak Version 18 and above in the plugin.

Scope:	email profile openid
Authorize Endpoint:	<keycloak domain>/realms/{realm-name}/protocol/openid-connect/auth
Access Token Endpoint:	<keycloak domain>/realms/{realm-name}/protocol/openid-connect/token
Get User Info Endpoint:	<keycloak domain>/realms/{realm-name}/protocol/openid-connect/userinfo
Custom redirect URL after logout: [optional]	https://{keycloak domain}/realms/{realm-name}/protocol/openid-connect/logout?post_logout_redirect_uri={encodedRedirectUri}&id_token_hint=##id_token##

Please refer the below table for configuring the scope & endpoints for Keycloak Version 17 and below in the plugin.

Scope:	email profile openid
Authorize Endpoint:	<keycloak domain>/auth/realms/{realm-name}/protocol/openid-connect/auth
Access Token Endpoint:	<keycloak domain>/auth/realms/{realm-name}/protocol/openid-connect/token
Get User Info Endpoint:	<keycloak domain>/auth/realms/{realm-name}/protocol/openid-connect/userinfo
Custom redirect URL after logout: [optional]	<keycloak domain>/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri

4. Configure Keycloak as IDP in Shopify

Navigate back to the miniOrange Single Sign On-SSO application and click on Add identity Provider button.

Shopify Okta SSO Login - go to SSO application

Select OAuth 2.0 protocol.

From the list of IDPs, select Keycloak.

Shopify Okta SSO Login - Choose Okta IDP

Fill out the following fields by referring the below table.

IDP Display Name	Keycloak
Client ID	from Step 2
Client secret	from Step 2
Scope and Endpoint	from Step 3

In conclusion, you have configured Shopify as service provider, for achieving SSO into Shopify using Keycloak as IDP for user authentication.

5. Test Connection

After saving the IDP configuration, you will be redirected to Test Connection step.
Please perform Test Connection before mapping or fetching attributes, test connection ensures that your IDP configuration is correct.
Click on the Test Connection button.

Shopify Okta SSO Login - test Connection

On entering valid Keycloak account credentials you will see a pop-up window which is shown in the below screen.

Shopify Okta SSO Login - SSO Sucess Test Connection

Click on the Fetch Attributes button to fetch IDP attribute.

Shopify Okta SSO Login - Fetch Attributes

6. Attribute Mapping

Click on the + Attribute Mapping button to map attributes between Shopify and Azure B2C .

Map the attributes by refering the table below:

Attribute Name in Shopify	Choose the attribute from the list of predefined attributes
Attribute Type	IDP Attribute
Attribute Value	Select the attribute value you have fetched from your IDP

Click on Save.

Shopify Okta SSO Login - Save Attribute Mapping

Navigate to the application home page. Go to More actions against the IDP you have configured and click on Make Default button to make the IDP default.

Shopify Okta SSO Login - Make application Default

7. Testing Single Sign-On (SSO) for your Shopify Store

Go to your Shopify Store login page.(https://<your-shopify-storedomain>/account/login)
Click on the login button you customized earlier.

miniorange Shopify SSO - login with miniorange shopify - click on login button

You’ll be redirected to the login page of the IDP you configured in previous step. Log in with your IDP account credentials.
You’ll be successfully logged in to your Shopify store.

Hence you have successfully configured Shopify Single Sign-On (SSO) using Keycloak (OAuth) as IDP and Shopify as SP using miniOrange Single Sign-On (SSO) login application. This solution ensures that you are ready to roll out secure access to your Shopify store using Keycloak login credentials within minutes.

I have followed the steps to set IdP but where can I check SSO?

Follow the steps outlined here. to configure SSO in Shopify with your preferred IDP.

I installed the Shopify SSO application. I clicked on the “SETUP IDP” option but nothing opened up.

Redirection to any other site might be blocked in the browser. Please follow the steps given here to resolve the issue.

When I try to perform SSO, I get redirected to the “Incorrect App Configuration” page and then after subsequent attempts, I get redirected to https://store.xecurify.com/moas/login page.

You might be trying to perform SSO in the different tab of the same browser where you have opened our Single Sign-On – SSO Application or accessed the configuration portal of our application. In this case, SSO will be restricted due to security reasons.
Try to perform Single Sign On in a new incognito/private window or in a different browser in order to make SSO work.