Single Sign-On (SSO) into Shopify Using Keycloak as IDP (OAuth)
Shopify Keycloak OAuth SSO for Shopify uses the OAuth Authorization flow to provide users secure access to the Shopify Store. The Shopify SSO application enables Keycloak to serve as the OAuth provider, ensuring secure SSO login to your Shopify store.
The Shopify Keycloak Integration streamlines and protects the login process using Keycloak (OAuth). This solution allows employees to access their Shopify Store with a single click using their Keycloak credentials, completely removing the need to store, remember, and reset multiple passwords.
Pre-requisite : Single Sign On - SSO Application
To configure SSO into Shopify using Keycloak (OAuth) as IDP, you will need to install the miniOrange Single Sign On - SSO Application on your Shopify store:
miniOrange Provides Secure Single Sign-On (SSO) access to your Shopify Store(both plus and Non plus Stores).
Step by Step guide to setup (OAuth) Single Sign-On in Shopify Store Using Keycloak as IDP
1. Get Redirect URI from Shopify SSO Application
- Go to your Shopify store, click on the Apps tab, and select the Single Sign On - SSO Login application.
- Click on the Setup IDP button in the top left of the navigation bar.
- From the left navigation bar select Configure SSO and click on Add Identity provider button.
- You can find the OAuth Callback URL/ Redirect URI in the OAuth 2.0 section. Keep the OAuth callback URL handy as you will need it later.
2. Configure Shopify as SP (Service Provider) in Keycloak
- First of all, Download Keycloak and install it.
- Start the keycloak server based on your keycloak version. (See table below)
| For the Keycloak Version 16 and below |
Go to the Root Directory of keycloak bin standalone.sh |
| For the Keycloak Version 17 and above |
Go to the Root Directory of keycloak bin kc.bat and run the below commands.
|
- Add Realm : Now login to keycloak administration console and navigate to your desired realm. You can add new realm by selecting Add Realm option.
- Create realm: Enter Realm Name and keep the realm name handy as it will required later to configure the Realm under the OAuth Client plugin. Click on CREATE to add realm.
- Create OpenID client: Click on the Clients and choose create to create a new client. Enter Client ID and select client protocol openeid-connect and select Save. Keep this value handy as this will be used in furthur steps.
- Change Access type: After client is created change its access type to confidential.
- Enter Valid Redirect URIs: Paste the copied Callback URL from Step 1 and then click on SAVE.
- Get Client Secret: Now we need to get client secret. So select Clients and select credentials and copy your secret from here. Keep the Client Secret value handy as this will be used in furthur step.
- Add User: We need to add users to realm who will be able to access the resources of realm. Click on the Users and choose to Add a new User.
- User Configuration: After user is created following action needs to be performed on it.
- Map User: We need to map user to a role. Click on Role Mappings and assign the user desired role from available roles and clicking on add selected.
- Create ROLE: The Role will be used by your applications to define which users will be authorized to access the application. Click on the Roles and choose Add Role.
- Create groups: Click on the Groups and choose New to create a new group.
- Assign user to group: Select the user whom you want to add in group. Choose Groups option from tab and then select the group-name and click on join.
- Keycloak Group Mapper: Now to get group details we need to perform its client mapping with group membership else group details will not be fetched. So in Client section, select your client and then click on mapper->create.
- Now, select mapper type as Group Membership and enter the name and token claim name i.e the attribute name corresponding to which groups will be fetched. Turn Off the full group path, Add to ID token and Add to access token options, and click on Save.
- Keycloak Role Mapper: Now to get role details for a successful Keycloak Single Sign-On (SSO) we need to perform its client mapping with role membership else role details will not be fetched. So in Client section, select your client and then click on mapper->create.
- Now, select mapper type as user realm Role Membership and enter the name. and token claim name i.e the attribute name corresponding to which groups will be fetched. Add to ID token and Add to access token options, and click on Save.
- 1) Setting a password for it so click on Credentials and set a new Password for
the user.
NOTE : Disabling Temporary will make user password permanent.
Step 1.1: Steps to fetch Keycloak Groups [Premium]
Note: -- If full path is on group path will be fetched else group name will be fetched.
Step 1.2: Steps to fetch Keycloak Roles [Premium]
3. Scope and Endpoints
Please refer the below table for configuring the scope & endpoints for Keycloak Version 18 and above in the plugin.
| Scope: | email profile openid |
| Authorize Endpoint: | <keycloak domain>/realms/{realm-name}/protocol/openid-connect/auth |
| Access Token Endpoint: | <keycloak domain>/realms/{realm-name}/protocol/openid-connect/token |
| Get User Info Endpoint: | <keycloak domain>/realms/{realm-name}/protocol/openid-connect/userinfo |
| Custom redirect URL after logout: [optional] | https://{keycloak domain}/realms/{realm-name}/protocol/openid-connect/logout?post_logout_redirect_uri={encodedRedirectUri}&id_token_hint=##id_token## |
Please refer the below table for configuring the scope & endpoints for Keycloak Version 17 and below in the plugin.
| Scope: | email profile openid |
| Authorize Endpoint: | <keycloak domain>/auth/realms/{realm-name}/protocol/openid-connect/auth |
| Access Token Endpoint: | <keycloak domain>/auth/realms/{realm-name}/protocol/openid-connect/token |
| Get User Info Endpoint: | <keycloak domain>/auth/realms/{realm-name}/protocol/openid-connect/userinfo |
| Custom redirect URL after logout: [optional] | <keycloak domain>/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri |
4. Configure Keycloak as IDP in Shopify
- Go to your Shopify store, click on the Apps tab and select the Single Sign On - SSO Login application.
- Click on the Setup IDP button in the top left in the navigation bar.
- From the left navigation bar select Configure SSO and click on Add Identity provider button.
- Go to the OAuth 2.0 tab and select the IDP name as a Custom Provider from the dropdown.
- Now, fill in the required details like Client ID, Client Secret, Endpoints, and Scope.
- Please refer to the below table for configuring the values.
- Click on Save button.
| IdP Name | Keycloak |
| IdP Display Name | Choose the appropriate name |
| Client ID | from Step 2 |
| Client secret | from Step 2 |
| Scope and Endpoint | from Step 3 |
In conclusion, you have successfully configured Shopify as service provider, for achieving SSO into Shopify using Keycloak as IDP for user authentication.
5. Test Connection
- Go to Identity Providers tab.
- Click on Select >> Test Connection option against the Identity Provider you configured.
- On entering valid Keycloak credentials you will see a pop-up window which as shown in below screen.
- Hence your configuration of Keycloak as IDP in Shopify is sucesssfully completed.
6. Testing SSO for your Shopify Store
- Go to your Shopify Store login page.(https://<your-shopify-storedomain>/account/login)
- Click on the login button you customized earlier.
- You’ll be redirected to the Keycloak login page. Log in with your Keycloak account credentials.
- You’ll be successfully logged in to your Shopify store.
Troubleshooting
invalid_request
This may be because your primary domain would be different from your Shopify domain. To check your primary domain and make SSO work, follow the steps given here.
shopify_plan_expired
This issue arises when either the trial period of your Development plan is expired. Or if your plan is not auto-renewed from the Shopify end. Contact us at shopifysupport@xecurify.com to resolve the plan upgrade issue and get smooth functioning of the SSO – Single Sign On Application.
invalid_attributes_received
As email is a required entity in Shopify for account creation as well as login operation, Single Sign On is not successful in this case. To resolve this error, please follow given here.
encountered_an_error
When I am performing SSO, I am getting ‘Please verify if Shopify App is installed’ error. To resolve this error, please follow given here.
If your error or query is not listed here, click here to see others.
Frequently Asked Questions (FAQs)
I have followed the steps to set IdP but where can I check SSO?
Follow the steps outlined here. to configure SSO in Shopify with your preferred IDP.
I installed the Shopify SSO application. I clicked on the “SETUP IDP” option but nothing opened up.
Redirection to any other site might be blocked in the browser. Please follow the steps given here to resolve the issue.
When I try to perform SSO, I get redirected to the “Incorrect App Configuration” page and then after subsequent attempts, I get redirected to https://store.xecurify.com/moas/login page.
You might be trying to perform SSO in the different tab of the same browser where you have opened
our Single Sign-On – SSO Application or accessed the configuration portal of our application. In
this case, SSO will be restricted due to security reasons.
Try to perform Single Sign On in a new incognito/private window or in a different
browser in order to make SSO work.
After performing SSO, I want my customers to redirect to the collections or discount offer page.
Follow the steps outlined here. to redirect your customer to collections/cart or any other page.
Choose your preferred Identity Provider and start setting up SSO for Shopify right away
Additional Resources
If you are looking for anything which you cannot find, please drop us an email on shopifysupport@xecurify.com
Need Help? We are right here!
