SAML authentication for your organization

If your organization uses Security Assertion Markup Language (SAML) to authenticate users, then you can add Shopify as an app with your identity provider. After the app has been set up, users who have the Users organization-level permission can require either individual users or all the users in your organization to authenticate using your SAML identity provider.

Before you set up SAML authentication

Submitting a domain to be verified has implications for the users who log in to your organization on Shopify. Before you begin, review the following considerations:

  • Create a backup account.

    If there are any issues with your SAML authentication integration or interruptions with your identity provider, a backup account that isn't associated with the domain that you use for SAML authentication lets you recover. Ensure that this account is an active user in your organization, has two-step authentication activated, and has the Users access so that you can deactivate SAML in case of emergencies. Because this account bypasses your identity provider, treat it as a break-glass account: give it a strong, unique password, keep two-step authentication on it, and limit who knows its credentials.

  • Set up Shopify IDs.

    Because SAML authentication is based on domains, ensure that all the users in your organization have set up their Shopify ID using email addresses that are associated with your organization's domain. A user whose Shopify ID uses an address on another domain isn't covered by the SAML requirement.

Setting up SAML authentication for your organization

Before you can set up your SAML configuration, you need to start verifying your domain. You don't have to wait until your domain verification is complete to set up your configuration, but you can't require SAML authentication until the domain's status is Verified.

Set up configurations automatically

Automatic configurations are currently available for the following identity service providers: Okta, OneLogin, and Azure. If you use a different identity provider, then set up the configuration manually instead.

Steps:

  1. From your Shopify admin, click Settings.
  2. In the Organization section, click Users > Security.
  3. In the SAML configuration section, click Set up configuration.
  4. In your identity provider, add the Shopify Plus app and then configure the app with your unique single sign-on URL.
  5. Your identity provider provides you with a metadata URL. Enter it in the Identity provider metadata URL field. After the URL has been entered, the SAML configuration details (entity ID, sign-on endpoint, and signing certificate) are populated automatically from the metadata, and can't be edited manually.
  6. Click Add.
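Because Shopify fills in the configuration from whatever the metadata URL serves, it is worth reading the document yourself before you paste the URL, so that you know which entity ID, sign-on endpoint, and signing certificate you are about to trust. The following script is an added example, not Shopify code: it parses an identity provider metadata document, extracts the fields Shopify populates, and flags the things that would break the integration (no HTTP-POST sign-on endpoint, no signing certificate, a non-https endpoint, or a NameID format other than persistent). The metadata document embedded below is constructed for the example, and its certificate is a placeholder byte string rather than a real X.509 certificate; point `summarize_idp_metadata` at the document your provider publishes instead.

```python
"""Sanity-check an IdP SAML metadata document before handing its URL to Shopify.

Added example, not Shopify code. The metadata embedded here is constructed.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET  # parse untrusted XML with defusedxml instead; this sample is our own

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"  # the format Shopify expects

# Constructed placeholder standing in for the DER-encoded signing certificate;
# a real metadata document carries the IdP's actual X.509 certificate here.
PLACEHOLDER_CERT_DER = b"constructed placeholder, not a real X.509 certificate"
_CERT_B64 = base64.b64encode(PLACEHOLDER_CERT_DER).decode()

# Constructed sample of what an IdP metadata document typically contains.
SAMPLE_IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{PERSISTENT}</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".encode()


def summarize_idp_metadata(xml_bytes: bytes) -> dict:
    """Extract the fields a service provider populates from IdP metadata."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"not an EntityDescriptor: {root.tag}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")

    # Map each advertised binding to its endpoint; Shopify posts the assertion back via HTTP-POST.
    sso = {svc.get("Binding"): svc.get("Location") for svc in idp.findall("md:SingleSignOnService", NS)}

    # SHA-256 fingerprints of the signing certificates, to compare against the IdP console.
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a missing 'use' means signing and encryption
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())

    return {
        "entity_id": root.get("entityID"),
        "sso_post_url": sso.get(HTTP_POST),
        "sso_redirect_url": sso.get(HTTP_REDIRECT),
        "nameid_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text],
        "signing_cert_sha256": fingerprints,
    }


def metadata_problems(summary: dict) -> list:
    """Return human-readable findings; an empty list means the document looks usable."""
    problems = []
    if not summary["entity_id"]:
        problems.append("missing entityID")
    if not summary["sso_post_url"]:
        problems.append("no HTTP-POST SingleSignOnService endpoint")
    for key in ("sso_post_url", "sso_redirect_url"):
        url = summary[key]
        if url and not url.startswith("https://"):
            problems.append(f"{key} is not https: {url}")
    if not summary["signing_cert_sha256"]:
        problems.append("no signing certificate: the service provider cannot verify assertion signatures")
    if summary["nameid_formats"] and PERSISTENT not in summary["nameid_formats"]:
        problems.append("IdP does not advertise the persistent NameID format")
    return problems


if __name__ == "__main__":
    summary = summarize_idp_metadata(SAMPLE_IDP_METADATA)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("problems:", metadata_problems(summary) or "none")
```

Fetch the metadata over HTTPS only, and compare the certificate fingerprint the script prints with the one shown in your identity provider's console; a metadata URL that an attacker can influence would let them substitute their own signing key.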

Set up configurations manually

If you use an identity provider other than Okta, OneLogin, or Azure, then you need to enter the configuration data manually.

Identity service providers might use different names for some values. For example, Google's SAML integration uses the term ACS URL to refer to the Single sign-on URL. If you encounter errors when setting up your configuration manually, then contact the identity service provider for assistance.

Steps:

  1. From your Shopify admin, click Settings.
  2. In the Organization section, click Users > Security.
  3. In the SAML configuration section, click Set up configuration.
  4. Click View SAML configuration settings.
  5. Copy the following values and provide them to your identity service provider, along with any additional information the identity provider might request:
    • Single sign-on URL: https://accounts.shopify.com/saml/consume/organization/{organization ID}. Each organization has a unique ID. Copy this value from the Single sign-on URL entry in the SAML configuration details. Some identity providers call this the ACS URL or Reply URL.
    • Audience URI (SP Entity ID): https://accounts.shopify.com/saml_sp
    • Name ID format: Persistent
    • Attribute Statements: first_name, last_name, email. Use these exact attribute names (they are case-sensitive), and map email to the address on your verified domain.
  6. Your identity provider provides you with a metadata URL. Enter it in the Identity provider metadata URL field. After the URL has been entered, the SAML configuration details are populated automatically from the metadata, and can't be edited manually.
  7. Click Add.
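When a manual configuration fails, the quickest way to find out which of the values above your identity provider got wrong is to look at the SAML Response it actually sends (a browser SAML tracer extension captures it). The following script is an added example, not Shopify code: it takes a SAML Response and reports every field that doesn't match what this page says Shopify expects, namely the Destination and Recipient against the organization's single sign-on URL, the Audience against the SP entity ID, the persistent NameID format, the three attribute names, the email attribute's domain, and the assertion's validity window. It checks values only and does not verify the XML signature, which the real service provider must do before trusting any of these fields. The Response embedded below is constructed, and the organization ID 1234567, the domain example.com, and the user data in it are sample values; replace them with your own.

```python
"""Compare a captured SAML Response against the values Shopify expects.

Added example, not Shopify code. Checks field values only; it does NOT verify
the XML signature. The Response below is constructed sample data.
"""
import xml.etree.ElementTree as ET  # parse untrusted XML with defusedxml instead; this sample is our own
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

SP_ENTITY_ID = "https://accounts.shopify.com/saml_sp"  # Audience URI from the configuration page
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
REQUIRED_ATTRS = ("first_name", "last_name", "email")


def sso_url(org_id: str) -> str:
    """Single sign-on (assertion consumer) URL for one organization."""
    return f"https://accounts.shopify.com/saml/consume/organization/{org_id}"


SAMPLE_ORG_ID = "1234567"      # constructed; yours is shown in the SAML configuration details
SAMPLE_DOMAIN = "example.com"  # constructed; the domain you verified
SAMPLE_NOW = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)

SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" Destination="{sso_url(SAMPLE_ORG_ID)}">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{PERSISTENT}">user-7f3a</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{sso_url(SAMPLE_ORG_ID)}" NotOnOrAfter="2024-05-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="first_name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="last_name"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
""".encode()


def _ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp, tolerating fractional seconds."""
    return datetime.strptime(value.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_assertion(response_xml: bytes, org_id: str, verified_domain: str, now: datetime) -> list:
    """Return a list of mismatches; an empty list means every checked field matches."""
    findings = []
    expected_acs = sso_url(org_id)
    root = ET.fromstring(response_xml)

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        findings.append("Response status is not Success")
    if root.get("Destination") != expected_acs:
        findings.append(f"Destination {root.get('Destination')!r} does not match {expected_acs}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no plaintext Assertion element (encrypted assertions are not handled here)")
        return findings

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        findings.append("NameID format is not persistent")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected_acs:
        findings.append("SubjectConfirmationData Recipient does not match the single sign-on URL")

    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        findings.append("no Conditions element")
    else:
        audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if SP_ENTITY_ID not in audiences:
            findings.append(f"Audience {audiences} does not include {SP_ENTITY_ID}")
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _ts(not_before):
            findings.append("assertion not yet valid (NotBefore is in the future)")
        if not_on_or_after and now >= _ts(not_on_or_after):
            findings.append("assertion expired (NotOnOrAfter has passed)")

    # Attribute names must match exactly; an IdP that sends "FirstName" will not satisfy "first_name".
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = [v for v in values if v]
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            findings.append(f"attribute {name!r} missing or empty (attribute names are case-sensitive)")
    for email in attrs.get("email", []):
        if email.rpartition("@")[2].lower() != verified_domain.lower():
            findings.append(f"email {email!r} is not on the verified domain {verified_domain}")
    return findings


if __name__ == "__main__":
    print(check_assertion(SAMPLE_RESPONSE, SAMPLE_ORG_ID, SAMPLE_DOMAIN, SAMPLE_NOW) or "all fields match")
```

Run it with the organization ID from your own SAML configuration details and a Response captured from a real login attempt. A finding on Destination or Recipient usually means the identity provider was given a single sign-on URL for the wrong organization; a finding on an attribute usually means the provider's attribute mapping uses a different name or casing.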

Requiring SAML authentication

After you add your domain and set up your configuration, wait until verification is complete. When the status of your domain changes to Verified, you can change your SAML authentication settings.

There are three settings for SAML authentication: Required, Specific users, and Off.

Considerations for SAML authentication

  • If you select Specific users, then you can set specific login requirements for your users that have Shopify IDs associated with the set email domain from the Users page. Any user who isn't set to require SAML authentication can log in normally. If you select Required, then all users with the email domain that you set must use SAML authentication to log in, including the store owner and users outside the organization.
  • The Required setting replaces all individual security requirements for your users. If you change your setting at a later date, then you need to manually change the settings for your users.

    For example, you have your domain set to Specific users and have three users set to require SAML authentication. You then set enforcement to Required, requiring all users who have Shopify IDs associated with the set email domain to use SAML authentication. Later, you set your enforcement back to Specific users. The three users who were previously required to log in using SAML authentication are no longer enforced, and must be set up again on their user detail page.

  • Requiring a user to use SAML authentication makes existing two-step authentication requirements redundant. If you set up SAML and require it to log in, then consider deactivating two-step authentication to avoid users needing to authenticate twice. Your identity provider then carries the whole authentication burden, so make sure that it enforces multi-factor authentication for the Shopify app, and keep two-step authentication active on the backup account described above, because that account isn't covered by SAML.

  • For users on a desktop device, SAML authentication sessions last for 14 days before your users are required to log in again. For users on a mobile device or POS, SAML authentication sessions expire after 14 days of inactivity; while the account stays active, sessions renew automatically. Removing a user from the Shopify application in your identity provider doesn't end their existing Shopify sessions, so they can still access Shopify for up to 14 days.

    To prevent a removed user from continuing to access the organization, remove their organization access on the Users page in Organization Settings rather than waiting for the session to expire.

Require SAML authentication

Steps:

  1. From your Shopify admin, click Settings.
  2. In the Organization section, click Users > Security.
  3. In the SAML authentication section, click Change setting.
  4. Choose an authentication setting.
  5. Click Save.

Remove SAML authentication

When SAML authentication is set to Off, all users in your organization who have Shopify IDs associated with your set email domain can log in using their email address and password.

Steps:

  1. From your Shopify admin, click Settings.
  2. In the Organization section, click Users > Security.
  3. In the SAML authentication section, click Change setting.
  4. Select Off.
  5. Click Save.