SAML authentication for your organization

If your organization uses SAML to authenticate users, then you can add Shopify as an app with your identity provider. After your app has been set up, users who have the User management access can require either individual users or all the users in your organization to authenticate their identity using your SAML identity provider.

Before you set up SAML authentication

Submitting a domain to be verified has implications for the users logging in to your organization on Shopify. Before you begin, review the following considerations.

  • Create a backup account.

    In case there are any issues with your SAML authentication integration or interruptions with your identity provider, create a backup account that isn't associated with the domain that you use for SAML authentication. Ensure that this account is an active user in your organization, has two-step authentication enabled, and has the User management access so that you can disable SAML in case of emergencies.

  • Set up Shopify IDs.

    Because SAML authentication is based on domains, ensure that all the users in your organization have set up their Shopify ID using email addresses that are associated with your organization's domain.

Set up SAML authentication for your organization

Before you can set up your SAML configuration, you need to verify your domain.

You don't have to wait until your domain is verified to start setting up your configuration.

Setting up configurations automatically

Configurations are currently available for identity service providers Okta, OneLogin, and Azure.

Steps:

  1. In your Shopify organization admin, go to Users > Security.
  2. In the SAML configuration section, click Set up configuration.
  3. In your identity provider, add the Shopify Plus app.
  4. Your identity provider will provide you with a metadata URL. Enter this in the Identity provider metadata URL field. After the URL has been entered, the SAML configuration details are populated automatically and currently can't be edited manually.
  5. Click Add.

Setting up configurations manually

If you use an identity provider other than Okta, OneLogin, or Azure, then you must manually enter configuration data.

Identity providers might use different names for some values. For example, Google's SAML integration uses the term ACS URL (Assertion Consumer Service URL) to refer to the Single sign-on URL. If you encounter errors while setting up your configurations manually, then contact the identity provider for assistance.

Steps:

  1. In your Shopify organization admin, go to Users > Security.
  2. In the SAML configuration section, click Set up configuration.
  3. Click View SAML configuration settings.
  4. Copy the following values and provide them to your identity provider, along with any additional information the identity provider might request.
    • Single sign-on URL: https://accounts.shopify.com/saml/consume/organization/{organization ID}. Each organization has a unique ID. Copy this value from the Single sign-on URL entry in the SAML configuration details.
    • Audience URI (SP Entity ID): https://accounts.shopify.com/saml_sp
    • Name ID format: Persistent
    • Attribute statements: first_name, last_name, email
  5. Your identity provider will provide you with a metadata URL. Enter this in the Identity provider metadata URL field. After the URL has been entered, the SAML configuration details are populated automatically and can't be edited manually.
  6. Click Add.

Requiring SAML authentication

After you've added your domain and set up your configuration, wait until verification is complete. When the status of your domain changes to Verified, you can change your SAML authentication settings.

Considerations for SAML authentication

There are three settings for SAML authentication: Required, Specific users, and Off.

If you select Specific users, then you can set specific login requirements from the Users page for your users that have Shopify IDs associated with the set email domain. Any user who isn't set to require SAML authentication can log in normally. If you select Required, then all users with the email domain that you set must use SAML authentication to log in.

The Required setting replaces all individual security requirements for your users. If you change your setting at a later date, then you need to manually change the settings for your users.

For example, you have your domain set to Specific users and have three users set to require SAML authentication. You then set enforcement to Required, requiring all users who have Shopify IDs associated with the set email domain to use SAML authentication. Later, you set your enforcement back to Specific users. The three users that were required to log in using SAML authentication are no longer enforced, and must be set up again in their user detail page.

Requiring a user to use SAML authentication removes existing two-factor authentication requirements.

For users on a desktop device, SAML authentication sessions last for 14 days before your users are required to log in again. If you remove a user from the Shopify application in your identity provider, then they can still access Shopify for up to 14 days, because removing the assignment in your identity provider doesn't end sessions that Shopify has already issued. To prevent users from accessing your organization admin, remove their organization accesses on the Users page in the Shopify organization admin.

For users on a mobile device or POS, SAML authentication sessions expire after 14 days if the account is inactive. If the account is active, then sessions renew automatically within 14 days. If you remove a user from the Shopify application in your identity provider, then they can still access Shopify for up to 14 days. To prevent users from accessing your organization admin, remove their organization accesses on the Users page in the Shopify organization admin.

Require SAML authentication

Steps:

  1. In your Shopify organization admin, go to Users > Security.
  2. In the SAML authentication section, click Change setting.
  3. Choose an authentication setting.
  4. Click Save.

Remove SAML authentication

When SAML authentication is set to Off, all users in your organization who have Shopify IDs associated with your set email domain can log in using their password and email address.

Steps:

  1. In your Shopify organization admin, go to Users > Security.
  2. In the SAML authentication section, click Change setting.
  3. Select Off.
  4. Click Save.
