Shopify - SSO configuration
Please note that this application has not been formally tested by Kelvin Zero Inc. It is provided solely as a reference guide. If you encounter any issues, kindly submit a ticket directly through the support desk.
This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Shopify Plus using MPAS. SSO simplifies user authentication by allowing access to multiple applications with a single set of credentials. This integration enhances security and improves user experience across your organization.
To set up Multi-Pass with Shopify Plus, ensure you meet the following requirements:
- Shopify Plus admin rights
- MPAS Admin rights
- Make sure that all users intended to use SSO in Shopify Plus are registered in your IdP and have the necessary permissions to access Shopify Plus.
- Shopify Plus admin rights
- MPAS Admin rights
- Make sure that all users intended to use SSO in Shopify Plus are registered in your IdP and have the necessary permissions to access Shopify Plus.
Important: Custom elements in URLs (like realm names) are case sensitive. Make sure to match the exact casing from your environment.
Shopify - SSO configuration
Step 1 — Configure in Shopify
- Log in to your Shopify Admin.
- Go to Settings, click on Users.
- Select Security.
- In the SAML configuration section, click Set up configuration.
- Paste the Identity Provider metadata URL from your IdP.
- https://ca.auth.kzero.com/realms/<TENANT_NAME>/protocol/saml/descriptor
- If your IdP provides an XML file, upload it to Files in Shopify to generate a public metadata URL, then use that URL.
- Click Add to save.
- Wait until your domain verification is complete before enforcing SAML.
Recommendation: Test with Specific users first. Keep a backup admin account that is not on the SAML domain and has 2-step authentication.
Shopify SAML Settings
| Field | Value |
| Single Sign-On URL (ACS) | https://accounts.shopify.com/saml/consume/organization/{ORG_ID} |
| Audience URI (SP Entity ID) | https://accounts.shopify.com/saml_sp |
| Sign-On URL (SP-initiated) | https://shopify.plus/login |
| Name ID Format | Persistent |
| Attributes | first_name, last_name, email |
Step 2 — Configure in Multi-Pass
- Open Multi-Pass Dashboard
- Select your tenant.
- Go to Integrations
- Click on Applications.
- In the Custom section, choose SAML.
- You will arrive on the form to complete.
| Field | Value |
| SP Entity ID | https://accounts.shopify.com/saml_sp |
| ACS URL | https://accounts.shopify.com/saml/consume/organization/{ORG_ID} |
| NameID Format |
- Click on Advanced Console.
- Select Client, search for the integration you just created.
- Now you need to verify that the following fields are well completed :
General settings
| Field | Value |
| Client ID | https://accounts.shopify.com/saml_sp |
| Name | Shopify |
| Description | SAML integration for Shopify Plus |
| Always Display in UI | ON |
Access settings
| Field | Value |
| Home URL | https://ca.auth.kzero.com/realms/<TENANT_NAME>/protocol/saml/clients/ShopifyPlus |
| Valid Redirect URIs | https://accounts.shopify.com/saml/consume/organization/{ORG_ID} |
| IDP-Initiated SSO URL Name | ShopifyPlus |
SAML Capabilities
| Setting | Value |
| Force Name ID Format | ON |
| Force POST Binding | ON |
| Include AuthnStatement | ON |
Signature & Encryption
| Setting | Value |
| Sign Documents | OFF |
| Sign Assertions | ON |
- Now that you have checked the different parameters, change to the tab called Keys. Make sure that both parameters are switched to OFF.
- Now go to the Advanced tab. The field Assertion Consumer Service POST Binding URL must equal the Valid Redirect URIs (ACS).
- Go to client scope now,
- Select configure a new mapper
- Click on user attribute and you will create three mappers :
- Email
- Firstname
- Lastname
| Field | Value |
| Mapper Type | User attribute |
| Name | |
| User Attribute | |
| Friendly Name | |
| SAML Attribute Name |
First Name
| Field | Value |
| Mapper Type | User attribute |
| Name | First Name |
| User Attribute | firstName |
| Friendly Name | first_name |
| SAML Attribute Name | first_name |
Last Name
| Field | Value |
| Mapper Type | User attribute |
| Name | Last Name |
| User Attribute | lastName |
| Friendly Name | last_name |
| SAML Attribute Name | last_name |
Related Articles
D2L Brightspace - SSO Integration
This application has not been formally tested by Kelvin Zero Inc. It is provided solely as a reference guide. If you encounter any issues, kindly submit a ticket directly through the support desk. This documentation provides a step-by-step guide to ...Mulesoft - SSO Integration
This application has been formally tested by Kelvin Zero Inc. This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Mulesoft using Multi-Pass. SSO simplifies user authentication by allowing access to multiple ...Notion - SSO configuration
Please note that this application has not been formally tested by Kelvin Zero Inc. It is provided solely as a reference guide. If you encounter any issues, kindly submit a ticket directly through the support desk. This documentation provides a ...Heap - SSO configuration
Please note that this application has not been formally tested by Kelvin Zero Inc. It is provided solely as a reference guide. If you encounter any issues, kindly submit a ticket directly through the support desk. This documentation provides a ...NinjaOne - SSO configuration
Please note that this application has not been formally tested by Kelvin Zero Inc. It is provided solely as a reference guide. If you encounter any issues, kindly submit a ticket directly through the support desk. This documentation provides a ...