Okta

How to Configure SAML 2.0 for Shopify Plus


Eligibility

The Okta and Shopify Plus connector is currently only available for select Shopify Plus merchants. It will become available to all Shopify Plus merchants in the coming months.

Contact Shopify Plus Support if you’re a current merchant and need access.

Contents


Supported Features

The Okta/Shopify Plus SAML integration currently supports the following features:

For more information on the listed features, visit the Okta Glossary.


Configuration Steps

  1. Log in to Shopify Plus.

  2. Go to Users > Security

  3. Go to SAML configuration and do the following:

    • Single sign-on URL: Make a copy of this value.

    • Identity provider metadata URL: Copy and paste the following:

      Sign into the Okta Admin dashboard to generate this value.

    • Click Add and confirm the metadata is correct.

    • Click Add domain: Enter the email domain you would like to use with SAML. This must be a domain that’s within your Okta instance.

    • Click Submit and repeat for any other domains you’d like to enforce with SAML.

  4. In Okta, select the Sign On tab for the Shopify Plus app, then click Edit.

    • Scroll down to the ADVANCED SIGN-ON SETTINGS section.

    • Enter the Single sign-on URL you made a copy of (step 4) into the corresponding field.

    • Select the required value for the Email SAML attribute. If you are going send Okta Username value; you need to select Username. By default the Email SAML attribute is mapped to the Email field from Okta user profile.

    • Application username format: Select Email.

    • Click Save:

    enter Single sign-on URL, set Application username format to Email

  5. Enforce SAML for your users:

    Note: We recommend testing the integration with individual users before applying broadly.

    1. Individual users:

      • Go to an individual user’s page in Shopify Plus with an email domain that’s managed by Okta and verified in Shopify Plus.

      • In the SAML authentication section, click Edit, select Required, then click Save.

      • Test that this user is able to log in properly via idP-initiated and SP-initiated flows.

    2. For all users under an email domain:

      • Go back to the Security page.

      • Select Required for your SAML authentication setting. This enforces SAML for all users with that email domain across Shopify Plus.

      • Click Save.

    3. Important: Enabling of SAML for all users under email domain will affect all users who use this application, which means that users will not be able to sign in through their regular log in page. They will only be able to access the app through the Okta service. Shopify does not provide backup log-in URL where users can sign-in using their normal username and password. You can contact Shopify Support to turn off SAML, if necessary.

  6. Done!


Notes

The following SAML attributes are supported:


SP-initiated SSO

  1. Go to: https://shopify.plus/login

  2. Enter your Email, then click Next.

  3. Click Login with SSO to log in via Okta.