To configure Single Sign-On (SSO) in a Shopify Plus store, you will need to configure both the Service Provider (Shopify Plus) and the Identity Provider (Keycloak). You should perform steps in both the Keycloak admin console and your Shopify SSO Application.
Customers can log into your Shopify Storefront using their existing Keycloak credentials, eliminating the need to create and remember separate accounts for your online store. Keycloak can also act as the central Identity Provider (IdP) for customer accounts, enabling centralized management of customer data, preferences, and access permissions for Shopify Storefront.
Prerequisites:
- miniOrange Shopify Single Sign-On (SSO) Application: Link
- Guide to configure SSO between Shopify and Keycloak: Link
Note: Our application supports the common SSO protocols, including SAML, OAuth 2.0, OpenID Connect, and JWT (JSON Web Tokens).
- Log in to your Keycloak administration console with admin credentials.
- Create New Client: Click Clients in the left menu, then click the Create button to create a new SAML client (application).
- Set Protocol Type: Select SAML as the client protocol for secure authentication.
- Configure Client Details: Enter the Entity ID shown in the Shopify Plus SSO App as the Client ID, and enter the ACS URL from the same app as the Client SAML Endpoint.
- Enable Client: Ensure the client status is set to "Enabled" in the settings.
- Configure Name ID: Set Name ID format to "email" and enable the "Force Name ID format" option.
- Setup Attribute Mapping: Create mappers in the Mappers tab to send user attributes like email, firstName, and lastName.
- Map User Properties: Link Keycloak user attributes to corresponding SAML attribute names expected by Shopify.
- Export Metadata: Go to Realm Settings > General and locate the SAML 2.0 Identity Provider Metadata endpoint.
- Save Metadata URL: Copy the metadata URL or download the XML file for Shopify Plus SSO configuration.
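Before pasting the exported metadata into the SSO App, it is worth confirming it contains what the SP side needs. The following is an added Python example, not code from this guide or the miniOrange app: it parses Keycloak's SAML 2.0 IdP metadata and extracts the entity ID, SSO endpoints and signing certificate, and flags whether the email Name ID format set in the client above is offered. The hostname, realm name and certificate in the sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample shaped like the realm descriptor Keycloak serves at
# /realms/<realm>/protocol/saml/descriptor; host and certificate are placeholders.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:keycloak">
  <md:EntityDescriptor entityID="https://idp.example.test/realms/shop">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB...placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example.test/realms/shop/protocol/saml"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.test/realms/shop/protocol/saml"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the values the SP-side SAML settings need and sanity-check them."""
    root = ET.fromstring(xml_text)  # output of your own IdP; use defusedxml for untrusted XML
    # Keycloak wraps the realm's EntityDescriptor in an EntitiesDescriptor.
    entity = root if root.tag.endswith("}EntityDescriptor") else root.find("md:EntityDescriptor", NS)
    idp = entity.find("md:IDPSSODescriptor", NS) if entity is not None else None
    if idp is None:
        raise ValueError("no IDPSSODescriptor found: this is not IdP metadata")
    # Map binding short name (HTTP-POST / HTTP-Redirect) -> SSO URL.
    sso = {svc.get("Binding").rsplit(":", 1)[-1]: svc.get("Location")
           for svc in idp.findall("md:SingleSignOnService", NS)}
    cert_path = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    certs = [c.text.strip() for c in idp.findall(cert_path, NS)]
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS)]
    if not certs:
        raise ValueError("no signing certificate: the SP could not verify assertions")
    return {
        "entity_id": entity.get("entityID"),
        "sso": sso,
        "signing_certs": certs,
        # The client above uses the email Name ID format; confirm the IdP advertises it.
        "supports_email_nameid": EMAIL_NAMEID in formats,
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned") == "true",
    }
```

Run it against the XML downloaded from the metadata endpoint (or fetched from the metadata URL) and compare the entity ID and SSO URL with what the SSO App shows after import.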
3. Testing and Verification:
- Test with a Single User: Before broad enforcement, test the integration with one user by setting their SAML authentication to "Required".
- Verify SSO Flow: Click the Test Connection button and confirm that the user can log in with their Keycloak credentials. A window reporting a successful test will appear.
- Click the Fetch Attributes button to retrieve the attributes sent by the IdP, and confirm that the Name ID format and the email attribute mapping are correct.
- Enforce for all Users (if necessary): Once you're confident with the integration, set the SAML authentication to "Required" for the relevant domain to enforce it for all users within that domain.
- In the Shopify SSO App, go to the Connect Store tab and copy the Client ID, Client Secret, Post-Logout Redirect URL, and Discovery Endpoint URL.
- From your Shopify admin, go to Settings > Customer accounts.
- In the Identity provider section, click Manage.
- Click Connect to provider.
- Enter an Identity provider name for your authentication service.
- In the Application info section, fill in the required information such as the Discovery endpoint URL, Client ID, Client secret, Additional Scopes, and Post-logout redirect URI parameter.
- Click on Save.
- Click Test Connection to ensure that your identity provider authentication correctly redirects users to the customer account login page. If you're already logged in to your customer account, you may need to log out and log back in to experience the updated login flow.
- After testing your connection, click 'Activate'.
- After activation, an Active badge will appear next to your identity provider’s name in the Identity Provider section of your Customer Accounts settings.
By following these steps, you can configure SSO for your Shopify Plus store using Keycloak, improving security and giving your users a streamlined login experience.