Configure SSO in Shopify Plus using Keycloak


To configure Single Sign-On (SSO) for a Shopify Plus store, you need to set up both sides: the Service Provider (the Shopify SSO application installed in your store) and the Identity Provider (Keycloak). The steps below alternate between the Keycloak admin console and the Shopify SSO application.

Once configured, customers log in to your Shopify storefront with their existing Keycloak credentials instead of creating and remembering a separate store account. Keycloak then acts as the central Identity Provider (IdP) for customer accounts, so customer data, preferences, and access permissions for the storefront are managed in one place.

Prerequisites:
  • miniOrange Shopify Single Sign-On (SSO) Application: Link
  • Guide to configure SSO between Shopify and Keycloak: Link

Note: The application supports SAML, OAuth 2.0, OpenID Connect, and JWT (JSON Web Token) based SSO. This guide uses SAML between Keycloak and the application (sections 1 to 3), and OpenID Connect parameters (client ID, client secret, discovery endpoint) between the application and Shopify customer accounts (section 4).

1. Configure Keycloak (Identity Provider):

Create a SAML Client:

  • Create New Client: Click Clients in the left menu, then click Create to add a new client for the Shopify SSO app.
  • Set Protocol Type: Select SAML as the client protocol.
  • Configure Client Details: Enter the SP Entity ID shown in the Shopify SSO app as the Client ID, and enter the app's ACS URL as the Client SAML Endpoint. The Client ID becomes the Audience of the assertions Keycloak issues and the Client SAML Endpoint is where they are posted, so both must match the app exactly.

Configure SAML Client Settings:

  • Enable Client: Ensure the client status is set to "Enabled" in the settings.
  • Configure Name ID: Set Name ID format to "email" and enable the "Force Name ID format" option, so the NameID in every assertion is the user's e-mail address regardless of what the app requests.

Configure Attribute Mappers:

  • Setup Attribute Mapping: In the Mappers tab, create mappers (type User Property) that send the user's email, firstName, and lastName.
  • Map User Properties: For each mapper, set the Keycloak user property as the source and the SAML attribute name the Shopify app expects as the target.

Obtain Keycloak Metadata:

  • Export Metadata: Go to Realm Settings > General and locate the SAML 2.0 Identity Provider Metadata endpoint (https://<keycloak-host>/realms/<realm>/protocol/saml/descriptor).
  • Save Metadata URL: Copy the metadata URL or download the XML file for the Shopify Plus SSO configuration.
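The console steps above (create the SAML client, force the e-mail Name ID, add the three mappers) can also be done against the Keycloak Admin REST API, which is useful when the realm is managed as code or rebuilt for testing. The script below is an added example written for this page, not code from miniOrange or from Keycloak. It uses the standard Admin API endpoint POST /admin/realms/{realm}/clients and the attribute keys Keycloak stores on SAML clients. The default KEYCLOAK_URL, realm, Entity ID and ACS URL are placeholders (take the real Entity ID and ACS URL from the Shopify SSO app), and it assumes the app does not sign its AuthnRequests. Without KEYCLOAK_ADMIN_PASSWORD set it only prints the client representation it would create.

```python
"""Create the Keycloak SAML client for the Shopify SSO app (section 1, steps a to c).

Added example; not miniOrange or Keycloak code. Uses the Keycloak Admin REST API
(POST /admin/realms/{realm}/clients) with the attribute keys Keycloak stores on
SAML clients. All URLs and identifiers below are placeholders.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Placeholders (assumptions), overridable from the environment.
KEYCLOAK_URL = os.environ.get("KEYCLOAK_URL", "https://keycloak.example.com")
REALM = os.environ.get("KEYCLOAK_REALM", "shopify")
ENTITY_ID = os.environ.get("SHOPIFY_SP_ENTITY_ID", "https://example.myshopify.com/sso/saml")
ACS_URL = os.environ.get("SHOPIFY_ACS_URL", "https://example.myshopify.com/sso/saml/acs")


def saml_property_mapper(user_property: str, attribute_name: str) -> dict:
    """Keycloak 'User Property' mapper: copies a user property into a SAML attribute."""
    return {
        "name": attribute_name,
        "protocol": "saml",
        "protocolMapper": "saml-user-property-mapper",
        "config": {
            "user.attribute": user_property,
            "attribute.name": attribute_name,
            "attribute.nameformat": "Basic",
            "friendly.name": attribute_name,
        },
    }


def build_saml_client(entity_id: str, acs_url: str) -> dict:
    """ClientRepresentation mirroring the manual console steps.

    - clientId is the SP Entity ID (Keycloak puts it in the assertion Audience).
    - The ACS URL is the POST-binding consumer URL and the only valid redirect
      URI, so Keycloak never sends an assertion anywhere else.
    - Name ID format is forced to "email".
    - Responses and assertions are signed with RSA-SHA256. Signed AuthnRequests
      are not required (assumption: the SP app does not sign them; set
      saml.client.signature to "true" if yours does).
    """
    if not acs_url.startswith("https://"):
        raise ValueError("ACS URL must be HTTPS: the assertion carries the user's identity")
    return {
        "clientId": entity_id,
        "name": "Shopify Plus SSO",
        "protocol": "saml",
        "enabled": True,
        "redirectUris": [acs_url],
        "attributes": {
            "saml_name_id_format": "email",
            "saml_force_name_id_format": "true",
            "saml_assertion_consumer_url_post": acs_url,
            "saml.assertion.signature": "true",
            "saml.server.signature": "true",
            "saml.client.signature": "false",
            "saml.signature.algorithm": "RSA_SHA256",
        },
        "protocolMappers": [
            saml_property_mapper("email", "email"),
            saml_property_mapper("firstName", "firstName"),
            saml_property_mapper("lastName", "lastName"),
        ],
    }


def admin_token(base_url: str, username: str, password: str) -> str:
    """Password grant against the master realm's admin-cli client (Keycloak's admin login)."""
    body = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password,
    }).encode()
    req = urllib.request.Request(f"{base_url}/realms/master/protocol/openid-connect/token", data=body)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def create_client(base_url: str, realm: str, token: str, representation: dict) -> str:
    """POST the client; Keycloak answers 201 with the new client's URL in Location."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/clients",
        data=json.dumps(representation).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.headers.get("Location", "")


if __name__ == "__main__":
    rep = build_saml_client(ENTITY_ID, ACS_URL)
    if "KEYCLOAK_ADMIN_PASSWORD" not in os.environ:
        print(json.dumps(rep, indent=2))  # dry run: show what would be created
        sys.exit(0)
    tok = admin_token(KEYCLOAK_URL, os.environ.get("KEYCLOAK_ADMIN", "admin"),
                      os.environ["KEYCLOAK_ADMIN_PASSWORD"])
    try:
        print("created:", create_client(KEYCLOAK_URL, REALM, tok, rep))
    except urllib.error.HTTPError as e:
        sys.exit(f"Keycloak returned {e.code}: {e.read().decode()}")
```

The one setting worth a second look is saml.client.signature: Keycloak turns "Client signature required" on by default for SAML clients, and a login that fails with an "invalid requester" or signature error right after the redirect to Keycloak is usually this switch being on while the SP sends unsigned requests.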

2. Complete SAML Configuration in Shopify Plus SSO:

  • Log in to your Shopify Plus organization admin and navigate to the Shopify Single Sign-On (SSO) application.
  • Select the SAML protocol and, from the list of IdPs, select Keycloak.
  • Provide Keycloak Metadata: Click the Import IdP Metadata button and paste the Keycloak metadata URL into the "Identity provider metadata URL" field. Alternatively, if you downloaded the metadata XML file, upload it to the Files section in your Shopify admin and use the generated public URL. The metadata contains only the IdP's public signing certificate and endpoint URLs, so a public URL is acceptable, but use an HTTPS URL, and re-import the metadata whenever the realm's SAML signing key is rotated or assertion signature checks will start failing.
  • Add the IdP Name and click Save.


3. Testing and Verification:

  • Test with a Single User: Before enforcing SSO broadly, test the integration with one user by setting that user's SAML authentication to "Required".
  • Verify SSO Flow: Click the Test Connection button and confirm that the user can log in with their Keycloak credentials. You will see a successful test window.
  • Fetch Attributes: Click the Fetch Attributes button to retrieve the attributes sent by the IdP. If the email attribute is missing or empty, go back to the Keycloak client and check that the Name ID format is "email" and that the email mapper is configured.
  • Enforce for all Users (if necessary): Once you are confident in the integration, set SAML authentication to "Required" for the relevant domain to enforce it for all users in that domain.

4. Connect the SSO app to Shopify customer accounts and activate it:

  • In the SSO app, go to the Connect Store tab and copy the Client ID, Client Secret, Post-Logout Redirect URL, and Discovery Endpoint URL.
  • From your Shopify admin, go to Settings > Customer accounts.
  • In the Identity provider section, click Manage.
  • Click Connect to provider.
  • Enter an Identity provider name for your authentication service.
  • In the Application info section, enter the Discovery endpoint URL, Client ID, Client secret, any Additional scopes, and the Post-logout redirect URI copied from the app.
  • Click Save.
  • Click Test Connection to confirm that the identity provider redirects users to the customer account login page correctly. If you are already logged in to a customer account, log out and log back in to see the updated login flow.
  • After testing the connection, click Activate.
  • After activation, an Active badge appears next to your identity provider's name in the Identity provider section of your Customer accounts settings.

By following these steps, you can configure SSO for your Shopify Plus store using Keycloak, centralizing authentication and giving your customers a single, streamlined login.
