针对您的组织的 SAML 身份验证

如果您的组织使用 SAML 对用户进行身份验证,则可以将 Shopify 作为应用添加到您的身份信息提供商。设置应用后,具有用户管理访问权限的用户可以要求您组织中的单个用户或所有用户使用您的 SAML 身份信息提供商进行身份验证。

本页相关主题

  • 设置 SAML 身份验证之前

  • 为组织设置 SAML 验证

  • 要求 SAML 验证

  • 删除 SAML 验证

  • 相关链接

设置 SAML 身份验证之前

提交要验证的域名会影响在 Shopify 中登录您组织的用户。在开始之前,请查看以下注意事项。

  • 创建备份账户。

  • 设置 Shopify ID。

为组织设置 SAML 验证

您需要先验证您的域名,然后才能设置 SAML 配置。

您不必等到您的域名通过验证即可开始设置配置。

自动设置配置

目前,身份服务提供商 Okta、OneLogin 和 Azure 提供这些配置。

步骤:

  1. 在您的 Shopify 组织后台中,前往用户 > 安全

  2. 在 SAML 配置部分中,点击设置配置

  3. 在您的身份信息提供商中,添加 Shopify Plus 应用。

  4. 您的服务提供商将为您提供元数据 URL。在身份信息提供商元数据 URL 字段中输入此信息。输入 URL 后,SAML 配置详细信息会自动填充,目前无法手动编辑。

  5. 点击添加

手动设置配置

如果您使用的是 Okta、OneLogin 和 Azure 之外的身份信息提供商,则必须手动输入配置数据。

身份服务提供商可能会为某些值使用不同的名称。例如,Google 的 SAML 集成使用 ACS URL 一词来表示单点登录 URL。如果您在手动设置配置时遇到错误,请联系身份服务提供商获取帮助。

步骤:

  1. 在您的 Shopify 组织后台中,前往用户 > 安全

  2. 在 SAML 配置部分中,点击设置配置

  3. 点击显示 SAML 配置设置

  4. 复制以下值,并将其提供给您的身份信息服务提供商,同时提供身份信息提供商可能请求的任何其他信息。

    • 单一登录 URLhttps://accounts.shopify.com/saml/consume/organization/{organization ID}。每个组织都有唯一的 ID。请在 SAML 配置详细信息中的单一登录 URL 条目中复制此值。

    • 受众 URI(SP 实体 ID): https://accounts.shopify.com/saml_sp

    • 姓名 ID 格式: Persistent

    • 属性声明first_namelast_name、 email

  5. 您的服务提供商将为您提供元数据 URL。在身份信息提供商元数据 URL 字段中输入此信息。输入 URL 后,SAML 配置详细信息会自动填充,并且无法手动编辑。

  6. 点击添加

要求 SAML 验证

添加域名并设置配置后,请等待验证完成。当您的域名状态更改为已验证后,您便可以更改 SAML 身份验证设置。

SAML 身份验证的注意事项

SAML 身份验证有三个设置:必需特定用户关闭

如果您选择特定用户,则可以为 Shopify ID 与用户页面中已设定电子邮件域名关联的用户设置特定的登录要求。任何未设为要求 SAML 身份验证的用户都可以正常登录。如果选择必需,则组织中使用已设定电子邮件域名的所有用户都必须使用 SAML 身份验证进行登录。

必需设置会替换您组织中用户的所有个人安全要求。如果您稍后更改设置,则需要手动更改用户的设置。

例如,您已将域名设置为特定用户,并且将三位用户设置为需要 SAML 身份验证。然后,您将强制措施设置为必需,要求 Shopify ID 与已设定电子邮件域名关联的所有用户使用 SAML 身份验证。稍后,您将强制措施重新设置为特定用户。系统不再强制要求之前的三位用户使用 SAML 身份验证登录,您需要在其用户详细信息页面中再次设置。

要求用户使用 SAML 验证时,系统就会删除现有双重验证的要求。

SAML 身份验证会话持续 6 天,然后您的用户就需要再次登录。如果您从身份信息提供商的 Shopify 应用程序中删除用户,他们仍可在最多 6 天时间内访问 Shopify。若要阻止用户访问组织后台,请在 Shopify 组织后台的用户页面上删除其组织访问权限。

要求 SAML 验证

步骤:

  1. 在您的 Shopify 组织后台中,前往用户 > 安全

  2. 在 SAML 验证部分,点击更改设置

  3. 选择验证设置。

  4. 单击保存

删除 SAML 验证

如果 SAML 身份验证设置为关闭,您组织中 Shopify ID 与设定电子邮件域名关联的所有用户都可以使用他们的密码和电子邮件地址登录。

步骤:

  1. 在您的 Shopify 组织后台中,前往用户 > 安全

  2. 在 SAML 验证部分,点击更改设置

  3. 选择关闭

  4. 单击保存

相关链接

  • 用户

  • 安全

  • Okta:如何为 Shopify Plus 配置 SAML 2.0

  • Azure Active Directory 单点登录 (SSO) 与 Shopify Plus 集成

Shopify商户官网原文详情:

SAML authentication for your organization

If your organization uses SAML to authenticate users, then you can add Shopify as an app with your identity provider. After your app has been set up, users who have the User management access can require either individual users or all the users in your organization to authenticate their identity using your SAML identity provider.

On this page

  • Before you set up SAML authentication

  • Set up SAML authentication for your organization

  • Requiring SAML authentication

  • Remove SAML authentication

  • Related links

Before you set up SAML authentication

Submitting a domain to be verified has implications for the users logging in to your organization on Shopify. Before you begin, review the following considerations.

  • Create a backup account.

    In case there are any issues with your SAML authentication integration or interruptions with your identity provider, create a backup account that isn't associated with the domain that you use for SAML authentication. Ensure that this account is an active user in your organization, has two-step authentication enabled, and has the User management access so that you can disable SAML in case of emergencies.

  • Set up Shopify IDs.

    Because SAML authentication is based on domains, ensure that all the users in your organization have set up their Shopify ID using email addresses that are associated with your organization's domain.

Set up SAML authentication for your organization

Before you can set up your SAML configuration, you need to verify your domain.

You don't have to wait until your domain is verified to start setting up your configuration.

Setting up configurations automatically

Configurations are currently available for identity service providers Okta, OneLogin, and Azure.

Steps:

  1. In your Shopify organization admin, go to Users > Security.

  2. In the SAML configuration section, click Set up configuration.

  3. In your identity provider, add the Shopify Plus app.

  4. Your service provider will provide you with a metadata URL. Enter this in the Identity provider metadata URL field. After the URL has been entered, the SAML configuration details are populated automatically, and currently can't be edited manually.

  5. Click Add.

Setting up configurations manually

If you use an identity provider other than Okta, OneLogin, and Azure, then you must manually enter configuration data.

Identity service providers might use different names for some values. For example, Google's SAML integration uses the term ACS URL to refer to the Single sign-on URL. If you encounter errors while setting up your configurations manually, then contact the identity service provider for assistance.

Steps:

  1. In your Shopify organization admin, go to Users > Security.

  2. In the SAML configuration section, click Set up configuration.

  3. Click View SAML configuration settings.

  4. Copy the following values and provide them to your identity service provider, along with any additional information the identity provider might request.

    • Single sign-on URLhttps://accounts.shopify.com/saml/consume/organization/{organization ID}. Each organization has a unique ID. Copy this value from the Single sign-on URL entry in the SAML configuration details.

    • Audience URI (SP Entity ID)https://accounts.shopify.com/saml_sp

    • Name ID formatPersistent

    • Attribute statementsfirst_namelast_nameemail

  5. Your service provider will provide you with a metadata URL. Enter this in the Identity provider metadata URL field. After the URL has been entered, the SAML configuration details are populated automatically, and can't be edited manually.

  6. Click Add.

Requiring SAML authentication

After you have added your domain and set up your configuration, wait until verification is complete. When the status of your domain changes to Verified, you can change your SAML authentication settings.

Considerations for SAML authentication

There are three settings for SAML authentication: RequiredSpecific users, and Off.

If you select Specific users, then you can set specific login requirements for your users that have Shopify IDs associated with the set email domain from the Users page. Any user who isn't set to require SAML authentication can log in normally. If you select Required, then all users in your organization with the set email domain must use SAML authentication to log in.

The Required setting replaces all individual security requirements for users in your organization. If you change your setting at a later date, then you need to manually change the settings for your users.

For example, you have your domain set to Specific users and have three users set to require SAML authentication. You then set enforcement to Required, requiring all users who have Shopify IDs associated with the set email domain to use SAML authentication. Later, you set your enforcement back to Specific users. The three users that were required to log in using SAML authentication are no longer enforced, and must be set up again in their user detail page.

Requiring a user to use SAML authentication removes existing two-factor authentication requirements.

SAML authentication sessions last for six days before your users are required to log in again. If you remove a user from the Shopify application in your identity provider, then they will still be able to access Shopify for up to six days. To prevent users from accessing your organization admin, remove their organization accesses on the Users page in the Shopify organization admin.

Require SAML authentication

Steps:

  1. In your Shopify organization admin, go to Users > Security.

  2. In the SAML authentication section, click Change setting.

  3. Choose an authentication setting.

  4. Click Save.

Remove SAML authentication

When SAML authentication is set to Off, then all users in your organization who have Shopify IDs associated with your set email domain can log in using their password and email address.

Steps:

  1. In your Shopify organization admin, go to Users > Security.

  2. In the SAML authentication section, click Change setting.

  3. Select Off.

  4. Click Save.

Related links

  • Users

  • Security

  • Okta: How to Configure SAML 2.0 for Shopify Plus

  • Azure Active Directory single sign-on (SSO) integration with Shopify Plus


文章内容来源:Shopify商户官方网站

(本文内容根据网络资料整理,出于传递更多信息之目的,不代表连连国际赞同其观点和立场)