
Setting Up SSO for Shopify Plus B2B

Step-by-step guide to implementing SSO for your Shopify Plus B2B customers using their corporate identity providers.

Priya Sharma
VP Engineering
December 15, 2023
10 min read

Introduction

Shopify Plus's B2B features have made it easier than ever to serve wholesale and enterprise customers. But as your B2B business grows, managing access for hundreds or thousands of buyer accounts becomes challenging. Single Sign-On (SSO) solves this by letting your B2B customers log in using their own corporate identity providers.

This tutorial walks you through setting up SSO for Shopify Plus B2B using SecurePie.

Prerequisites

Before starting, ensure you have:

  • [ ] Shopify Plus plan with B2B features enabled
  • [ ] SecurePie app installed from Shopify App Store
  • [ ] At least one B2B company set up in Shopify
  • [ ] Access to your customer's identity provider settings (or a contact who does)

Understanding B2B SSO Architecture

How It Works

  1. Buyer visits your B2B portal
  2. SecurePie detects their company (via email domain or subdomain)
  3. Buyer is redirected to the customer's IdP (Okta, Azure AD, etc.)
  4. Buyer authenticates with their corporate credentials
  5. IdP sends an assertion back to SecurePie
  6. SecurePie creates/updates the Shopify customer and logs them in
  7. Buyer lands on the B2B portal with company-specific pricing and catalog

Key Benefits for B2B

For you (the merchant):

  • No password management headaches
  • Automatic user provisioning/deprovisioning
  • Enterprise customers love it
  • Reduced support tickets
  • Higher security posture

For your customers:

  • Single set of credentials
  • IT controls access centrally
  • Automatic offboarding when employees leave
  • Compliance requirements met

Step-by-Step Setup

Step 1: Create a Company SSO Configuration

  1. Log in to your Shopify admin
  2. Navigate to Apps > SecurePie
  3. Click B2B SSO Configurations
  4. Click Add Configuration
  5. Enter the company name (must match the Shopify company)
  6. Choose the connection type:
     • SAML 2.0 - Most common for enterprise
     • OpenID Connect - For Google Workspace, etc.

Step 2: Configure SAML Settings

For SAML connections, you'll need to exchange information with your customer's IT team.

Information to provide to your customer:

```
SP Entity ID: https://sso.securepie.com/saml/sp/{your-store}
ACS URL: https://sso.securepie.com/saml/acs/{your-store}
SLO URL: https://sso.securepie.com/saml/slo/{your-store}
NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
```

Information you need from your customer:

  • IdP Entity ID
  • IdP SSO URL
  • IdP Certificate (X.509)
  • Attribute mapping (if non-standard)

Step 3: Configure Attribute Mapping

Map the attributes from your customer's IdP to SecurePie fields:

| SecurePie Field | Common SAML Attributes |
|-----------------|------------------------|
| Email | email, mail, emailAddress |
| First Name | firstName, givenName |
| Last Name | lastName, surname, sn |
| Department | department |
| Title | title, jobTitle |

Advanced: Custom Attributes

You can map custom attributes to Shopify customer metafields:

```json
{
  "costCenter": "metafield:custom.cost_center",
  "approvalLimit": "metafield:custom.approval_limit",
  "region": "metafield:custom.region"
}
```
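To make the mapping concrete, here is an added example (my own code, not SecurePie's) that pulls the attributes out of a SAML 2.0 AttributeStatement, resolves each SecurePie field through the alias list in the table, and applies the custom metafield mapping from the JSON. The assertion fragment is constructed, and reading `metafield:custom.cost_center` as namespace `custom` plus key `cost_center` is my assumption about the format. The one hard failure is a missing email attribute, since nothing can be matched to a Shopify customer without it; an IdP that sends extra or differently named attributes is simply ignored.

```python
# Added example (not SecurePie's code): map a SAML AttributeStatement to
# SecurePie fields and Shopify metafields using the alias table above plus the
# custom-attribute JSON. The assertion fragment is a constructed sample.
import json
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Standard fields and the SAML attribute names that commonly carry them (from the table)
STANDARD_ALIASES = {
    "email": ["email", "mail", "emailAddress"],
    "first_name": ["firstName", "givenName"],
    "last_name": ["lastName", "surname", "sn"],
    "department": ["department"],
    "title": ["title", "jobTitle"],
}

# Custom mapping in the JSON form shown above; "metafield:<namespace>.<key>" is my reading
CUSTOM_MAPPING = json.loads("""
{
  "costCenter": "metafield:custom.cost_center",
  "approvalLimit": "metafield:custom.approval_limit",
  "region": "metafield:custom.region"
}
""")

# Constructed sample: this IdP uses "mail" and "sn", sends approvalLimit but no
# region, and adds an attribute (employeeNumber) that nothing maps.
SAMPLE_ATTRIBUTE_STATEMENT = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@acmecorp.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="costCenter"><saml:AttributeValue>CC-4410</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="approvalLimit"><saml:AttributeValue>25000</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="employeeNumber"><saml:AttributeValue>8812</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
"""


def parse_attributes(statement_xml: str) -> dict:
    """Return {attribute name: [values]} from a SAML 2.0 AttributeStatement."""
    root = ET.fromstring(statement_xml)
    attrs = {}
    for attr in root.findall("saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def map_attributes(attrs: dict, custom_mapping: dict = CUSTOM_MAPPING) -> dict:
    """Build the customer record: standard fields via aliases, custom ones via metafields.

    Raises ValueError when no email alias is present, because a Shopify customer
    cannot be created or matched without it.
    """
    record = {"metafields": {}}
    for field_name, aliases in STANDARD_ALIASES.items():
        # First alias present wins; single-valued attributes take their first value
        value = next((attrs[a][0] for a in aliases if attrs.get(a)), None)
        if value is not None:
            record[field_name] = value
    if "email" not in record:
        raise ValueError("assertion carries no email attribute (tried %s)" % STANDARD_ALIASES["email"])
    for attr_name, target in custom_mapping.items():
        if not target.startswith("metafield:") or attr_name not in attrs:
            continue  # absent custom attributes are skipped, not treated as errors
        namespace, key = target[len("metafield:"):].split(".", 1)
        record["metafields"]["%s.%s" % (namespace, key)] = attrs[attr_name][0]
    return record


if __name__ == "__main__":
    print(json.dumps(map_attributes(parse_attributes(SAMPLE_ATTRIBUTE_STATEMENT)), indent=2))
```

Running it prints the record with `email`, `first_name` and `last_name` filled from the aliases and only the two metafields the IdP actually sent; `department`, `title` and `custom.region` are absent rather than empty strings, which keeps "not sent" distinguishable from "sent blank" when you later debug a mapping.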

Step 4: Configure Email Domain Routing

SecurePie needs to know which SSO configuration to use for each customer.

Option A: Email Domain Matching

Simplest approach: route based on email domain.

  1. In the SSO configuration, add domains:
     • acmecorp.com
     • acme.co.uk
     • acme-corp.com
  2. When users with these domains visit, they're routed to Acme's IdP.

Option B: Company Subdomain

Each company gets its own login URL:

  • https://yourstore.com/b2b/acmecorp
  • https://yourstore.com/b2b/globex

Option C: Login Page Company Selector

Users select their company from a dropdown on the login page.
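The routing decision in Options A and B is small enough to show in full. The following is an added example (my own code, not SecurePie's): a constructed configuration table with the three Acme domains from above, a Globex entry, and a "No SSO" company that stays on passwords, plus two resolvers, one for an email address and one for a `/b2b/<company>` login URL. Domain matching is exact and case-insensitive; a lookalike such as `mail.acmecorp.com` is deliberately not treated as `acmecorp.com`, so only domains a company has explicitly registered ever select its IdP.

```python
# Added example (not SecurePie's code): pick the SSO configuration for a login
# attempt via Option A (email domain) or Option B (company login URL).
# The configuration table is constructed; "idp" is None for password-only companies.
from urllib.parse import urlsplit

SSO_CONFIGS = {
    "acmecorp": {"idp": "okta", "domains": ["acmecorp.com", "acme.co.uk", "acme-corp.com"]},
    "globex": {"idp": "azure_ad", "domains": ["globex.com"]},
    "nosso": {"idp": None, "domains": ["nosso.com"]},
}

# Reverse index built once: normalised domain -> company slug.
# Refuse to start if two companies claim the same domain, since routing would be ambiguous.
DOMAIN_INDEX = {}
for _slug, _cfg in SSO_CONFIGS.items():
    for _domain in _cfg["domains"]:
        _domain = _domain.lower().strip(".")
        if _domain in DOMAIN_INDEX and DOMAIN_INDEX[_domain] != _slug:
            raise ValueError("domain %s is claimed by both %s and %s" % (_domain, DOMAIN_INDEX[_domain], _slug))
        DOMAIN_INDEX[_domain] = _slug


def route_by_email(email: str):
    """Option A: return (company, idp) for the email's domain, or None when no
    configuration owns it (the login then falls back to password / company selector).

    Only the exact registered domain matches: mail.acmecorp.com is not acmecorp.com,
    so an unregistered subdomain or lookalike never borrows another company's config.
    """
    if email.count("@") != 1:
        return None
    local, domain = email.rsplit("@", 1)
    domain = domain.strip().lower().rstrip(".")
    if not local or not domain:
        return None
    slug = DOMAIN_INDEX.get(domain)
    if slug is None:
        return None
    return slug, SSO_CONFIGS[slug]["idp"]


def route_by_login_url(url: str):
    """Option B: resolve https://yourstore.com/b2b/<company> to (company, idp)."""
    parts = [p for p in urlsplit(url).path.split("/") if p]
    if len(parts) != 2 or parts[0] != "b2b":
        return None
    slug = parts[1].lower()
    if slug not in SSO_CONFIGS:
        return None
    return slug, SSO_CONFIGS[slug]["idp"]


if __name__ == "__main__":
    for probe in ("JDoe@AcmeCorp.com", "bob@acme.co.uk", "x@nosso.com", "x@mail.acmecorp.com", "not-an-email"):
        print(probe, "->", route_by_email(probe))
    print(route_by_login_url("https://yourstore.com/b2b/globex"))
```

A `None` result is the signal to show the password form or the Option C company selector; returning the password-only company explicitly (`("nosso", None)`) rather than `None` lets you tell "known company without SSO" apart from "unknown domain" in your logs.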

Step 5: Test the Connection

Before rolling out to your customer:

  1. Create a test user in your customer's IdP
  2. Navigate to your B2B login page
  3. Enter the test user's email or select their company
  4. You should be redirected to their IdP
  5. Authenticate as the test user
  6. Verify you land on the B2B portal with the correct company association

Troubleshooting checklist:

  • [ ] Certificate is valid and not expired
  • [ ] Entity IDs match exactly
  • [ ] ACS URL is correct (check for trailing slashes)
  • [ ] Clock skew is within tolerance
  • [ ] Email attribute is being sent
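Each item on that checklist is a mechanical comparison, so it is worth encoding once and running against every failed login. Below is an added example (my own code, not SecurePie's) that takes the fields a SAML library has already extracted from an IdP response and reports every failing checklist item at once, including the certificate expiry warning the monitoring section later asks for. The expected values use the Step 2 URL patterns with a constructed store name `example-store`; the IdP entity ID, the three-minute skew tolerance, and the response itself are constructed, and certificate dates are assumed to arrive as already-parsed datetimes.

```python
# Added example (not SecurePie's code): run the Step 5 troubleshooting checklist
# against fields already extracted from a SAML response, reporting all failures.
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta, timezone

CLOCK_SKEW = timedelta(minutes=3)          # assumed tolerance between IdP and SP clocks
CERT_EXPIRY_WARNING = timedelta(days=30)   # "alert 30 days before" from the monitoring section


@dataclass
class SamlResponseFields:
    issuer: str              # IdP Entity ID as sent in <Issuer>
    destination: str         # ACS URL the IdP posted to
    audience: str            # SP Entity ID in <AudienceRestriction>
    not_before: datetime
    not_on_or_after: datetime
    attributes: dict = field(default_factory=dict)


@dataclass
class ExpectedConfig:
    idp_entity_id: str
    sp_entity_id: str
    acs_url: str
    idp_cert_not_after: datetime   # assumed pre-parsed from the IdP's X.509 certificate
    email_attributes: tuple = ("email", "mail", "emailAddress")


def check_response(resp: SamlResponseFields, cfg: ExpectedConfig, now: datetime) -> list:
    """Return human-readable problems; an empty list means every checklist item passed."""
    problems = []

    # Certificate is valid and not expired (plus the 30-day early warning)
    if cfg.idp_cert_not_after <= now:
        problems.append("IdP certificate expired on %s" % cfg.idp_cert_not_after.date())
    elif cfg.idp_cert_not_after - now < CERT_EXPIRY_WARNING:
        problems.append("IdP certificate expires in %d days; rotate it" % (cfg.idp_cert_not_after - now).days)

    # Entity IDs match exactly: no case folding, no whitespace trimming
    if resp.issuer != cfg.idp_entity_id:
        problems.append("Issuer %r != configured IdP Entity ID %r" % (resp.issuer, cfg.idp_entity_id))
    if resp.audience != cfg.sp_entity_id:
        problems.append("Audience %r != SP Entity ID %r" % (resp.audience, cfg.sp_entity_id))

    # ACS URL is correct; name the trailing-slash case explicitly since it is the usual culprit
    if resp.destination != cfg.acs_url:
        if resp.destination.rstrip("/") == cfg.acs_url.rstrip("/"):
            problems.append("ACS URL differs only by a trailing slash: %r vs %r" % (resp.destination, cfg.acs_url))
        else:
            problems.append("Destination %r != ACS URL %r" % (resp.destination, cfg.acs_url))

    # Clock skew within tolerance: the validity window is widened by CLOCK_SKEW on both ends
    if now + CLOCK_SKEW < resp.not_before:
        problems.append("assertion not yet valid (NotBefore %s); check IdP/SP clocks" % resp.not_before)
    if now - CLOCK_SKEW >= resp.not_on_or_after:
        problems.append("assertion expired (NotOnOrAfter %s); check IdP/SP clocks" % resp.not_on_or_after)

    # Email attribute is being sent, under any of the accepted names
    if not any(resp.attributes.get(name) for name in cfg.email_attributes):
        problems.append("no email attribute among %s; add it to the IdP attribute statements" % (cfg.email_attributes,))

    return problems


# Constructed sample: store "example-store", a response with a trailing slash on
# the ACS URL and no email attribute, and a certificate inside the warning window.
NOW = datetime(2023, 12, 15, 12, 0, tzinfo=timezone.utc)
EXPECTED = ExpectedConfig(
    idp_entity_id="http://www.okta.com/exk-constructed-id",
    sp_entity_id="https://sso.securepie.com/saml/sp/example-store",
    acs_url="https://sso.securepie.com/saml/acs/example-store",
    idp_cert_not_after=NOW + timedelta(days=20),
)
SAMPLE_RESPONSE = SamlResponseFields(
    issuer="http://www.okta.com/exk-constructed-id",
    destination="https://sso.securepie.com/saml/acs/example-store/",
    audience="https://sso.securepie.com/saml/sp/example-store",
    not_before=NOW - timedelta(minutes=1),
    not_on_or_after=NOW + timedelta(minutes=5),
    attributes={"givenName": ["Jane"], "sn": ["Doe"]},
)
# The same response with the two defects fixed and a certificate far from expiry
GOOD_RESPONSE = replace(SAMPLE_RESPONSE, destination=EXPECTED.acs_url, attributes={"mail": ["jdoe@acmecorp.com"]})
GOOD_EXPECTED = replace(EXPECTED, idp_cert_not_after=NOW + timedelta(days=200))

if __name__ == "__main__":
    for p in check_response(SAMPLE_RESPONSE, EXPECTED, NOW):
        print("FAIL:", p)
    print("clean response:", check_response(GOOD_RESPONSE, GOOD_EXPECTED, NOW))
```

Note that the entity ID and ACS comparisons are deliberately strict: normalising case or slashes would hide exactly the mismatches the checklist tells you to look for, so the code reports the near-miss instead of silently accepting it.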

Step 6: Configure User Provisioning

Decide how SecurePie should handle new users:

Just-in-Time (JIT) Provisioning:

  • Users created automatically on first SSO login
  • Customer contact added to Shopify company
  • Simplest approach

SCIM Provisioning:

  • Users synced proactively from IdP
  • Includes deprovisioning when removed from IdP
  • Better for compliance requirements

Manual Approval:

  • New users flagged for review
  • Admin approves before access granted
  • Most control, most friction

Step 7: Roll Out to Customer

  1. Inform your customer's IT team that testing is complete
  2. They assign users/groups to the application in their IdP
  3. Send login instructions to end users
  4. Monitor for issues in SecurePie logs

Advanced Configuration

Multiple Companies, Different IdPs

Each company can have its own SSO configuration:

| Company | IdP | Domain |
|---------|-----|--------|
| Acme Corp | Okta | acmecorp.com |
| Globex | Azure AD | globex.com |
| Initech | Google | initech.io |
| No SSO Co | Password | nosso.com |

Role-Based Access via Groups

Map IdP groups to B2B roles:

```json
{
  "groupMapping": {
    "B2B-Admin": "company_admin",
    "B2B-Purchaser": "purchaser",
    "B2B-Browser": "catalog_viewer"
  }
}
```
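A group claim rarely contains exactly one mapped group, so the mapping needs a rule for the other cases. The following is an added example (my own code, not SecurePie's) that resolves a single B2B role from the `groupMapping` JSON above: when a user is in several mapped groups the highest-privilege role wins, groups the mapping does not know are ignored, and a user in no mapped group gets no role at all rather than a default one. The privilege order of the three roles is my assumption; group names are compared exactly, as Okta and Azure AD send them.

```python
# Added example (not SecurePie's code): resolve one B2B role from the IdP's group
# claim using the groupMapping JSON above. Privilege ranking is an assumption.
import json

GROUP_MAPPING = json.loads("""
{
  "groupMapping": {
    "B2B-Admin": "company_admin",
    "B2B-Purchaser": "purchaser",
    "B2B-Browser": "catalog_viewer"
  }
}
""")["groupMapping"]

# Assumed privilege order, least to most; any role not listed ranks lowest
ROLE_RANK = {"catalog_viewer": 1, "purchaser": 2, "company_admin": 3}


def resolve_role(idp_groups, mapping=GROUP_MAPPING):
    """Return the single role for a user, or None when no group maps to one.

    Returning None instead of a default role means a user the customer's IT team
    has not yet placed in a B2B group gets no portal access until they are added,
    and a user removed from every B2B group loses access on their next login.
    """
    roles = {mapping[g] for g in idp_groups if g in mapping}
    if not roles:
        return None
    return max(roles, key=lambda r: ROLE_RANK.get(r, 0))


def role_update(stored_role, idp_groups, mapping=GROUP_MAPPING):
    """Compare the role on file for a company contact with the one the current
    login's groups imply; returns (changed, new_role) so the caller knows when to
    update the Shopify company contact and when to log the change."""
    new_role = resolve_role(idp_groups, mapping)
    return new_role != stored_role, new_role


if __name__ == "__main__":
    # Constructed group claims as an IdP might send them, including unmapped groups
    for groups in (["B2B-Purchaser", "B2B-Browser"], ["Everyone", "B2B-Admin"], ["Everyone", "Finance"]):
        print(groups, "->", resolve_role(groups))
    print(role_update("purchaser", ["Everyone"]))
```

Logging every `changed == True` outcome gives you the provisioning events the monitoring section asks you to track, and a sudden jump to `company_admin` for many users is the kind of change worth reviewing with the customer's IT team.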

Location-Specific Access

For customers with multiple locations:

  1. Send a location attribute from the IdP
  2. Map it to the Shopify company location
  3. The user sees location-specific pricing/catalog

Approval Workflows

Integrate with your customer's approval workflows:

  1. IdP sends the approval limit as an attribute
  2. Orders above the limit require manager approval
  3. Approval request is sent via Shopify Flow

Common Scenarios

Scenario: Customer Uses Google Workspace

  1. Create an OIDC configuration in SecurePie
  2. Customer creates an OAuth app in Google Admin
  3. Exchange client ID and secret
  4. Map Google attributes (email, name, etc.)

Scenario: Customer Uses Okta

  1. Customer creates a SAML app from the SecurePie template
  2. Download the Okta metadata XML
  3. Upload it to SecurePie
  4. Configure attribute statements in Okta

Scenario: Customer Has Strict Security Requirements

For customers requiring enhanced security:

  • Request signed assertions AND encrypted assertions
  • Enable certificate rotation support
  • Implement IP allowlisting
  • Require MFA at the IdP

Monitoring and Maintenance

Health Checks

  • Monitor SSO success/failure rates
  • Alert on certificate expiration (30 days before)
  • Track user provisioning events

Regular Reviews

  • Quarterly: Review active SSO configurations
  • Annually: Recertify customer contacts
  • As needed: Update certificates

Conclusion

B2B SSO transforms your Shopify Plus wholesale portal from a password management headache into a seamless extension of your customers' IT infrastructure. With SecurePie, you can offer enterprise-grade SSO without enterprise-level complexity.

Start with your largest or most security-conscious customers, prove the value, and expand from there. Before long, you'll wonder how you ever managed B2B accounts without SSO.

Need help with your B2B SSO setup? Contact our team for personalized guidance.
