SCIM user management for your organization

After you've verified your domain and set up Security Assertion Markup Language (SAML) authentication for your organization, you can generate a System for Cross-domain Identity Management (SCIM) API token.

Features

Providing the SCIM API token to your identity service provider allows you to take the following actions through your identity provider:

  • Create users
  • Assign or update user roles
  • Deactivate users

Requirements

Before you set up SCIM user management, you need to verify your domain and create a SAML configuration. You can only manage users who are associated with a domain that you've verified.

Configure SCIM user management

  1. From your Shopify admin, click Settings.
  2. In the Organization section, click Users > Security.
  3. In the SCIM integration section, click Generate API token.
  4. Click Copy to copy the generated token to your clipboard.
  5. Provide the token to your identity service provider. The procedure for adding the token depends on which identity service provider you use.


After your API token has been added to your identity service provider, you can add or remove users through that service. Depending on the status of that user within Shopify and your identity service provider, this can change how they log in to Shopify.

Effects of creating a user in an identity provider

User status: User already exists in your organization
Effect within Shopify: If you add a user through your identity provider, then the user is required to log in using SAML authentication if all the following are true:

  • the user already exists in Shopify
  • the user already exists in your organization
  • you use Specific users enforcement

User status: User exists in Shopify, but not your organization
Effect within Shopify: If you add a user through your identity provider, then the user is added to your organization and is required to log in using SAML authentication if all the following are true:

  • the user already exists in Shopify
  • the user does not exist in your specific organization
  • you use Required or Specific users enforcement

User status: User does not exist in Shopify
Effect within Shopify: If you add a user through your identity provider, then the user is added to your organization and is required to log in using SAML authentication if all the following are true:

  • the user does not exist in Shopify
  • you use Required or Specific users enforcement

When the user signs in to the Shopify admin for the first time, that user must do so through the identity provider, not through the Shopify login page.

The effect of removing a user's access through your identity provider depends on their user status. If you remove an active user's access to Shopify using your identity service provider, then they're suspended in your organization. If you permanently delete a user using your identity service provider, then they might be deleted from your organization, depending on your identity provider setup.

After adding the API token, when you add a new user who didn't previously exist in Shopify, either through your identity provider or through Organization Settings, the new user is set to pending status. If the user is required to log in using SAML, then they remain in pending status until they log in using your identity provider.

Role assignment in SCIM

After you complete SCIM configuration, you can optionally assign roles to SCIM users through your identity provider. Before you assign a role to a user, verify that the role exists in your organization. Existing SCIM users aren't updated if the role hasn't been created for your organization.

Assigning roles in supported identity service providers

Role assignment is supported in the Azure, OneLogin, and Okta apps. Role name creation and assignment differs for each identity provider.

Assigning roles in unsupported identity service providers

If your identity service provider doesn't have a Shopify Plus app, then you need to manually edit your SCIM configuration. Before you begin, verify that your identity service provider can add roles as a SCIM field.

To assign or update a SCIM user role, the JSON body in POST, PUT, and PATCH requests must include the following:

{
  "name": {
    "givenName": "given_name",
    "familyName": "family_name"
  },
  "userName": "email",
  "roles": [
    { "value": "role_name" }
  ]
}

The SCIM JSON body must include a key called roles. The roles key must be an array which includes a hash that stores the role name. If multiple role name hashes are provided, then only the last role name hash is used to assign a role. If the role name is invalid, or the SCIM JSON body doesn't match the above template, then roles aren't assigned or updated.
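The following is an added example, not Shopify's own code, showing how an integrator could build a request body matching the template above and check, before sending it, what role would actually be assigned under the rules just described (roles must be an array of hashes, only the last hash counts, and a role that hasn't been created in the organization isn't assigned). The role names and e-mail address are constructed sample data, and the validation logic is a reading of this page's text rather than Shopify's server-side implementation.

```python
"""Build and pre-check SCIM user bodies against the role-assignment rules above.

Added example (not Shopify's code). Role names, the e-mail address and the
set of "existing" roles are constructed sample data; the checks mirror the
page's wording, not Shopify's actual implementation.
"""
import json


def build_scim_user_body(given_name, family_name, email, role_names):
    """Return the JSON body for a SCIM POST/PUT/PATCH in the page's template shape.

    role_names is a list of role names. The page states that when several
    role hashes are sent only the last one is used, so callers normally
    send exactly one.
    """
    return {
        "name": {"givenName": given_name, "familyName": family_name},
        "userName": email,
        "roles": [{"value": name} for name in role_names],
    }


def validate_template(body):
    """True when the body carries every key the page's template requires."""
    name = body.get("name")
    return (
        isinstance(name, dict)
        and isinstance(name.get("givenName"), str)
        and isinstance(name.get("familyName"), str)
        and isinstance(body.get("userName"), str)
        and isinstance(body.get("roles"), list)
    )


def resolve_role(body, existing_roles):
    """Return the role name that would be assigned for this body, or None.

    Rules taken from the page:
      - "roles" must be an array containing at least one hash with "value"
      - with several hashes, only the last one is used
      - a role name that hasn't been created in the organization is not assigned
    """
    roles = body.get("roles")
    if not isinstance(roles, list) or not roles:
        return None
    for entry in roles:
        if not isinstance(entry, dict) or not isinstance(entry.get("value"), str):
            return None  # body doesn't match the template: nothing is assigned
    candidate = roles[-1]["value"]
    return candidate if candidate in existing_roles else None


if __name__ == "__main__":
    # Constructed sample: roles that have already been created in the organization.
    existing_roles = {"Store manager", "Marketing"}
    body = build_scim_user_body("Ada", "Lovelace", "ada@example.com",
                                ["Marketing", "Store manager"])
    print(json.dumps(body, indent=2))
    print("template ok:", validate_template(body))
    # Two hashes were sent, so only the last one ("Store manager") counts.
    print("assigned role:", resolve_role(body, existing_roles))
```

Running resolve_role on a body before the request goes out is a cheap way to catch the two silent failure modes the page describes: a roles value that isn't an array of hashes, and a role name that hasn't been created yet. Both produce no assignment on the Shopify side without an error in the body shape itself.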

Unassigning roles

To unassign a user role, use Organization Settings. Learn more about unassigning user roles in Shopify.

Remove SCIM integration

If you no longer require a SCIM integration, then you can remove it. This action can't be undone. If you need to reactivate your integration, then you need to generate a new API token.

Steps:

  1. From your Shopify admin, click Settings.
  2. In the Organization section, go to Users > Security.
  3. In the SCIM integration section, click ... beside the API token.
  4. Click Delete token.

Restrictions

Store owners and organization owners can't be removed through an identity service provider. Both types of ownership must be transferred before the user can be removed. If you need to change the store owner, then you can do so from your Shopify admin. If you need to change the organization owner, then contact Shopify Plus Support.
