How to Achieve SSO (Single Sign-On) Between Shopify and an External Website?

Hi Shopify Community,

I would like to seek advice on how we can implement a Single Sign-On (SSO) solution between our Shopify store and an external website (built outside of Shopify). We are using Customer Legacy Account in Shopify.

Specifically, we are looking to achieve the following behavior:

  1. When a customer logs in on our external website, they are automatically logged into our Shopify store as well without needing to log in again.

  2. Vice versa, when a customer logs in via our Shopify store, the external website session is also authenticated automatically.

In other words, we want both platforms to share the same user session, so that login from one system reflects on the other seamlessly.

Questions:

  • What are the possible approaches to implement this?

  • Does Shopify support session sharing or authentication token exchange with an external system?

  • Is there an official Shopify-supported SSO flow for Legacy/Classic Customer accounts (not staff/admin accounts)?

  • Can Shopify Legacy Customer Accounts (Classic/Legacy) support OAuth, JWT, or OpenID Connect integrations?

  • Are there any API limitations or security considerations we should be aware of?

Additional Context:

  • We are using Customer Legacy Account in Shopify.

  • Our external website has its own user authentication system.

  • We are looking for the most secure, scalable, and Shopify-compliant method to synchronize logins between the two platforms.

  • Logout synchronization is also something we are considering—i.e., logging out from one platform should log out from the other.

I researched that Multipass is an option to achieve this, but I cannot confirm whether it will achieve all the behavior listed above. Any advice, experiences, or suggestions from the community or Shopify staff would be greatly appreciated.

Thank you very much!

Hey @RKRX

You’re tackling a tricky corner of Shopify that a lot of people bump into when trying to build real SSO between Shopify and an external site. Let’s break this down piece by piece:

1. Does Shopify natively support session sharing for Customer (Legacy/Classic) accounts?
Short answer: No. Shopify does not have built-in session sharing with external sites for customer accounts. The only official method that comes close is Multipass — but there’s a catch:

  • Multipass is only available on Shopify Plus plans.

  • It only works for logging customers into Shopify from an external identity provider — not the other way around.

  • There’s no direct way to push a Shopify login session back to your external site automatically.

2. What about OAuth, JWT, or OpenID Connect?

  • Legacy Customer Accounts in Shopify don’t expose OAuth or OpenID for customer login like you’d see on modern custom apps.

  • Shopify’s OAuth is for app installations — not customer logins.

  • There’s no built-in JWT token handshake for customer sessions either.

So you can’t just plug in an external OAuth provider and expect Shopify to handle it.

3. Is there any workaround?
Some brands get creative:

  • Use Multipass to bring users from your external site INTO Shopify seamlessly (if you’re on Plus).

  • Set up your external site as the primary login — handle all authentication there, and use Multipass to generate a secure redirect that logs them into Shopify.

  • Vice versa — when they log out on your external site, hit Shopify’s logout URL too, to clear both sessions.

But going the other way (logging into Shopify first, then passing that session back to your external site) is basically a no-go unless you build custom middle layers:

  • Shopify won’t share raw session cookies or customer passwords (for obvious security reasons).

  • You’d need to build a custom app that listens for customer login events (webhooks), but you still can’t pull the customer’s password to log them in elsewhere.

4. Is this secure & Shopify-compliant?
Multipass is the only officially supported flow for this scenario. Anything else means custom middleware, token brokers, or iframe-based hacks — all of which get messy and risky fast.

5. Does logout sync work?
Not out-of-the-box. You’d need to script it yourself: when your external site logs out, hit /account/logout on Shopify via a redirect or embedded iframe. Same for the reverse, but there’s no official webhook to detect customer logout in Shopify — so you’d probably have to use session expiry or custom theme scripts.

Final thoughts

  • If you’re on Shopify Plus — Multipass is your only legit option.

  • If you’re not on Plus — there’s no official, secure, or reliable SSO method for customers.

  • Most stores pick one source of truth for login — usually the external site — and just push customers into Shopify with Multipass or a customer creation API + forced redirect.

TL;DR:

  • Shopify = not a true Identity Provider.

  • You need Shopify Plus + Multipass to get halfway there.

  • Full two-way SSO is not feasible without heavy custom engineering (and it still won’t be fully supported).

Hope this works!

Hello @RKRX,

Based on the detailed requirement, I can understand that you are looking to perform Single Sign-On (SSO) between your Shopify Store and your external site (or Identity Provider) while using Shopify’s Legacy Customer Accounts.

I would like to confirm that this is completely possible using our miniOrange Shopify Single Sign-On solution (miniOrange Single Sign On‑SSO - Shopify Single Sign-On (SSO) - Login with Okta, Entra ID... | Shopify App Store). With this solution, once users are authenticated against their IDP credentials, they will be able to log in to the Shopify store, and a user account will be created in Shopify without having to log in separately.

Since you mentioned that your external website has its own user authentication system, we could potentially use it as the Identity Provider (IdP), where all user identities are stored. If the external site supports standard user authentication protocols such as SAML, OAuth, or JWT, we can use one of these protocols to configure SSO between your external site and the Shopify store using legacy accounts and your existing authentication system.

Using our SSO solution, you can also achieve session sharing between Shopify and an external site, enabling authentication token exchange across both platforms. SSO flows for Legacy/Classic Customer Accounts on Shopify Plus and non-Plus stores are fully supported using this solution. Additionally, Shopify Legacy Customer Accounts (Classic/Legacy) can be made compatible with OAuth, JWT, or OpenID Connect integrations through the same approach.

To add more context, since you are using Shopify Legacy Customer Accounts, our SSO solution allows you to integrate those accounts with your external website as the Identity Provider (IdP), enabling users to log in to Shopify using their existing IdP credentials. This ensures a secure and seamless login experience across both platforms. Furthermore, we can configure Single Logout (SLO), ensuring that user sessions are terminated on both Shopify and the external website when logging out from either.

TL;DR:

  • Yes, Single Sign-On (SSO) between your Shopify store (using Legacy Customer Accounts) and your external site is fully possible using the miniOrange SSO app.
  • We support integration with standard protocols like SAML, OAuth, JWT, and can enable session sharing, Single Logout (SLO), and seamless user login across both platforms.
  • We would be glad to assist you further. Please drop us an email at ecommercesupport@xecurify.com.

Hi there,

You’re essentially looking to implement true SSO between Shopify Customer Accounts (Legacy) and an external authentication system. Here are some points to help clarify:

1. Shopify Legacy Customer Accounts

  • Unfortunately, Legacy/Classic Customer Accounts don’t support modern SSO standards like OAuth, OpenID Connect, or JWT.

  • Shopify doesn’t provide a direct API to “log in” a customer from an external session — login is handled via Shopify’s native auth flow.

2. Multipass Login (Shopify Plus only)

  • Multipass is the closest official solution Shopify offers for this scenario, but it’s only available on Shopify Plus.

  • It allows you to authenticate users on your external site, then generate a secure Multipass token to log them into Shopify without entering credentials again.

  • Key note: Multipass is one-way (external → Shopify). It doesn’t automatically propagate logins or logouts back to your external site if the user signs in/out directly on Shopify.

  • Logout synchronization (Shopify → external) isn’t built in — you’d need custom handling via scripts or external API endpoints.

3. Alternative Approaches (if not on Plus)

  • Without Multipass, the most practical solution is to choose a primary identity provider (usually the external website’s auth system) and then:

    • Sync customer accounts via the Admin API (create/update customers when users sign up externally).

    • Deep-link into Shopify’s login flow if they need to access the storefront.

  • True session sharing (auto-login both ways) is not supported natively in Legacy accounts.

4. Customer Accounts (New System)

  • Shopify has been rolling out the new Customer Accounts system which is powered by Shopify’s own Identity platform and does use OpenID Connect.

  • If migrating is possible, this would give you a much more flexible and future-proof path to integrate SSO between systems.

5. Security Considerations

  • Be careful about attempting to “inject” sessions or share cookies — this would violate Shopify’s security model.

  • The only compliant path for auto-login is Multipass (Plus) or the new Customer Accounts system.

Thanks
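
The one-way Multipass flow that the replies above describe (the external site authenticates the user, then issues a token that logs them into Shopify), as an added example that is not part of any post in this thread. It follows the token format in Shopify's Multipass documentation (SHA-256 key derivation, AES-128-CBC, HMAC-SHA256); the secret, shop domain and function names are constructed placeholders, and `multipass_open` is a local mirror of the receiving side for testing, not Shopify's code.

```ruby
require "openssl"
require "json"
require "time"

# Constructed placeholders: a real secret comes from the store's Multipass
# settings and stays server-side on the external site.
MULTIPASS_SECRET = "constructed-demo-secret"
SHOP_DOMAIN      = "example-store.myshopify.com"

# SHA-256(secret) is split into a 16-byte AES key and a 16-byte HMAC key.
def multipass_keys(secret)
  material = OpenSSL::Digest.new("SHA256").digest(secret)
  [material[0, 16], material[16, 16]]
end

# Token = urlsafe_base64(IV || AES-128-CBC(customer JSON) || HMAC-SHA256).
def multipass_token(secret, customer, now: Time.now.utc)
  enc_key, sig_key = multipass_keys(secret)
  payload = customer.merge("created_at" => now.iso8601).to_json
  cipher = OpenSSL::Cipher.new("aes-128-cbc").encrypt
  cipher.key = enc_key
  iv = cipher.random_iv
  ciphertext = iv + cipher.update(payload) + cipher.final
  signature = OpenSSL::HMAC.digest("SHA256", sig_key, ciphertext)
  [ciphertext + signature].pack("m0").tr("+/", "-_")
end

# Local mirror of the receiving side, for testing an integration only:
# check the HMAC first, decrypt only if it matches, return nil otherwise.
def multipass_open(secret, token)
  enc_key, sig_key = multipass_keys(secret)
  raw = token.tr("-_", "+/").unpack1("m")
  return nil if raw.bytesize < 64 # IV + one AES block + 32-byte HMAC
  ciphertext, signature = raw[0...-32], raw[-32, 32]
  expected = OpenSSL::HMAC.digest("SHA256", sig_key, ciphertext)
  return nil unless OpenSSL.secure_compare(expected, signature)
  decipher = OpenSSL::Cipher.new("aes-128-cbc").decrypt
  decipher.key = enc_key
  decipher.iv = ciphertext[0, 16]
  JSON.parse(decipher.update(ciphertext[16..-1]) + decipher.final)
end

# The external site redirects the already-authenticated user here.
def multipass_login_url(shop, token)
  "https://#{shop}/account/login/multipass/#{token}"
end
```

The email inside a valid token is what identifies the customer on the Shopify side, so the external site should issue a token only for an address it has verified itself.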