SSO & user roles FAQ
What to know about login and permissions.
Answers for Shopify Plus B2B teams giving buyers single sign-on
and role-based access across company locations, with orders,
invoices and pricing tied to ERPs like Pronto Xi, Business
Central, Apparel21, ASW, Exact and Oracle E-Business Suite.
How do buyers sign in to the portal?
Buyers sign in with single sign-on. Pocketknife uses OpenID
Connect and Shopify customer accounts, with a one-time email
code available as a fallback, so there is no separate password
to manage.
Do you support SAML?
Yes. We support SAML and OpenID Connect single sign-on, plus
social logins, so buyers can sign in with your existing identity
provider or the accounts they already have.
Can we use our own identity provider?
Yes. Sign-in can delegate to an OpenID Connect identity provider
so buyers authenticate against your existing directory before
entering the portal.
Do buyers need a separate password for our store?
No. Single sign-on and one-time codes mean buyers do not create
or manage another password just for the portal.
What are user roles?
A role is a named set of permissions. You build roles from
permissions like viewing orders, approving orders, requesting
quotes, seeing pricing and managing users, then assign them to
people.
What can a role control?
Roles control access to orders, invoices, quotes and quote
approvals, order approvals, pricing, recurring orders, budgets,
and user and role management, so each person sees only what they
should.
Can access differ per branch or location?
Yes. Roles are assigned per company location, so the same person
can be a location admin at one branch and ordering-only at
another under the same account.
Who can manage users and roles?
Only users whose role includes managing users and managing roles
can invite people, change roles or remove access, so account
administration stays in the right hands.
Can we invite our own users?
Yes. Account admins invite users by email, assign a role for the
relevant location and send a welcome email, all from the portal.
Can we remove someone's access?
Yes. Access can be revoked for a single location or across the
whole company, so leavers lose access immediately without
changing anyone else's login.
Does this work for accounts with many buyers?
Yes. Roles and per-location access are built for B2B companies
with multiple buyers, approvers and branches signing in to the
same store.
Are permissions actually enforced?
Yes. The signed-in user's role is checked on every request, so
permissions are enforced on the pages and actions, not just
hidden in the menu.