SSO & user roles

One login. Built for teams.

Give every buyer a single sign-on into your Pocketknife portal, then control exactly what each person can see and do. Custom roles map to the permissions that matter, and apply per company location, so a branch admin and an ordering-only buyer get very different portals from the same store.

Sign in your buyers' way
Passwords
Magic links
One-time codes
Passkeys
Biometrics
Authenticator apps
MFA
Social logins
OpenID Connect
SAML SSO
Google Microsoft Apple GitHub LinkedIn Facebook and more
Why it matters

Your customers have many people. They shouldn't share a login.

When a whole account signs in as one user, everyone can do everything and you can't tell who did what. Single sign-on plus roles gives each buyer their own login and only the access their job needs, without you managing passwords.

Single sign-on

One login for every buyer.

Buyers sign in through single sign-on rather than juggling extra passwords for your store, so access is quick and centrally controlled.

  • SAML, OpenID Connect and social logins.
  • Works with Shopify customer accounts.
  • Passwordless, magic links, passkeys and MFA.
Custom roles

Roles that match how you sell.

Build roles from a clear list of permissions and assign them to users, so each person gets exactly the portal their job needs.

  • Orders, invoices, quotes and approvals.
  • Pricing, users, roles and budgets.
  • Reusable across everyone on the account.
Per-location control

Access scoped to each location.

Permissions apply per company location, so one person can be an admin at one branch and ordering-only at another under the same account.

  • Per company location access.
  • Different roles per branch.
  • Invite and revoke from the portal.
How access is decided

From sign-in to the exact portal a buyer should see.

Every request is checked against the signed-in user's role for the location they are working in, so access stays correct as teams change.

1. Sign in

The buyer signs in once.

Buyers authenticate through single sign-on using your OpenID Connect identity provider or Shopify customer accounts, with a one-time code as a fallback.

2. Match account

They resolve to their company and location.

The user is matched to their B2B company and the location or locations they belong to, so context is set before anything loads.

3. Apply role

Their role decides what appears.

The role assigned for that location determines which pages and actions show, from viewing orders to approving quotes or managing users.

4. Manage centrally

Admins keep it current.

Account admins invite users, assign roles and revoke access from the portal, so leavers and new starters are handled without a support ticket.

A better way to manage access

Roles and SSO versus one shared account login.

Many B2B stores still hand a whole account one login, which is impossible to control and impossible to audit.

Capability
Shared login
Storefront default
Pocketknife
Sign-in
One password for everyone.
Per person, but no roles.
Single sign-on per person, no extra passwords.
Permissions
Everyone can do everything.
All or nothing.
Custom roles for orders, quotes, pricing, users and more.
Per-location access
Not possible.
Not really.
Different roles per company location.
Adding and removing people
Reshare the password.
Manual and limited.
Invite, assign a role and revoke from the portal.
SSO & user roles FAQ

What to know about login and permissions.

Answers for Shopify Plus B2B teams giving buyers single sign-on and role-based access across company locations, with orders, invoices and pricing tied to ERPs like Pronto Xi, Business Central, Apparel21, ASW, Exact and Oracle E-Business Suite.

How do buyers sign in to the portal?

Buyers sign in with single sign-on. Pocketknife uses OpenID Connect and Shopify customer accounts, with a one-time email code available as a fallback, so there is no separate password to manage.

Do you support SAML?

Yes. We support SAML and OpenID Connect single sign-on, plus social logins, so buyers can sign in with your existing identity provider or the accounts they already have.

Can we use our own identity provider?

Yes. Sign-in can delegate to an OpenID Connect identity provider so buyers authenticate against your existing directory before entering the portal.

Do buyers need a separate password for our store?

No. Single sign-on and one-time codes mean buyers do not create or manage another password just for the portal.

What are user roles?

A role is a named set of permissions. You build roles from permissions like viewing orders, approving orders, requesting quotes, seeing pricing and managing users, then assign them to people.

What can a role control?

Roles control access to orders, invoices, quotes and quote approvals, order approvals, pricing, recurring orders, budgets, and user and role management, so each person sees only what they should.

Can access differ per branch or location?

Yes. Roles are assigned per company location, so the same person can be a location admin at one branch and ordering-only at another under the same account.

Who can manage users and roles?

Only users whose role includes managing users and managing roles can invite people, change roles or remove access, so account administration stays in the right hands.

Can we invite our own users?

Yes. Account admins invite users by email, assign a role for the relevant location and send a welcome email, all from the portal.

Can we remove someone's access?

Yes. Access can be revoked for a single location or across the whole company, so leavers lose access immediately without changing anyone else's login.

Does this work for accounts with many buyers?

Yes. Roles and per-location access are built for B2B companies with multiple buyers, approvers and branches signing in to the same store.

Are permissions actually enforced?

Yes. The signed-in user's role is checked on every request, so permissions are enforced on the pages and actions, not just hidden in the menu.

Give every buyer one login. Built for teams.

We will set up single sign-on and the custom roles your accounts need, scoped per location, so buyers get a clean portal and you keep control of who can do what.

Talk through SSO and roles