Talk Handout · SCD 2026

Identity & Access Management in Shopware

One identity, every door. A practical look at how modern logins, identity providers and protocols make access simpler, safer and ready for the real world.

Fewer passwords, fewer problems

Humans are bad at passwords. We reuse them, we forget them, and every additional one we are asked to remember is one more secret that can be phished, leaked or written on a sticky note. The most effective way to make logins safer is therefore not a stricter password policy. It is reducing the number of passwords people need in the first place.

That is what identity & access management does: one trusted identity, reused across every system, so the question stops being “what was my password again?” and becomes “why am I not already logged in?” Below are the building blocks and the points where we already bring them to Shopware 6.

Go deeper

Want to look under the hood? Start with our open-source plugin, then read the standards it builds on:

Same effort, very different reach

Creating a classic administration account and wiring up a standards-based login requires roughly the same six pieces of information. One of them only ever serves a single app, the other can serve all of them.

Classic account

A Shopware administration account

Roughly six fields to fill in:

  • First name, last name and e-mail address
  • Username, password and permissions

And then again …

  • for every account and every environment
  • still needs two pieces of info to actually log in

Works everywhere

An OpenID Connect based login

Also about six inputs:

  • Name, permissions and scopes
  • OpenID config, client ID and client secret

But this time …

  • set up once per audience and environment
  • a single click or an auto-redirect logs the user in

We bring this to Shopware 6

This is not just theory: we ship it in both directions. With our free SSO Admin Login plugin, your team signs in to the Shopware 6 administration with the identity they already have, through Microsoft Entra (Azure AD) and other OAuth2 providers. No separate admin password to create, rotate or lose.

And the other way round: our Shopware as an OAuth provider extension lets your customers reuse their shop account to sign in to third-party services. A “Log in with your brand” button you own end to end.

Done right, the move is seamless for existing users too: customers keep their accounts and transition to the new login without disruption.

OAuth, both ways


The language of identity

A quick reference for the terms that keep coming up when people talk about logins, identity providers and access management.

SSO – Single Sign-On
Log in once, stay logged in everywhere. One authenticated session is trusted by every connected application, so users never re-enter credentials when they move from your shop to the helpdesk to the admin panel – one identity instead of a separate account per tool.
IdP – Identity Provider
The single system that knows who everyone is and issues the tokens the other applications trust. Use a managed one in the cloud (Microsoft Entra, Google Workspace, Okta, cidaas …) or run your own. Keycloak is the classic self-hosted choice when you want the data to stay on your servers.
Workforce Identity Management
The logins of your own employees and administrators – joiners, movers and leavers. The value is governance: who may access what, and access that is revoked the moment someone leaves.
Customer Identity Management
The logins of your customers, usually at a far larger scale. Here the priorities are a frictionless sign-up, self-service and one account that works across shop, support and services.
OAuth 2.0 & OpenID Connect
OAuth 2.0 is a delegated authorization framework: an application is granted limited, scoped access on a user’s behalf without ever seeing their password. OpenID Connect adds an authentication layer on top, so the app also learns who the user is. Together they power most modern “Log in with …” buttons – and the flow our Shopware plugin uses.
SAML
An older but rock-solid standard that exchanges identity assertions as XML, usually relayed through the visitor’s browser. Still the default in many enterprise and Workforce SSO setups.
SCIM
Keeps users and groups in sync automatically: when someone is added, changed or disabled in your IdP, SCIM provisions or de-provisions them in the connected applications – without maintaining each account by hand.
cXML / OCI PunchOut
Procurement protocols rather than pure login standards, and they work both ways: your shop can be the catalogue that buyers punch into from their own procurement system, or your shop can punch out into a supplier’s catalogue. Either way the identity travels along, so every basket and order stays tied to the right person.

What you can do with it

Identity is not an abstract security topic – it shows up in onboarding, in warehouses, at the front door and in the systems that talk to each other on their own.

1. Host your own IdP

Your data, your control, your sovereignty – it stays close to your own servers. Host your own tools and let users sign in to all of them with the same login they already use in the shop.

2. FIDO2 with a hardware token

Store the login credential on a hardware token such as a YubiKey, so that your fingerprint can be the login. The same idea reaches into the physical world with customer account cards that unlock venues people bought access to online.

3. Use logins in the real world

Doors, MDM and WiFi run on the same identity: the same login that opens a door also unlocks the network behind it. A new MacBook recognises who you are at onboarding and installs what you need up front – UniFi and cidaas integrate neatly into real life.

4. Service accounts with OAuth2

Identities do not have to be human. Service accounts that act on behalf of a role can use the very same protocols – OAuth2 included – to authenticate.

5. Chain identity providers

Want to use Keycloak but already live in Microsoft? Google Workspace but need Microsoft too? Many providers can hand the login off to another provider, so you can connect what you already have.

6. Time-based policies

Use time-based rules for automated off-boarding or self-onboarding – access that grants and revokes itself when it should.

Ask yourself

The next time a login slows you down, two questions are worth keeping in mind:

  • Why am I not yet logged in?
  • What data do I actually have?

If the answer is “because identity wasn’t designed in from the start”, that is exactly where we can help.

Stay in contact

Questions about identity & access management for your shop or organisation?

Talk to us

+49 421 20 55 00

info@heptacom.de

Contact

Whether Teams call or face-to-face, we are ready for your Shopware project! Feel free to send us an email or give us a call.

HEPTACOM in Bremen


HEPTACOM GmbH
Am Tabakquartier 62
28197 Bremen

HEPTACOM in Berlin


HEPTACOM GmbH
Torstraße 177
10115 Berlin

HEPTACOM in Dresden


ANTAvent Solutions GmbH
Lohrmannstraße 20
01237 Dresden