Single sign-on (SSO)

Is the single sign-on feature available for all customers?

The single sign-on feature (SSO) is available free of charge on select enterprise plans. If you are an enterprise customer and would like to enable SSO for your organization, get in touch with our sales team.

How do I sign into Contentful with my corporate credentials?

If your organization has the single sign-on (SSO) option enabled, on the Login page click on the "Login via SSO" link at the bottom.

Next, provide the SSO name of your organization. If you are not sure about the name, contact your organization administrator.

Login via your corporate Identity Provider. Note that if you already had a valid Contentful account, at this point, you will be prompted to confirm your email by clicking a link. This step helps to bind your existing Contentful account to the corporate account.

After completing these steps, you should be successfully logged into Contentful. When you sign out of Contentful, you will be redirected to a dedicated SSO logout page. Bookmark this page for one-click access to Contentful in the future.

What Identity Providers (IdP) does Contentful support?

Contentful SSO works with all the Identity Providers supporting the SAML 2.0 protocol, including Okta, Ping Identity, Ping Federate, OneLogin, Microsoft Azure, Bitium, LastPass, Centrify, Clearlogin, Auth0, G Suite, and many others.

How do I set up a single sign-on access for my organization?

If you would like to provision SSO for your organization, please contact Contentful customer service.

Contentful Service Provider Configuration

To complete the setup, you will need to provide us with the following technical details from your Identity Provider*:

• Entity ID: the unique ID of your organization on your Identity Provider, used in the single sign-on authentication flow
• SSO Service URL: URL of the SSO endpoint specified by your Identity Provider, for example, ttps://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=idpid
• SLO target URL (optional): the logout URL specified by your Identity Provider, for example, https://sso.connect.pingidentity.com/sso/initslo/?page=landing-page-url
• Signing certificate: a valid X.509 public signing certificate provided by your Identity Provider, used to sign SSO responses. Note that a SHA fingerprint of your certificate is also acceptable.

Identity Provider Configuration

Once SSO is enabled on the Contentful side, your organization's SSO administrator will have to complete the setup process on the Identity Provider side as well as ensure that any other relevant settings on internal networks and applications are updated to allow employees access Contentful via SSO.

Additionally, your SSO administrator will need to map the user attributes required by Contentful with the corresponding user attributes in your Identity Provider. These attributes are named as follows:

• givenName: the given name (or first name) of the user
• surname: the surname (or last name) of the user
• email: the email address of the user

* Note: Most of the required technical details are included in the metadata file provided by your Identity Provider. Your organization's SSO administrator should have access to this file.

What SSO name can I choose for my organization?

Contentful customer service will assist you in setting up the SSO name for your organization. It's important to know that the SSO name has to conform to the following technical guidelines:

• has to be composed in lowercase
• use only the following symbols 0-9, a-z, and =-_~\/
• contain no spaces
• be unique across all Contentful organizations

Why do I get signed out of Contentful when using a single sign-on?

For security purposes, users accessing Contentful via SSO are confined to sessions of a limited duration. The standard SSO session time is set at 12 hours, but the administrator at your organization can extend or shorten this period, provided your identity provider supports the sessionNotOnOrAfter parameter, according to internal needs and security policies. If your Identity Provider does not offer this feature, contact our customer service for assistance in configuring a custom SSO session duration.

How does SSO Restricted Mode work?

Enabling SSO Restricted Mode prevents organization's members from logging into Contentful via email or third-party services (Github, Google, an Twitter); the only permitted authentication method is via SSO.

Restricted Mode comes with two caveats. The following types of users can continue logging into Contentful via email and third-party services even when the option is enabled:

• users who are owners of the organization
• users who belong to more than one Contentful organization
• users outside of your organization (for example, freelance contributors) explicitly exempted from Restricted Mode

Users who were logged into Contentful before Restricted Mode is enabled can continue using Contentful and are forced to login via SSO only after the current session expires.

Note that Restricted Mode is an optional feature. To exempt external users from Restricted Mode, contact Contentful customer service with the list of users to be exempted from SSO login.

How are invited users affected by the use of a single sign-on?

When a user with pending invitations from multiple Contentful organizations accepts an invitation from the organization with Restricted Mode, all other invitations are purged and the user is removed from other organizations. If the user wishes to be a member of multiple organizations, she has to accept the invitation from the non-SSO organization first or be manually exempted from Restricted Mode in the SSO-enabled organization.

How do I deprovision users?

Deprovisioning a user on the IdP side will have an immediate effect of preventing the user from logging into Contentful. However, the user will still be listed as a member of the Contentful organization - and incur user fees - until he is manually removed by the organization admin.