X509 Certificate Expiration for SSO users [Action Required]
On 1 November 2021 at 10:00am CET, Contentful will make an important security update to our SSO (single sign-on) configuration.
We will replace the x509 certificate that we use to sign SSO login requests with a new certificate, in order to ensure we maintain the highest level of security for our customers.
Depending on how your organization has implemented SSO for Contentful, this may require you to update configuration settings in your Identity Provider to reflect this change. If you need to make these updates and do not, you will not be able to log in after 1st November.
SSO providers that support this feature and could be affected
- Microsoft Azure AD
- miniOrange
- Ping Identity
Urgent action is required if your organization has explicitly enabled signature verification (aka fingerprint verification) for SAML authentication requests using Contentful’s current x509 certificate.
To prevent issues with SSO login, make sure to specify Contentful’s NEW x509 certificate in your Identity Provider’s Admin dashboard and re-enable the verification on the 1st of November. If you would like to replace the certificate before the 1st of November 10:00am CET, contact our Support team via support@contentful.com, and we will arrange a mutually convenient time to switch you to the new certificate.
If your organization has not enabled signature verification for SAML authentication requests, then there will be no impact to your service when the new certificate is activated and no action is required.
SSO Providers that are not affected by this change
- Okta
- OneLogin
If you’re unsure of how your implementation has been configured, please contact your Security or IT teams to verify.
For more information on the transition process, and to check our current certificate, please check our FAQs for SSO and for the x509 certificate update process.