FAQ / SSO x509 certificate expiration

Will my SSO be affected by this change?

Only SSO users who have enabled signature verification (aka fingerprint verification) for SAML authentication requests using Contentful’s current x509 certificate will be affected by this change.

Contentful SSO providers who allow signature verification, and therefore could be impacted, are as follows:

  • Microsoft Azure.

  • miniOrange.

  • Ping.

If you use one of the providers listed above and have NOT enabled signature verification, no action is required and the changes will not affect your SSO service for Contentful.

Providers who do not allow signature verification, and therefore will NOT be affected are as follows:

  • Okta.

  • OneLogin.

What is Contentful’s x509 certificate for SAML authentication requests valid until 1st November 2021?

Public key:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

SHA1 Fingerprint=1E:F9:24:A1:4C:C5:8F:AF:8A:15:4E:75:BC:82:9B:88:5E:A5:D4:55

What is Contentful’s x509 certificate for SAML authentication requests valid after 1st November 2021 and until September 2026?

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

You may also find it via https://be.contentful.com/sso/{YOUR-ORGANIZATION-ID}/metadata, where YOUR ORGANIZATION ID is the ID of your organization in Contentful.

To find your organization ID, navigate to the Organization Settings page and look in the browser URL.
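The following is an added example, not Contentful's own tooling: it extracts every certificate from a saved copy of the SSO metadata and prints SHA1 fingerprints in the same colon-separated form shown above, so you can compare them with the value configured in your Identity Provider. It assumes the metadata carries certificates in standard `ds:X509Certificate` elements; the sample metadata, its `entityID` and the function names are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample metadata. The certificate body is a placeholder
# (base64 of b"abc"), not a real certificate.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.invalid">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>YWJj</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def normalize_fingerprint(fp):
    """Drop a 'SHA1 Fingerprint=' label, colons and spaces; upper-case the hex."""
    fp = fp.split("=", 1)[-1]
    return "".join(c for c in fp if c not in ": \t").upper()


def metadata_fingerprints(metadata_xml):
    """Return the colon-separated SHA1 fingerprint of each certificate found."""
    root = ET.fromstring(metadata_xml)
    result = []
    for node in root.iter(f"{{{DS_NS}}}X509Certificate"):
        # The fingerprint is the hash of the DER bytes, i.e. the decoded base64 body.
        der = base64.b64decode("".join((node.text or "").split()))
        digest = hashlib.sha1(der).hexdigest().upper()
        result.append(":".join(digest[i:i + 2] for i in range(0, 40, 2)))
    return result


def idp_needs_update(configured_fp, metadata_xml):
    """True when the fingerprint configured at the IdP matches no metadata certificate."""
    wanted = normalize_fingerprint(configured_fp)
    return all(normalize_fingerprint(fp) != wanted for fp in metadata_fingerprints(metadata_xml))


if __name__ == "__main__":
    print(metadata_fingerprints(SAMPLE_METADATA))
    old = "SHA1 Fingerprint=1E:F9:24:A1:4C:C5:8F:AF:8A:15:4E:75:BC:82:9B:88:5E:A5:D4:55"
    print(idp_needs_update(old, SAMPLE_METADATA))  # old fingerprint is not in the sample
```

To use it on real data, download the metadata from the URL above over HTTPS, read the file into a string and pass it in place of `SAMPLE_METADATA`.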

How can I verify that the certificate change has worked?

Once the new certificate is in place, open the SSO login page at Contentful (NB: the Contentful page, not your Identity Provider login page) in an incognito browser window and log in to test whether the new certificate is accepted when authenticating your login.

Will users get signed out as a result of this change?

No, this will not affect users who are already signed in to Contentful via SSO.

Disruption can occur only if you have put Contentful’s x509 certificate into your Identity Provider system, enabled signature verification, and do not update the certificate to the new one on/by 1st November: your users will not be able to authenticate and will receive an authentication error.

When do I need to take action?

Urgent action is required if your organization has explicitly enabled signature verification (aka fingerprint verification) for SAML authentication requests using Contentful’s current x509 certificate. If your organization has not enabled signature verification for SAML authentication requests, then there will be no impact to your service when the new certificate is activated.

What if we are not able to make these changes before November 1st?

You may be able to disable the verification for SAML authentication requests in your Identity Provider admin dashboard. However, we do not endorse or recommend this course of action.
