FAQ / Single sign-on (SSO)
How do I sign into Contentful with my corporate credentials?
If your organization has the single sign-on (SSO) option enabled, click the "Login via SSO" link at the bottom of the Login page.
Next, provide the SSO name of your organization. If you are not sure about the name, contact your organization administrator.
Log in via your corporate Identity Provider. Note that if you already had a valid Contentful account, you will be prompted at this point to confirm your email by clicking a link. This step binds your existing Contentful account to the corporate account.
After completing these steps, you should be successfully logged into Contentful. When you sign out of Contentful, you will be redirected to a dedicated SSO logout page. Bookmark this page for one-click access to Contentful in the future.
How can I disable SSO access for my organization?
To disable SSO for your organization, please contact Contentful customer support.
Is the single sign-on feature available for all customers?
The single sign-on (SSO) feature is available free of charge to all enterprise customers on current plans. To enable SSO for your organization, navigate to the SSO configuration option in Organization settings and follow the guided setup process. This option is accessible to your organization administrator.
What Identity Providers (IdP) does Contentful support?
Contentful SSO works with all Identity Providers that support the SAML 2.0 protocol, including Okta, Microsoft Azure AD, OneLogin, Ping Identity, Auth0 and G Suite.
Search for predefined Contentful SAML 2.0 integrations in these IdPs:
Microsoft Azure AD
Why do I get signed out of Contentful when using a single sign-on?
For security purposes, users accessing Contentful via SSO are confined to sessions of a limited duration. The standard SSO session time is set at 12 hours, but the administrator at your organization can extend or shorten this period, provided your identity provider supports the sessionNotOnOrAfter parameter, according to internal needs and security policies. If your Identity Provider does not offer this feature, contact our customer support for assistance in configuring a custom SSO session duration.
How do I set up a single sign-on access for my organization?
Your organization admin can request SSO within the web app. They will first need to select an SSO provider, as the provider name and details will be needed when setting SSO up within Contentful.
If SSO has never been set up before, a first-time prompt screen will appear. Follow the instructions given; the setup process is straightforward and easy.
NOTE: You can leave the setup page and return to continue where you left off at any time.
1. Contentful Service Provider Configuration
Fill in the form to provide us with details about your selected SSO provider, redirect URL and X.509 certificate.
SSO Service URL: URL of the SSO endpoint specified by your Identity Provider, for example, https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=idpid
Signing certificate: a valid X.509 public signing certificate provided by your Identity Provider, used to sign SSO responses.
NOTE: If you would like to set up a SHA fingerprint of your certificate, contact our customer support.
2. Identity Provider Configuration
Once SSO is enabled on the Contentful side, your organization's SSO administrator will have to complete the setup process on the Identity Provider side and ensure that any other relevant settings on internal networks and applications are updated to allow employees to access Contentful via SSO.
Additionally, your SSO administrator will need to map the user attributes required by Contentful with the corresponding user attributes in your Identity Provider. These attributes are named as follows:
- givenName: the given name (or first name) of the user
- surname: the surname (or last name) of the user
- email: the email address of the user
Many identity providers will also ask you to configure the Name ID attribute. Contentful uses this attribute to identify your users on subsequent SSO log-ins. As a result, the Name ID should be mapped to a field that uniquely identifies your individual users, such as email address, employee number, or a unique user ID made available by your Identity Provider.
NOTE: Most of the required technical details are included in the metadata file provided by your Identity Provider. Your organization's SSO administrator should have access to this file.
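The following is an added example, not Contentful's own code: a check an SSO administrator could run on a decoded assertion from their IdP to confirm the attribute mapping and Name ID described above, and to read the session length the IdP requests. It assumes the assertion is already base64-decoded XML, uses a constructed sample, does not verify the signature, and treats attribute names as exact-match (an assumption); `SessionNotOnOrAfter` is the SAML 2.0 `AuthnStatement` attribute behind the session parameter mentioned earlier.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("givenName", "surname", "email")  # attribute names listed above

# Constructed, unsigned sample assertion; note the mis-cased "Surname".
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID>e-10423</saml:NameID></saml:Subject>
 <saml:AuthnStatement AuthnInstant="2024-05-01T08:00:00Z"
                      SessionNotOnOrAfter="2024-05-01T16:00:00Z"/>
 <saml:AttributeStatement>
  <saml:Attribute Name="givenName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Surname"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(value):
    # SAML timestamps are UTC with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(xml_text):
    """Return (findings, session_hours) for one decoded SAML assertion."""
    root = ET.fromstring(xml_text)
    findings = []
    if not (root.findtext(".//saml:NameID", "", NS) or "").strip():
        findings.append("NameID missing or empty")
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", "", NS) or ""
        attrs[attr.get("Name", "")] = value.strip()
    for name in REQUIRED:
        if attrs.get(name):
            continue
        # Assumption: names must match exactly, so point out near misses.
        near = [n for n in attrs if n != name and n.lower() == name.lower()]
        hint = f" (IdP sends {near[0]!r})" if near else ""
        findings.append(f"attribute {name!r} missing or empty{hint}")
    stmt = root.find(".//saml:AuthnStatement", NS)
    hours = None  # stays None when the IdP sets no session limit
    if stmt is not None and stmt.get("SessionNotOnOrAfter") and stmt.get("AuthnInstant"):
        delta = _ts(stmt.get("SessionNotOnOrAfter")) - _ts(stmt.get("AuthnInstant"))
        hours = delta.total_seconds() / 3600
    return findings, hours

if __name__ == "__main__":
    print(check_assertion(SAMPLE))
```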
Test the connection
Once you have completed the above, you should be presented with a screen that has a button to test the connection. Clicking the button takes you to the IdP login screen. After logging in, you will be returned to the setup page, which will now indicate the pass/fail status of the setup.
3. SSO name and confirmation
Wrap up the setup process by entering your SSO name. The SSO name has to conform to the following requirements:
- be composed in lowercase
- use only the following symbols: 0-9, a-z, and =-_~\/
- contain no spaces
- be unique across all Contentful organizations
Confirm the enabling of SSO in the dialog box that follows to complete the SSO setup.
How does SSO Restricted Mode work?
Enabling SSO Restricted Mode prevents your organization's members from logging into Contentful via email or third-party services (GitHub, Google, and Twitter); the only permitted authentication method is SSO.
NOTE: Restricted Mode is an optional feature. Contact our customer support with the list of users to exempt from SSO login.
Restricted Mode comes with two caveats. The following types of users can continue logging into Contentful via email and third-party services even when the option is enabled:
- Owners of the organization.
- Those who belong to more than one organization.
- Those outside of your organization (for example, freelance contributors) are explicitly exempted from Restricted Mode.
Users who were logged into Contentful before Restricted Mode is enabled can continue using Contentful and are forced to log in via SSO only after the current session expires.
How are invited users affected by the use of a single sign-on?
When a user with pending invitations from multiple Contentful organizations accepts an invitation from the organization with Restricted Mode, all other invitations are purged and the user is removed from other organizations. If the user wishes to be a member of multiple organizations, they have to accept the invitation from the non-SSO organization first or be manually exempted from Restricted Mode in the SSO-enabled organization.
How do I deprovision users?
Deprovisioning a user on the IdP side will have an immediate effect of preventing the user from logging into Contentful. However, the user will still be listed as a member of the Contentful organization - and incur user fees - until they are manually removed by the organization admin.
NOTE: If your organization has not enabled Restricted Mode, users will be able to log in with their login credentials.