The single sign-on feature (SSO) is available free of charge on select enterprise plans. If you are an enterprise customer and would like to enable SSO for your organization, get in touch with our sales team.
If your organization has the single sign-on (SSO) option enabled, on the Login page click on the "Login via SSO" link at the bottom.
Next, provide the SSO name of your organization. If you are not sure about the name, contact your organization administrator.
Log in via your corporate Identity Provider. Note that if you already had a valid Contentful account, at this point you will be prompted to confirm your email by clicking a link. This step binds your existing Contentful account to the corporate account.
After completing these steps, you should be successfully logged into Contentful. When you sign out of Contentful, you will be redirected to a dedicated SSO logout page. Bookmark this page for one-click access to Contentful in the future.
Contentful SSO works with all the Identity Providers supporting the SAML 2.0 protocol, including Okta, Ping Identity, Ping Federate, OneLogin, Microsoft Azure, Bitium, LastPass, Centrify, Clearlogin, Auth0, G Suite, and many others.
If you would like to provision SSO for your organization, please contact Contentful customer service.
To complete the setup, you will need to provide us with the following technical details from your Identity Provider*:
Once SSO is enabled on the Contentful side, your organization's SSO administrator will have to complete the setup process on the Identity Provider side, and ensure that any other relevant settings on internal networks and applications are updated to allow employees to access Contentful via SSO.
Additionally, your SSO administrator will need to map the user attributes required by Contentful with the corresponding user attributes in your Identity Provider. These attributes are named as follows:
Many identity providers will also ask you to configure the Name ID attribute. Contentful uses this attribute to identify your users on subsequent SSO log-ins. As a result, the Name ID should be mapped to a field that uniquely identifies your individual users, such as email address, employee number, or a unique user ID made available by your Identity Provider. Pick a value that stays constant for the lifetime of the account: if the mapped field changes (for example an email address after a name change), or the Identity Provider issues a transient Name ID that differs on every login, the next SSO login will not be recognised as the existing Contentful user.
* Note: Most of the required technical details are included in the metadata file provided by your Identity Provider. Your organization's SSO administrator should have access to this file.
Contentful customer service will assist you in setting up the SSO name for your organization. It's important to know that the SSO name has to conform to the following technical guidelines:
For security purposes, users accessing Contentful via SSO are confined to sessions of limited duration. The standard SSO session time is 12 hours. The administrator at your organization can extend or shorten this period according to internal needs and security policies, provided your Identity Provider supports the SessionNotOnOrAfter attribute (carried on the AuthnStatement of the SAML assertion). If your Identity Provider does not offer this feature, contact our customer service for assistance in configuring a custom SSO session duration.
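The Name ID mapping described above and the SessionNotOnOrAfter-driven session length can both be checked on a captured test login before users are cut over. The script below is an added example, not Contentful code: it reads a SAML assertion and reports the Name ID (flagging a transient one, which changes on every login and so cannot identify the user next time), the attributes delivered, and the session lifetime the IdP requested, falling back to the 12-hour default when the attribute is absent. It only inspects the XML and does not verify the signature, so it is a setup aid, never a production validator. The assertion and the attribute names (email, firstName, lastName) are constructed for illustration; the real attribute names are the ones Contentful lists.

```python
"""Inspect the assertion an IdP sends: stable NameID, attributes, session lifetime.

Added example, not Contentful code. It reads the assertion only and does NOT
verify the XML signature: use it on a test login during setup, never as a
production validator. Assertion content and attribute names are constructed.
"""
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (Signature, Conditions and Audience omitted for brevity).
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2024-05-06T08:00:00Z">
  <saml2:Issuer>https://idp.example.com/saml/metadata</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AuthnStatement AuthnInstant="2024-05-06T08:00:00Z"
      SessionNotOnOrAfter="2024-05-06T16:00:00Z" SessionIndex="_s1">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="email"><saml2:AttributeValue>jane.doe@example.com</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="firstName"><saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="lastName"><saml2:AttributeValue>Doe</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""

# Second constructed sample: an IdP issuing a transient NameID and no session lifetime.
MISCONFIGURED_ASSERTION = (
    SAMPLE_ASSERTION
    .replace('nameid-format:emailAddress">jane.doe@example.com',
             'nameid-format:transient">_a1b2c3d4')
    .replace('\n      SessionNotOnOrAfter="2024-05-06T16:00:00Z"', "")
)


def _ts(value: str) -> datetime:
    # SAML timestamps are UTC with a trailing 'Z'; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text: str, default_session_hours: float = 12.0) -> dict:
    """Return what the SP would learn from this assertion, plus setup warnings."""
    root = ET.fromstring(xml_text)
    tag = "{%s}Assertion" % NS["saml2"]
    assertion = root if root.tag == tag else root.find(".//saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element found")
    warnings = []

    # NameID is the key the SP uses to recognise the user on later logins.
    name_id_el = assertion.find("saml2:Subject/saml2:NameID", NS)
    name_id = (name_id_el.text or "").strip() if name_id_el is not None else ""
    fmt = name_id_el.get("Format", "") if name_id_el is not None else ""
    if not name_id:
        warnings.append("no NameID: the user cannot be matched on subsequent logins")
    elif fmt.endswith(":transient"):
        warnings.append("transient NameID changes every login; map it to a stable "
                        "identifier such as email or employee number")

    attributes = {}
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        attributes[attr.get("Name")] = [
            (v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)]

    # Session lifetime: SessionNotOnOrAfter relative to AuthnInstant, else the SP default.
    authn = assertion.find("saml2:AuthnStatement", NS)
    session_hours = default_session_hours
    if authn is not None and authn.get("SessionNotOnOrAfter"):
        delta = _ts(authn.get("SessionNotOnOrAfter")) - _ts(authn.get("AuthnInstant"))
        session_hours = delta.total_seconds() / 3600
        if session_hours <= 0:
            warnings.append("SessionNotOnOrAfter is not after AuthnInstant; session already expired")
    else:
        warnings.append("no SessionNotOnOrAfter: the SP default of %g h applies" % default_session_hours)

    return {"name_id": name_id, "name_id_format": fmt, "attributes": attributes,
            "session_hours": session_hours, "warnings": warnings}


if __name__ == "__main__":
    for label, doc in (("ok", SAMPLE_ASSERTION), ("misconfigured", MISCONFIGURED_ASSERTION)):
        print(label, check_assertion(doc))
```

Run it against an assertion captured from a browser's SAML tracer during a test login (the base64 SAMLResponse decoded to XML). The first sample yields an 8-hour session and no warnings; the second shows what a transient Name ID and a missing SessionNotOnOrAfter look like before they turn into "my users keep getting new accounts" tickets.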
Enabling SSO Restricted Mode prevents an organization's members from logging into Contentful via email or third-party services (GitHub, Google, and Twitter); the only permitted authentication method is SSO.
Restricted Mode comes with two caveats. The following types of users can continue logging into Contentful via email and third-party services even when the option is enabled:
Users who were logged into Contentful before Restricted Mode was enabled can continue using their current session and are forced to log in via SSO only after that session expires.
Note that Restricted Mode is an optional feature. To exempt external users from Restricted Mode, contact Contentful customer service with the list of users to be exempted from SSO login.
When a user with pending invitations from multiple Contentful organizations accepts an invitation from the organization with Restricted Mode, all other invitations are purged and the user is removed from other organizations. If the user wishes to be a member of multiple organizations, they have to accept the invitation from the non-SSO organization first, or be manually exempted from Restricted Mode in the SSO-enabled organization.
Deprovisioning a user on the IdP side has the immediate effect of preventing the user from logging into Contentful. However, the user will still be listed as a member of the Contentful organization, and incur user fees, until they are manually removed by the organization admin. Make that removal part of your offboarding checklist so that deprovisioned accounts do not linger as billable members.