Single sign-on (SSO)

Is the single sign-on feature available for all customers?

The single sign-on feature (SSO) is available free of charge on all enterprise customers on current plans. To enable SSO for your organization, navigate to the SSO configuration option in Organization settings and follow the guided setup process. This option is accessible by your organization administrator.

How do I sign into Contentful with my corporate credentials?

If your organization has the single sign-on (SSO) option enabled, on the Login page click on the "Login via SSO" link at the bottom.

Single sign-on login

Next, provide the SSO name of your organization. If you are not sure about the name, contact your organization administrator.

Single sign-on login

Login via your corporate Identity Provider. Note that if you already had a valid Contentful account, at this point, you will be prompted to confirm your email by clicking a link. This step helps to bind your existing Contentful account to the corporate account.

Single sign-on login

After completing these steps, you should be successfully logged into Contentful. When you sign out of Contentful, you will be redirected to a dedicated SSO logout page. Bookmark this page for one-click access to Contentful in the future.

Single sign-on login

What Identity Providers (IdP) does Contentful support?

Contentful SSO works with all the Identity Providers supporting the SAML 2.0 protocol, including Okta, Ping Identity, Ping Federate, OneLogin, Microsoft Azure, Bitium, LastPass, Centrify, Clearlogin, Auth0, G Suite, and many others.

How do I set up a single sign-on access for my organization?

Your organization admin can request SSO within the web app. They will first need to select an SSO provider, as the provider name and details will be needed when setting SSO up within Contentful.

If SSO has never been previously set up, a first-time prompt screen will appear. Following the instructions given, the setup process is straightforward and easy. Note that you can leave the setup page and return to continue where you left off at any time.

1. Contentful Service Provider Configuration

Fill in the form to provide us with details about your selected SSO provider, redirect URL and X.509 certificate.

  • SSO Service URL: URL of the SSO endpoint specified by your Identity Provider, for example, ttps://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=idpid
  • Signing certificate: a valid X.509 public signing certificate provided by your Identity Provider, used to sign SSO responses. Note that if you would like to set up a SHA fingerprint of your certificate, please contact Contentful customer support.

2. Identity Provider Configuration

Once SSO is enabled on the Contentful side, your organization's SSO administrator will have to complete the setup process on the Identity Provider side as well as ensure that any other relevant settings on internal networks and applications are updated to allow employees access Contentful via SSO.

Additionally, your SSO administrator will need to map the user attributes required by Contentful with the corresponding user attributes in your Identity Provider. These attributes are named as follows:

  • givenName: the given name (or first name) of the user
  • surname: the surname (or last name) of the user
  • email: the email address of the user

Many identity providers will also ask you to configure the Name ID attribute. Contentful uses this attribute to identify your users on subsequent SSO log-ins. As a result, the Name ID should be mapped to a field that uniquely identifies your individual users, such as email address, employee number, or a unique user ID made available by your Identity Provider.

  • Note: Most of the required technical details are included in the metadata file provided by your Identity Provider. Your organization's SSO administrator should have access to this file.

Test the connection

Once you have completed the above, you should be presented with a screen that has a button to test the connection. Clicking on the button, you will be brought to the IDP login screen. After logging in, you will be returned to the setup page, which will now indicate the pass/fail status of setup

3. SSO name and confirmation

Wrap up the setup process by inputting your SSO name. It's important to note that the SSO name has to conform to the following requirements:

  • is composed in lowercase
  • use only the following symbols 0-9, a-z, and =-_~\/
  • contains no spaces
  • be unique across all Contentful organizations

Confirm the enabling of SSO in the dialog box that follows to complete SSO setup

How can I change or disable SSO access for my organization?

To change the configuration or disable SSO for your organization, please contact Contentful customer support.

Why do I get signed out of Contentful when using a single sign-on?

For security purposes, users accessing Contentful via SSO are confined to sessions of a limited duration. The standard SSO session time is set at 12 hours, but the administrator at your organization can extend or shorten this period, provided your identity provider supports the sessionNotOnOrAfter parameter, according to internal needs and security policies. If your Identity Provider does not offer this feature, contact our customer service for assistance in configuring a custom SSO session duration.

How does SSO Restricted Mode work?

Enabling SSO Restricted Mode prevents organization's members from logging into Contentful via email or third-party services (Github, Google, and Twitter); the only permitted authentication method is via SSO.

Restricted Mode comes with two caveats. The following types of users can continue logging into Contentful via email and third-party services even when the option is enabled:

  • users who are owners of the organization
  • users who belong to more than one Contentful organization
  • users outside of your organization (for example, freelance contributors) explicitly exempted from Restricted Mode

Users who were logged into Contentful before Restricted Mode is enabled can continue using Contentful and are forced to login via SSO only after the current session expires.

Note that Restricted Mode is an optional feature. To enable this, please contact Contentful customer service with the list of users to be exempted from SSO login.

How are invited users affected by the use of a single sign-on?

When a user with pending invitations from multiple Contentful organizations accepts an invitation from the organization with Restricted Mode, all other invitations are purged and the user is removed from other organizations. If the user wishes to be a member of multiple organizations, they have to accept the invitation from the non-SSO organization first or be manually exempted from Restricted Mode in the SSO-enabled organization.

How do I deprovision users?

Deprovisioning a user on the IdP side will have an immediate effect of preventing the user from logging into Contentful. However, the user will still be listed as a member of the Contentful organization - and incur user fees - until they are manually removed by the organization admin.