SSO x509 certificate expiration

Urgent action is required if your organization has explicitly enabled signature verification (aka fingerprint verification) for SAML authentication requests using Contentful’s current x509 certificate. If your organization has not enabled signature verification for SAML authentication requests, there will be no impact to your service when the new certificate is activated.

Contentful’s x509 certificate for SAML authentication requests valid after 1st November 2021

You may also find it via https://be.contentful.com/sso/{YOUR-ORGANIZATION-ID}/metadata, where {YOUR-ORGANIZATION-ID} is the ID of your organization in Contentful.

To find your organization ID, navigate to the Organization Settings page and look in the browser URL.

Public key:

Contentful certificate valid until November 1st

SHA1 Fingerprint=1E:F9:24:A1:4C:C5:8F:AF:8A:15:4E:75:BC:82:9B:88:5E:A5:D4:55
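As an added example (not Contentful's code), this Python sketch pulls the signing certificates out of SAML metadata such as the document at the URL above and computes their SHA-1 fingerprints, so a value pinned in an Identity Provider can be compared with the fingerprint of the certificate valid until November 1st. The sample metadata, its placeholder certificate bytes and the function names are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Fingerprint this page lists for the certificate valid until November 1st.
OLD_SHA1 = "1E:F9:24:A1:4C:C5:8F:AF:8A:15:4E:75:BC:82:9B:88:5E:A5:D4:55"

# Constructed sample: placeholder bytes stand in for the DER certificate, and the
# metadata layout (one signing KeyDescriptor) is an assumption, not Contentful's file.
PLACEHOLDER_DER = b"constructed placeholder bytes, not a real certificate"
_B64 = base64.b64encode(PLACEHOLDER_DER).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor
    xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://sp.example.test">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {_B64[:24]}
      {_B64[24:]}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER bytes, in the colon-separated form used on this page."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signing_fingerprints(metadata_xml: str) -> list:
    """Fingerprints of every certificate usable for signing in SAML metadata."""
    found = []
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no "use" attribute: any purpose
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # Metadata wraps base64 across lines; drop whitespace before decoding.
            der = base64.b64decode("".join((cert.text or "").split()))
            found.append(sha1_fingerprint(der))
    return found


def pins_old_certificate(pinned_fingerprint: str) -> bool:
    """True if a fingerprint copied from an IdP matches the expiring certificate."""
    canon = lambda fp: "".join(c for c in fp if c.isalnum()).upper()
    return canon(pinned_fingerprint) == canon(OLD_SHA1)


if __name__ == "__main__":
    for fp in signing_fingerprints(SAMPLE_METADATA):
        print(fp, "OLD certificate" if pins_old_certificate(fp) else "not the old certificate")
```

To check a real deployment, pass the saved metadata document to `signing_fingerprints` and the fingerprint shown in your Identity Provider to `pins_old_certificate`.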

Only SSO users who have enabled signature verification (aka fingerprint verification) for SAML authentication requests using Contentful’s current x509 certificate will be affected by this change.

Contentful SSO providers who allow signature verification, and therefore could be impacted, are as follows:

  • Microsoft Azure.

  • miniOrange.

  • Ping.

If you use one of the providers listed above and have NOT enabled signature verification, no action is required and the changes will not affect your SSO service for Contentful.

Providers who do not allow signature verification, and therefore will NOT be affected, are as follows:

  • Okta.

  • OneLogin.

You may be able to disable the verification for SAML authentication requests in your Identity Provider admin dashboard. However, we do not endorse or recommend this course of action.

No, this will not affect users who are already signed in to Contentful via SSO.

Disruption can only happen if you have put Contentful’s x509 certificate into your Identity Provider system, enabled signature verification, and do not update the certificate to the new one on/by 1st November. In that case, your users will not be able to authenticate and will receive an authentication error.

Once the new certificate is in place, open the SSO login page at Contentful (NB: the Contentful page, not your Identity Provider login page) in an incognito browser window and log in to test whether the new certificate is accepted.