General

To enable SSO, you need to meet these two conditions:

• You must be the owner of the organization
• SSO must be a part of your Contentstack plan

If you meet these two conditions, you can set up SSO for your organization by following the Set up SSO guide.

When a user is included in an SSO-enabled Organization, he/she accesses the Organization through SSO using their IdP credentials instead of their Contentstack credentials (which they might not have created). If, later on, SSO is disabled for the Organization, the user will not be able to log in to Contentstack through IdP. However, the user is still part of the Organization.

To access the same organization, the user will have to perform the following steps:

1. Open Contentstack’s login page and click the Forgot Password? link.
2. Enter the email address and click SEND INSTRUCTIONS.

Now, the user will receive the password reset instructions on the email address. The user needs to follow the instruction and login to their Contentstack account.

An organization owner can always use his Contentstack credentials to log in to Contentstack and make relevant changes, irrespective of whether SSO has been enabled or not.

If the IdP experiences system fails, then the owner can perform the following steps:

1. Log in to the Contentstack account.
2. Open the Organization Users setting, disable Strict Mode, and grant access to the required user(s) by checking the Allow access without SSO option.

These users will now be able to access the organization using their Contentstack credentials, instead of through SSO (IdP credentials).

However, if the user does not have a Contentstack account, he/she will receive an email with the account setup instructions to create an account in Contentstack. Post setting up their account, they will be able to access the Organization content.

To sign in to an SSO-enabled organization in Contentstack, perform the following steps:

1. Open the login page of Contentstack and click the Login via SSO link.
2. Then, enter your organization SSO Name, and click on Continue. This will open your corporate IdP login page.
   Note: You must have received the SSO name in your stack or organization invitation email. If you do not know your organization SSO Name, contact your organization owner or admin.
3. Finally, sign in to your Contentstack account by entering your IdP login details.

To invite users that are not in your IdP, perform the following steps:

1. Log in to your Contentstack account, go to Organization Settings page, open the 3 User Management tab, and disable the Strict Mode.
2. Then, go to the USERS tab located at the header, and invite users.
3. While inviting, select the Allow Access Without SSO checkbox. This will allow the invited user to access the SSO-enabled organization through Contentstack credentials.

No. You do not have to send an invitation again since the existing users continue to remain part of the organization, even after SSO is enabled. 

Nothing changes for the existing users, except that they are required to sign in using SSO, instead of normal Contentstack username/password login. However, if any existing user is not part of your identity provider, you may have to disable Strict Mode and update the user in Contentstack by assigning permission to Allow Access Without SSO.

Adding encryption to SAML attributes adds another layer of security, ensuring that personal or corporate information is not compromised.

Your SAML attributes such as email, first name, and last name that are mapped with your IdP are encrypted. Learn more about SAML encryption.

You need to enable SAML encryption in Contentstack and your IdP settings.

To enable SAML encryption in Contentstack, follow the steps given below:

1. Log in to your Contentstack account, go to the Organization Settings page, and click on the Single Sign-On tab.
2. Click on the 2. IdP Configuration tab.
3. Check the Enable SAML Encryption checkbox, and click on Save.

Provide the following details in your IdP to enable SAML encryption:

1. In the Single Sign-on URL field, provide the ACS URL that was generated for your organization in Contentstack.
2. Use Contentstack’s Entity ID (generated in Step 1) in your IdP in Audience URI, SP Entity ID, SAML Issuer ID, or fields similar to these.
3. In the NameID Format, select or enter EmailAddress. This defines the parameter that your IdP should use to identify Contentstack users.
4. [Optional Step] If you want to encrypt your SAML attributes, you need to enable SAML encryption in your IdP and upload the Contentstack Public Certificate.