Single Sign-On (SSO) & IdP Configuration

1. Resolving SSO Login Requirement After Disabling Strict Mode

A message stating access is allowed only through SSO appears even after Strict Mode has been disabled, blocking login with credentials. This occurs when the system incorrectly mandates SSO access for non-SSO users.

Root cause

A known UI issue prevents the "Allow Access without SSO" checkbox from appearing as expected when adding a user to an organization.

Resolution

  1. Navigate to the organization settings to add the user.
  2. Refresh the page while adding the user to make the checkbox visible.
  3. Locate the "Allow Access without SSO" checkbox that appears after the refresh.
  4. Select the "Allow Access without SSO" checkbox.
  5. Save the settings to allow the user to log in without SSO.

After saving the settings, attempt to log in using standard credentials. If the login is successful without an SSO redirect, the issue is resolved.


2. Training Organization Missing After SSO Login

Training organizations fail to appear in the organization dropdown after a successful SSO login.

Root cause

A regional mismatch exists between the location of the training instance and the user's SSO login region, preventing the organization from being displayed.

Resolution

  1. Create a training instance in a region that aligns with the SSO login region.
  2. Use new email credentials to set up the instance.

After creating the instance in the correct region and logging in, check the organization list to verify if the training organization is visible.


3. Login Failure Due to Missing or Incorrect SSO Details

Login attempts fail when the provided SSO details are missing or incorrect.

Root cause

The login failure occurs because the correct SSO name for the organization has not been provided.

Resolution

  1. Contact the organization owner or admin to obtain the correct SSO name.
  2. Select "Log in via Email" to access the account using credentials.

After entering the correct SSO name or selecting the email login option, attempt to log in to verify if access is restored.


4. Resolving Unexpected SSO Session Timeouts and Logouts

Unexpected daily logouts occur for SSO users regardless of Identity Provider session settings. Automatic logouts occur once the Contentstack SSO session timeout expires.

Root cause

The SSO session timeout is controlled by Contentstack settings, which default to 12 hours and override the session duration set by the Identity Provider.

Resolution

  1. Access the SSO session timeout settings in Contentstack.
  2. Update the SSO session timeout value to a preferred duration between 1 and 24 hours.
  3. Note that each SSO login starts a new session; logging out and back in resets the session timer, but the session duration cannot exceed the configured limit.

After updating the timeout settings, verify if the session duration reflects the new configuration.


5. Login Failure in SSO-Enabled Organizations via Credentials

Login attempts fail for SSO-enabled organizations even when "Strict SSO" is disabled. Despite the setting, the system displays an error message stating that access is restricted to SSO authentication only.

Root cause

The "Allow Access Without SSO" configuration is not explicitly enabled for the specific user within the organization settings.

Resolution

  1. Access the Organization User settings.
  2. Explicitly enable the "Allow Access Without SSO" setting for the affected user.
  3. If the user still cannot access the platform, remove and re-invite the user to refresh their access permissions and SSO-related flags.

After updating the user settings or re-inviting the user, verify if the account can successfully authenticate without using SSO.


6. Newly Invited SSO User Unable to Proceed Past Login Screen

Accessing Contentstack as a newly invited SSO user may fail at the login screen.

Root cause

The user account is in a locked state, which prevents authentication even when the user has valid invitations and credentials.

Resolution

  1. Reset the login lock for the affected user.
  2. Ask the user to attempt to log in to Contentstack.

If the user successfully proceeds past the login screen, the issue is resolved.


7. SSO Login Failure Due to Expired or Outdated Certificate

Attempting to log in via SSO as an organization owner may fail when the SSO certificate is not updated.

Root cause

The SSO certificate has expired or is outdated, preventing successful authentication between the Identity Provider and Contentstack.

Resolution

  1. Navigate to the SSO configuration settings in Contentstack.
  2. Update the SSO certificate with the current valid certificate from the Identity Provider.
  3. Save the configuration changes.

After updating the SSO certificate, attempt to log in using SSO. If the login is successful, the issue is resolved.
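
A validity check to run on the certificate before it is uploaded in step 2, so that an expired or soon-to-expire file is caught before saving. This is an added example, not Contentstack tooling: it assumes the IdP certificate was exported as a PEM file and that the `openssl` CLI is installed; the function names and the 30-day warning window are hypothetical.

```shell
#!/bin/sh
# Added example: pre-upload validity check for an IdP certificate (PEM).
# Function names and the default 30-day warning window are assumptions.

# Prints one of: invalid | expired | expiring | ok
idp_cert_status() {
    cert_file=$1
    warn_days=${2:-30}
    # Reject anything openssl cannot parse as an X.509 certificate.
    openssl x509 -in "$cert_file" -noout >/dev/null 2>&1 || { echo invalid; return 0; }
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$cert_file" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$cert_file" -noout \
            -checkend "$((warn_days * 86400))" >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# Subject, expiry date and SHA-256 fingerprint of the file about to be
# uploaded, for comparison with what the IdP console shows.
idp_cert_summary() {
    openssl x509 -in "$1" -noout -subject -enddate -fingerprint -sha256
}

# Constructed sample input: a throwaway self-signed certificate valid for
# $2 days, standing in for the certificate exported from the IdP.
make_constructed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=constructed-idp.example" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Stand-alone use: sh check_idp_cert.sh idp.pem [warn_days]
if [ -n "${1:-}" ]; then
    idp_cert_status "$1" "${2:-30}"
    idp_cert_summary "$1"
fi
```

A result of `expiring` means the certificate is still accepted today but will cause the same login failure once it lapses.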