Set up SSO with PingIdentity
This step-by-step guide explains how to set up Single Sign-On in Contentstack with PingIdentity as your SAML 2.0 Identity Provider (IdP).
To do so, this integration requires the following steps:
- Create SSO Name and ACS URL in Contentstack
- Configure Contentstack App in PingIdentity
- Configure PingIdentity details in Contentstack
- Add application to user groups for IdP Role Mapping
- Create Role Mappings in Contentstack
- Test and Enable SSO
Create SSO Name and ACS URL in Contentstack
- Log in to your Contentstack account, go to the “Organization Settings” page, and click on Single Sign-On.
- Enter an SSO name of your choice, and click Create. For example, if your company name is “Acme, Inc.” enter “acme” here. This name will be used as one of the login credentials by the organization users while signing in.
Note: The SSO Name, once created, cannot be changed. It can contain only lowercase letters, numbers (0-9), and/or hyphens (-).
Let's use “sso-test” as the SSO Name.
- This will generate the Assertion Consumer Service (ACS) URL and other details such as Entity ID, Attributes, and NameID Format. These details will be used in Step 2 for configuring the Contentstack app in PingIdentity.
Keep this window open, as you may need these details for setting up the Contentstack app in PingIdentity.
Configure Contentstack App in PingIdentity
Note: You will need to be a PingIdentity administrator to complete the below steps.
- Log into your PingIdentity Admin account, and click on Connections on the left navigation panel.
- Click on the “Add Application” plus icon.
- Next, under SELECT AN APPLICATION TYPE, click on WEB APP.
- Choose the connection type as SAML and click on Configure.
- Within the Create App Profile page, provide the appropriate APPLICATION NAME and click Next.
- On the Configure SAML Connection page, perform the following steps:
- Select the Manually Enter option.
- Under ACS URLS, copy the Assertion Consumer Service URL from SSO configurations in Contentstack.
- Set the Signing algorithm to RSA_SHA256 and download the signing certificate in PEM (.crt) format.
- Copy the “Entity Id” from Contentstack and paste it under ENTITY ID.
- Set the ASSERTION VALIDITY DURATION (IN SECONDS) to 60.
- Click Save and Continue.
- On the Attribute Mapping screen, set the attributes as shown below, and click Save and Close.
- Enable the created application by using the toggle button.
Configure PingIdentity details in Contentstack
- Head to the Contentstack SSO setup screen.
- Under the IdP Configuration tab, copy the SINGLE SIGNON SERVICE URL from the PingIdentity application's Configuration into Single Sign-On Url*, and upload the certificate that you downloaded in step 2.f.
- Head to the User Management screen and click Next.
Add application to user groups for IdP Role Mapping
After setting the necessary configurations in Contentstack, you need to assign the newly added application to your users.
Create a group that corresponds to Contentstack roles in PingIdentity, say “ContentManager”.
- In your PingIdentity admin account, click on the Identities icon on the left navigation panel.
- Select Groups, and click on the “Add Group” plus icon.
- In the Create New Group form that opens up, enter the details as shown below, and click Finish & Save.
- You can add users to this group from within the Members tab.
- Once done, click on the “Connections” tab and expand the application that you have configured.
- Select the Attribute Mappings tab and click on the “Edit” icon.
- Click on + ADD ATTRIBUTE, enter the details as shown below, and click Save and Close.
You can now proceed to create role mappings in Contentstack for the IdP roles you created. Go to the “3. User Management” section of your Contentstack SSO settings and perform Step 5.
Create Role Mappings in Contentstack
In the User Management section, you will see the following steps:
- Strict Mode: Enable Strict Mode if you do not want any users to access the organization without SSO login.
- Session Timeout: The Session Timeout option lets you define the session duration for a user signed in through SSO. While the default is set to 12 hours, you can modify it as needed.
- Advanced Settings: Click on the advanced settings to expand the IdP Role Mapping section to map IdP roles to Contentstack.
- In the Add Role Mapping section, click on the + ADD ROLE MAPPING link to add new IdP role mapping and enter the following details:
- IdP Role Identifier: Enter the IdP group/role identifier, for example, “Contentstack Developers.”
- Organization Role: Assign either the Admin or Member role to the mapped group/role.
- Stack Roles (optional): Assign stacks as well as the corresponding stack-level roles to this role.
- Keep Role Delimiter blank.
- Finally, check the Enable IdP Role Mapping checkbox to enable the feature.
- Save and click on Next to continue further.
For more details about these steps, refer to our general SSO guide.
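As an added example (not Contentstack's or PingIdentity's own code), the Python below shows the checks a service provider makes on an assertion issued with the settings configured above: the RSA_SHA256 signing algorithm, the 60-second assertion validity window, the Entity ID as the audience, and group attribute values mapped one-to-one to organization roles because Role Delimiter is left blank. The Entity ID, the attribute name `groups`, the role map and the sample assertion are constructed placeholders; the block does not verify the XML signature itself, which still has to be checked against the downloaded certificate.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed placeholders: take the real Entity ID and attribute name from
# your Contentstack SSO page and your PingIdentity attribute mapping.
ENTITY_ID = "https://example.invalid/sp/sso-test"
GROUP_ATTR = "groups"
MAX_VALIDITY = timedelta(seconds=60)        # ASSERTION VALIDITY DURATION
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
ROLE_MAP = {"ContentManager": "Member"}     # IdP Role Identifier -> Org Role
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample assertion (no real signature value).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod
  Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo></ds:Signature>
 <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:01:00Z">
  <saml:AudienceRestriction><saml:Audience>https://example.invalid/sp/sso-test</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement><saml:Attribute Name="groups">
  <saml:AttributeValue>ContentManager</saml:AttributeValue>
  <saml:AttributeValue>Marketing</saml:AttributeValue>
 </saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, now_iso, entity_id=ENTITY_ID):
    """Return (problems, mapped_roles). Structural checks only: the XML-DSig
    signature itself must still be verified against the downloaded .crt."""
    a, now, problems = ET.fromstring(xml_text), _ts(now_iso), []
    alg = a.find(".//ds:SignatureMethod", NS)
    if alg is None or alg.get("Algorithm") != RSA_SHA256:
        problems.append("signature algorithm is not RSA_SHA256")
    cond = a.find("saml:Conditions", NS)
    nb, na = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    if not nb <= now < na:
        problems.append("outside NotBefore/NotOnOrAfter window")
    if na - nb > MAX_VALIDITY:
        problems.append("validity window longer than 60 seconds")
    if entity_id not in [x.text for x in a.findall(".//saml:Audience", NS)]:
        problems.append("audience does not match Entity ID")
    # Role Delimiter is blank, so each AttributeValue is one IdP role identifier.
    values = [v.text for v in a.findall(
        f".//saml:Attribute[@Name='{GROUP_ATTR}']/saml:AttributeValue", NS)]
    return problems, {g: ROLE_MAP[g] for g in values if g in ROLE_MAP}
```

Groups that have no entry under Add Role Mapping (here "Marketing") are simply ignored, which is why a user with no mapped group ends up with no Contentstack role.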
Test and Enable SSO
Next, you can try out the “Test SSO” and “Enable SSO” steps in Contentstack.
Test SSO
Before enabling SSO, it is recommended that you test the SSO settings configured so far. To do so, perform the following steps:
- Click on the Test SSO button and it will take you to Contentstack’s Login Via SSO page, where you need to specify your organization SSO name.
- Then, click on Continue to go to your IdP sign in page.
- Sign in to your account. If you are able to sign in to your IdP, your test is successful. On successful connection, you will see a success message as follows.
But, if you have enabled IdP Role Mapping, you’ll find the following details on a new page:
- SSO connection established successfully - A success message is displayed.
- IdP Roles received - The list of all the roles assigned to you in your IdP.
- Contentstack-IdP role mapping details - The details of all the Contentstack Organization-specific and Stack-specific roles mapped to your IdP roles.
- Click on the Close button. Now, you can safely enable SSO for your organization.
Note: While testing SSO settings with IdP Role Mapping enabled, the test will be performed only for the IdP roles of the currently logged-in user (i.e., the Owner performing the test).
Enable SSO
Once you have tested your SSO settings, click Enable SSO to enable SSO for your Contentstack organization.
Confirm your action by clicking on Yes.
Once this is enabled, users of this organization can access the organization through SSO. If needed, you can always disable SSO from this page as well.