This step-by-step guide explains how to set up Single Sign-On in Contentstack with OneLogin as your SAML 2.0 Identity Provider (IdP).
In a nutshell, this integration requires four steps:
- Create SSO Name and ACS URL in Contentstack
- Configure Contentstack App in OneLogin
- Configure OneLogin details in Contentstack
- Manage users access controls in OneLogin
Let’s see each of the processes in detail.
Step 1 - Create SSO Name and ACS URL in Contentstack
- Log in to your Contentstack account. Go to the ‘Organization Settings’ page and click on the ‘Single Sign-On’ tab on the left.
- Enter an SSO name of your choice, and click Create. For example, if your company name is 'Acme, Inc.' enter 'acme' here. This name will be used as one of the login credentials by the organization users while signing in.
Note: The SSO Name can contain only alphabets (in lowercase), numbers (0-9), and/or hyphens (-).
Let's use 'test-sso' as the SSO Name.
- This will generate Assertion Consumer Service (ACS) URL and other details such as Entity ID, Attributes and NameID Format. These details will be used in Step 2 for configuring Contentstack app in OneLogin.
Keep this window open, as you may need these details for setting up Contentstack app in OneLogin.
Step 2 - Configure Contentstack App in OneLogin
Note: You will need to be a OneLogin administrator to complete the below steps.
- Log into your OneLogin Admin account, click on the 'APPS' tab and click on the ‘ADD APP’ button on the top right corner. Use the ‘SAML Test Connector (IdP)’ application.
- Set the display name for your Contentstack application, for example ‘Contentstack’ and click ‘Save’ at the top right corner.
- Log into your Contentstack account as administrator and get your ‘Single sign on URL’ for OneLogin. In Contentstack, it’s called ‘Assertion Consumer URL’ and can be found in Organization Settings > Single Sign-On.
- Now, click on the ‘Configuration’ tab. Copy the ACS URL from the above step and paste it into the ‘ACS (Consumer) URL Validator’ field in OneLogin. Paste the same value into the ‘ACS (Consumer) URL’ field as well.
- Go to the ‘Parameters’ tab and add parameters. By default, the first parameter is ‘NameID’. We will set its value to ‘Email’ by clicking on the parameter and selecting it from the dropdown.
- Click on ‘Add parameter’ link to add a parameter named ‘first_name’ and select the ‘Include in SAML assertion’ checkbox.
Similarly, add another parameter named ‘last_name’.
- Next, we will assign values for the created fields. Click on the ‘first_name’ attribute and select ‘First Name’ from the ‘Value’ dropdown.
Similarly, select ‘Last Name’ for the ‘last_name’ attribute. Finally, your attribute list will look as follows:
Step 3 - Configure OneLogin details in Contentstack
- Click on the ‘SSO’ tab of your Contentstack application in OneLogin, you will see the ‘SAML 2.0 Endpoint (HTTP)’ URL field.
- Click on the ‘Copy to Clipboard’ icon beside the ‘SAML 2.0 Endpoint (HTTP)’ field or you can just manually copy the URL. Then, in Contentstack SSO settings page, go to ‘IdP Configuration’, and paste the copied URL into the ‘Single Sign-on URL’ field.
- Now, in the ‘SSO’ tab, click on ‘View Details’ under the ‘X.509 Certificate’ parameter.
- The ‘Standard Strength Certificate (2048-bit)’ window displays the details of the certificate. Click on the ‘DOWNLOAD’ button to download the certificate.
- Upload the X.509 certificate that you downloaded into the ‘Certificate’ field in Contentstack.
Step 4 - Manage users access control in OneLogin
- You can assign a single user under ‘Users’ > ‘All Users’. OneLogin will automatically retrieve the list of potential users that are currently logged in in OneLogin based on the user’s email address.
- Click on ‘NEW USER’ button at the top right corner to add new users to Contentstack. Add the user’s ‘Email’ address, ‘First Name’, and ‘Last Name’.
- Now, click on the ‘Applications’ tab. Click on the ‘+’ icon beside the ‘Applications’ bar and select your app in the ‘Select Application’ dropdown. Click on ‘CONTINUE’.
You will be led to the ‘Edit Contentstack Login For Demo User’ window where you can verify the details. Click on ‘Save’.
With this, you are done with setting up the new Contentstack app in OneLogin. Proceed to configuring the remaining steps in Contentstack SSO.
In Contentstack, save your settings and go to ‘3. User Management’.
Enable Strict Mode if you do not want any users to access the organization without SSO login. Learn More.
Session Timeout lets you define the session duration for a user signed in through SSO. While the default is set to 12 hours, you can modify it as per your requirement. Learn more.
Test & Enable
Go to '4. Test & Enable' in Contentstack.
Click the Test SSO button to check if your SSO settings have been configured properly. It is highly recommended that you test your settings before enabling SSO. Learn more.
To enable SSO for your Contentstack organization, click on Enable SSO. Once this is enabled, users of this organization can access the organization through SSO. You can then disable SSO from the same page when required. Learn more.