If you want more control over security, you can work with your IT Team to enable Single Sign-On (SSO) for Contently. SSO allows users to log into Contently using the same credentials they use to log into your corporate intranet, identity management solution, or other trusted platform—instead of using a password they set on Contently.    

When you enable SSO, users will still need to be provisioned and given accounts in Contently before they can log into the platform.

Contently uses SAML 2.0 to securely exchange authentication data between your company’s identity management provider and Contently. SAML 2.0 is the industry standard for identity management and is supported by major identity management solutions such as Microsoft’s ActiveDirectory, Google’s G-Suite, and Okta.

If you are ready to start using SSO, please follow the instructions below.

1. Contently's Service Provider Settings for our production environment are below. Please share these settings with your IT Team and have them enable SSO for Contently. Your IT Team can choose to enable SSO in your IdP staging or production environment. 

Protocol: SAML 2.0
Federation Process:  SP Initiated
Environment: Staging or Production
Consumer Binding: HTTP POST Binding
Service Provider Entity ID:  https://contently.com/saml/metadata
Assertion Consumer URL:  https://contently.com/saml
NameID Attribute: Email
NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Public Certificate:

2. Once your IT Team enables SSO in your system, contact your Customer Success lead and let them know you want to use SSO. Your Customer Success lead will need some information from you. Please indicate that your IT Team enabled SSO using Contently's Service Provider production environment settings. Please also send your IdP settings including: Metadata URL, SSO Target URL, and the Public Certificate associated with your SSO IdP. Your IT Team should be able to give you this information. Please also indicate whether your IT Team enabled SSO in your company's IdP staging or production environment. Once your Customer Success lead has this information, we will be able to configure SSO for your organization. This configuration is usually pretty quick. If you need SSO enabled during a specific time window for testing purposes, please let your Customer Success lead know; we will need at least 24 hours notice in this scenario.

3. Once your IT Team enables SSO in staging and your Customer Success lead tells you that your configuration is complete on Contently's side, your IT Team will be able to test the SSO configuration. They can visit www.contently.com/signin and use an existing Contently account for this testing. If you requested a specific testing window in step 2, we will aim to enable SSO at the beginning of that window. 

Note: Because your IT Team enabled SSO in your IdP staging environment, once Contently enables SSO for your organization, your users will not be able to log into Contently until your IT Team completes their testing and transitions SSO to your IdP production environment.

4. Once your IT Team completes their testing, they will need to transition SSO to your IdP production environment. Once enabled in production, please email your Metadata URL, SSO Target URL, and Public Certificate to your Customer Success lead in case any of these settings have changed. Let them know that SSO has been moved to your IdP production environment and you are ready for the final installation phase.
Continue to step 5 below.

5. Once your IT Team enables SSO in production and your Customer Success lead tells you that your configuration is complete on Contently's side, your users will be able to log into Contently using their SSO credentials. Remember that users need to be provisioned and given accounts in Contently before they can log into the platform.

Note: If you are unable to log into Contently after we enable SSO for your organization, please reach out to your IT Team to make sure that they enabled SSO for Contently in your IdP production environment using the correct Service Provider production settings listed above. If you still cannot log in, please reach out to your Customer Success lead.

WHO SSO WILL BE ENABLED FOR: By default, SSO will be enabled for everyone who logs into Contently using an email domain that is tied to your organization. Your organization might have multiple email domains attached to it. If you need to check which email domains are tied to your organization, please ask your Customer Success lead. If you only want to enable SSO for a specific list of users, please tell your Customer Success lead.

MULTIPLE CONTENTLY PUBLICATIONS: As noted above, by default, SSO will be enabled for your entire organization. If you have more than one Contently publication, SSO will be turned on for all of your publications. If you only want to enable SSO for a specific list of users, please tell your Customer Success lead.

CHAINED SSO CERTIFICATES: Contently does not currently support chained certificates. To enable SSO, we will need your root certificate.

TERMINATING SSO SESSIONS: If you want to end a user's SSO session each time they close their browser, let your Customer Success lead know and we can enable this functionality for your organization. 

REDIRECTING LOGGED OUT USERS: If you want to choose which URL your users get redirected to when they log out of Contently, let your Customer Success lead know which URL you want to use and we can enable this functionality for your organization.

SIGNING SAML REQUESTS: Contently will expect SAML requests to be signed by default. If your IDP does not support signed SAML requests, please let us know so that we can make the necessary adjustments on our end. As long as your SAML endpoint uses SSL / TLS, the authentication will still be secure whether or not the SAML requests are signed.