Microsoft Entra SSO integration with Contentstack

In this tutorial, you'll learn how to integrate Contentstack with Microsoft Entra ID. When you integrate Contentstack with Microsoft Entra ID, you can:

  • Control in Microsoft Entra ID who has access to Contentstack.
  • Enable your users to be automatically signed-in to Contentstack with their Microsoft Entra accounts.
  • Manage your accounts in one central location.

Prerequisites

To integrate Microsoft Entra ID with Contentstack, you need:

  • A Microsoft Entra subscription. If you don't have a subscription, you can get a free account.
  • Contentstack single sign-on (SSO) enabled subscription.

Scenario description

In this tutorial, you configure and test Microsoft Entra SSO in a test environment.

  • Contentstack supports both SP and IDP initiated SSO.
  • Contentstack supports Just In Time user provisioning.

To configure the integration of Contentstack into Microsoft Entra ID, you need to add Contentstack from the gallery to your list of managed SaaS apps.

  1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
  2. Browse to Identity > Applications > Enterprise applications > New application.
  3. In the Add from the gallery section, type Contentstack in the search box.
  4. Select Contentstack from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

Alternatively, you can also use the Enterprise App Configuration Wizard. In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration as well. Learn more about Microsoft 365 wizards.

Configure and test Microsoft Entra SSO for Contentstack

Configure and test Microsoft Entra SSO with Contentstack using a test user called B.Simon. For SSO to work, you need to establish a link relationship between a Microsoft Entra user and the related user in Contentstack.

To configure and test Microsoft Entra SSO with Contentstack, perform the following steps:

  1. Configure Microsoft Entra SSO - to enable your users to use this feature.
    1. Create a Microsoft Entra test user - to test Microsoft Entra single sign-on with B.Simon.
    2. Assign the Microsoft Entra test user - to enable B.Simon to use Microsoft Entra single sign-on.
  2. Configure Contentstack SSO - to configure the single sign-on settings on application side.
    1. Create Contentstack test user - to have a counterpart of B.Simon in Contentstack that is linked to the Microsoft Entra representation of user.
  3. Test SSO - to verify whether the configuration works.

Configure Microsoft Entra SSO

Follow these steps to enable Microsoft Entra SSO in the Microsoft Entra admin center.

  1. Sign in to the Microsoft Entra admin center as a Cloud Application Administrator and browse to Identity > Applications > Enterprise applications.

  2. Now click on + New Application and search for Contentstack then click Create. Once created, now go to Setup single sign on or click the Single sign-on link from the left menu.

    Screenshot shows the new application creation.

  3. Next, on the Select a single sign-on method page, select SAML.

    Screenshot shows how to select a single sign-on method.

  4. On the Set up single sign-on with SAML page, click the pencil icon for Basic SAML Configuration to edit the settings.

    Screenshot shows how to edit Basic SAML Configuration.

  5. In the Basic SAML Configuration section, you need to perform a few steps. To obtain the information necessary for these steps, you will first need to go to the Contentstack application and create SSO Name and ACS URL in the following manner:

    a. Log in to your Contentstack account, go to the Organization Settings page, and click on the Single Sign-On tab.

    Screenshot shows the steps for Basic SAML Configuration.

    b. Enter an SSO Name of your choice, and click Create.

    Screenshot shows how to enter or create name.

    Note

    For example, if your company name is “Acme, Inc.” enter “acme” here. This name will be used as one of the login credentials by the organization users while signing in. The SSO Name can contain only alphabets (in lowercase), numbers (0-9), and/or hyphens (-).

    c. When you click on Create, this will generate the Assertion Consumer Service URL or ACS URL, and other details such as Entity ID, Attributes, and NameID Format.

    Screenshot shows generating the values to configure.

  6. Back in the Basic SAML Configuration section, paste the Entity ID and the ACS URL generated in the above set of steps, against the Identifier (Entity ID) and Reply URL sections respectively, and save the entries.

    1. In the Identifier text box, paste the Entity ID value, which you have copied from Contentstack.

      Screenshot shows how to paste the Identifier value.

    2. In the Reply URL text box, paste the ACS URL, which you have copied from Contentstack.

      Screenshot shows how to paste the Reply URL.

  7. This is an optional step. If you wish to configure the application in SP-initiated mode, enter the Sign-on URL against the Sign-on URL section:

    Screenshot shows how to paste the Sign on URL.

    Note

    You will find the SSO One-Click URL (that is, the Sign on URL) when you complete configuring Contentstack SSO. Screenshot shows how to enable the access page.

  8. Contentstack application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

    Screenshot shows the image of attributes configuration.

  9. In addition to above, Contentstack application expects a few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements. This is an optional step.

    Name Source Attribute
    roles user.assignedroles

    Note

    Please click here to know how to configure Role in Microsoft Entra ID.

  10. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find Certificate (Base64) and select Download to download the certificate and save it on your computer.

    Screenshot shows the Certificate download link.

  11. On the Set up Contentstack section, copy the appropriate URL(s) based on your requirement.

    Screenshot shows to copy configuration URLs.

Create a Microsoft Entra test user

In this section, you'll create a test user in the Microsoft Entra admin center called B.Simon.

  1. Sign in to the Microsoft Entra admin center as at least a User Administrator.
  2. Browse to Identity > Users > All users.
  3. Select New user > Create new user, at the top of the screen.
  4. In the User properties, follow these steps:
    1. In the Display name field, enter B.Simon.
    2. In the User principal name field, enter the username@companydomain.extension. For example, B.Simon@contoso.com.
    3. Select the Show password check box, and then write down the value that's displayed in the Password box.
    4. Select Review + create.
  5. Select Create.

Assign the Microsoft Entra test user

In this section, you'll enable B.Simon to use Microsoft Entra single sign-on by granting access to Contentstack.

  1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
  2. Browse to Identity > Applications > Enterprise applications > Contentstack.
  3. In the app's overview page, select Users and groups.
  4. Select Add user/group, then select Users and groups in the Add Assignment dialog.
    1. In the Users and groups dialog, select B.Simon from the Users list, then click the Select button at the bottom of the screen.
    2. If you are expecting a role to be assigned to the users, you can select it from the Select a role dropdown. If no role has been set up for this app, you see "Default Access" role selected.
    3. In the Add Assignment dialog, click the Assign button.

Configure Contentstack SSO

  1. Log in to your Contentstack company site as an administrator.

  2. Go to the Organization Settings page and click on the Single Sign-On tab on the left menu.

  3. In the Single Sign-On page, navigate to SSO Configuration section and perform the following steps:

    1. Enter a valid SSO Name of your choice and click Create.

      Screenshot shows settings of the configuration.

      Note

      For example, if your company name is “Acme, Inc.” enter “acme” here. This name will be used as one of the login credentials by the organization users while signing in. The SSO Name can contain only alphabets (in lowercase), numbers (0-9), and/or hyphens (-).

    2. When you click on Create, this will generate the Assertion Consumer Service URL or ACS URL, and other details such as Entity ID, Attributes, and NameID Format and click Next.

      Screenshot shows the configuration values.

  4. Navigate to Idp Configuration tab and perform the following steps:

    Screenshot shows the login values from Identity.

    1. In the Single Sign-On Url textbox, paste the Login URL, which you have copied from the Microsoft Entra admin center.

    2. Open the downloaded Certificate (Base64) from Microsoft Entra admin center and upload into the Certificate field.

    3. Click Next.

  5. Next, you need to create role mapping in Contentstack.

    Note

    You will only be able to view and perform this step if IdP Role Mapping is part of your Contentstack plan.

  6. In the User Management section of Contentstack's SSO Setup page, you will see Strict Mode (authorize access to organization users only via SSO login) and Session Timeout (define session duration for a user signed in through SSO). Below these options, you will also see the Advanced Settings option.

    Screenshot shows User Management section.

  7. Click on the Advanced Settings to expand the IdP Role Mapping section to map IdP roles to Contentstack. This is an optional step.

  8. In the Add Role Mapping section, click on the + ADD ROLE MAPPING link to add the mapping details of an IdP role which includes the following details:

    Screenshot shows how to add the mapping details.

    1. In the IdP Role Identifier, enter the IdP group/role identifier (for example, "developers"), which you can use the value from your manifest.

    2. For the Organization Roles, select either Admin or Member role to the mapped group/role.

    3. For the Stack-Level Permissions (optional) assign stacks and the corresponding stack-level roles to this role. Likewise, you can add more role mappings for your Contentstack organization. To add a new Role mapping, click on + ADD ROLE MAPPING and enter the details.

    4. Keep Role Delimiter blank as Microsoft Entra ID usually returns roles in an array.

    5. Finally, select the Enable IdP Role Mapping checkbox to enable the feature and click Next.

    Note

    For more information, please refer Contentstack SSO guide.

  9. Before enabling SSO, it is recommended that you need to test the SSO settings configured so far. To do so, perform the following steps:

    1. Click the Test SSO button and it will take you to Contentstack’s Log in via SSO page where you need to specify your organization's SSO name.
    2. Then, click on Continue to go to your IdP sign in page.
    3. Sign in to your account and if you are able to sign in to your IdP, your test is successful.
    4. On successful connection, you will see a success message as follows.

    Screenshot shows the successful test connection.

  10. Once you have tested your SSO settings, click Enable SSO to enable SSO for your Contentstack organization.

    Screenshot shows the enable testing section.

  11. Once this is enabled, users can access the organization through SSO. If needed, you can also Disable SSO from this page as well.

    Screenshot shows disabling the access page.

Create Contentstack test user

In this section, a user called Britta Simon is created in Contentstack. Contentstack supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Contentstack, a new one is created after authentication.

Test SSO

In this section, you test your Microsoft Entra single sign-on configuration with following options.

SP initiated:

  • Click on Test this application in Microsoft Entra admin center. This will redirect to Contentstack Sign-on URL where you can initiate the login flow.

  • Go to Contentstack Sign-on URL directly and initiate the login flow from there.

IDP initiated:

  • Click on Test this application in Microsoft Entra admin center and you should be automatically signed in to the Contentstack for which you set up the SSO.

You can also use Microsoft My Apps to test the application in any mode. When you click the Contentstack tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Contentstack for which you set up the SSO. For more information about the My Apps, see Introduction to the My Apps.

Next steps

Once you configure Contentstack you can enforce session control, which protects exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from Conditional Access. Learn how to enforce session control with Microsoft Defender for Cloud Apps.