Single Sign-On (SSO) allows you to use your own company credentials to access Contentsquare.
- SSO is configured at the account level and makes user management easier while increasing security.
- The configuration establishes trust with your Identity Provider to create/authenticate users in Contentsquare.
- It is SAML 2.0 compatible, which is the most accepted standard protocol for this type of operation.
For users who already had CS credentials before SSO configuration—there is no need to delete old users/credentials in the console, users can simply begin to login using SSO.
For users who didn’t have CS credentials before the SSO configuration—their account will be automatically created in our system (without any password).
Please review the following eligibility checklist with your CSM before implementing SSO:
✅ Your domain email address is used only for one, single Contentsquare account (Customers & Partners included)
✅ If you have multi-factor authentication (MFA) set up you cannot also use SSO you will need to choose one or the other.
✅ All your Contentsquare users will use the SSO
✅ Your users will not need to access two Contentsquare accounts using the same email address (one user account = one email address)
How to configure
If you are not an IT professional, you may need assistance from one to complete this configuration.
Choose a method
Before you get started, choose between two SSO implementation methods: SP-Initiated or IDP-initiated.
SP-initiated (Service Provider Initiated)
The user goes to the login page of Contentsquare and uses their email to log in. Contentsquare recognizes the email domain and sends them to your IDP for credentials. Once authenticated on your ID, they are sent back to Contentsquare authenticated.
IDP-initiated (Identity Provider Initiated)
The user can only access Contentsquare from your IDP. Therefore, when going to the login page directly, they won’t be recognized.
Complete the following configurations of your IDP and Console to create trust between the two parties.
1. Configure your IDP
- Configure the application in your IDP based on Contentsquare’s metadata.
- We can’t provide a detailed step-by-step as this will depend on your IDP.
Both the SAML response and assertion need to be signed:
Okta SAML documentation Scroll to 'SAML Settings' section > 'Advanced Settings' list Onelogin SAML documentation Scroll to 'Change certificate signing options and signing algorithm' section Azure AD SAML documentation Follow full article instructions
2. Configure your Contentsquare Console
- Any administrator user on your side is able to access the SSO configuration form in our Console so that the configuration can be done autonomously.
- Go to the 'Console'
- Go to the 'Authentication' tab and then click 'Set up'
- Use metadata from your IDP to fill out the SSO configuration form shown below
|SSO Configuration Form||Form Details|
'Login flow' defines which SSO flow will be chosen
'SSO entity ID' represents the IDP, should be in your metadata.
'Login URL' is only required for the SP-initiated method. Is the URL of the page we send the user to in order for him to login onto his IDP. Should be in your metadata.
'Logout URL' is optional, defines the page to send the user to when the user decides to log out.
'Binding' is used to choose between redirect or post as your binding method.
'Domains' are authorized email domains pre-approved during the implementation process. To add a domain that is not displayed in the drop-down, please contact the Support team.
'Encryption' is the method for assertion. Contentsquares should be able to decode 4x different encryption algorithms (using the Samilify lib):
'Certificates' are keys, found in your metadata, that sign and certify an authentication request.
You can add multiple certificates, for instance, to prepare seamlessly any change of configuration. For multiple certificates, we have a fallback mechanism that will run until we find the certificate that works. To test a new certificate, update the configuration on your IDP and add the new certificate in the list of certificates in the Console.
'IT Administrators' gives you the possibility to designate, among your administrator users, "IT Admin".
Your IT Admin(s) will always login to Contentsquare through the manual process (not via SSO). Therefore, in case of any issue with the SSO configuration running on your production domain, your IT Admin(s) will always be able to login and update the configuration.
'New Users Provisioning'
Use the toggle to enable/disable the automatic new user creation on a user's first login.
If this toggle is disabled, you will have to create users manually in the Console or use a batch update before users can automatically log in using the SSO.
'New user validation' allows you to choose between two methods:
Automatic validation (recommended)
This allows admins to configure a default set of accesses and rights for any new users. All new Contentsquare users will be by default attributed this set of access and rights without any manual intervention needed.
Read this article to learn how to configure your SSO you can automatically assign new users to default teams and roles by creating rules.
The default Team will provide users with pre-defined access to that Team's Projects' and all those projects' default role configurations. Read this article to learn more about Team management and configuring default roles for projects.
⚠️ This is not activated by default when setting the SSO up.
⚠️ Partner accounts cannot use Automatic Validation and will be assigned Manual Validation by default.
This will require Admins to manually approve any new user trying to access Contentsquare.
⚠️ Admins are not notified when new users are created. They have to go to the Console and check pending users in the user list. Once identified, they can activate and attribute rights to new users from there.
⚠️ Partner accounts can only use this form of validation by default.
How to remove SSO
1. Open a Support ticket and include the reason why you would like to remove your SSO in your request.
2. Once the SSO is removed, go to Contentsquare's login page and click 'Forgotten password?' to create a new password.
What if my domain name changes? Will I lose my workspaces, favorited items etc.
First, update any users’ email addresses impacted by the domain change used for their Contentsquare profile.
Then, you’ll need to edit the domain in the SSO configuration to match the new domain name, so that users with that domain name in their email address will be redirected to the SSO flow.
How do I remove SSO?
You can talk to your CSM or file a support ticket independently to remove SSO.
How will users log in if I remove the SSO?
Users who were created before the SSO was set up will be able to log in again using the credentials they had at first (email+password).
Users who arrived after the SSO was set up will need to click the “forgotten password” button on the login page to have a brand new password sent to their emails.
If I have two different accounts for the same domain can I configure SSO for just one of the accounts?
Yes, if user provisioning is disabled.
What happens to users' existing Mappings, Workspaces etc. if we switch to SSO?
Nothing, they are not impacted. Users are not duplicated either.
Will new users created via SSO receive a Contentsquare account creation email?
Does SSO support logging out users automatically?
Yes, though it is not mandatory.
Is there a staging environment where we can test the connection with Contentsquare?
No, we recommend using a testing environment on the client-side and/or a test domain. Try the SSO setup using the test domain and once validated switch it to the real domain.
Can I manage user permissions through Active Directory groups?
Contentsquare does not currently support this method only passing identification information from your IDP to us, not via authorizations.
What are the supported SSO protocols by the target application? E.g. SAML, OAuth, OpenID, etc.?
Our SSO is compatible with SAML 2.0 technology only.
What user authentication tool can be used to enable SSO integration? E.g. OneLogin, Okta, Ping Federate, etc.?
Any provider supporting SAML v2.0
Is SSO free?