Phrase Identity Management


Suite Single Login

The Phrase Localization Suite supports single login to the different Phrase products through a single login or signup page. Go to (for EU data center) or (for US data center) to sign up or log in via the Suite.

New users signing up to the Suite as well as existing Phrase users can navigate among all available products within the Suite Dashboard, without individual authentication to each of them. Existing TMS or Strings users can log in through the Suite login page by entering username and password or via Suite SSO.

Once logged in to the Suite, select the Dashboard dropdown menu at the top left corner to switch among all subscribed products as required. The product switcher is also available within each product interface for all users with a Suite user profile.


Single login through the Suite is not currently available for users signing up or logging in via social networks. Such authentication is still supported through the legacy login page of the specific product.

Suite SSO

Single Sign-on (SSO) allows Suite users to log in via third-party applications. The Phrase Suite enables integrations with identity providers (IdPs) compliant with the SAML 2.0 protocol.

Users have access as long as they are logged into the organization IdP system.

By default, users can log in to the Phrase Suite via both SSO and through existing username and password credentials. If required, SSO usage can be enforced to restrict the ability to log in using username and password.


Auto-provisioning and SCIM user management are not currently available.

Enable SSO using SAML 2.0

SSO setup should be performed by IT administrators with admin access to the chosen IdP.

To set up SSO, follow these steps:

  1. Select Settings/Organization from the profile icon at the top right of the page.

    The Organization settings page opens and the SSO tab is presented.

  2. Select the SSO tab and click Enable SSO.

    The SSO configuration page is displayed.

  3. Fill in the Authorize SSO section:

    • Provide a unique identifier (e.g. the organization name or a random string) in the Globally unique identifier field.

      Organization users will be required to use the unique identifier when logging into the Phrase Suite.

    • Select the required option from the Identifier type dropdown:


      Username:

      Suite users are matched to IdP user identities by username.

      Email address:

      Suite users are matched to IdP user identities by email.

  4. Use information provided by the IdP to fill in required fields in the Configure SAML in Phrase section, then click Save.

    Fields in the Add Phrase to your identity provider section are automatically populated.

  5. Copy the links provided in the Add Phrase to your identity provider section and enter them in your IdP's SAML setup.


Signing the SAML response is required to successfully set up Suite SSO.

More information can be found in the documentation specific to the IdP (e.g. Certificate signing options through Microsoft Azure AD).
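
To confirm that the IdP signs the SAML response itself and not only the assertion inside it, inspect a response captured from a test login. The following is an added example, not Phrase code: it assumes the response is the base64 `SAMLResponse` form value, the function names are hypothetical, and the sample input is constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signature_placement(saml_response_b64: str) -> dict:
    """Report where XML signatures sit in a base64-encoded SAML response.

    Structural check only: it does not verify any signature value.
    Intended for a response captured from your own test login.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("root element is not samlp:Response")
    # A signature covering the whole response is a direct child of Response.
    resp_sig = root.find("ds:Signature", NS)
    # A signature covering only the assertion is a direct child of Assertion.
    assertion_sig = root.find("saml:Assertion/ds:Signature", NS)
    method = None
    if resp_sig is not None:
        node = resp_sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        method = node.get("Algorithm") if node is not None else None
    return {
        "response_signed": resp_sig is not None,
        "assertion_signed": assertion_sig is not None,
        "response_signature_method": method,
    }

# Constructed skeleton signature element (no real digest or signature value).
_SIG = ('<ds:Signature><ds:SignedInfo><ds:SignatureMethod '
        'Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
        '</ds:SignedInfo></ds:Signature>')

def constructed_response(sign_response: bool, sign_assertion: bool) -> str:
    """Build a constructed, skeletal SAML response and base64-encode it."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        '<saml:Issuer>https://idp.example.test</saml:Issuer>'
        + (_SIG if sign_response else "")
        + "<saml:Assertion>" + (_SIG if sign_assertion else "")
        + "</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()
```

A result with `response_signed` false and `assertion_signed` true means the IdP is set to sign the assertion only, which does not meet the requirement above.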

Enforce SSO

Selecting Require users to sign in with SSO forces users to use SSO to sign in.

Requiring users to sign in with SSO will prevent users who didn't log in via SSO previously from accessing the organization. Users will also be removed from organizations and will no longer be associated with earlier projects and jobs.

Strings SSO

Available for

  • Enterprise plan

Get in touch with Sales for licensing questions.


Migration to Suite-level SSO has started and will be completed by the end of 2023. See relevant announcement in Strings release notes.

New SSO integrations should be done using Suite-level SSO.

SSO allows the selection of who has access to an organisation by using an existing identity provider/SSO solution.

Users will have access as long as they’re logged in to the organisation identity provider system. Removing a user removes access to projects, and rights should also be revoked from the identity provider.

Within the identity provider solution, control of the following rights is given:

  • Manage who is able to access Strings

  • Update user details (first/last name)

Once enabled, all user roles are still managed from within the organisation.

It is possible to switch between non-SSO organizations.

Switching from or to organisations that are SSO-enabled is not allowed for security reasons. To log into a non-SSO organisation, log out and log in to the non-SSO organisation with e-mail and password on

Set up single sign-on (SSO)

Single sign-on (SSO) can only be activated by the owner of an organisation.

To set up SSO, follow these steps:

  1. From the account dropdown menu, select Account & billing.

    The Account page opens and the Account & billing tab is presented.

  2. Select the SSO tab.

    SSO Settings are presented.

  3. Click Enable SSO.

    SSO options are presented.

  4. Use information provided in the Phrase settings section for the identity provider.

  5. Use information provided by the identity provider for the Identity Provider Settings.

  6. Click Update settings.

    Settings are applied.

Set up SSO in Okta

Administrative access in your Okta instance is required to set up SSO in Okta. This process is only accessible within the Classic UI in Okta.

To set up SSO in Okta, follow these steps:

  1. Log in to Okta. Ensure that the profile is in the administrative instance of the Okta developer account.

  2. From the Applications menu, select Applications.

  3. Create a new application, select Web as the platform and SAML 2.0 as the sign on method, and click Create.

  4. Update the single sign-on setting with the information found in the Phrase settings on the SSO tab.

  5. Finish the setup process and view the single sign-on 2.0 settings provided by Okta.

  6. Copy the single sign-on 2.0 settings provided by Okta into the Identity Provider Settings section of the SSO tab.

  7. Click Update settings.

    Okta is set up as an identity provider.

Set up SSO in OneLogin

To set up SSO in OneLogin, follow these steps:

  1. From the OneLogin administration page, click Add App.

  2. Search for SAML Test Connector (IdP w/ attr w/ sign response).

    Add logo if desired.

  3. Click Save and leave the page open.

  4. Apply the settings displayed in the OneLogin application to fill in the SSO Settings section of the SSO tab.

    Do not enable Auto Provisioning until the login has been tested and is working.

  5. In the OneLogin application, fill in the Application details with information displayed in the Phrase settings section of the SSO tab.

    • Use Phrase Single Sign-On Callback URL for OneLogin Recipient.

    • Use Phrase Single Sign-On Entity for OneLogin Audience.

    • Use[a-z0-9-_]+ for OneLogin ACS (Consumer) URL Validator. If the Regex does not match company ID, contact support.

  6. In the OneLogin application, select the SSO tab.

  7. Ensure SAML Signature Algorithm is set to SHA-256.

  8. Ensure FirstName and LastName parameters are set and save settings.

  9. In the Identity Provider Settings on the SSO tab:

    • Use OneLogin Issuer URL for Phrase Issuer.

    • Use OneLogin SAML 2.0 Endpoint (HTTP) for Phrase Single sign-on URL.

    • Click on View details within the X.509 Certificate in OneLogin to view Fingerprint and copy the Fingerprint into Phrase X.509 Certificate.

  10. Click Update settings.

    OneLogin is set up as an identity provider.

Single Sign-On (TMS)

Available for

  • Ultimate and Enterprise plans

Get in touch with Sales for licensing questions.


Migration to Suite-level SSO has started and will be completed by the end of 2023. See relevant announcement in TMS release notes.

New SSO integrations should be done using Suite-level SSO.

Single Sign-on (SSO) allows Phrase TMS users to log in via third-party applications. Phrase enables integrations with identity providers (IdPs) compliant with SCIM 2.0 and the SAML 2.0 protocol. Existing usernames and passwords remain valid if SSO is deactivated.

Enable Single Sign-On

Prerequisite: Administrator Login

If forcing users to use SSO and there are existing users before SSO is enabled, administrators must manually update their passwords to something randomly generated so that they can only use SSO to sign in.

To enable Single sign-on, follow these steps:

  1. From the Settings page, scroll down to the Single sign-on section and click on Details.

    The Single sign-on page opens.

  2. Select Enable SSO for your organization.

    Configuration details are presented.

  3. Complete the following fields:

    The first five fields should be completed using information from an IdP. (Configuring SSO for OneLogin.)

    • Certificate fingerprint

      This is used to validate the authenticity of the IdP. Depending on fingerprint generation, it is delimited by either colons or spaces. If authentication is not successful, switch the colons and spaces in the fingerprint to ensure it is correctly applied.

    • Certificate fingerprint algorithm

    • Issuer URL

      This value is provided by the IdP to uniquely identify your domain.

    • SAML 2.0 endpoint (HTTP)

      This is the URL that is called to request a user login from the IdP. The IdP authenticates and logs in users.

    • SLO endpoint (HTTP)

      When users log out of, this URL is called to log them out of the IdP.

    • Landing URL (Optional)

      Choose the URL of the web page that users will see when they log out, e.g. a list of applications available to them in the IdP.

    • Key user identifier

      Select whether users will identify themselves using a USERNAME or an EMAIL address. A unique username is required by default, but users can opt to use the same email address multiple times. Choosing the EMAIL option will require users to use a unique email address.

    • Domain name

      This field redirects users to the appropriate IdP configured for an SP-initiated SSO flow. It corresponds to the field Company domain accessible via Log in with SSO.

  4. Click Save.

    Settings are applied for the organization.
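
The Certificate fingerprint and Certificate fingerprint algorithm fields can be checked offline before saving. The following is an added example, not Phrase code: it computes the fingerprint from the IdP's PEM certificate, infers the digest from its length, and compares two renderings regardless of colon or space delimiters. The function names are hypothetical and `CONSTRUCTED_PEM` wraps placeholder bytes, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# Constructed bytes standing in for a DER certificate (not a real certificate);
# a fingerprint is just a hash over the DER encoding, so any bytes illustrate it.
CONSTRUCTED_DER = bytes(range(64))
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(CONSTRUCTED_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

def pem_to_der(pem: str) -> bytes:
    """Extract the DER bytes from the first CERTIFICATE block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def fingerprint(pem: str, algorithm: str = "sha256", sep: str = ":") -> str:
    """Hash the DER certificate; return upper-case hex byte pairs joined by sep."""
    digest = hashlib.new(algorithm, pem_to_der(pem)).hexdigest().upper()
    return sep.join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp: str) -> str:
    """Strip colon/space delimiters and case so two renderings can be compared."""
    hex_only = re.sub(r"[\s:]", "", fp).lower()
    if not re.fullmatch(r"(?:[0-9a-f]{2})+", hex_only):
        raise ValueError("fingerprint contains non-hex characters")
    return hex_only

def guess_algorithm(fp: str) -> str:
    """Infer the digest from the length (20 bytes is SHA-1, 32 bytes is SHA-256)."""
    sizes = {40: "sha1", 64: "sha256", 96: "sha384", 128: "sha512"}
    try:
        return sizes[len(normalize(fp))]
    except KeyError:
        raise ValueError("unexpected fingerprint length") from None

def same_fingerprint(a: str, b: str) -> bool:
    """True when two fingerprints match once delimiters and case are ignored."""
    return hmac.compare_digest(normalize(a), normalize(b))
```

If `same_fingerprint` is true for the value shown by the IdP and the value you computed, a failed login points at the delimiter or the selected algorithm, not at a wrong certificate.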

SCIM Configuration

To configure SCIM properties, follow these steps:

  1. Select Enable SCIM.

    SCIM configuration details are presented.

  2. Click Generate new token.

    The SCIM bearer token field is populated with a unique token.

  3. Copy the token and the SCIM base URL.

    These will be used in identity provider settings.

  4. Click Save.

    Configuration is saved.

User Management


  • Allow users to change their login credentials

    Uncheck this box to prevent users from editing their usernames, passwords, and emails. Can be used to force users to access only through SSO (as SSO uses a different authentication method).


    If the option is unchecked, clicking the Forget your password link does not send an email to reset the password.

  • New users mapped to

    Sets default user role for new users created via SSO. The Linguist role is selected by default.

Application Details

Organization ID and the Domain URL can be used by an IdP to configure Phrase as the recipient application and to establish the connection.

The Organization ID is found in the Organization ID field on the bottom of the single sign-on page.

Some SSO providers require Entity ID / Metadata URL, ACS URL or SLS URL.

If required, use the below URLs for your appropriate datacenter:

EU Data Center

  • Entity ID/Metadata URL:{orgId}

  • ACS URL:{orgId}

  • (Optional) SLS (Single Logout Service) URL:{orgId}

US Data Center

  • Entity ID/Metadata URL:{orgId}

  • ACS URL:{orgId}

  • (Optional) SLS (Single Logout Service) URL:{orgId}
