Administration
    1. Phrase
    2. Global
    3. Administration

    Phrase Identity Management

    Content is machine translated from English by Phrase Language AI.

    Platform Single Login

    The Phrase Localization Platform supports single login to the different Phrase products through a single login or signup page. Go to https://eu.phrase.com (for EU data centers) or https://us.phrase.com (for US data center) to sign up or login via the Platform.

    New users signing up to the Platform as well as existing Phrase users can navigate among all available products within the Platform Dashboard, without individual authentication to each of them.

    Once logged in to the Platform, select the Dashboard dropdown menu in the top left corner to switch among all subscribed products as required. The product switcher is also available within each product interface for all users with a Platform user profile.

    Users can be members of different and multiple Phrase organizations and switch among them as required.

    Important

    The Platform does not support changing email address for identities that are using SSO Login.

    Product access requirements

    • Access to products is defined by purchased plan

    • Phrase TMS and Phrase Strings

    • Phrase Orchestrator

      • Access to TMS or Strings

    • Phrase Custom AI, Phrase Language AI and Phrase Analytics

    Note

    For more information about pricing of Phrase TMS, Phrase Strings, various add-ons and success plans, visit Phrase pricing page.

    Existing TMS or Strings users can log in through the Platform login page by entering username and password or via Platform SSO.

    Troubleshooting Login Issues

    In case of login issues, try these troubleshooting steps:

    1. Try incognito mode

      As a first step, open an incognito window (anonymous mode of the browser) and attempt to log in. If successful, clear the browser cache, cookies, and browsing history related to Phrase sites.

    2. Verify credentials

      If clearing the cookies and cache does not work, ensure correct login credentials are used.

      • If multiple accounts exist in Phrase, enter the username instead of the email address.

      • Ensure login to the correct data center.

    3. Reset the password

      If the password is forgotten, click Forgot password? on the login page and follow the reset password flow.

      After resetting the password, ensure the browser does not autofill login fields with outdated credentials. Confirm that the keyboard is set to the correct language to avoid incorrect input of credentials.

    4. Switch organizations (if applicable)

      An account may be associated with multiple organizations. If logged into the incorrect one, switch organizations.

     
     

    Platform Social Login

    The Phrase Platform supports social login via the following social providers:

    • Google

    • Microsoft

    • GitHub

    Go to https://eu.phrase.com or https://us.phrase.com to sign up or log in by connecting the desired social account. Legacy TMS or Strings social accounts are also supported to log in to the Phrase Platform.

    Logged-in users can connect or disconnect their Phrase profile to one of the available social providers in the user profile settings.

    Social signup or login is not available for users that have been invited to join a Phrase organization:

    • New users can sign up by providing their username and password or via SSO in the Phrase Platform signup page.

      Once logged in, go to the Platform's user profile settings to enable social login via the desired social provider.

    • Existing users that have been invited to join another Phrase organization must restore their password in order to accept the invitation.

      Once the password is restored, log in using the existing social account connection.

     

    Platform SSO

    Single Sign-on (SSO) allows Platform users to log in via third-party applications. The Phrase Platform enables integrations with identity providers (IdPs) compliant with SCIM 2.0 and the SAML 2.0 protocol.

    Users have access as long as they are logged into the organization IdP system.

    By default, users can log in to the Phrase Platform via both SSO and through existing username and password credentials. If required, SSO usage can be enforced to restrict the ability to log in using username and password.

    uniqueID parameter

    The SSO login page supports the uniqueId URL parameter that pre-fills the Unique Global Identifier for users. Placing a string into this parameter causes the Unique Identifier field to be pre-filled for the user.

    Example:

    https://eu.phrase.com/idm-ui/signin/sso?uniqueId=YOUR_ID

    Customers can bookmark the URL with this parameter in their browser so the don't have to remember this ID value to start the SSO login.

    Enable SSO using SAML 2.0

    SSO setup should be performed by IT administrators with admin access to the chosen IdP.

    To set up SSO, follow these steps:

    1. Select Settings/Organization from the profile icon at the top right of the page.

      The Organization settings page opens and the SSO tab is presented.

      suite_sso.gif

    2. Select the SSO tab and click Enable SSO.

      SSO configuration page is displayed.

    3. Fill in the Authorize SSO section:

      • Provide a unique identifier (e.g. the organization name or a random string) in the Globally unique identifier field.

        Organization users will be required to use the unique identifier when logging into the Phrase Platform.

      • Select the required option from the Identifier type dropdown:

        Username:

        Platform users are matched to IdP user identities by username. NameID format attribute is used to match users:

        urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

        Email address:

        Platform users are matched to IdP user identities by email. NameID format attribute is used to match users:

        urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

    4. Use information provided by the IdP to fill in required fields in the Configure SAML in Phrase section, then click Save.

      Fields in the Add Phrase to your identity provider section are automatically populated.

    5. Copy the links provided in the Add Phrase to your identity provider section and enter them in your IdP's SAML setup.

    Note

    Signing the SAML response is required to successfully set up Platform SSO.

    More information can be found in the documentation specific to the IdP (e.g. Certificate signing options through Microsoft Azure AD).

     

    Enforce SSO

    Selecting Require users to sign in with SSO forces users to use SSO to sign in.

    Requiring users to sign in with SSO prevents users who did not log in via SSO previously from accessing the organization.

    If an external collaborator requires access outside of SSO, select the Require SSO login for specified domains option.

    Options:

    • Allow all login methods

    • Require all users to log in via SSO

    • Require SSO login for specified domains

      Provide identifiers and identifier type and click Save.

     

    User Auto-Provisioning

    User auto-provisioning handles only company-managed users in Phrase, not self-registered users.

    Phrase Platform supports two types of user provisioning using SAML/SSO features to automate access to the Platform applications:

    • Just-in-Time (JIT)

    • SCIM

    New users are created automatically in the Platform organization once they are provisioned access to Phrase in the chosen identity provider (IdP).

    All new users are created as members of the relevant Platform organization and do not have access to any of the products by default. The Platform organization's owner or administrator will have to invite them to the required product separately.

    Created users are required to confirm their binding to the organization. To do this, an email with a verification link is sent to the provisioned user. Prior to verification, the user is not allowed to log in with SSO.

    Note

    To skip binding confirmation, contact the dedicated Customer Success Manager.

    Provisioned users are not allowed to change their Phrase credentials, as these are managed in the IdP.

    Set up Auto-Provisioning

    To enable or disable auto-provisioning, collaboration with Phrase Technical Support is required to ensure proper configuration and prevent potential issues, such as duplicate accounts or unassigned users.

    For a smooth setup and ongoing management of users, the following best practices are recommended:

    1. Start with a small test.

      Before rolling out auto-provisioning to the entire organization, it is recommended to provision a small group of users to verify that everything is functioning correctly.

    2. Assign all users via Identity Provider (IdP).

      After a successful test, assign all users to the Phrase application through the IdP. SCIM will then automate provisioning and user updates across the organization.

    3. Convert existing users to company-managed users.

      Contact Phrase Technical Support to convert current users to company-managed users. SCIM can only update and delete users marked as company-managed, making this step essential.

    4. Assign pre-SCIM users to the organization via IdP.

      Users added before enabling SCIM auto-provisioning must be assigned to the organization through the IdP. Failing to assign them may result in their deletion during SCIM synchronization.

     

    Just-in-Time (JIT) Provisioning

    Just-in-Time (JIT) provisioning is a SAML protocol based method that is used to create users the first time they log in to an application through SAML SSO. This eliminates the need to provision users or create user accounts manually and all created users have automatic access to that organization's products.

    JIT provisioning configuration should be performed by IT administrators with admin access to the chosen IdP.

    To configure JIT provisioning through SAML SSO, follow these steps:

    1. Select Settings/Organization from the profile icon at the top right of the page.

      The Organization settings page opens and the SSO tab is presented.

      suite_sso.gif

    2. Select the SSO tab.

      SSO configuration page is displayed.

    3. Scroll down to Auto-Provisioning Configuration and select Contact support to enable the configuration settings.

      Note

      SAML auto-provisioning and SCIM cannot be enabled at the same time.

    4. Once the settings are enabled, select SAML Auto-provisioning (Just in time) from the Auto-provisioning dropdown.

    5. Use the attributes in the Attribute statements table to map attributes from IdP to data in Phrase.

      This is needed to ensure the users data is aligned between the two systems.

    6. Click Save.

      Configuration is saved.

     

    SCIM Provisioning

    The SCIM protocol is an application-level standard that enables secure management and exchange of identity data across domains.

    Supported SCIM functionality:

    • Create company-managed user

      • The user is provisioned to all applications that are active in their Platform organization.

      • The user has Linguist role in Phrase TMS and Translator role in Phrase Strings.

      • A SCIM-created user identity cannot be merged with an existing one. Only fresh identities are supported.

    • Edit company-managed user attributes

      Editing attributes in the IdP is reflected in the Phrase Platform.

    • Delete company-managed user

      • When IdP sends a user deletion request, that user will be deleted from the Phrase platform.

      • If an SCIM-managed user is a member of multiple organizations, the deletion request from one organization will remove their membership from that organization. Only after receiving a deletion request from the last organization they are a member of will that user be completely removed from the platform.

    Note

    Due to continuous improvements, the user interface may not be exactly the same as presented in the video.

    SCIM configuration should be performed by IT administrators with admin access to the chosen IdP.

    To configure SCIM properties, follow these steps:

    1. Select Settings/Organization from the profile icon at the top right of the page.

      The Organization settings page opens and the SSO tab is presented.

      suite_sso.gif

    2. Select the SSO tab.

      SSO configuration page is displayed.

    3. Scroll down to Auto-Provisioning Configuration and select Contact support to enable the configuration settings.

      Note

      SAML auto-provisioning and SCIM cannot be enabled at the same time.

    4. Once the settings are enabled, select SCIM from the Auto-provisioning dropdown.

      SCIM configuration details are presented.

    5. Enter the desired SCIM secret to use in the encoding.

      Note

      The SCIM secret is required due to the Phrase Platform architecture where multiple organizations can use SCIM. The organization ID is encoded in the security token to prevent the use of UID in the URL.

      The SCIM bearer token field is populated with a unique token.

    6. Copy the token and the SCIM base URL.

      These will be used in the identity provider settings.

    7. Click Save.

      Configuration is saved.

     
     

    Migrate from legacy SSO

    Important

    As of March 4, 2025, the legacy SSO login pages for TMS and Strings will be deprecated. To ensure uninterrupted access to Phrase products, all organizations using legacy SSO must migrate to Platform SSO.

    Migrating to Platform SSO requires administrative access to the identity provider (IdP). Collaboration with the IT team is essential to configure a new Platform SSO integration in the IdP.

    Each Phrase organization can integrate with only one IdP. If multiple IdPs are used, select one for the Platform SSO setup before migration.

    Migration steps

    1. Set up Platform SSO in the IdP (Okta, Azure, TrustBuilder, or other IdPs).

      • To avoid confusion for users, set the globally unique identifier in Platform SSO to match the one used in the legacy SSO.

    2. Invite existing users and groups from the legacy SSO integration to the new Platform SSO integration within the IdP.

    3. Communicate the login flow changes:

      • Users must use the Platform login page:

      • If logging in via an IdP dashboard icon, users must select the updated Platform SSO icon.

      • User credentials (email/username) remain unchanged.

    Once the migration is complete, all existing content and user roles in Phrase TMS and Phrase Strings remain unchanged.

     
     
     
    Was this article helpful?

    Sorry about that! In what way was it not helpful?

    The article didn’t address my problem.
    I couldn’t understand the article.
    The feature doesn’t do what I need.
    Other reason.

    Note that feedback is provided anonymously so we aren't able to reply to questions.
    If you'd like to ask a question, submit a request to our Support team.
    Thank you for your feedback.

    Articles related to Administration