The Phrase Localization Suite supports single login to the different Phrase products through a single login or signup page. Go to https://eu.phrase.com (for EU data center) or https://us.phrase.com (for US data center) to sign up or log in via the Suite.
New users signing up to the Suite as well as existing Phrase users can navigate among all available products within the Suite Dashboard, without individual authentication to each of them. Existing TMS or Strings users can log in through the Suite login page by entering username and password or via Suite SSO.
Once logged in to the Suite, select the dropdown menu at the top left corner to switch among all subscribed products as required. The product switcher is also available within each product interface for all users with a Suite user profile.
Note
Single login through the Suite is not currently available for users signing up or logging in via social networks. Such authentication is still supported through the legacy login page of the specific product.
Single Sign-on (SSO) allows Suite users to log in via third-party applications. The Phrase Suite enables integrations with identity providers (IdPs) compliant with the SAML 2.0 protocol.
Users have access as long as they are logged into the organization IdP system.
By default, users can log in to the Phrase Suite via both SSO and through existing username and password credentials. If required, SSO usage can be enforced to restrict the ability to log in using username and password.
Note
Auto-provisioning and SCIM user management are not currently available.
Enable SSO using SAML 2.0
SSO setup should be performed by IT administrators with admin access to the chosen IdP.
To set up SSO, follow these steps:
- Select Settings/Organization from the profile icon at the top right of the page.
  The page opens and the tab is presented.
- Select the tab and click Enable SSO.
  SSO configuration page is displayed.
- Fill in the section:
  - Provide a unique identifier (e.g. the organization name or a random string) in the field.
    Organization users will be required to use the unique identifier when logging into the Phrase Suite.
  - Select the required option from the Identifier type dropdown:
    - : Suite users are matched to IdP user identities by username.
    - : Suite users are matched to IdP user identities by email.
- Use information provided by the IdP to fill in required fields in the section, then click Save.
  Fields in the section are automatically populated. Copy the links provided in the section and enter them in your IdP's SAML setup.
Enforce SSO
Selecting forces users to use SSO to sign in.
Requiring users to sign in with SSO will prevent users who didn't log in via SSO previously from accessing the organization. Users will also be removed from organizations and will no longer be associated with earlier projects and jobs.
SSO allows the selection of who has access to an organisation by using an existing identity provider/SSO solution.
Users will have access as long as they’re logged in to the organisation identity provider system. Removing a user removes access to projects; rights should also be revoked from the identity provider.
Within the identity provider solution, control of the following rights is given:
- Manage who is able to access Strings
- Update user details (first/last name)
Once enabled, all user roles are still managed from within the organisation.
It is possible to switch between non-SSO organizations.
Switching from or to organisations that are SSO-enabled is not allowed for security reasons. To log into a non-SSO organisation, log out and log in to the non-SSO organisation with e-mail and password on phrase.com.
Single sign-on (SSO) can only be activated by the owner of an organisation.
To set up SSO, follow these steps:
- From the account dropdown menu, select Account & billing.
  The page opens and the tab is presented.
- Select the tab.
  are presented.
- Click Enable SSO.
  SSO options are presented.
  Use information provided in the section for the identity provider.
  Use information provided by the identity provider for the .
- Click Update settings.
  Settings are applied.
Administrative access in your Okta instance is required to set up SSO in Okta. This process is only accessible within the Classic UI in Okta.
To set up SSO in Okta, follow these steps:
- Log in to Okta. Ensure that the profile is in the administrative instance of the Okta developer account.
- From the menu, select Applications.
- Create a new application, select Web as the platform and SAML 2.0 as the sign on method and click .
- Update the single sign-on setting with the information found in the on the tab.
- Finish the setup process and view the single sign-on 2.0 settings provided by Okta.
- Copy the single sign-on 2.0 settings provided by Okta into the section of the tab.
- Click Update settings.
  Okta is set up as an identity provider.
To set up SSO in OneLogin, follow these steps:
- From the OneLogin administration page, click Add App.
- Search for .
  Add logo if desired.
  Click Save and leave the page open.
- Apply the settings displayed in the OneLogin application to fill in the section of the tab.
  Do not enable until the login has been tested and is working.
- In the OneLogin application, fill in the with information displayed in the section of the tab.
  Use Phrase for OneLogin .
  Use Phrase for OneLogin .
  Use https://sso.phrase.com/account/auth/saml/callback?id=[a-z0-9-_]+ for OneLogin . If the Regex does not match company ID, contact support.
- In the OneLogin application, select the SSO tab.
  Ensure is set to SHA-256.
  Ensure and parameters are set and save settings.
- In the on the tab:
  Use OneLogin for Phrase .
  Use OneLogin for Phrase .
  Click on View details within the in OneLogin to view Fingerprint and copy the Fingerprint into Phrase .
- Click Update settings.
  OneLogin is set up as an identity provider.
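The validator value in the OneLogin steps above is a regular expression that the callback URL, including the company ID, has to match. The following is an added example (not Phrase's or OneLogin's code) that checks constructed company IDs against the pattern as printed and against an escaped form. It assumes Python `re` semantics, which may differ from OneLogin's matching; `ESCAPED`, `audit` and `first_bad_char` are names introduced here.

```python
import re

# Pattern exactly as printed on the page for the OneLogin validator field.
AS_PRINTED = r"https://sso.phrase.com/account/auth/saml/callback?id=[a-z0-9-_]+"

# Assumed escaped form (not from the page): "." and "?" are made literal.
# Unescaped, "?" is a quantifier that makes the preceding "k" optional.
ESCAPED = r"https://sso\.phrase\.com/account/auth/saml/callback\?id=[a-z0-9_-]+"

CALLBACK = "https://sso.phrase.com/account/auth/saml/callback?id={}"


def accepts(pattern: str, url: str) -> bool:
    """True only if the entire URL matches the validator pattern."""
    return re.fullmatch(pattern, url) is not None


def audit(company_id: str) -> dict:
    """Report how both pattern forms treat the callback URL for one company ID."""
    url = CALLBACK.format(company_id)
    return {
        "url": url,
        "as_printed": accepts(AS_PRINTED, url),
        "escaped": accepts(ESCAPED, url),
    }


def first_bad_char(company_id: str):
    """Return the first character outside [a-z0-9-_], or None if the ID fits."""
    for ch in company_id:
        if not re.fullmatch(r"[a-z0-9_-]", ch):
            return ch
    return None


if __name__ == "__main__":
    # Constructed company IDs, not real Phrase organizations.
    for cid in ("acme-corp_01", "Acme-Corp", "acme.corp"):
        print(audit(cid), "first bad char:", first_bad_char(cid))
```

An ID that contains an uppercase letter or a dot falls outside the character class, which is the case the page refers to support.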
Single Sign-on (SSO) allows Phrase TMS users to log in via third-party applications. Phrase enables integrations with identity providers (IdPs) compliant with SCIM 2.0 and the SAML 2.0 protocol. Existing usernames and passwords remain valid if SSO is deactivated.
Prerequisite: Administrator Login
If SSO is to be enforced and users already existed before SSO was enabled, administrators must manually change those users' passwords to randomly generated values so that they can only use SSO to sign in.
To enable Single sign-on, follow these steps:
- From the Settings page, scroll down to the section and click on Details.
  The page opens.
- Select .
  Configuration details are presented.
- Complete the following fields:
  The first five fields should be completed using information from an IdP. (Configuring SSO for OneLogin.)
  - This is used to validate the authenticity of the IdP. Depending on fingerprint generation, it is delimited by either colons or spaces. If authentication is not successful, switch the colons and spaces in the fingerprint to ensure it is correctly applied.
  - This value is provided by the IdP to uniquely identify your domain.
  - This is the URL that is called to request a user login from the IdP. The IdP authenticates and logs in users.
  - When users log out of, this URL is called to log them out of the IdP.
  - Choose the URL of the web page that users will see when they log out, e.g. a list of applications available to them in the IdP.
  - Select whether users will identify themselves using a or an address. A unique username is required by default, but users can opt to use the same email address multiple times. Choosing the option will require users to use a unique email address.
  - This field redirects users to the appropriate IdP configured for an SP-initiated SSO flow. It corresponds to the field accessible via Log in with SSO.
- Click Save.
  Settings are applied for the organization.
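The fingerprint field above may be delimited by colons or spaces. The following is an added example (not Phrase's code) that computes a fingerprint from the IdP certificate in PEM form and compares it with a configured value regardless of delimiter or case. It infers the hash algorithm from the value's length, which is an assumption because the page does not name the algorithm, and the sample certificate is constructed placeholder bytes.

```python
import hashlib
import re
import ssl

# Constructed stand-in for an IdP signing certificate: placeholder bytes wrapped
# in PEM armour. A fingerprint is a hash over the DER bytes, so this is enough
# to exercise the formatting logic.
SAMPLE_DER = b"constructed placeholder bytes, not a real X.509 certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

# Assumption: the digest is identified by its length (40 hex = SHA-1,
# 64 hex = SHA-256); the page does not say which one the field expects.
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def normalize(fp: str) -> str:
    """Drop colon/space delimiters and case so both notations compare equal."""
    hexdigits = re.sub(r"[:\s]", "", fp).lower()
    if len(hexdigits) not in ALGO_BY_HEX_LEN or not re.fullmatch(r"[0-9a-f]+", hexdigits):
        raise ValueError("not a SHA-1 or SHA-256 fingerprint: %r" % fp)
    return hexdigits


def fingerprint(pem: str, algo: str = "sha256", sep: str = ":") -> str:
    """Hash the certificate's DER encoding and join the byte pairs with sep."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.new(algo, der).hexdigest().upper()
    return sep.join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches(pem: str, configured: str) -> bool:
    """True if the configured value is this certificate's fingerprint."""
    wanted = normalize(configured)
    algo = ALGO_BY_HEX_LEN[len(wanted)]
    return normalize(fingerprint(pem, algo)) == wanted


if __name__ == "__main__":
    for sep in (":", " "):
        value = fingerprint(SAMPLE_PEM, "sha256", sep)
        print(repr(sep), value, matches(SAMPLE_PEM, value))
```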
To configure SCIM properties, follow these steps:
Note: If SSO is enabled in your organization, emails sent to any newly created users will not include a password generation link as the main means of access to Phrase TMS is via SSO.
Options:
- Allow users to change their login credentials
  Uncheck this box to prevent users from editing their usernames, passwords, and emails. Can be used to force users to access only through SSO (as SSO uses a different authentication method).
- New users mapped to
  Sets default user role for new users created via SSO. The Linguist role is selected by default.
and the can be used by an IdP to configure Phrase as the recipient application and to establish the connection.
The Organization ID is found in the field on the bottom of the page.
Some SSO providers require Entity ID / Metadata URL, ACS URL or SLS URL.
If required, use the below URLs for your appropriate datacenter:
EU Data Center
- Entity ID/Metadata URL: https://cloud.memsource.com/web/saml2Login/metadata/{orgId}
- ACS URL: https://cloud.memsource.com/web/saml2Login/sacs/{orgId}
- (Optional) SLS (Single Logout Service) URL: https://cloud.memsource.com/web/saml2Login/ssls/{orgId}
US Data Center
- Entity ID/Metadata URL: https://us.cloud.memsource.com/web/saml2Login/metadata/{orgId}
- ACS URL: https://us.cloud.memsource.com/web/saml2Login/sacs/{orgId}
- (Optional) SLS (Single Logout Service) URL: https://us.cloud.memsource.com/web/saml2Login/ssls/{orgId}