Phrase Identity Management

Suite Single Login

The Phrase Localization Suite supports single login to the different Phrase products through a single login or signup page. Go to https://eu.phrase.com (for EU data centers) or https://us.phrase.com (for the US data center) to sign up or log in via the Suite.

Note

Single login through the Suite is not currently available for users signing up or logging in via social networks. Such authentication is still supported through the legacy login page of the specific product.

New users signing up to the Suite as well as existing Phrase users can navigate among all available products within the Suite Dashboard, without individual authentication to each of them.

Once logged in to the Suite, select the Dashboard dropdown menu in the top left corner to switch among all subscribed products as required. The product switcher is also available within each product interface for all users with a Suite user profile.

Product access requirements

  • Access to products is defined by purchased plan

  • Phrase TMS and Phrase Strings

  • Phrase Orchestrator

    • Access to TMS or Strings

  • Phrase Custom AI, Phrase Language AI and Phrase Analytics

Note

For more information about pricing of Phrase TMS, Phrase Strings, various add-ons and success plans, visit the Phrase pricing page.

Existing TMS or Strings users can log in through the Suite login page by entering username and password or via Suite SSO.

Suite SSO

Single Sign-on (SSO) allows Suite users to log in via third-party applications. The Phrase Suite enables integrations with identity providers (IdPs) compliant with SCIM 2.0 and the SAML 2.0 protocol.

Users have access as long as they are logged into the organization IdP system.

By default, users can log in to the Phrase Suite via both SSO and through existing username and password credentials. If required, SSO usage can be enforced to restrict the ability to log in using username and password.

Enable SSO using SAML 2.0

SSO setup should be performed by IT administrators with admin access to the chosen IdP.

To set up SSO, follow these steps:

  1. Select Settings/Organization from the profile icon at the top right of the page.

    The Organization settings page opens and the SSO tab is presented.

  2. Select the SSO tab and click Enable SSO.

    The SSO configuration page is displayed.

  3. Fill in the Authorize SSO section:

    • Provide a unique identifier (e.g. the organization name or a random string) in the Globally unique identifier field.

      Organization users will be required to use the unique identifier when logging into the Phrase Suite.

    • Select the required option from the Identifier type dropdown:

      Username:

      Suite users are matched to IdP user identities by username. The following NameID format attribute is used to match users:

      urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

      Email address:

      Suite users are matched to IdP user identities by email. The following NameID format attribute is used to match users:

      urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  4. Use information provided by the IdP to fill in required fields in the Configure SAML in Phrase section, then click Save.

    Fields in the Add Phrase to your identity provider section are automatically populated.

  5. Copy the links provided in the Add Phrase to your identity provider section and enter them in your IdP's SAML setup.

Note

Signing the SAML response is required to successfully set up Suite SSO.

More information can be found in the documentation specific to the IdP (e.g. Certificate signing options through Microsoft Azure AD).
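
The following pre-flight check is an added example, not Phrase code: it inspects a decoded SAML response captured from a test login and reports whether the Response element itself carries a signature and whether the NameID Format matches the Identifier type chosen in step 3. The sample response and the idp.example.test names are constructed, and the check only looks for the presence of a signature element; it does not verify it cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# NameID formats listed on this page for each Identifier type.
NAMEID_FORMATS = {
    "username": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "email": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}

# Constructed sample: the assertion is signed, the enclosing Response is not.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignedInfo/></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.test</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def preflight(response_xml, identifier_type):
    """Return a list of configuration problems found in a decoded SAML response."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    problems = []
    # A Signature that is a direct child of Response covers the whole response;
    # one nested inside the Assertion covers the assertion only.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response element is not signed")
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID in assertion subject")
    elif name_id.get("Format") != NAMEID_FORMATS[identifier_type]:
        problems.append("NameID Format is %s, expected %s"
                        % (name_id.get("Format"), NAMEID_FORMATS[identifier_type]))
    return problems


if __name__ == "__main__":
    for kind in ("email", "username"):
        print(kind, preflight(SAMPLE_RESPONSE, kind))
```

Run it only on responses from your own IdP test logins; xml.etree.ElementTree is not hardened for untrusted XML.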

Enforce SSO

Selecting Require users to sign in with SSO forces users to use SSO to sign in.

Requiring users to sign in with SSO will prevent users who didn't log in via SSO previously from accessing the organization. Users will also be removed from organizations and will no longer be associated with earlier projects and jobs.

User Provisioning

Phrase Suite supports two types of user provisioning using SAML/SSO features to automate access to the Suite applications:

  • Just-in-Time (JIT)

  • SCIM

New users are created automatically in the Suite organization once they are provisioned access to Phrase in the chosen identity provider (IdP).

All new users are created as members of the relevant Suite organization and do not have access to any of the products by default. The Suite organization's owner or administrator will have to invite them to the required product separately.

Created users are required to confirm their binding to the organization. To do this, an email with a verification link is sent to the provisioned user. Prior to verification, the user is not allowed to log in with SSO.

Note

To skip binding confirmation, contact the dedicated Customer Success Manager.

Provisioned users are not allowed to change their Phrase credentials, as these are managed in the IdP.

Just-in-Time (JIT) Provisioning

Just-in-Time (JIT) provisioning is a SAML protocol based method that is used to create users the first time they log in to an application through SAML SSO. This eliminates the need to provision users or create user accounts manually.

JIT provisioning configuration should be performed by IT administrators with admin access to the chosen IdP.

To configure JIT provisioning through SAML SSO, follow these steps:

  1. Select Settings/Organization from the profile icon at the top right of the page.

    The Organization settings page opens and the SSO tab is presented.

  2. Select the SSO tab.

    The SSO configuration page is displayed.

  3. Scroll down to Configure SAML in Phrase and select Enable auto-provisioning SAML.

    Note

    SAML auto-provisioning and SCIM cannot be enabled at the same time.

  4. Use the attributes in the Attribute statements table to map attributes from IdP to data in Phrase.

    This is needed to ensure that user data is aligned between the two systems.

  5. Click Save.

    Configuration is saved.

SCIM Provisioning

The SCIM protocol is an application-level standard that enables secure management and exchange of identity data across domains.

Supported SCIM functionality:

  • Create user

    • The user is provisioned to all applications that are active in their Suite organization.

    • The user has Linguist role in Phrase TMS and Translator role in Phrase Strings.

    • A SCIM-created user identity cannot be merged with an existing one. Only fresh identities are supported.

  • Edit user attributes

    Editing attributes in the IdP is reflected in the Phrase Suite.

SCIM configuration should be performed by IT administrators with admin access to the chosen IdP. To configure SCIM properties, follow these steps:

  1. Select Settings/Organization from the profile icon at the top right of the page.

    The Organization settings page opens and the SSO tab is presented.

  2. Select the SSO tab.

    The SSO configuration page is displayed.

  3. Scroll down to SCIM Configurations and select Enable SCIM.

    SCIM configuration details are presented.

    Note

    SAML auto-provisioning and SCIM cannot be enabled at the same time.

  4. Enter the desired SCIM secret to use in the encoding.

    Note

    The SCIM secret is required due to the Phrase Suite architecture where multiple organizations can use SCIM. The organization ID is encoded in the security token to prevent the use of UID in the URL.

    The SCIM bearer token field is populated with a unique token.

  5. Copy the token and the SCIM base URL.

    These will be used in the identity provider settings.

  6. Click Save.

    Configuration is saved.

Strings SSO

Available for

  • Enterprise plan (Legacy)

Get in touch with Sales for licensing questions.

Important

Migration to Suite-level SSO has started and will be completed by the end of 2023. See the relevant announcement in the Strings release notes.

New SSO integrations should be done using Suite-level SSO.

SSO allows control over who has access to an organisation by using an existing identity provider/SSO solution.

Users will have access as long as they're logged in to the organisation's identity provider system. Removing a user removes access to projects; rights should also be revoked from the identity provider.

Within the identity provider solution, control of the following rights is given:

  • Manage who is able to access Strings

  • Update user details (first/last name)

Once enabled, all user roles are still managed from within the organisation.

It is possible to switch between non-SSO organizations.

Switching from or to organisations that are SSO-enabled is not allowed for security reasons. To log in to a non-SSO organisation, log out and then log in to the non-SSO organisation with e-mail and password on phrase.com.

Set up single sign-on (SSO)

Single sign-on (SSO) can only be activated by the owner of an organisation.

To set up SSO, follow these steps:

  1. From the account dropdown menu, select Account & billing.

    The Account page opens and the Account & billing tab is presented.

  2. Select the SSO tab.

    SSO Settings are presented.

  3. Click Enable SSO.

    SSO options are presented.

  4. Use information provided in the Phrase settings section for the identity provider.

  5. Use information provided by the identity provider for the Identity Provider Settings.

  6. Click Update settings.

    Settings are applied.

Set up SSO in Okta

Administrative access in your Okta instance is required to set up SSO in Okta. This process is only accessible within the Classic UI in Okta.

To set up SSO in Okta, follow these steps:

  1. Log in to Okta. Ensure that the profile is in the administrative instance of the Okta developer account.

  2. From the Applications menu, select Applications.

  3. Create a new application, select Web as the platform and SAML 2.0 as the sign on method and click Create.

  4. Update the single sign-on setting with the information found in the Phrase settings on the SSO tab.

  5. Finish the setup process and view the single sign-on 2.0 settings provided by Okta.

  6. Copy the single sign-on 2.0 settings provided by Okta into the Identity Provider Settings section of the SSO tab.

  7. Click Update settings.

    Okta is set up as an identity provider.

Set up SSO in OneLogin

To set up SSO in OneLogin, follow these steps:

  1. From the OneLogin administration page, click Add App.

  2. Search for SAML Test Connector (IdP w/ attr w/ sign response).

    Add logo if desired.

  3. Click Save and leave the page open.

  4. Apply the settings displayed in the OneLogin application to fill in the SSO Settings section of the SSO tab.

    Do not enable Auto Provisioning until the login has been tested and is working.

  5. In the OneLogin application, fill in the Application details with information displayed in the Phrase settings section of the SSO tab.

    • Use Phrase Single Sign-On Callback URL for OneLogin Recipient.

    • Use Phrase Single Sign-On Entity for OneLogin Audience.

    • Use https://sso.phrase.com/account/auth/saml/callback?id=[a-z0-9-_]+ for OneLogin ACS (Consumer) URL Validator. If the Regex does not match company ID, contact support.

  6. In the OneLogin application, select the SSO tab.

  7. Ensure SAML Signature Algorithm is set to SHA-256.

  8. Ensure FirstName and LastName parameters are set and save settings.

  9. In the Identity Provider Settings on the SSO tab:

    • Use OneLogin Issuer URL for Phrase Issuer.

    • Use OneLogin SAML 2.0 Endpoint (HTTP) for Phrase Single sign-on URL.

    • Click on View details within the X.509 Certificate in OneLogin to view Fingerprint and copy the Fingerprint into Phrase X.509 Certificate.

  10. Click Update settings.

    OneLogin is set up as an identity provider.
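
The ACS (Consumer) URL Validator in step 5 is a regular expression, so it is worth testing before relying on it to restrict where the IdP posts SAML responses. The added example below is not Phrase or OneLogin code: it evaluates the pattern exactly as printed on this page next to a form with the literal "." and "?" escaped, using Python's re.fullmatch. The escaped pattern, the whole-string anchoring, and the candidate URLs (including the placeholder ID example-org) are assumptions; the page does not say how OneLogin anchors or escapes the validator.

```python
import re

# Pattern exactly as printed in step 5 on this page.
PRINTED = r"https://sso.phrase.com/account/auth/saml/callback?id=[a-z0-9-_]+"
# Hypothetical hardened form: "." and "?" escaped, hyphen moved to the end of
# the character class (same set of characters).
ESCAPED = r"https://sso\.phrase\.com/account/auth/saml/callback\?id=[a-z0-9_-]+"

# Constructed ACS URLs; "example-org" is a placeholder company ID.
CANDIDATES = [
    # the callback URL shape the page describes
    "https://sso.phrase.com/account/auth/saml/callback?id=example-org",
    # no "?" at all: unescaped "k?" means "optional k", not a literal "?"
    "https://sso.phrase.com/account/auth/saml/callbackid=example-org",
    # unescaped "." matches any character (not a valid host, constructed)
    "https://sso.phraseXcom/account/auth/saml/callbackid=example-org",
    # extra query parameter after the ID
    "https://sso.phrase.com/account/auth/saml/callback?id=example-org&x=1",
    # upper-case characters are outside [a-z0-9-_]
    "https://sso.phrase.com/account/auth/saml/callback?id=Example_Org",
]


def accepted(pattern, url):
    """True only if the whole URL matches; fullmatch anchors both ends."""
    return re.fullmatch(pattern, url) is not None


def compare(urls=CANDIDATES):
    """Map each URL to (accepted by PRINTED, accepted by ESCAPED)."""
    return {u: (accepted(PRINTED, u), accepted(ESCAPED, u)) for u in urls}


if __name__ == "__main__":
    for url, (printed, escaped) in compare().items():
        print("printed=%-5s escaped=%-5s %s" % (printed, escaped, url))
```

Under these assumptions only the escaped form accepts the real callback shape and rejects the others, which is the behaviour to confirm in the IdP before saving the validator.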

Single Sign-On (TMS)

Available for

  • Business and Enterprise plans

Get in touch with Sales for licensing questions.

Available for

  • Ultimate and Enterprise plans (Legacy)

Get in touch with Sales for licensing questions.

Important

Migration to Suite-level SSO has started and will be completed by the end of 2023. See the relevant announcement in the TMS release notes.

New SSO integrations should be done using Suite-level SSO.

Single Sign-on (SSO) allows Phrase TMS users to log in via third-party applications. Phrase enables integrations with identity providers (IdPs) compliant with SCIM 2.0 and the SAML 2.0 protocol. Existing usernames and passwords remain valid if SSO is deactivated.

Enable Single Sign-On

Prerequisite: Administrator Login

If forcing users to use SSO and there are existing users before SSO is enabled, administrators must manually update their passwords to something randomly generated so that they can only use SSO to sign in.

To enable Single sign-on, follow these steps:

  1. From the Settings page, scroll down to the Single sign-on section and click on Details.

    The Single sign-on page opens.

  2. Select Enable SSO for your organization.

    Configuration details are presented.

  3. Complete the following fields:

    The first five fields should be completed using information from an IdP. (Configuring SSO for OneLogin.)

    • Certificate fingerprint

      This is used to validate the authenticity of the IdP. Depending on fingerprint generation, it is delimited by either colons or spaces. If authentication is not successful, switch the colons and spaces in the fingerprint to ensure it is correctly applied.

    • Certificate fingerprint algorithm

    • Issuer URL

      This value is provided by the IdP to uniquely identify your domain.

    • SAML 2.0 endpoint (HTTP)

      This is the URL that is called to request a user login from the IdP. The IdP authenticates and logs in users.

    • SLO endpoint (HTTP)

      When users log out, this URL is called to log them out of the IdP.

    • Landing URL (Optional)

      Choose the URL of the web page that users will see when they log out, e.g. a list of applications available to them in the IdP.

    • Key user identifier

      Select whether users will identify themselves using a USERNAME or an EMAIL address. A unique username is required by default, but users can opt to use the same email address multiple times. Choosing the EMAIL option will require users to use a unique email address.

    • Domain name

      This field redirects users to the appropriate IdP configured for an SP-initiated SSO flow. It corresponds to the field Company domain accessible via Log in with SSO.

  4. Click Save.

    Settings are applied for the organization.
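
The certificate fingerprint fields above (and the OneLogin fingerprint copied in the Strings setup) fail most often because of delimiter style or a hash algorithm that differs from the one selected. The following is an added example, not Phrase code: it derives a fingerprint from a PEM certificate in either delimiter style and compares two fingerprints regardless of colons, spaces or case. The sample PEM is constructed from arbitrary bytes rather than a real certificate, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in: the Base64 body is arbitrary bytes, not a real certificate.
# A fingerprint is a hash of the decoded (DER) bytes, so the mechanics are the same.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed DER stand-in " * 6).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem):
    """Strip the PEM armour and whitespace, then decode the Base64 body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s", "", pem)
    return base64.b64decode(body, validate=True)


def fingerprint(pem, algorithm="sha256", sep=":"):
    """Upper-case hex fingerprint with byte pairs joined by sep (':' or ' ')."""
    digest = hashlib.new(algorithm, pem_to_der(pem)).hexdigest().upper()
    return sep.join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fp):
    """Drop colon/space delimiters and case so both styles compare equal."""
    hex_only = re.sub(r"[\s:]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]+", hex_only):
        raise ValueError("fingerprint contains non-hex characters")
    return hex_only


def same_fingerprint(a, b):
    """Delimiter-insensitive, constant-time comparison of two fingerprints."""
    return hmac.compare_digest(normalise(a), normalise(b))


def guess_algorithm(fp):
    """Infer the hash from the digest length (40 hex = SHA-1, 64 = SHA-256)."""
    return {40: "sha1", 64: "sha256"}.get(len(normalise(fp)), "unknown")


if __name__ == "__main__":
    colon, space = fingerprint(SAMPLE_PEM), fingerprint(SAMPLE_PEM, sep=" ")
    print(colon, guess_algorithm(colon), same_fingerprint(colon, space))
```

If guess_algorithm reports a different hash than the one selected in Certificate fingerprint algorithm, regenerate the fingerprint with the matching algorithm rather than changing delimiters.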

SCIM Configuration

To configure SCIM properties, follow these steps:

  1. Select Enable SCIM.

    SCIM configuration details are presented.

  2. Click Generate new token.

    The SCIM bearer token field is populated with a unique token.

  3. Copy the token and the SCIM base URL.

    These will be used in identity provider settings.

  4. Click Save.

    Configuration is saved.

User Management

Options:

  • Allow users to change their login credentials

    Uncheck this box to prevent users from editing their usernames, passwords, and emails. Can be used to force users to access only through SSO (as SSO uses a different authentication method).

    Note

    If the option is unchecked, clicking the Forget your password link does not send an email to reset the password.

  • New users mapped to

    Sets default user role for new users created via SSO. The Linguist role is selected by default.

Application Details

Organization ID and the Domain URL can be used by an IdP to configure Phrase as the recipient application and to establish the connection.

The Organization ID is found in the Organization ID field at the bottom of the single sign-on page.

Some SSO providers require Entity ID / Metadata URL, ACS URL or SLS URL.

If required, use the URLs below for the appropriate data center:

EU Data Center

  • Entity ID/Metadata URL:

    https://cloud.memsource.com/web/saml2Login/metadata/{orgId}

  • ACS URL:

    https://cloud.memsource.com/web/saml2Login/sacs/{orgId}

  • (Optional) SLS (Single Logout Service) URL:

    https://cloud.memsource.com/web/saml2Login/ssls/{orgId}

US Data Center

  • Entity ID/Metadata URL:

    https://us.cloud.memsource.com/web/saml2Login/metadata/{orgId}

  • ACS URL:

    https://us.cloud.memsource.com/web/saml2Login/sacs/{orgId}

  • (Optional) SLS (Single Logout Service) URL:

    https://us.cloud.memsource.com/web/saml2Login/ssls/{orgId}
