Administration

Phrase Identity Management

Content is machine translated from English by Phrase Language AI.

Platform Single Login

The Phrase Localization Platform supports single login to the different Phrase products through a single login or signup page. Go to https://eu.phrase.com (for EU data centers) or https://us.phrase.com (for US data center) to sign up or login via the Platform.

Note

Single login through the Platform is not currently available for users signing up or logging in via social networks. Such authentication is still supported through the legacy login page of the specific product.

New users signing up to the Platform as well as existing Phrase users can navigate among all available products within the Platform Dashboard, without individual authentication to each of them.

Once logged in to the Platform, select the Dashboard dropdown menu in the top left corner to switch among all subscribed products as required. The product switcher is also available within each product interface for all users with a Platform user profile.

Users can be members of different and multiple Phrase organizations and switch among them as required.

Product access requirements

  • Access to products is defined by purchased plan

  • Phrase TMS and Phrase Strings

  • Phrase Orchestrator

    • Access to TMS or Strings

  • Phrase Custom AI, Phrase Language AI and Phrase Analytics

Note

For more information about pricing of Phrase TMS, Phrase Strings, various add-ons and success plans, visit Phrase pricing page.

Existing TMS or Strings users can log in through the Platform login page by entering username and password or via Platform SSO.

Platform SSO

Single Sign-on (SSO) allows Platform users to log in via third-party applications. The Phrase Platform enables integrations with identity providers (IdPs) compliant with SCIM 2.0 and the SAML 2.0 protocol.

Users have access as long as they are logged into the organization IdP system.

By default, users can log in to the Phrase Platform via both SSO and through existing username and password credentials. If required, SSO usage can be enforced to restrict the ability to log in using username and password.

uniqueID parameter

The SSO login page supports the uniqueId URL parameter that pre-fills the Unique Global Identifier for users. Placing a string into this parameter causes the Unique Identifier field to be pre-filled for the user.

Example:

https://eu.phrase.com/idm-ui/signin/sso?uniqueId=YOUR_ID

Customers can bookmark the URL with this parameter in their browser so the don't have to remember this ID value to start the SSO login.

Enable SSO using SAML 2.0

SSO setup should be performed by IT administrators with admin access to the chosen IdP.

To set up SSO, follow these steps:

  1. Select Settings/Organization from the profile icon at the top right of the page.

    The Organization settings page opens and the SSO tab is presented.

    suite_sso.gif
  2. Select the SSO tab and click Enable SSO.

    SSO configuration page is displayed.

  3. Fill in the Authorize SSO section:

    • Provide a unique identifier (e.g. the organization name or a random string) in the Globally unique identifier field.

      Organization users will be required to use the unique identifier when logging into the Phrase Platform.

    • Select the required option from the Identifier type dropdown:

      Username:

      Platform users are matched to IdP user identities by username. NameID format attribute is used to match users:

      urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

      Email address:

      Platform users are matched to IdP user identities by email. NameID format attribute is used to match users:

      urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  4. Use information provided by the IdP to fill in required fields in the Configure SAML in Phrase section, then click Save.

    Fields in the Add Phrase to your identity provider section are automatically populated.

  5. Copy the links provided in the Add Phrase to your identity provider section and enter them in your IdP's SAML setup.

Note

Signing the SAML response is required to successfully set up Platform SSO.

More information can be found in the documentation specific to the IdP (e.g. Certificate signing options through Microsoft Azure AD).

Enforce SSO

Selecting Require users to sign in with SSO forces users to use SSO to sign in.

Requiring users to sign in with SSO will prevent users who didn't log in via SSO previously from accessing the organization. Users will also be removed from organizations and will no longer be associated with earlier projects and jobs.

User Provisioning

Phrase Platform supports two types of user provisioning using SAML/SSO features to automate access to the Platform applications:

  • Just-in-Time (JIT)

  • SCIM

New users are created automatically in the Platform organization once they are provisioned access to Phrase in the chosen identity provider (IdP).

All new users are created as members of the relevant Platform organization and do not have access to any of the products by default. The Platform organization's owner or administrator will have to invite them to the required product separately.

Created users are required to confirm their binding to the organization. To do this, an email with a verification link is sent to the provisioned user. Prior to verification, the user is not allowed to log in with SSO.

Note

To skip binding confirmation, contact the dedicated Customer Success Manager.

Provisioned users are not allowed to change their Phrase credentials, as these are managed in the IdP.

Just-in-Time (JIT) Provisioning

Just-in-Time (JIT) provisioning is a SAML protocol based method that is used to create users the first time they log in to an application through SAML SSO. This eliminates the need to provision users or create user accounts manually.

JIT provisioning configuration should be performed by IT administrators with admin access to the chosen IdP.

To configure JIT provisioning through SAML SSO, follow these steps:

  1. Select Settings/Organization from the profile icon at the top right of the page.

    The Organization settings page opens and the SSO tab is presented.

    suite_sso.gif
  2. Select the SSO tab.

    SSO configuration page is displayed.

  3. Scroll down to Configure SAML in Phrase and select Enable auto-provisioning SAML.

    Note

    SAML auto-provisioning and SCIM cannot be enabled at the same time.

  4. Use the attributes in the Attribute statements table to map attributes from IdP to data in Phrase.

    This is needed to ensure the users data is aligned between the two systems.

  5. Click Save.

    Configuration is saved.

SCIM Provisioning

The SCIM protocol is an application-level standard that enables secure management and exchange of identity data across domains.

Supported SCIM functionality:

  • Create user

    • The user is provisioned to all applications that are active in their Platform organization.

    • The user has Linguist role in Phrase TMS and Translator role in Phrase Strings.

    • A SCIM-created user identity cannot be merged with an existing one. Only fresh identities are supported.

  • Edit user attributes

    Editing attributes in the IdP is reflected in the Phrase Platform.

  • Delete user

    • When IdP sends a user deletion request, that user will be deleted from the Phrase platform.

    • If an SCIM-managed user is a member of multiple organizations, the deletion request from one organization will remove their membership from that organization. Only after receiving a deletion request from the last organization they are a member of will that user be completely removed from the platform.

Note

Due to continuous improvements, the user interface may not be exactly the same as presented in the video.

SCIM configuration should be performed by IT administrators with admin access to the chosen IdP. To configure SCIM properties, follow these steps:

  1. Select Settings/Organization from the profile icon at the top right of the page.

    The Organization settings page opens and the SSO tab is presented.

    suite_sso.gif
  2. Select the SSO tab.

    SSO configuration page is displayed.

  3. Scroll down to SCIM Configurations and select Enable SCIM.

    SCIM configuration details are presented.

    Note

    SAML auto-provisioning and SCIM cannot be enabled at the same time.

  4. Enter the desired SCIM secret to use in the encoding.

    Note

    The SCIM secret is required due to the Phrase Platform architecture where multiple organizations can use SCIM. The organization ID is encoded in the security token to prevent the use of UID in the URL.

    The SCIM bearer token field is populated with a unique token.

  5. Copy the token and the SCIM base URL.

    These will be used in the identity provider settings.

  6. Click Save.

    Configuration is saved.

Was this article helpful?

Sorry about that! In what way was it not helpful?

The article didn’t address my problem.
I couldn’t understand the article.
The feature doesn’t do what I need.
Other reason.

Note that feedback is provided anonymously so we aren't able to reply to questions.
If you'd like to ask a question, submit a request to our Support team.
Thank you for your feedback.