Administration
    1. Phrase
    2. Global
    3. Administration

    Phrase Identity Management

    Content is machine translated from English by Phrase Language AI.

    Platform Single Login

    The Phrase Localization Platform supports single login to the different Phrase products through a single login or signup page. Go to https://eu.phrase.com (for EU data centers) or https://us.phrase.com (for US data center) to sign up or login via the Platform.

    New users signing up to the Platform as well as existing Phrase users can navigate among all available products within the Platform Dashboard, without individual authentication to each of them.

    Once logged in to the Platform, select the Dashboard dropdown menu in the top left corner to switch among all subscribed products as required. The product switcher is also available within each product interface for all users with a Platform user profile.

    Product access requirements

    • Access to products is defined by purchased plan

    • Phrase TMS and Phrase Strings

    • Phrase Orchestrator

      • Access to TMS or Strings

    • Phrase Custom AI, Phrase Language AI and Phrase Analytics

    Note

    For more information about pricing of Phrase TMS, Phrase Strings, various add-ons and success plans, visit Phrase pricing page.

    Existing TMS or Strings users can log in through the Platform login page by entering username and password or via Platform SSO.

    Important

    When SSO is enabled, changing a user’s email in the UI is not supported. For SCIM-managed users, email changes are made through the identity provider.

    Identity membership status

    Users can be members of different and multiple Phrase organizations and switch among them as required. To comply with data retention policies, users (except Owners) who are members of an organization but have no access to any products will have their personal data (e.g. name and email) automatically anonymized after 12 months of inactivity.

    Each user in the Phrase Platform has an identity membership status of either Internal or External, based on how their account was created and which organization manages it.

    • Internal user

      A user created directly in an organization or provisioned through SSO/SCIM. The Internal organization (home organization) fully manages the user’s identity, including profile information and login settings.

    • External user

      A user that belongs to another organization as Internal and has been invited to collaborate in an additional organization. The External organization can assign tasks but cannot edit the user’s profile or login credentials.

    Users can be Internal in one organization at a time (or more if in the same organization group) and may appear as External in others.

    Membership status is displayed in the Users page of the Platform dashboard.

    Troubleshooting Login Issues

    In case of login issues, try these troubleshooting steps:

    1. Try incognito mode

      As a first step, open an incognito window (anonymous mode of the browser) and attempt to log in. If successful, clear the browser cache, cookies, and browsing history related to Phrase sites.

    2. Verify credentials

      If clearing the cookies and cache does not work, ensure correct login credentials are used.

      • If multiple accounts exist in Phrase, enter the username instead of the email address.

      • Ensure login to the correct data center.

    3. Reset the password

      If the password is forgotten, click Forgot password? on the login page and follow the reset password flow.

      After resetting the password, ensure the browser does not autofill login fields with outdated credentials. Confirm that the keyboard is set to the correct language to avoid incorrect input of credentials.

    4. Switch organizations (if applicable)

      An account may be associated with multiple organizations. If logged into the incorrect one, switch organizations.

    Platform Social Login

    The Phrase Platform supports social login via the following social providers:

    • Google

    • Microsoft

    • GitHub

    Go to https://eu.phrase.com or https://us.phrase.com to sign up or log in by connecting the desired social account. Legacy TMS or Strings social accounts are also supported to log in to the Phrase Platform.

    Logged-in users can connect or disconnect their Phrase profile to one of the available social providers in the user profile settings.

    Social signup or login is not available for users that have been invited to join a Phrase organization:

    • New users can sign up by providing their username and password or via SSO in the Phrase Platform signup page.

      Once logged in, go to the Platform's user profile settings to enable social login via the desired social provider.

    • Existing users that have been invited to join another Phrase organization must restore their password in order to accept the invitation.

      Once the password is restored, log in using the existing social account connection.

    Platform SSO

    Single Sign-on (SSO) allows Platform users to log in via third-party applications. The Phrase Platform enables integrations with identity providers (IdPs) compliant with SCIM 2.0 and the SAML 2.0 protocol (Microsoft Entra ID, Okta, Google Workspace, etc.).

    Note

    When using SAML SSO, the authentication state parameter supports a maximum length of 8192 bytes.

    Users have access as long as they are logged into the organization IdP system.

    By default, users can log in to the Phrase Platform via both SSO and through existing username and password credentials. If required, SSO usage can be enforced to restrict the ability to log in using username and password.

    uniqueID parameter

    The SSO login page supports the uniqueId URL parameter that pre-fills the Unique Global Identifier for users. Placing a string into this parameter causes the Unique Identifier field to be pre-filled for the user.

    Example:

    https://eu.phrase.com/idm-ui/signin/sso?uniqueId=YOUR_ID

    Customers can bookmark the URL with this parameter in their browser so they don't have to remember this ID value to start the SSO login.

    Enable SSO using SAML 2.0

    SSO setup should be performed by IT administrators with admin access to the chosen IdP.

    Upon SAML login, users' first_name and last_name are always updated in the Phrase organization user profile to match the value present in the customer's IdP when the respective attributes are present in the SAML login request. To avoid this, it is recommended to remove these attributes from the SAML login request.

    To set up SSO, follow these steps:

    1. Select Organization settings from the left-hand navigation menu in the Platform dashboard.

      The Organization settings page opens and the SSO tab is presented.

    2. Select the SSO tab and click Enable SSO.

      SSO configuration page is displayed.

    3. Fill in the Authorize SSO section:

      • Provide a unique identifier (e.g. the organization name or a random string) in the Globally unique identifier field.

        Organization users will be required to use the unique identifier when logging into the Phrase Platform.

      • Select the required option from the Identifier type dropdown:

        Username:

        Platform users are matched to IdP user identities by username. NameID format attribute is used to match users:

        urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

        Email address:

        Platform users are matched to IdP user identities by email. NameID format attribute is used to match users:

        urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

    4. Use information provided by the IdP to fill in required fields in the Configure SAML in Phrase section, then click Save.

      Fields in the Add Phrase to your identity provider section are automatically populated.

    5. Copy the links provided in the Add Phrase to your identity provider section and enter them in your IdP's SAML setup.

    Note

    Signing the SAML response is required to successfully set up Platform SSO.

    More information can be found in the documentation specific to the IdP (e.g. Certificate signing options through Microsoft Azure AD).

    Enforce SSO

    Selecting Require users to sign in with SSO forces users to use SSO to sign in.

    Requiring users to sign in with SSO prevents users who did not log in via SSO previously from accessing the organization.

    If an external collaborator requires access outside of SSO, select the Require SSO login for specified domains option.

    Options:

    • Allow all login methods

    • Require all users to log in via SSO

    • Require SSO login for specified domains

      Provide identifiers and identifier type and click Save.

    All users required to sign in with SSO are displayed in the Users page of the Platform dashboard.

    User Auto-Provisioning

    User auto-provisioning handles only company-managed users in Phrase, not self-registered users.

    Phrase Platform supports two types of user provisioning using SAML/SSO features to automate access to the Platform applications:

    • Just-in-Time (JIT)

    • SCIM

    New users are created automatically in the Platform organization once they are provisioned access to Phrase in the chosen identity provider (IdP).

    All new users are created as members of the relevant Platform organization and do not have access to any of the products by default. The Platform organization's owner or administrator will have to invite them to the required product separately.

    If required, default product and role assignment can be modified when setting up auto-provisioning in the Platform organization settings.

    Created users are required to confirm their binding to the organization. To do this, an email with a verification link is sent to the provisioned user. Prior to verification, the user is not allowed to log in with SSO.

    Note

    To skip binding confirmation, contact the dedicated Customer Success Manager.

    Provisioned users are not allowed to change their Phrase credentials, as these are managed in the IdP.

    When a user is de-provisioned through the IdP and consequently removed from their last organization in Phrase, the account enters an automated 30-day retention countdown. During this grace period, the identity is not deleted immediately, allowing for restoration if the removal was accidental.

    Set up Auto-Provisioning

    To enable or disable auto-provisioning, collaboration with Phrase Technical Support is required to ensure proper configuration and prevent potential issues, such as duplicate accounts or unassigned users.

    For a smooth setup and ongoing management of users, the following best practices are recommended:

    1. Start with a small test.

      Before rolling out auto-provisioning to the entire organization, it is recommended to provision a small group of users to verify that everything is functioning correctly.

    2. Assign all users via Identity Provider (IdP).

      After a successful test, assign all users to the Phrase application through the IdP. SCIM will then automate provisioning and user updates across the organization.

    3. Convert existing users to company-managed users.

      Contact Phrase Technical Support to convert current users to company-managed users. SCIM can only update and delete users marked as company-managed, making this step essential.

    4. Assign pre-SCIM users to the organization via IdP.

      Users added before enabling SCIM auto-provisioning must be assigned to the organization through the IdP. Failing to assign them may result in their deletion during SCIM synchronization.

    Just-in-Time (JIT) Provisioning

    Just-in-Time (JIT) provisioning is a SAML protocol based method that is used to create users the first time they log in to an application through SAML SSO. This eliminates the need to provision users or create user accounts manually and all created users have automatic access to that organization's products.

    JIT provisioning configuration should be performed by IT administrators with admin access to the chosen IdP.

    To configure JIT provisioning through SAML SSO, follow these steps:

    1. Select Organization settings from the left-hand navigation menu in the Platform dashboard.

      The Organization settings page opens and the SSO tab is presented.

    2. Select the SSO tab.

      SSO configuration page is displayed.

    3. Scroll down to Auto-Provisioning Configuration and select Contact support to enable the configuration settings.

      Note

      SAML auto-provisioning and SCIM cannot be enabled at the same time.

    4. Once the settings are enabled, select SAML Auto-provisioning (Just in time) from the Auto-provisioning dropdown.

    5. Select type of Role management.

      • Default assigns access to all Phrase products with default roles upon the provisioning.

      • Custom allows selecting a role for specific Phrase products that will be applied to all new users upon the provisioning.

        If the user role is empty, users will not be provisioned to the product.

    6. Use the attributes in the Attribute statements table to map attributes from IdP to data in Phrase.

      This is needed to ensure the users data is aligned between the two systems.

    7. Click Save.

      Configuration is saved.

    SCIM Provisioning

    The SCIM protocol is an application-level standard that enables secure management and exchange of identity data across domains.

    Supported SCIM functionality:

    • Create company-managed user

      • The user is provisioned to all applications that are active in their Platform organization.

      • The user has Linguist role in Phrase TMS and Translator role in Phrase Strings.

        If required, default product and role assignment can be modified when setting up auto-provisioning in the Platform organization settings.

      • A SCIM-created user identity cannot be merged with an existing one. Only fresh identities are supported.

    • Edit company-managed user attributes

      Editing attributes in the IdP is reflected in the Phrase Platform.

    • Delete company-managed user

      • When the IdP sends a user deletion request, that user’s membership is removed from the Phrase organization. If it is the last organization they belong to, the account enters a 30-day retention period before permanent deletion.

      • If an SCIM-managed user is a member of multiple organizations, the deletion request from one organization will remove their membership from that organization. Only after receiving a deletion request from the last organization they are a member of will the 30-day deletion countdown begin.

    Note

    Due to continuous improvements, the user interface may not be exactly the same as presented in the video.

    SCIM configuration should be performed by IT administrators with admin access to the chosen IdP.

    To configure SCIM properties, follow these steps:

    1. Select Organization settings from the left-hand navigation menu in the Platform dashboard.

      The Organization settings page opens and the SSO tab is presented.

    2. Select the SSO tab.

      SSO configuration page is displayed.

    3. Scroll down to Auto-Provisioning Configuration and select Contact support to enable the configuration settings.

      Note

      SAML auto-provisioning and SCIM cannot be enabled at the same time.

    4. Once the settings are enabled, select SCIM from the Auto-provisioning dropdown.

      SCIM configuration details are presented.

    5. Enter the desired SCIM secret to use in the encoding.

      Note

      The SCIM secret is required due to the Phrase Platform architecture where multiple organizations can use SCIM. The organization ID is encoded in the security token to prevent the use of UID in the URL.

      The SCIM bearer token field is populated with a unique token.

    6. Copy the token and the SCIM base URL.

      These will be used in the identity provider settings.

    7. Select type of Role management.

      • Default assigns access to all Phrase products with default roles upon the provisioning.

      • Custom allows selecting a role for specific Phrase products that will be applied to all new users upon the provisioning.

      • SCIM allows configuring product access and role per user based on information set in the IdP upon the provisioning.

    8. Click Save.

      Configuration is saved.

    Configure SCIM role management

    When SCIM is used, role assignment and product access can be defined directly in the IdP provisioning request using the roles attribute.

    Each entry in the roles array of the SCIM User Create request must contain:

    • A type, indicating the target product (must begin with phrase__)

    • A value, specifying the exact role name for that product

    Example SCIM request

    "roles": [
  { "type": "phrase__platform", "value": "MEMBER" },
  { "type": "phrase__tms", "value": "ADMIN" },
  { "type": "phrase__strings", "value": "none" }
]

    • The phrase__platform role is mandatory.

    • Use none to exclude access to a product.

    • All roles must match those configured and available in the relevant Phrase product. The Phrase Portal role is not configurable and is automatically inferred from the user’s TMS role.

    • Role names are case-sensitive. Upper case spelling is recommended.

    • Requests missing required fields or including invalid roles will fail.

    If assistance is required when setting up SCIM role-based provisioning or troubleshooting configuration errors, contact the assigned Solution Architect.

    Example configuration in Okta

    To configure SCIM role provisioning in Okta, follow these steps:

    1. Create custom attributes for each Phrase product:

      • phrase__platform

      • phrase__tms

      • phrase__strings

    2. Define valid role values for each attribute.

    3. Map these attributes to the SCIM app in Okta.

    4. Use conditional logic, if needed, to map roles dynamically based on user profile or group membership.

    5. Apply mappings only during user creation.

      Note

      Updates to existing user roles via SCIM are not supported.

    Migrate from legacy SSO

    Important

    As of March 4, 2025, the legacy SSO login pages for TMS and Strings will be deprecated. To ensure uninterrupted access to Phrase products, all organizations using legacy SSO must migrate to Platform SSO.

    Migrating to Platform SSO requires administrative access to the identity provider (IdP). Collaboration with the IT team is essential to configure a new Platform SSO integration in the IdP.

    Each Phrase organization can integrate with only one IdP. If multiple IdPs are used, select one for the Platform SSO setup before migration.

    Migration steps

    1. Set up Platform SSO in the IdP (Okta, Azure, TrustBuilder, or other IdPs).

      • To avoid confusion for users, set the globally unique identifier in Platform SSO to match the one used in the legacy SSO.

    2. Invite existing users and groups from the legacy SSO integration to the new Platform SSO integration within the IdP.

    3. Communicate the login flow changes:

      • Users must use the Platform login page:

      • If logging in via an IdP dashboard icon, users must select the updated Platform SSO icon.

      • User credentials (email/username) remain unchanged.

    Once the migration is complete, all existing content and user roles in Phrase TMS and Phrase Strings remain unchanged.

    Was this article helpful?

    Sorry about that! In what way was it not helpful?

    The article didn’t address my problem.
    I couldn’t understand the article.
    The feature doesn’t do what I need.
    Other reason.

    Note that feedback is provided anonymously so we aren't able to reply to questions.
    If you'd like to ask a question, submit a request to our Support team.
    Thank you for your feedback.

    Articles related to Administration