Administration

Phrase Identity Management

Suite Single Login

The Phrase Localization Suite supports single login to the different Phrase products through a single login or signup page. Go to https://eu.phrase.com (for EU data center) or https://us.phrase.com (for US data center) to sign up or log in via the Suite.

New users signing up to the Suite as well as existing Phrase users can navigate among all available products within the Suite Dashboard, without individual authentication to each of them. Existing TMS or Strings users can log in through the Suite login page by entering username and password or via Suite SSO.

Once logged in to the Suite, select the Dashboard dropdown menu at the top left corner to switch among all subscribed products as required. The product switcher is also available within each product interface for all users with a Suite user profile.

Note

Single login through the Suite is not currently available for users signing up or logging in via social networks. Such authentication is still supported through the legacy login page of the specific product.

Suite SSO

Single Sign-on (SSO) allows Suite users to log in via third-party applications. The Phrase Suite enables integrations with identity providers (IdPs) compliant with the SAML 2.0 protocol.

Users have access as long as they are logged into the organization IdP system.

By default, users can log in to the Phrase Suite via both SSO and through existing username and password credentials. If required, SSO usage can be enforced to restrict the ability to log in using username and password.

Note

Auto-provisioning and SCIM user management are not currently available.

Enable SSO using SAML 2.0

SSO setup should be performed by IT administrators with admin access to the chosen IdP.

To set up SSO, follow these steps:

  1. Select Settings/Organization from the profile icon at the top right of the page.

    The Organization settings page opens and the SSO tab is presented.

  2. Select the SSO tab and click Enable SSO.

    The SSO configuration page is displayed.

  3. Fill in the Authorize SSO section:

    • Provide a unique identifier (e.g. the organization name or a random string) in the Globally unique identifier field.

      Organization users will be required to use the unique identifier when logging into the Phrase Suite.

    • Select the required option from the Identifier type dropdown:

      Username:

      Suite users are matched to IdP user identities by username.

      Email address:

      Suite users are matched to IdP user identities by email.

  4. Use information provided by the IdP to fill in required fields in the Configure SAML in Phrase section, then click Save.

    Fields in the Add Phrase to your identity provider section are automatically populated.

  5. Copy the links provided in the Add Phrase to your identity provider section and enter them in your IdP's SAML setup.

Enforce SSO

Selecting Require users to sign in with SSO forces users to use SSO to sign in.

Requiring users to sign in with SSO will prevent users who didn't log in via SSO previously from accessing the organization. Users will also be removed from organizations and will no longer be associated with earlier projects and jobs.

Strings SSO

Available for

  • Enterprise plan

Get in touch with Sales for licensing questions.

SSO allows the selection of who has access to an organisation by using an existing identity provider/SSO solution.

Users will have access as long as they’re logged in to the organisation identity provider system. Removing a user removes access to projects, and rights should also be revoked from the identity provider.

Within the identity provider solution, control of the following rights is given:

  • Manage who is able to access Strings

  • Update user details (first/last name)

Once enabled, all user roles are still managed from within the organisation.

It is possible to switch between non-SSO organizations.

Switching from or to organisations that are SSO-enabled is not allowed for security reasons. To log into a non-SSO organisation, log out and log in to the non-SSO organisation with e-mail and password on phrase.com.

Set up single sign-on (SSO)

Single sign-on (SSO) can only be activated by the owner of an organisation.

To set up SSO, follow these steps:

  1. From the account dropdown menu, select Account & billing.

    The Account page opens and the Account & billing tab is presented.

  2. Select the SSO tab.

    SSO Settings are presented.

  3. Click Enable SSO.

    SSO options are presented.

  4. Use information provided in the Phrase settings section for the identity provider.

  5. Use information provided by the identity provider for the Identity Provider Settings.

  6. Click Update settings.

    Settings are applied.

Set up SSO in Okta

Administrative access in your Okta instance is required to set up SSO in Okta. This process is only accessible within the Classic UI in Okta.

To set up SSO in Okta, follow these steps:

  1. Log in to Okta. Ensure that the profile is in the administrative instance of the Okta developer account.

  2. From the Applications menu, select Applications.

  3. Create a new application, select Web as the platform and SAML 2.0 as the sign on method and click Create.

  4. Update the single sign-on setting with the information found in the Phrase settings on the SSO tab.

  5. Finish the setup process and view the single sign-on 2.0 settings provided by Okta.

  6. Copy the single sign-on 2.0 settings provided by Okta into the Identity Provider Settings section of the SSO tab.

  7. Click Update settings.

    Okta is set up as an identity provider.

Set up SSO in OneLogin

To set up SSO in OneLogin, follow these steps:

  1. From the OneLogin administration page, click Add App.

  2. Search for SAML Test Connector (IdP w/ attr w/ sign response).

    Add logo if desired.

  3. Click Save and leave the page open.

  4. Apply the settings displayed in the OneLogin application to fill in the SSO Settings section of the SSO tab.

    Do not enable Auto Provisioning until the login has been tested and is working.

  5. In the OneLogin application, fill in the Application details with information displayed in the Phrase settings section of the SSO tab.

    • Use Phrase Single Sign-On Callback URL for OneLogin Recipient.

    • Use Phrase Single Sign-On Entity for OneLogin Audience.

    • Use https://sso.phrase.com/account/auth/saml/callback?id=[a-z0-9-_]+ for OneLogin ACS (Consumer) URL Validator. If the regex does not match the company ID, contact support.

  6. In the OneLogin application, select the SSO tab.

  7. Ensure SAML Signature Algorithm is set to SHA-256.

  8. Ensure FirstName and LastName parameters are set and save settings.

  9. In the Identity Provider Settings on the SSO tab:

    • Use OneLogin Issuer URL for Phrase Issuer.

    • Use OneLogin SAML 2.0 Endpoint (HTTP) for Phrase Single sign-on URL.

    • Click on View details within the X.509 Certificate in OneLogin to view Fingerprint and copy the Fingerprint into Phrase X.509 Certificate.

  10. Click Update settings.

    OneLogin is set up as an identity provider.

Single Sign-On (TMS)

Available for

  • Ultimate and Enterprise plans

Get in touch with Sales for licensing questions.

Single Sign-on (SSO) allows Phrase TMS users to log in via third-party applications. Phrase enables integrations with identity providers (IdPs) compliant with SCIM 2.0 and the SAML 2.0 protocol. Existing usernames and passwords remain valid if SSO is deactivated.

Enable Single Sign-On

Prerequisite: Administrator Login

If SSO is to be enforced and users already existed before SSO was enabled, administrators must manually change those users' passwords to randomly generated values so that they can only sign in via SSO.

To enable Single sign-on, follow these steps:

  1. From the Settings page, scroll down to the Single sign-on section and click on Details.

    The Single sign-on page opens.

  2. Select Enable SSO for your organization.

    Configuration details are presented.

  3. Complete the following fields:

    The first five fields should be completed using information from an IdP. (Configuring SSO for OneLogin.)

    • Certificate fingerprint

      This is used to validate the authenticity of the IdP. Depending on fingerprint generation, it is delimited by either colons or spaces. If authentication is not successful, switch the colons and spaces in the fingerprint to ensure it is correctly applied.

    • Certificate fingerprint algorithm

    • Issuer URL

      This value is provided by the IdP to uniquely identify your domain.

    • SAML 2.0 endpoint (HTTP)

      This is the URL that is called to request a user login from the IdP. The IdP authenticates and logs in users.

    • SLO endpoint (HTTP)

      When users log out, this URL is called to log them out of the IdP.

    • Landing URL (Optional)

      Choose the URL of the web page that users will see when they log out, e.g. a list of applications available to them in the IdP.

    • Key user identifier

      Select whether users will identify themselves using a USERNAME or an EMAIL address. A unique username is required by default, but users can opt to use the same email address multiple times. Choosing the EMAIL option will require users to use a unique email address.

    • Domain name

      This field redirects users to the appropriate IdP configured for an SP-initiated SSO flow. It corresponds to the field Company domain accessible via Log in with SSO.

  4. Click Save.

    Settings are applied for the organization.
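
The following is an added example (not Phrase's code) for the Certificate fingerprint field above and for the fingerprint copied from OneLogin: it computes a SHA-1 or SHA-256 fingerprint from a PEM certificate in colon- or space-delimited form and compares two fingerprints regardless of delimiter or case. SAMPLE_PEM and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a certificate: arbitrary bytes wrapped in PEM armor.
# A fingerprint is a hash over the DER bytes, so no valid X.509 is needed here.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed example DER bytes, not a real certificate").decode()
    + "-----END CERTIFICATE-----\n"
)

HEX_LEN = {"sha1": 40, "sha256": 64}  # hex digits per fingerprint algorithm


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and decode the base64 body to DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s", "", pem)
    return base64.b64decode(body, validate=True)


def fingerprint(der: bytes, algorithm: str = "sha256", sep: str = ":") -> str:
    """Hash the DER encoding and format it as upper-case hex byte pairs."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return sep.join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Drop colon/space delimiters and case so both styles compare equal."""
    cleaned = re.sub(r"[:\s]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("fingerprint contains non-hex characters")
    return cleaned


def same_fingerprint(a: str, b: str, algorithm: str = "sha256") -> bool:
    """True only if both are full-length digests of `algorithm` and equal."""
    na, nb = normalize(a), normalize(b)
    if len(na) != HEX_LEN[algorithm] or len(nb) != HEX_LEN[algorithm]:
        return False  # truncated paste, or the wrong algorithm was selected
    return hmac.compare_digest(na, nb)


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print(fingerprint(der, "sha256", ":"))  # colon-delimited form
    print(fingerprint(der, "sha256", " "))  # space-delimited form
```

A length mismatch in same_fingerprint usually means the Certificate fingerprint algorithm field does not match the algorithm the IdP used to produce the fingerprint.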

SCIM Configuration

To configure SCIM properties, follow these steps:

  1. Select Enable SCIM.

    SCIM configuration details are presented.

  2. Click Generate new token.

    The SCIM bearer token field is populated with a unique token.

  3. Copy the token and the SCIM base URL.

    These will be used in identity provider settings.

  4. Click Save.

    Configuration is saved.

User Management

Note: If SSO is enabled in your organization, emails sent to any newly created users will not include a password generation link as the main means of access to Phrase TMS is via SSO.

Options:

  • Allow users to change their login credentials

    Uncheck this box to prevent users from editing their usernames, passwords, and emails. Can be used to force users to access only through SSO (as SSO uses a different authentication method).

  • New users mapped to

    Sets default user role for new users created via SSO. The Linguist role is selected by default.

Application Details

Organization ID and the Domain URL can be used by an IdP to configure Phrase as the recipient application and to establish the connection.

The Organization ID is found in the Organization ID field on the bottom of the single sign-on page.

Some SSO providers require Entity ID / Metadata URL, ACS URL or SLS URL.

If required, use the below URLs for your appropriate datacenter:

EU Data Center

  • Entity ID/Metadata URL:

    https://cloud.memsource.com/web/saml2Login/metadata/{orgId}

  • ACS URL:

    https://cloud.memsource.com/web/saml2Login/sacs/{orgId}

  • (Optional) SLS (Single Logout Service) URL:

    https://cloud.memsource.com/web/saml2Login/ssls/{orgId}

US Data Center

  • Entity ID/Metadata URL:

    https://us.cloud.memsource.com/web/saml2Login/metadata/{orgId}

  • ACS URL:

    https://us.cloud.memsource.com/web/saml2Login/sacs/{orgId}

  • (Optional) SLS (Single Logout Service) URL:

    https://us.cloud.memsource.com/web/saml2Login/ssls/{orgId}
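
An added example, not part of the Phrase documentation or product: a check that the entityID, ACS URL and optional SLS URL in an SP metadata document match the URLs listed above for a given data center and Organization ID. The metadata document and the Organization ID 12345 are constructed samples; what the Metadata URL actually returns is not shown on this page.

```python
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
# Hosts taken from the URL lists above.
HOSTS = {"eu": "https://cloud.memsource.com", "us": "https://us.cloud.memsource.com"}

# Constructed sample metadata for a hypothetical Organization ID 12345 (EU).
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://cloud.memsource.com/web/saml2Login/metadata/12345">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://cloud.memsource.com/web/saml2Login/sacs/12345"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def expected_urls(data_center: str, org_id: str) -> dict:
    """Build the three SP URLs for one data center ("eu" or "us") and org ID."""
    base = f"{HOSTS[data_center]}/web/saml2Login"
    return {"entity_id": f"{base}/metadata/{org_id}",
            "acs": f"{base}/sacs/{org_id}",
            "sls": f"{base}/ssls/{org_id}"}


def check_sp_metadata(xml_text: str, data_center: str, org_id: str) -> list:
    """Return a list of mismatches; an empty list means the metadata agrees."""
    want = expected_urls(data_center, org_id)
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("entityID") != want["entity_id"]:
        problems.append(f"entityID {root.get('entityID')!r} != {want['entity_id']!r}")
    acs = [e.get("Location")
           for e in root.iterfind(".//md:AssertionConsumerService", MD_NS)]
    if not acs:
        problems.append("no AssertionConsumerService element found")
    # Exact string comparison: a wrong host, org ID or trailing slash all fail.
    problems += [f"unexpected ACS URL {loc!r}" for loc in acs if loc != want["acs"]]
    problems += [f"unexpected SLS URL {e.get('Location')!r}"
                 for e in root.iterfind(".//md:SingleLogoutService", MD_NS)
                 if e.get("Location") != want["sls"]]
    return problems


if __name__ == "__main__":
    print(check_sp_metadata(SAMPLE_METADATA, "eu", "12345"))  # matching config
    print(check_sp_metadata(SAMPLE_METADATA, "us", "12345"))  # wrong data center
```

For metadata fetched over the network rather than embedded as here, parse it with a hardened XML parser such as defusedxml.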
