As the owner, SSO allows you to select who has access to your Phrase account by using your existing identity provider/SSO solution.
Your users will be able to access the Phrase account, as long as they’re logged in to your organisation’s identity provider system.
Within your identity provider solution, you will be able to take control of the following rights:
- Manage who is able to access Phrase
- Update user details (first/last name)
Once SSO is enabled, you will still be able to manage all user roles within your Phrase account.
SAML SSO is available to all customers on the Enterprise Plan.
How to set up SAML SSO
In order to activate SAML SSO, you must be be logged in as the owner of that account.
Choose SSO in your account navigation.
Enable SSO and follow the setup steps below.
You can find the information that you need, in order to setup Phrase with your identity provider in the first part of the SSO settings.
Fill in the information from your identity provider in the second part of the SSO settings.
Auto Provisioning and Enforced SSO
Note that Auto Provisioning has to be enabled, in order to automatically set up a new Phrase account for users that don't have access to Phrase yet.
Those user accounts will initially have a translator role with limited rights but can be changed by a Admin at any times.
When clicking the Enforce SSO box, a password based login won't be possible anymore.
Setting up SSO in okta, step by step
Please note: Administrative access in your okta instance is required to set up SSO in okta . This process is only accessible within the Classic UI in okta.
To configure Phrase SSO with okta, do the following:
Log in to okta. Make sure that you are in the administrative instance of your okta developer account.
Open the applications settings:
Create a new application :
Update the SAML settings with the information provided in your Phrase SSO settings.:
Finish the setup process and view the SAML 2.0 settings provided by okta:
Copy and paste those settings provided by okta into your Phrase SSO settings:
Setting up SSO in OneLogin, step by step
1. In OneLogin Admin:
- Go to Applications and click on “Add App”
- Search for “SAML Test Connector (IdP w/ attr w/ sign response)”
You can either request logos from our Customer Success team or use your own. Once you are done, click on “Save”.
Keep this page open and continue within Phrase in a separate window.
2. On Phrase:
- Go to SSO and click “Enable SSO”
- Use the shown Phrase settings to connect OneLogin with Phrase
You can choose if you want to enable auto provisioning and force login via SSO. This should only be enabled once the login has been tested and is working. In this step, you just need to transfer the data from Phrase to OneLogin.
3. In OneLogin Application Setup:
- Click on “Configuration” in the navigation on the lefthand side
- Use the Phrase settings to connect OneLogin with Phrase
Use ”Single Sign-On Callback URL” from Phrase for “Recipient” and “ACS (Consumer) URL” in OneLogin.
Use “Single Sign-On Entity” from Phrase for “Audience” in OneLogin.
Use a Regex Validation for the ACS Url.
You should use
If the Regex does not match your COMPANY-ID, please contact our Sales team or Customer Success team.
4. In OneLogin Application Setup:
- Once you saved the current setup go to “SSO” in the navigation on the left side
- Verify that “SAML Signature Algorithm” is set to SHA-256, if not change and save
- Verify that the parameters “FirstName” and "LastName" are set, if not, add them now
5. Copy SSO Setup from OneLogin to Phrase
- Copy “Issuer URL” and paste it into “Identity Provider Issuer” in Phrase
- Copy “SAML 2.0 Endpoint (HTTP)” and paste it into
“Identity Provider Single Sign-On URL” in Phrase
- Click on “View Details” within the “X.509 Certificate” to see the Fingerprint of the certificate
- Copy “Fingerprint” and paste it into “Identity Provider Certificate Fingerprint” in Phrase
- There is no need to copy over the whole certificate
- Save the settings on Phrase by clicking “Update settings”
Once you've completed all of the above steps, your Phrase SSO Setup should look similar to this:
Does multi-account login work between non-SSO accounts?
Yes. Switching between non-SSO accounts works.
Does multi-account login work between SSO and non-SSO accounts?
No. If you are a collaborator on multiple accounts, switching from or to accounts that are SSO-enabled will not be allowed for security reasons. To log into a non-SSO account, logout and login to your non-SSO account with your e-mail and password on phrase.com.
How to revoke a user’s access
Within Phrase you can remove the user so he/she will not be able to access any projects anymore. To revoke the access completely, you have to revoke the rights within your Identity Provider.