Set up OIDC-based single sign-on on a memoQ server - Part 2 - for a memoQ administrator
After the company system administrator has set up the Authentication Manager on the memoQ TMS (see Part 1 of this document), a memoQ admin user can start creating or updating the server users.
Set up SSO users on a new memoQ server
There are two users in the user database of a newly installed memoQ server: the built-in admin user and the disabled guest user. These are local users on the server, and they can log in with their memoQ usernames and passwords. The admin password was set up during server activation, and can be changed anytime in the memoQ server Deployment Tool.
SSO is not a must for all users: After setting up single sign-on, you can still create "traditional" users on the memoQ TMS. They will not log in with their company credentials: they will use a memoQ TMS username and password.
To set up SSO users on the new server:
-
Start logging in to the memoQ server using memoQWeb or the memoQ desktop app.
- In memoQWeb, just open the sign-in page.
- In the memoQ desktop app, click the Forget login link on the Dashboard), then click the check mark button next to the server name. Then, in the Log in to server window, choose the Log in with external identity provider option.
- If there are two or more ID provider systems on the sign-in page, choose yours from the list.
- Your ID provider’s login page opens. Log in with your company username and password (and do multi-factor authentication if needed).
- Choose the No, this is my first time here option, and close memoQ or the browser.
- Now, sign in to memoQWeb with the admin user using their memoQ credentials.
- On the left sidebar, click the Admin icon.
- On the Admin screen, click the Users button. The Users screen opens.
- Click the newly created user, and at the bottom of the page, set its Account status to Active.
- Click the Update user button.
- In the Group membership section, add the user to the Administrators group.
- Sign out of memoQWeb, and log in to memoQ or memoQWeb with your company username and password.
From now on, you can log in with your company credentials and enjoy the same privileges as the original admin user. Administrators have full power to create, modify, manage and delete server users, resources, and projects.
We recommend not to use the built-in admin user in your daily work. (Just change its password and store it at a safe location.) Also, it cannot be used with SSO. This is a safeguard for emergency situations when the memoQ server cannot connect to the ID provider service – you will still be able to access the server with the built-in admin user.
Notify the users who will need to log in to the memoQ server using SSO. They should:
-
Start logging in to the memoQ server using memoQWeb or the memoQ desktop app.
- In memoQWeb, just open the sign-in page.
- In the memoQ desktop app, click the Forget login link on the Dashboard), then click the check mark button next to the server name. Then, in the Log in to server window, choose the Log in with external identity provider option.
- If there are two or more ID provider systems on the sign-in page, choose yours from the list.
- Your ID provider’s login page opens. Log in with your company username and password (and do multi-factor authentication if needed).
- Ask the memoQ administrator to approve your registration in memoQWeb.
When a user connects to a memoQ server with their ID provider credentials for the first time, the Authentication Manager creates a new, pending user who is not a member of any group. Before they can log in and do anything on the server, an administrator needs to approve their registration, and add them to a user group (or – in special cases – set up their user permissions individually).
The Authentication Manager fills user details that are in the ID provider system (for example, full name or email address). But the OIDC protocol does not send group membership information, so the memoQ TMS cannot add newly created users to the corresponding groups. This is why an administrator needs to arrange users and groups on the memoQ server.
Sign in to memoQWeb as an administrator, add the users to groups as needed, set up their access rights, and change their Account status to Active.
If you have users who will not be in your company ID provider system, you – as a memoQ administrator – can create memoQ users for them in the memoQ desktop app or in memoQWeb.
Tell the newly created users to log in to the memoQ server. Send them the server address, their username, and their password.
When adding users from memoQWeb’s user management page, you can set a temporary password that they need to change when they log in for the first time.
Switch to SSO on a server already in use
After upgrading memoQ TMS to 9.5 or newer, and configuring the Authentication Manager as described in Part 1 of this guide, users can change their login mode to SSO.
Notify the users who will need to log in with their IDP credentials – this might mean only some users (for example, the internal localization team), or all server users.
Ask users to:
-
Start logging in to the memoQ server using memoQWeb or the memoQ desktop app.
- In memoQWeb, just open the sign-in page.
- In the memoQ desktop app, click the Forget login link on the Dashboard), then click the check mark button next to the server name. Then, in the Log in to server window, choose the Log in with external identity provider option.
- If there are two or more ID provider systems on the sign-in page, choose yours from the list.
- Your ID provider’s login page opens. Log in with your company username and password (and do multi-factor authentication if needed).
- On the next screen in memoQ or memoQWeb, choose the option I worked on this server before.
-
Enter your memoQ username and password that you were using before.
If until now, you used your Windows user to sign in to memoQ TMS, enter that username and password.
- memoQ will change your login mode to single sign-on. From now on, you will only be able to log in to the memoQ server with your company username and password.
Step 5 above means that users can migrate their accounts from Windows-based SSO to the OIDC-based one. If you have Windows-based SSO set up at the company, read more details here.
Group membership and permissions of the users will not change. The list in Server Administrator's User management window will show a green shield icon in the account origin. The icon's tooltip shows the ID provider and the account status. In memoQWeb, the Users list will show SSO as account type.
If somebody chooses "This is my first time" by accident, they should ask help from a memoQ administrator, who can delete the freshly created user on the memoQ TMS, and let the person try again.
You cannot enforce the switch to SSO: Currently, you cannot prevent a user from signing in with their memoQ TMS username and password.
Version compatibility
OpenID Connect-based SSO works only in versions 9.5 and up. Earlier versions of memoQ TMS cannot recognize and manage users of OIDC origin. Earlier versions of the memoQ desktop app lead to problems like this:
- You cannot log in with your SSO users – there is no such option in the Log in to server window.
- You cannot manage SSO users and groups with SSO users.
When working on projects on a server that uses OIDC-based SSO, you need to use a 9.5 (or higher) version of the memoQ desktop app.
Users who only have a license for earlier versions of the memoQ desktop app will need:
- a valid SMA, so that they can upgrade their licenses to the newest version, or
-
a license from your server so that they can use a compatible version which they install into a different folder on their computers. Then they can use the new version to connect to your server, and the earlier version with their own license for other jobs.
Users who work on your server with a CAL license will need to enter their IDP username and password every time they connect to your server. The memoQ desktop app does not store IDP sign-in credentials.