Set up OIDC-based single sign-on on a memoQ server - Part 2 - for a memoQ administrator

After the company system administrator has set up the Authentication Manager on the memoQ TMS (see Part 1 of this document), a memoQ admin user can start creating or updating the server users.

Set up SSO users on a new memoQ server

There are two users in the user database of a newly installed memoQ server: the built-in admin user and the disabled guest user. These are local users on the server, and they can log in with their memoQ usernames and passwords. The admin password was set up during server activation, and can be changed anytime in the memoQ server Deployment Tool.

SSO is not a must for all users: After setting up single sign-on, you can still create "traditional" users on the memoQ TMS. They will not log in with their company credentials: they will use a memoQ TMS username and password.

To set up SSO users on the new server:

Switch to SSO on a server already in use

After upgrading memoQ TMS to 9.5 or newer, and configuring the Authentication Manager as described in Part 1 of this guide, users can change their login mode to SSO.

Notify the users who will need to log in with their IDP credentials – this might mean only some users (for example, the internal localization team), or all server users.

Ask users to:

  1. Start logging in to the memoQ server using memoQWeb or the memoQ desktop app.

    • In memoQWeb, just open the sign-in page.
    • In the memoQ desktop app, click the Forget login link on the Dashboard), then click the check mark button icon_choose-server next to the server name. Then, in the Log in to server window, choose the Log in with external identity provider option.
  2. If there are two or more ID provider systems on the sign-in page, choose yours from the list.
  3. Your ID provider’s login page opens. Log in with your company username and password (and do multi-factor authentication if needed).
  4. On the next screen in memoQ or memoQWeb, choose the option I worked on this server before.
  5. Enter your memoQ username and password that you were using before.

    If until now, you used your Windows user to sign in to memoQ TMS, enter that username and password.

  6. memoQ will change your login mode to single sign-on. From now on, you will only be able to log in to the memoQ server with your company username and password.

Step 5 above means that users can migrate their accounts from Windows-based SSO to the OIDC-based one. If you have Windows-based SSO set up at the company, read more details here.

Group membership and permissions of the users will not change. The list in Server Administrator's User management window will show a green shield icon icon-oidc-sso in the account origin. The icon's tooltip shows the ID provider and the account status. In memoQWeb, the Users list will show SSO as account type.

If somebody chooses "This is my first time" by accident, they should ask help from a memoQ administrator, who can delete the freshly created user on the memoQ TMS, and let the person try again.

You cannot enforce the switch to SSO: Currently, you cannot prevent a user from signing in with their memoQ TMS username and password.

Version compatibility

OpenID Connect-based SSO works only in versions 9.5 and up. Earlier versions of memoQ TMS cannot recognize and manage users of OIDC origin. Earlier versions of the memoQ desktop app lead to problems like this:

  • You cannot log in with your SSO users – there is no such option in the Log in to server window.
  • You cannot manage SSO users and groups with SSO users.

When working on projects on a server that uses OIDC-based SSO, you need to use a 9.5 (or higher) version of the memoQ desktop app.

Users who only have a license for earlier versions of the memoQ desktop app will need:

  • a valid SMA, so that they can upgrade their licenses to the newest version, or
  • a license from your server so that they can use a compatible version which they install into a different folder on their computers. Then they can use the new version to connect to your server, and the earlier version with their own license for other jobs.

    Users who work on your server with a CAL license will need to enter their IDP username and password every time they connect to your server. The memoQ desktop app does not store IDP sign-in credentials.