Set up OIDC-based single sign-on on a memoQ server - Part 2 - for a memoQ administrator

After the company system administrator has set up the Authentication Manager on the memoQ server (see Part 1 of this document), a memoQ admin user can start creating or updating the server users.

Set up SSO users on a new memoQ server

There are two users in the user database of a newly installed memoQ server: the built-in admin user and the disabled guest user. These are local users on the server, and they can log in with their memoQ usernames and passwords. The admin password was set up during server activation, and can be changed anytime in the memoQ server Deployment Tool.

SSO is not a must for all users: After setting up single sign-on, you can still create "traditional" users on the memoQ server. They will not log in with their company credentials: they will use a memoQ server username and password.

To set up SSO users on the new server:

Switch to SSO on a server already in use

After upgrading memoQ server to 9.5 or newer, and configuring the Authentication Manager as described in Part 1 of this guide, users can change their login mode to SSO.

Notify the users who will need to log in with their IDP credentials – this might mean only some users (for example, the internal localization team), or all server users.

Ask users to:

  1. First, log in to the memoQ server using memoQWeb or the memoQ desktop app.

    • In memoQWeb, simply open the login page.
    • In the memoQ desktop app, click the Clear credentials link on the Dashboard, then click the check mark icon next to the server name. Then, in the Log in to server window, choose the option Use an external identity provider.
  2. If there are two or more identity provider systems on the login page, choose your system from the list.
  3. Your identity provider's login page opens. Log in with your company username and password (and complete multi-factor authentication if required).
  4. Choose the option No, this is my first time here. and close memoQ or the browser.
  5. On the next screen in memoQ or memoQWeb, choose the option I have worked on this server before.
  6. Enter the memoQ username and password you used before.

    If you previously logged in to memoQ server with your Windows user, enter that username and password.

  7. memoQ will change your login mode to single sign-on. From now on, you can log in to the memoQ server only with your company username and password.

Step 5 above means that users can migrate their accounts from Windows-based SSO to the OIDC-based one. If you have Windows-based SSO set up at the company, read more details here.

Group membership and permissions of the users will not change. The list in Server Administrator's User management window will show a green shield icon in the account origin. The icon's tooltip shows the ID provider and the account status. In memoQWeb, the Users list will show SSO as the account type.

If somebody chooses "This is my first time" by accident, they should ask a memoQ administrator for help: the administrator can delete the freshly created user on the memoQ server and let the person try again.

You cannot enforce the switch to SSO: Currently, you cannot prevent a user from signing in with their memoQ server username and password.

Version compatibility

OpenID Connect-based SSO works only in versions 9.5 and up. Earlier versions of memoQ server cannot recognize and manage users of OIDC origin. Earlier versions of the memoQ desktop app cause problems such as these:

  • You cannot log in with your SSO users – there is no such option in the Log in to server window.
  • You cannot manage SSO users and groups with SSO users.

When working on projects on a server that uses OIDC-based SSO, you need to use a 9.5 (or higher) version of the memoQ desktop app.

Users who only have a license for earlier versions of the memoQ desktop app will need:

  • a valid SMA, so that they can upgrade their licenses to the newest version, or
  • a license from your server so that they can use a compatible version which they install into a different folder on their computers. Then they can use the new version to connect to your server, and the earlier version with their own license for other jobs.

    Users who work on your server with a CAL license will need to enter their IDP username and password every time they connect to your server. The memoQ desktop app does not store IDP sign-in credentials.