Before you start configuring, gather the information below. You will need these at different points during the process.
If you run into a problem during the setup, contact memoQ support.
The Authentication Manager is a separate service next to the memoQ Server service. It is installed together with memoQ server, but to make it work, you need to configure it (after registering your
When registering your memoQ server as the client of an identity provider service, you need to set a callback URL. This is where the IDP can reach the Authentication Manager. The callback URL looks like this:
The Authentication Manager needs a port (3) for communication with the IDPs. By default, this is port 5001. This port should be open for inbound and outbound communication. If needed, you can configure a different port in the application settings file.
You can choose the callback URL’s last part (4) as needed, but:
When you register the memoQ server as a client at the ID provider, the
Make sure your firewall is set up correctly: The ID provider might require opening some ports on the company firewall. To learn more, search your ID provider's documentation.
Use a certificate issued by a trusted certification authority. This can be the same certificate that
The Authentication Manager needs the following system configuration data:
Set these up in the file %PROGRAMDATA%\MemoQ Server\Oidc Backend\appsettings.User.json.
Logging details are now stored in a separate file, %PROGRAMFILES%\Kilgray\MemoQ Server\Oidc\appsettings.json.
In a production environment, the certificate should be in a certificate store. The default settings under appsettings.User.json's Kestrel key are set up this way. Change only the Subject key's value: replace localhost with the certificate subject you wrote down before. Do not change other values.
Later in the setup process, you need to grant read access on this certificate to the Authentication Manager's service account.
In this example, “*” stands for any host name. If you want to limit access, edit the value of the AllowedHosts key: Enter one or more domains (for example, “*.company.com”) or specific host names (for example, “machine1.company.com”), separated by semicolons (;). Else, leave the AllowedHosts value unchanged.
If you changed the port number from the default, change the part after the colon (:) in the urls key:
Else, leave the urls value unchanged.
The Authentication Manager communicates with the memoQ server database. Enter the memoQ server database’s connection string as a value for the ConnectionStrings.OidcLoginData key:
Do not simply copy and paste: In the JSON file, you need to escape the backslash character - that is, change "\" to "\\".
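The appsettings.User.json edits above, as an added PowerShell example that is not part of the memoQ documentation or product: it loads the file, replaces the Subject value under the Kestrel key, sets AllowedHosts, changes the port in urls when it is not the default, adds the ConnectionStrings.OidcLoginData value and writes the file back, keeping a .bak copy. ConvertTo-Json escapes the backslashes in the connection string, so the value is typed with single backslashes. The certificate subject, host list and connection string are constructed sample values; the script assumes the Subject entry sits somewhere below the Kestrel key and finds it by name rather than by a fixed path.

```powershell
#Requires -RunAsAdministrator
# Added example (not memoQ's own code): applies the appsettings.User.json edits
# described above. All sample values are constructed placeholders; replace them.
param(
    [string]$ConfigPath = "$env:ProgramData\MemoQ Server\Oidc Backend\appsettings.User.json",
    # Certificate subject you wrote down earlier (constructed sample value)
    [string]$CertSubject = 'memoqserver.mycompany.com',
    # Semicolon-separated host list, or '*' to keep the default (any host)
    [string]$AllowedHosts = '*.mycompany.com;machine1.mycompany.com',
    # Authentication Manager port; 5001 is the default
    [int]$Port = 5001,
    # Connection string with single backslashes; ConvertTo-Json writes the "\\"
    # form that the JSON file needs (constructed sample value)
    [string]$ConnectionString = 'Server=SQLHOST\MEMOQ;Database=MemoQServer;Integrated Security=True'
)

# Replaces every property named Subject below the given node that still holds
# the placeholder 'localhost', whatever the nesting (assumption: the certificate
# subject is stored somewhere under the Kestrel key, as the setup text says).
function Set-KestrelSubject {
    param([object]$Node, [string]$Subject)
    $changed = 0
    if ($null -eq $Node) { return 0 }
    foreach ($prop in $Node.PSObject.Properties) {
        if ($prop.Name -eq 'Subject' -and $prop.Value -eq 'localhost') {
            $prop.Value = $Subject
            $changed++
        } elseif ($prop.Value -is [System.Management.Automation.PSCustomObject]) {
            $changed += Set-KestrelSubject -Node $prop.Value -Subject $Subject
        }
    }
    return $changed
}

$cfg = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json

# 1. Certificate: change only the Subject value, nothing else under Kestrel.
$n = Set-KestrelSubject -Node $cfg.Kestrel -Subject $CertSubject
if ($n -eq 0) { Write-Warning "No Subject = 'localhost' found under Kestrel; the file may already be edited." }

# 2. Host filtering: '*' keeps the default, otherwise set the semicolon-separated list.
if ($AllowedHosts -ne '*') { $cfg.AllowedHosts = $AllowedHosts }

# 3. Port: only the part after the last colon of each listening URL changes.
if ($Port -ne 5001 -and $cfg.urls) {
    $cfg.urls = ($cfg.urls -split ';' | ForEach-Object { $_ -replace ':\d+$', ":$Port" }) -join ';'
}

# 4. Database connection string for the Authentication Manager.
if (-not $cfg.ConnectionStrings) {
    $cfg | Add-Member -NotePropertyName ConnectionStrings -NotePropertyValue ([pscustomobject]@{})
}
$cfg.ConnectionStrings | Add-Member -NotePropertyName OidcLoginData -NotePropertyValue $ConnectionString -Force

# Keep a copy of the original, then write the result. -Depth is needed so the
# nested Kestrel section is not flattened by ConvertTo-Json.
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force
$cfg | ConvertTo-Json -Depth 10 | Set-Content -Path $ConfigPath -Encoding UTF8

# Print the result so the edited values can be checked before the service starts.
Get-Content -Path $ConfigPath
```

Run it from an elevated PowerShell window. The script rewrites the whole file through ConvertFrom-Json/ConvertTo-Json, so the layout changes but every value other than the ones listed stays as it was; compare against the .bak copy if anything looks different.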
The %PROGRAMFILES%\Kilgray\MemoQ Server\Oidc\appsettings.json file defines the logging details.
Find the key "Name": "File" under Serilog.WriteTo. The keys under Args here define important parameters:
path: By default, the log is stored in the file %PROGRAMDATA%\MemoQ Server\Oidc Backend\LogFiles\log-.txt.
rollingInterval, rollOnFileSizeLimit, fileSizeLimitBytes: Logs are written to daily files (do not change this), but if the file size reaches the limit (100 MB by default), a second file will be created for that day.
retainedFileCountLimit: By default, the last 31 log files are kept on the server.
By default, the logging level is Information. If you need more detail, change the Serilog.MinimumLevel.Default key's value to Debug or Verbose.
Verbose lists everything, even names and secrets – use it only when it is really needed, and only if it complies with your organization's data protection policies.
These settings are not permanent: When you update
Because of a known issue with the .NET Framework, the program files for the Authentication Manager and the OIDC Configuration Tool might be deleted by third-party software, for example, an anti-virus app. To avoid this: Create an environment variable called DOTNET_BUNDLE_EXTRACT_BASE_DIR, with Machine or System scope. Set its value to %PROGRAMDATA%\Temp\.net.
This may affect other .NET-based software on the
This step will not be necessary later: When memoQ is updated to .NET 5, this issue will be solved automatically.
Note: As of December 2020, memoQ supports Azure AD, Google, Microsoft, and Okta (both standard and custom) instances. If your company uses another OIDC-based ID provider service, contact our Business Services department, who can provide the resources you need.
Choose the settings file for your company’s ID provider type (AzureAD.settings.json, Google.settings.json, Microsoft.settings.json, OktaCustom.settings.json, or OktaOrg.settings.json), and put it into the %PROGRAMFILES%\Kilgray\MemoQ Server\Oidc folder. Open it in a text editor, and add your values:
Parameter | Description |
---|---|
Template | The template file that you are filling in with the parameter values. DO NOT CHANGE! |
Parameters | See each sub-key's description below. |
Name | The ID provider’s name in the Change as needed. |
DisplayName | The text on the ID provider's button you’ll see on the login page. Change as needed. |
ButtonIconUrl | URL for the ID provider’s icon that appears on the login page. There is a default icon URL, but you can set another one. |
ButtonBackgroundColor | Color for the ID provider’s button that appears on the login page. There is a default color, but you can set another one. |
ButtonTextColor | Text color for the ID provider’s button that appears on the login page. There is a default color, but you can set another one. |
ClientId | The Client ID that the ID provider generated for your memoQ server. You need to change the default value. |
ClientSecret | The client secret or secret key you received when registering your memoQ server at this ID provider. You should not save the client secret into this unencrypted JSON file - unless it is absolutely necessary. Leave this value blank, and enter the client secret only when you set up the ID provider with the configuration tool. |
CallbackPath | The last part of the callback URL that you registered at the ID provider. |
Scope | The OIDC scope that the Authentication Manager will send to the ID provider. By default, it includes all standard scope values. You can remove values as needed, but the scope must contain the openid value. Else, single sign-on will not work. |
Parameter | Description |
---|---|
Tenant | Your Microsoft Azure tenant. You need to change the default value. |
OktaDomain | Your Okta domain. You need to change the default value. |
AuthServerId | Your Okta authorization server's ID. You need to change the default value. |
OktaOrg | Your Okta organization's base URL (without http://). You need to change the default value. |
The OIDC Configuration Tool is a command-line application that is designed to:
It is in the %PROGRAMFILES%\Kilgray\MemoQ Server\Oidc folder. Open a Command prompt or PowerShell window with admin rights in this folder.
Add your ID provider configuration with the Configuration Tool's AddIdProvider command:
MemoQ.Security.Oidc.Backend.ConfigTool.exe AddIdProvider
-f [<absolute_or_relative_path>\]<your_settings_file>.json
If you are setting up a new icon for the ID provider, add its path (on your computer) with the -i parameter.
Examples:
MemoQ.Security.Oidc.Backend.ConfigTool.exe AddIdProvider -f AzureAD.settings.json
MemoQ.Security.Oidc.Backend.ConfigTool.exe AddIdProvider -f C:\SSO-Ingredients\OktaOrg.settings.json -i C:\SSO-Ingredients\OktaIcon.png
The client secret is a password, so it is not secure to save it to a config file. Set it manually with the Configuration Tool:
MemoQ.Security.Oidc.Backend.ConfigTool.exe SetClientSecret -s <client_secret> -n Okta
Parameter | Parameter’s name | Required or not | Description |
---|---|---|---|
-n | Name | required | Use the same value as “Name” in the settings file. |
-s | ClientSecret | required | The client secret value you received when registering the |
The client secret will be stored in hashed form in the database.
Do this with the Configuration Tool's SetBackendBaseUrl command. Required option: -u for the URL.
MemoQ.Security.Oidc.Backend.ConfigTool.exe SetBackendBaseUrl -u <auth_man_base_url>
The base URL is constructed:
Example:
MemoQ.Security.Oidc.Backend.ConfigTool.exe SetBackendBaseUrl -u https://memoqserver.mycompany.com:5001
This information is important as this tells the Authentication Manager from what URLs it should accept calls as from
Set the same URL you use for logging in to
Use the Configuration Tool's SetMemoQWebBaseUrls command. Required option: -u for the URL.
MemoQ.Security.Oidc.Backend.ConfigTool.exe SetMemoQWebBaseUrls -u <memoqweb_base_url>
Example:
MemoQ.Security.Oidc.Backend.ConfigTool.exe SetMemoQWebBaseUrls -u https://memoqserver.mycompany.com/memoqweb
Do this with the Configuration Tool's InstallService command.
Note: The account that you choose for running the service needs to have read and write access to the memoQ server database, and read access to the certificate you set up in the appsettings file. This is true for all account types (LocalSystem, NetworkService, VirtualService, or ServiceUser).
We recommend:
Parameter | Parameter’s name | Required or not | Description |
---|---|---|---|
-t | AccountType | required | The type of the account which will run the service. Possible values: LocalSystem, NetworkService, VirtualService, ServiceUser. In general, use a virtual service to run the Authentication Manager - |
-a | Account | optional | The account which will run the service. Required and used only if the AccountType option is ServiceUser. |
-p | Password | optional | The password for the account which will run the service. If not specified, and the AccountType option is ServiceUser, the application will ask for the password interactively. |
-s | Start | optional | If true, starts the service after installation. Default value is false. Depending on other options, the service may not start automatically. After installation, run the services.msc command in Windows, and start the MemoQ OIDC Backend Service manually if it is not running. |
Examples:
MemoQ.Security.Oidc.Backend.ConfigTool.exe InstallService -t VirtualService
MemoQ.Security.Oidc.Backend.ConfigTool.exe InstallService -t ServiceUser -a AuthMan -p L0ngEn0ughIsStr0ngEn0ugh -s true
At this point, you need to restart:
the Authentication Manager service (called MemoQ OIDC Backend Service in the Windows Services console)
Make sure this service is set to Automatic, so that you do not need to start it manually after server machine restarts.
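The Configuration Tool steps above (AddIdProvider, SetClientSecret, SetBackendBaseUrl, SetMemoQWebBaseUrls, InstallService) and the service restart, as one added PowerShell example that is not part of the memoQ documentation or product. The tool name, command names and option letters are the ones given on this page; the file paths, URLs and the provider name are constructed sample values. The script stops at the first failed command, reads the client secret at a prompt instead of storing it in the settings file or the shell history, and installs the service as a virtual service so no account password is needed.

```powershell
#Requires -RunAsAdministrator
# Added example (not memoQ's own code): runs the Configuration Tool steps in order.
# Tool, commands and options are from the setup text; values below are samples.
param(
    [string]$ToolDir = "$env:ProgramFiles\Kilgray\MemoQ Server\Oidc",
    [string]$SettingsFile = 'C:\SSO-Ingredients\OktaOrg.settings.json',
    [string]$IconFile = 'C:\SSO-Ingredients\OktaIcon.png',
    # Must match the "Name" value inside the settings file
    [string]$IdProviderName = 'Okta',
    [string]$AuthManBaseUrl = 'https://memoqserver.mycompany.com:5001',
    [string]$MemoQWebBaseUrl = 'https://memoqserver.mycompany.com/memoqweb'
)

Set-Location -Path $ToolDir
$tool = Join-Path -Path $ToolDir -ChildPath 'MemoQ.Security.Oidc.Backend.ConfigTool.exe'

# Runs one ConfigTool command and throws on a non-zero exit code, so a half-finished
# setup does not go unnoticed. Arguments are passed as an array, not built into a string.
function Invoke-ConfigTool {
    param([string[]]$Arguments)
    & $tool @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "ConfigTool $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

# 1. Register the ID provider from the settings file (ClientSecret left blank there).
$addArgs = @('AddIdProvider', '-f', $SettingsFile)
if (Test-Path -Path $IconFile) { $addArgs += @('-i', $IconFile) }
Invoke-ConfigTool -Arguments $addArgs

# 2. Client secret: read it at the prompt rather than keeping it in a file or in the
#    command history; the plain-text copy lives only for the duration of the call.
$secure = Read-Host -Prompt "Client secret for '$IdProviderName'" -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    Invoke-ConfigTool -Arguments @('SetClientSecret', '-s', $plain, '-n', $IdProviderName)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable -Name plain -ErrorAction SilentlyContinue
}

# 3. Where the IDP reaches the Authentication Manager, and which memoQweb URLs
#    the Authentication Manager accepts calls from.
Invoke-ConfigTool -Arguments @('SetBackendBaseUrl', '-u', $AuthManBaseUrl)
Invoke-ConfigTool -Arguments @('SetMemoQWebBaseUrls', '-u', $MemoQWebBaseUrl)

# 4. Install the service under a virtual service account (no password to manage).
#    If you use -t ServiceUser instead, omit -p so the tool asks for the password
#    interactively rather than leaving it in the shell history.
Invoke-ConfigTool -Arguments @('InstallService', '-t', 'VirtualService')

# 5. Start the service with the machine from now on, then (re)start it right away.
$svc = Get-Service -DisplayName 'MemoQ OIDC Backend Service'
$svc | Set-Service -StartupType Automatic
Restart-Service -InputObject $svc
Get-Service -DisplayName 'MemoQ OIDC Backend Service' | Format-Table Status, StartType, DisplayName
```

Whatever account type you pick, the note above still applies: the service account needs read and write access to the memoQ server database and read access to the certificate, so check those before the final restart if the service does not stay running.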
Authentication Manager is now configured on your memoQ server. The server accepts:
You can now tell a memoQ admin user to start creating or updating users on the
A memoQ server can accept user authentication from more than one ID provider system. For example, two departments of a company might use different Azure AD tenants, or in-house employees might use Okta, while external vendors (freelance translators) can sign in with their personal Google or Microsoft accounts.
In addition, you can have the “traditional” users who can log in with
No multiple IDP systems per user: One memoQ user can only be connected to a single IDP system - or none, if they use the “traditional” memoQ login.
OpenID Connect-based SSO works only in versions 9.5 and up. Earlier versions of memoQ server cannot recognize and manage users of OIDC origin.
No rollback to earlier versions: When installing OIDC-based SSO on your
See Part 2 of this document (for memoQ admins) here.
See troubleshooting tips, general user authentication schemas and a few tips for test environments here.