Set up OIDC-based single sign-on for customer portal

This topic is still work in progress.

To allow users to log in to customer portal with an OIDC identity provider's account (for example, a Google account), you need a different solution than the one memoQ TMS itself uses.

What you need

Before you start configuring, gather the information below. You will need these at different points during the process.

  • The settings.json file for your identity provider (or IDP). Find the example files in the C:\inetpub\wwwroot\CustomerPortalWeb\bin\oidc\examples folder:

    OIDC examples

  • The Subject value from the certificate the Authentication Manager will use. It should be a commercial (not self-signed) certificate. It can be the one your memoQ TMS uses. On the server machine, open the Manage Computer Certificates application (or run the certlm.msc command). Find the certificate in the Certificates - Local Computer/Personal/Certificate folder. Double-click the certificate, click the Details tab and write down the hostname in the Subject field (for example, *.mycompany.com).

  • A display name - the text on the "Sign in with IDP" button on the login page.

Configure the memoQ TMS environment for customer portal SSO

  1. In the memoQ TMS deployment tool, install the latest versions of memoQ and customer portal.

    Single sign-on is available for customer portal 11.3 and later.

    You don't need to install memoQweb for this purpose.

  2. After installing or updating memoQ TMS, in the deployment tool's memoQ TMS section, click Advanced -> Configure server, and go to the Network connection tab:

    Network connection tab

  3. Check the Use API key checkbox at the bottom of the window, under Customer portal API key.

  4. Click the Generate new API key link, and in the confirmation message, click OK.

  5. A new customer portal API key appears in the text field. Copy the value and click Save.

  6. In the customer portal section, click the Configure link. The Configure customer portal window opens:

    To allow single sign-on to customer portal, choose either "SSO" or "memoQ or SSO" in the Login options dropdown. Paste the API key from the previous step into the API key field. Click Save.

customer portal and memoQ TMS are now configured for single sign-on to customer portal.

Set up an OIDC provider

Set parameters for your ID provider

Note: As of May 2025, customer portal supports Azure AD, Google, Microsoft, Okta (both standard and custom), and OneLogin instances. If your company uses another OIDC-based ID provider service, contact our Business Services department, who can provide the resources you need.

The Customer Portal app is installed in the c:\inetpub\wwwroot folder. The bin subfolder contains CustomerPortal.SsoConfig.Tool.exe. You can use this tool to generate a json file for your IDP.

From the bin folder, double-click oidc, then examples. Choose the settings file for your company’s ID provider type (aad.settings.json, google.settings.json, microsoft.settings.json, oktaCustom.settings.json, oktaOrg.settings.json, or oneLogin.settings.json), and copy it to a temporary folder. Open it in a text editor, and add your values:


sso-idp-settings

Generic keys (in all settings files)

  • Template - the template file that you are filling in with the parameter values. DO NOT CHANGE!

  • Parameters - the container for the sub-keys described below.

  • Name - the ID provider's name in the memoQ TMS database; it is the key value in the oidc.IDProviderSettings table. Change as needed.

  • DisplayName - the text on the ID provider's button that you'll see on the login page. Change as needed.

  • ButtonIconUrl - URL of the ID provider's icon that appears on the login page. There is a default icon URL, but you can set another one.

  • ButtonBackgroundColor - color of the ID provider's button on the login page. There is a default color, but you can set another one.

  • ButtonTextColor - text color of the ID provider's button on the login page. There is a default color, but you can set another one.

  • ClientId - the Client ID that the ID provider generated for your memoQ TMS. You need to change the default value.

  • ClientSecret - the client secret or secret key you received when registering your memoQ TMS at this ID provider.

    Do not save the client secret in this unencrypted json file unless it is absolutely necessary. Leave this value blank, and enter the client secret only when you set up the ID provider with the configuration tool.

  • CallbackPath - the last part of the callback URL that you registered at the ID provider. You need to change the default value.

  • Scope - the OIDC scope that the Authentication Manager will send to the ID provider. By default, it includes all standard scope values. You can remove values as needed, but the scope must contain the openid value; otherwise, single sign-on will not work.


IDP-specific keys

  • Tenant - your Microsoft Azure tenant. You need to change the default value.

  • TenantId - your Microsoft Azure B2C tenant. You need to change the default value.

  • Domain - your Microsoft Azure B2C domain. You need to change the default value.

  • UserFlow - your Microsoft Azure B2C user flow. You need to change the default value.

  • OktaDomain - your Okta domain. You need to change the default value.

  • AuthServerId - your Okta authorization server's ID. You need to change the default value.

  • OktaOrg - your Okta organization's base URL (without http://). You need to change the default value.

Restart software components

At this point, you need to restart:

  • the memoQ TMS service

  • the IIS application pool that runs customer portal.

  • the Authentication Manager service in the Windows Services console

    Make sure this service is set to Automatic, so that you do not need to start it manually after server machine restarts.

Example: Configure the Google identity provider

  1. Copy the google.settings.json file to a temporary folder and open it for editing:

    OIDC google example

    Explanatory text for the required values is in the c:\inetpub\wwwroot\{customer_portal_installation_name}\bin\oidc\templates directory. For this case, check the google.parameters.json file:

    OIDC google parameters

    Based on these descriptions, the settings file can be filled in easily.

    Once the file is complete, open a command window in the bin folder and run CustomerPortal.SsoConfig.Tool.exe with one parameter: the path of the edited settings file:

    exe with parameter

    The result should look like this:

    exe with parameter result

    Now, under the c:\ProgramData\\oidc\providers directory, you should find the new OIDC provider file, named after the value you set in the Name field of google.settings.json.

If all the input is correct, the GoogleExample option appears on the Customer Portal login screen:

Customer Portal login screen

A provider file generated on one PC cannot be used on another, because the client secret in the generated json file is encoded so that it can only be decoded on the same PC.
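As an added pre-flight check that is not part of memoQ or this page: the script below reads a settings file filled in according to the parameter tables above (the same kind of file that is passed to CustomerPortal.SsoConfig.Tool.exe in the Google walkthrough) and flags the mistakes those tables warn about before the tool ever sees the file. The JSON layout of the sample, the angle-bracket placeholder marker and the template-to-key mapping are assumptions, not memoQ's documented format.

```python
import json

# Assumed layout of a filled-in google.settings.json, built from the keys the tables
# above describe (Template, Parameters and its sub-keys); constructed sample, not a memoQ file.
GOOD_SETTINGS = """{
  "Template": "google",
  "Parameters": {
    "Name": "GoogleExample",
    "DisplayName": "Sign in with Google",
    "ClientId": "123456789-abc.apps.googleusercontent.com",
    "ClientSecret": "",
    "CallbackPath": "/signin-google",
    "Scope": "openid profile email"
  }
}"""

# The same file with three mistakes: openid dropped from Scope, the client secret pasted
# into the clear-text file, and a placeholder still sitting in ClientId (constructed sample).
BAD_SETTINGS = (GOOD_SETTINGS.replace("openid profile email", "profile email")
                .replace('"ClientSecret": ""', '"ClientSecret": "GOCSPX-not-a-real-secret"')
                .replace("123456789-abc.apps.googleusercontent.com", "<your client id>"))

# IDP-specific keys each template must have filled in; which template needs which key
# is an assumption drawn from the IDP-specific table above, not documented by memoQ.
IDP_KEYS = {"aad": ("Tenant",), "oktaCustom": ("OktaDomain", "AuthServerId"), "oktaOrg": ("OktaOrg",)}
ALWAYS_KEYS = ("Name", "DisplayName", "ClientId", "CallbackPath")


def looks_unset(value) -> bool:
    """True if a value is missing, empty, or still a placeholder (assumed marker: angle brackets)."""
    return not isinstance(value, str) or not value.strip() or "<" in value or ">" in value


def check_settings(text: str) -> list:
    """Return the problems found in a settings file's JSON text; an empty list means it passes."""
    cfg = json.loads(text)
    params = cfg.get("Parameters", {})
    problems = []
    scope = params.get("Scope", "")
    scopes = scope.split() if isinstance(scope, str) else list(scope)  # accept string or list form
    if "openid" not in scopes:
        problems.append("Scope: must contain 'openid' or single sign-on will not work")
    if params.get("ClientSecret"):
        problems.append("ClientSecret: remove it from this clear-text file; enter it in the config tool instead")
    for key in ALWAYS_KEYS + IDP_KEYS.get(cfg.get("Template", ""), ()):
        if looks_unset(params.get(key)):
            problems.append(f"{key}: empty or still a placeholder")
    return problems
```

Run `check_settings` on the file you are about to hand to the tool; a non-empty list is what to fix first when the provider button later fails to appear on the login screen.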