Set up OIDC-based single sign-on (SSO) for customer portal

To allow users to log in to customer portal with an account from an OIDC identity provider (IDP), for example a Google account, you must set up SSO for customer portal separately from what memoQ TMS uses.

What you need

Before you start configuring, gather the information below. You will need these at different points during the process.

  • The settings.json file for your identity provider (IDP). Find the example files in the C:\inetpub\wwwroot\CustomerPortalWeb\bin\oidc\examples folder.

    OIDC examples

  • A name for the IDP - this needs to be unique for each IDP you configure.

    If you run the configuration tool and configure another IDP with the same name, it will overwrite your previous settings without warning.

  • A display name - the text on the Log in with (IDP) button on the login page.

Configure the memoQ TMS environment for customer portal SSO

  1. Download the latest version of memoQ TMS.

    Customer portal SSO is available in version 11.3 and newer.

  2. In the memoQ TMS deployment tool, install memoQ TMS and customer portal.

    You don't need to install memoQweb for this purpose.

  3. After installing or updating memoQ TMS, in the deployment tool's memoQ TMS section, click Advanced -> Configure server, and go to the Network connection tab:

    Network connection tab

  4. Select the Use API key checkbox at the bottom of the window, under Customer portal API key.

  5. Click Generate new API key, and in the confirmation message, click OK.

  6. A new customer portal API key appears in the text field. Copy the value and click Save.

  7. In the deployment tool's customer portal section, click the Configure link. The Configure customer portal window opens:

  8. In the Login options dropdown, choose the SSO or the memoQ or SSO option. If you choose SSO, users can only log in with OIDC accounts.

  9. Paste the API key you copied in step 6 into the API key field. Click Save.

  10. In the IIS manager Windows app, restart customer portal's application pool.

Customer portal and memoQ TMS are now configured for SSO to customer portal.

Set up an OIDC provider

Set parameters for your IDP

As of November 2025, customer portal supports Azure AD (Microsoft Entra), Google, Microsoft, Okta (both standard and custom), and OneLogin instances. If your company uses another OIDC-based ID provider service, contact memoQ Business Services, who can provide the resources you need.

The customer portal app is installed in the c:\inetpub\wwwroot folder. The bin subfolder contains CustomerPortal.SsoConfig.Tool.exe. You can use this tool to generate a JSON file for your IDP.

From the bin folder, double-click oidc, then examples. Choose the settings file for your company’s IDP type (aad.settings.json, google.settings.json, microsoft.settings.json, oktaCustom.settings.json, oktaOrg.settings.json, or oneLogin.settings.json), and copy it to a temporary folder. Open it in a text editor, and add your values:

sso-idp-settings

Generic keys (in all settings files)
Parameter Description

Template

The template file that you are filling in with the parameter values.

DO NOT CHANGE!

Parameters

See each sub-key's description below.

Name

A unique name for the IDP. Change as needed.

DisplayName

The text on the IDP's button you’ll see on the login page. Change as needed.

ClientId

The Client ID that the IDP generated for your memoQ TMS.

You need to change the default value.

ClientSecret

The client secret or secret key you received when registering your memoQ TMS at this IDP.

You shouldn't keep your client secret in this unencrypted JSON file for long. Delete the file right after you finish configuring SSO with this IDP.

CallbackPath

The last part of the callback URL that you registered at the IDP. You need to change the default value.

IDP-specific keys
Parameter Description

Tenant

Your Microsoft Azure tenant. You need to change the default value.

TenantId

Your OneLogin tenant. You need to change the default value.

OktaDomain

Your Okta domain. You need to change the default value.

AuthServerId

Your Okta authorization server's ID. You need to change the default value.

OktaOrg

Your Okta organization's base URL (without http://). You need to change the default value.

Example: Configure the Google IDP

  1. Go to the C:\inetpub\wwwroot\CustomerPortalWeb\bin\oidc\examples\ folder. Copy google.settings.json to another folder, and open it in a text editor:

    OIDC google example

  2. Change the values as needed. If you need help, see the tables above.

    Don't change Template.

    Usually, you don't need to change CallbackPath either.

  3. When you're ready, save the file.

  4. Open a Command Prompt or Windows PowerShell window, and go to the c:\inetpub\wwwroot\CustomerPortalWeb\bin folder.

  5. Run the configuration tool:

    .\CustomerPortal.SsoConfig.Tool.exe path_of_the_newly_edited_settings_file

    The screenshot below assumes that the settings file is on your desktop, in a folder called CP_SSO.

    exe with parameter

    The result should be as follows:

    exe with parameter result

  6. The tool created a JSON file in the C:\ProgramData\CustomerPortalWeb\oidc\providers directory for the new OIDC provider, with the name you set in the Name field.

    This JSON file contains your client secret in an encrypted form. Because it can be decrypted only on the same PC, you can't reuse it to set up customer portal SSO on another machine: you need to complete this procedure again.

  7. Go back to the folder where you copied the settings file in step 1, and delete the file. Don't leave the client secret unencrypted on your computer.

If everything is set up correctly, a new login button (in our case, GoogleExample) appears on customer portal's login screen:

Customer Portal login screen

You successfully configured SSO for customer portal. Good job!
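
Steps 4 to 7 of the Google example can be run as one PowerShell script that also guards against the silent overwrite described under "What you need". This is an added example, not memoQ's own code: it assumes that Name, ClientId and ClientSecret are sub-keys of Parameters and that the provider file's base name equals Name, and the script's parameter names are hypothetical.

```powershell
# Added example, not memoQ's code. Assumes Name, ClientId and ClientSecret are
# sub-keys of "Parameters" and that the provider file's base name equals Name.
param(
    [Parameter(Mandatory)] [string] $SettingsPath,  # your edited copy
    [Parameter(Mandatory)] [string] $ExamplePath    # untouched file from bin\oidc\examples
)
$ErrorActionPreference = 'Stop'
$binDir      = 'C:\inetpub\wwwroot\CustomerPortalWeb\bin'
$providerDir = 'C:\ProgramData\CustomerPortalWeb\oidc\providers'

$settingsFile = (Resolve-Path -LiteralPath $SettingsPath).Path
$edited  = Get-Content -Raw -LiteralPath $settingsFile | ConvertFrom-Json
$example = Get-Content -Raw -LiteralPath $ExamplePath  | ConvertFrom-Json

# Template must be identical to the shipped example.
$editedTemplate  = $edited.Template  | ConvertTo-Json -Depth 10 -Compress
$exampleTemplate = $example.Template | ConvertTo-Json -Depth 10 -Compress
if ($editedTemplate -cne $exampleTemplate) { throw 'Template was changed; restore it from the example file.' }

# The client credentials must be real values, not the example defaults.
foreach ($key in 'ClientId', 'ClientSecret') {
    $value = $edited.Parameters.$key
    if ([string]::IsNullOrWhiteSpace($value) -or $value -eq $example.Parameters.$key) {
        throw "Parameters.$key is empty or still the example default."
    }
}

# The tool overwrites an IDP with the same name without warning, so stop first.
$name = $edited.Parameters.Name
if ([string]::IsNullOrWhiteSpace($name)) { throw 'Parameters.Name is empty.' }
$existing = Get-ChildItem -LiteralPath $providerDir -File -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -eq $name }
if ($existing) { throw "IDP '$name' already exists: $($existing.FullName)" }

# Run the configuration tool from its own folder, as in step 5.
Push-Location -LiteralPath $binDir
try     { & .\CustomerPortal.SsoConfig.Tool.exe $settingsFile }
finally { Pop-Location }

# Delete the plaintext file only once the encrypted provider file exists.
$created = Get-ChildItem -LiteralPath $providerDir -File | Where-Object { $_.BaseName -eq $name }
if (-not $created) { throw "No provider file for '$name' found; kept $settingsFile." }
Remove-Item -LiteralPath $settingsFile -Force
Write-Host "Created $($created.FullName); deleted $settingsFile."
```

Remove-Item bypasses the Recycle Bin, so the plaintext file is not left there as it would be after deleting it in File Explorer.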