Set up OIDC-based single sign-on on a memoQ TMS - Part 1 - for the company system administrator

memoQ TMS offers several kinds of single sign-on. This document is mainly about OIDC-based SSO: here, the phrases "single sign-on" and "SSO" refer to the OIDC-based solution, while "Windows SSO" and "Windows AD SSO" refer to memoQ TMS's older, Windows Active Directory-based SSO solution. From version 9.7, Windows SSO users can switch to OIDC SSO just like regular memoQ TMS users.

What you need

Before you start configuring, gather the information below. You will need these at different points during the process.

  • The settings.json example file for your identity provider (or IDP). Find it in the %PROGRAMFILES%\Kilgray\MemoQ Server\Oidc\examples folder.
  • The Subject value from the certificate the Authentication Manager will use. It should be a commercial (not self-signed) certificate. It can be the one your memoQ TMS uses. On the server machine, open the Manage Computer Certificates application (or run the certlm.msc command). Find the certificate in the Certificates - Local Computer/Personal/Certificate folder. Double-click the certificate, click the Details tab and write down the hostname in the Subject field (for example, *.mycompany.com).
  • The connection string for your memoQ TMS database: Open the folder %PROGRAMDATA%\MemoQ Server, and open Configuration.xml in a text editor. Copy the value between the <SQLConnectionString> tags.
  • The port that memoQ's Authentication Manager will use. You need to open this port on the firewall. By default, it is 5001.
  • A name for the IDP - this will be the IDP's name in the memoQ TMS database, and a part of the Account origin info in memoQ's User management window.
  • A display name - the text on the "Sign in with IDP" button on the login page.
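The items above can be collected and sanity-checked in one pass on the server. The PowerShell script below is an added pre-flight check, not part of memoQ's documentation: it assumes the default paths and port 5001 named on this page, and $SubjectHost is a placeholder you replace with your certificate's Subject hostname.

```powershell
# Added pre-flight check (not memoQ's own code). Run in an elevated PowerShell on the memoQ TMS server.
$SubjectHost = '*.mycompany.com'   # placeholder: the hostname from your certificate's Subject field
$AuthPort    = 5001                # default Authentication Manager port

# 1. Connection string: read the <SQLConnectionString> element from Configuration.xml
$configPath = Join-Path $env:PROGRAMDATA 'MemoQ Server\Configuration.xml'
$config = [xml](Get-Content -LiteralPath $configPath -Raw)
$node = $config.SelectSingleNode('//SQLConnectionString')
if ($node) { Write-Host "SQLConnectionString: $($node.InnerText)" }
else { Write-Warning "No <SQLConnectionString> element found in $configPath" }

# 2. Certificate: locate it in Local Computer\Personal and flag problems before the service uses it
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$SubjectHost*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    Write-Warning "No certificate with Subject CN=$SubjectHost in Local Computer\Personal."
} else {
    Write-Host "Subject: $($cert.Subject)"
    Write-Host "Expires: $($cert.NotAfter)"
    # Subject equal to Issuer is the usual sign of a self-signed certificate (heuristic)
    if ($cert.Subject -eq $cert.Issuer) { Write-Warning 'Certificate looks self-signed; use a commercial one.' }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning 'Certificate expires within 30 days.' }
    if (-not $cert.HasPrivateKey) { Write-Warning 'No private key; the service cannot use this certificate.' }
}

# 3. Firewall: is there an enabled inbound Allow rule for TCP $AuthPort?
$rules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq "$AuthPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
if ($rules) { Write-Host "Inbound rule(s) for TCP ${AuthPort}: $($rules.DisplayName -join ', ')" }
else { Write-Warning "No enabled inbound Allow rule for TCP $AuthPort; open the port before configuring." }

# 4. IDP examples: list the settings.json samples shipped with memoQ TMS
$examples = Join-Path $env:PROGRAMFILES 'Kilgray\MemoQ Server\Oidc\examples'
if (Test-Path -LiteralPath $examples) { Get-ChildItem -LiteralPath $examples -Filter *.json | Select-Object Name }
else { Write-Warning "Examples folder not found: $examples" }
```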

If you run into a problem during the setup, contact memoQ support.

Setup and configuration

The Authentication Manager is a separate service next to the memoQ Server service. It is installed together with memoQ TMS, but to make it work, you need to configure it (after registering your memoQ TMS at an ID provider).

Using multiple ID providers with a memoQ TMS

A memoQ TMS can accept user authentication from more than one ID provider system. For example, two departments of a company might use different Azure AD tenants, or in-house employees might use Okta, while external vendors (freelance translators) can sign in with their personal Google or Microsoft accounts.

In addition, you can have the “traditional” users who can log in with memoQ TMS credentials.

No multiple IDP systems per user: One memoQ user can only be connected to a single IDP system - or none, if they use the “traditional” memoQ login.

Version compatibility

OpenID Connect-based SSO works only in versions 9.5 and up. Earlier versions of memoQ TMS cannot recognize and manage users of OIDC origin.

No rollback to earlier versions: When installing OIDC-based SSO on your memoQ TMS, the Configuration Tool adds new tables to the memoQ TMS database. This means you cannot use rollback to get back to your previous version.

Further information

See Part 2 of this document (for memoQ admins) here.

See troubleshooting tips, general user authentication schemas and a few tips for test environments here.