Single sign-on (SSO) allows Memsource users to log in to Memsource Cloud directly via a third-party application. Memsource enables integrations with identity providers (IdPs) compliant with the SAML 2.0 protocol, including OneLogin. SSO is only available for Memsource users with Ultimate or Enterprise editions and can only be configured if you are logged in as an administrator.
Configure Single Sign-On
Single Sign-On can be configured in the Setup of your Account.
To enable SSO, first select the checkbox marked Enable SSO for your organization.
Once SSO is enabled, a series of fields will appear which need to be filled in.
These fields are:
- Certificate Fingerprint: This is used to validate the authenticity of the IdP.
- Certificate Fingerprint Algorithm: Select from SHA-1, SHA-256, SHA-384 or SHA-512.
- Issuer URL: This value is provided by the IdP to uniquely identify your domain.
- SAML 2.0 Endpoint (HTTP): The URL that Memsource Cloud will call to request a user login from the IdP. The IdP authenticates and logs in users.
- SLO Endpoint (HTTP): When users log out of Memsource Cloud, this URL is called to log them out of the IdP too.
- Landing URL (Optional): Choose the URL of the web page that users will see when they log out of Memsource.
- Key User Identifier: Select whether users will identify themselves using a USERNAME or an EMAIL address. Note: Memsource requires a unique username by default, but users can opt to use the same email address multiple times. Choosing the EMAIL option will require users to use a unique email address.
Fields 1-5 should be completed using information from the IdP. (For OneLogin, you can find more information about configuring SSO in the OneLogin documentation.)
To configure SCIM properties in your identity provider, select the checkbox and then click Generate New Token. A unique token will appear in the SCIM Bearer Token field. Insert the SCIM Bearer Token and the SCIM Base URL into the relevant section of your identity provider settings. (For OneLogin, you can find SCIM configuration in the Configuration tab. See the OneLogin documentation for more details.)
Finally, click Save to save all the configuration information.
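As an added example (not Memsource's or OneLogin's own code), the following shows how a value for the Certificate Fingerprint field can be computed from an IdP certificate in PEM form with each of the listed algorithms, and how a presented certificate can be checked against the configured value. The function names and the sample certificate bytes are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Algorithms offered in the Certificate Fingerprint Algorithm field, mapped to hashlib names.
ALGORITHMS = {"SHA-1": "sha1", "SHA-256": "sha256", "SHA-384": "sha384", "SHA-512": "sha512"}


def pem_to_der(pem: str) -> bytes:
    """Extract the DER bytes from a PEM CERTIFICATE block."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.DOTALL)
    if not match:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def fingerprint(pem: str, algorithm: str) -> str:
    """Return the fingerprint of the certificate as colon-separated uppercase hex."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    digest = hashlib.new(ALGORITHMS[algorithm], pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(value: str) -> str:
    """Drop separators and case so differently formatted fingerprints compare equal."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def matches(pem: str, algorithm: str, configured: str) -> bool:
    """Check a presented certificate against the configured fingerprint."""
    expected_len = hashlib.new(ALGORITHMS[algorithm]).digest_size * 2
    configured = normalize(configured)
    if len(configured) != expected_len:  # wrong algorithm selected or truncated paste
        return False
    return hmac.compare_digest(normalize(fingerprint(pem, algorithm)), configured)


# Constructed stand-in bytes, not a real X.509 certificate; the hash is taken over
# whatever DER bytes the PEM block carries, so this is enough to exercise the logic.
SAMPLE_DER = b"constructed-placeholder-certificate-bytes"
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n{}-----END CERTIFICATE-----\n".format(
    base64.encodebytes(SAMPLE_DER).decode())

if __name__ == "__main__":
    for name in ALGORITHMS:
        print(name, fingerprint(SAMPLE_PEM, name))
```

A fingerprint pasted with the wrong algorithm selected fails the length check, which is the most common cause of a mismatch between the two fields.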
In this section, you can prohibit users from changing their login credentials, such as username, email and password. You can also select the user role for new users created via SSO. The Linguist role is selected by default.
- The option "Allow users to change their login credentials" controls whether users can edit their username, password and email. Preventing these changes can be used to force users to access Memsource only through SSO (as SSO uses a different authentication method).
- The option "New users mapped to" allows you to select the user role for new users created via SSO: Linguist, Project manager or Submitter. The Linguist role is selected by default.
The following information can be used in your IdP to configure Memsource as the recipient application and therefore establish the connection.