Single Sign-On (SSO) allows Memsource users to log in to Memsource directly via a third-party application. Memsource enables integrations with identity providers (IdPs) compliant with the SAML 2.0 protocol, including OneLogin. SSO is only available for Memsource users with Ultimate or Enterprise editions and can only be configured if you are logged in as an Administrator.
Configure Single Sign-On
Single Sign-On can be configured in the Setup of your Account.
To enable SSO, first select the checkbox marked Enable SSO for your organization.
Once SSO is enabled, the following fields appear and need to be filled in:
- Certificate Fingerprint: This is used to validate the authenticity of the IdP.
Important: Depending on how your fingerprint was generated, it can be delimited by either colons or spaces. If authentication is not successful, try switching between colons and spaces in the fingerprint to make sure that it is correctly formed.
- Certificate Fingerprint Algorithm: Select from SHA-1, SHA-256, SHA-384 or SHA-512.
- Issuer URL: This value is provided by the IdP to uniquely identify your domain.
- SAML 2.0 Endpoint (HTTP): This is the URL that Memsource will call to request a user login from the IdP. The IdP authenticates and logs in users.
- SLO Endpoint (HTTP): When users log out of Memsource, this URL is called to log them out of the IdP too.
- Landing URL (Optional): Choose the URL of the web page that users will see when they log out of Memsource.
- Key User Identifier: Select whether users will identify themselves using a USERNAME or an EMAIL address. Note: Memsource requires a unique username by default, but users can opt to use the same email address multiple times. Choosing the EMAIL option will require users to use a unique email address.
Fields 1-5 should be completed using information from the IdP. (For OneLogin, you can find more information about configuring SSO in the OneLogin documentation.)
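To check a fingerprint before entering it in the Certificate Fingerprint field, the following added example (not part of the Memsource or OneLogin documentation) computes it from a PEM certificate under each of the four listed algorithms and matches a pasted value regardless of colon or space delimiters. It assumes the fingerprint is the hash of the certificate's DER encoding; the sample certificate bytes and all function names are constructed for illustration.

```python
import base64
import hashlib
import re

# Algorithms listed in the Certificate Fingerprint Algorithm field -> hashlib names.
ALGORITHMS = {"SHA-1": "sha1", "SHA-256": "sha256",
              "SHA-384": "sha384", "SHA-512": "sha512"}

# Constructed stand-in for a certificate's DER bytes (not a real certificate).
SAMPLE_DER = b"constructed stand-in for DER-encoded certificate bytes"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour; the fingerprint is a hash of the DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  pem, re.S)
    if m is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def fingerprint(der: bytes, algorithm: str, delimiter: str = ":") -> str:
    """Upper-case hex digest of the DER bytes, one delimiter between bytes."""
    digest = hashlib.new(ALGORITHMS[algorithm], der).hexdigest().upper()
    return delimiter.join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(value: str) -> str:
    """Remove colons, whitespace and case so both delimiter styles compare equal."""
    hex_only = re.sub(r"[:\s]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]+", hex_only):
        raise ValueError("fingerprint contains non-hex characters")
    return hex_only

def matching_algorithm(der: bytes, pasted: str):
    """Return the algorithm under which `pasted` matches `der`, else None."""
    wanted = normalize(pasted)
    for name in ALGORITHMS:
        if normalize(fingerprint(der, name)) == wanted:
            return name
    return None

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    for name in ALGORITHMS:
        print(f"{name:8} {fingerprint(der, name)}")
    pasted = fingerprint(der, "SHA-256", " ").lower()  # space-delimited copy
    print("pasted value matches:", matching_algorithm(der, pasted))
```

If `matching_algorithm` returns a name, that is the value to select in Certificate Fingerprint Algorithm; `None` means the pasted fingerprint does not belong to this certificate under any of the four algorithms.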
To configure SCIM properties in your identity provider, select the checkbox and then click Generate New Token. A unique token will appear in the SCIM Bearer Token field. Insert the SCIM Bearer Token and the SCIM Base URL into the relevant section of your identity provider settings. (For OneLogin, you can find SCIM configuration in the Configuration tab. See the OneLogin documentation for more details.)
Finally, click Save to save all the configuration information.
In this section, you can prohibit users from changing their login credentials, such as their username, email, or password. You can also select the user role for new users created via SSO (note that the Linguist role is selected by default). Two settings are available:
- Allow users to change their login credentials: Uncheck this box to prevent users from editing their usernames, passwords, and emails. This can be used to force them to access Memsource only through SSO (as SSO uses a different authentication method).
- New users mapped to: This allows you to select the user role for new users created via SSO: Linguist, Project Manager, or Submitter. The Linguist role is selected by default.
The following information can be used in your IdP to configure Memsource as the recipient application and therefore establish the connection: the Organization ID and the Domain URL.