Single Sign-On (SSO) configuration – SAML
Introduction
XTM Cloud offers a Single sign-on (SSO) integration, which is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems. True single sign-on allows the user to log in once and access services without re-entering authentication factors.
When requesting your SSO configuration via the XTM Support portal, use the following form: Request SSO.
There are two major SSO authentication methods: SAML and OAuth2.
This article describes the SAML method.
During setup, you can choose whether you would like your users to authenticate via email address or username. On the XTM Cloud side, XTM Support can easily check the method of choice in the client’s database.
Use case
XTM Cloud supports all SSO platforms that use the SAML protocol.
Example:
If your team logs in using Microsoft accounts, you are most likely using Microsoft Entra ID, which can be integrated with XTM Cloud. In that case, there are two options:
We can configure the SSO to allow your Microsoft accounts to automatically create users in XTM Cloud. In your Microsoft environment, you can define which users should have specific roles within XTM Cloud, or we can set a default role that every new user will receive. Once a user is created via SSO, their account can be further managed directly in XTM Cloud.
Alternatively, if you prefer not to allow automatic account creation via SSO, we can set it up in such a way so that users can only log in to pre-existing XTM Cloud accounts that match their Microsoft email or username. This way, you would continue to manually create and manage user accounts directly within XTM Cloud, as you do now.
Guidelines
To proceed with your SSO configuration request, we will require from you the following data:
Identity Provider Single Sign-On URL.
Identity Provider Entity ID.
Identity Provider x509 certificate.
Please also specify if you would like to use email address or username to authenticate the users.
Once the above is provided, we will prepare a metadata file for you that will include all the needed details for SSO configuration on your side.
User provisioning
General information
XTM Cloud also offers so-called user provisioning: new users can be created automatically from the data sent by the SSO identity provider, but this requires additional configuration by XTM Support.
Let us know if you would like us to configure this. If so, we will need to prepare a special configuration on the back-end of your XTM Cloud instance.
Requirements
Parameters/attributes that need to be passed for user provisioning:
firstName
lastName
username
nickname
email
roles
workflowSteps
defaultCurrency
NOTE!
Roles → if not provided, XTM Cloud will assume Linguist, but this can be overridden in the configuration.
Workflow steps → for the Linguist role. If the steps are not provided and the Linguist role is selected, XTM Cloud will assume Translate, Correct and Review.
Default currency → not mandatory for User provisioning. If not provided, EUR is set by default.
Sample view in your SSO application:
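To make the attribute list and its defaults concrete, here is an added example (not XTM Cloud's provisioning code) that parses the AttributeStatement of a SAML assertion, checks that the chosen login identifier (email or username) and the name attributes are present, and applies the defaults described above: Linguist when no roles are sent, Translate, Correct and Review when a Linguist arrives without workflow steps, and EUR when no currency is sent. It assumes the IdP emits its claims under exactly the attribute names listed above, treats firstName and lastName as required (an assumption of this example), and the AttributeStatement is constructed.

```python
"""Turn the attributes of a SAML assertion into an XTM Cloud user-provisioning
record, applying the defaults described above.  Added example, not XTM Cloud's
own provisioning code; it assumes the IdP emits claims under exactly the attribute
names listed above, and the AttributeStatement below is constructed."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DEFAULT_ROLES = ["Linguist"]                 # overridable in XTM's configuration
LINGUIST_DEFAULT_STEPS = ["Translate", "Correct", "Review"]
DEFAULT_CURRENCY = "EUR"
SINGLE_VALUED = ("firstName", "lastName", "username", "nickname", "email", "defaultCurrency")

# Constructed sample: one role, no workflow steps and no currency supplied.
SAMPLE_STATEMENT = f"""<saml:AttributeStatement xmlns:saml="{SAML}">
  <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="lastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="email"><saml:AttributeValue>ada@example.test</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="username"><saml:AttributeValue>ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="roles"><saml:AttributeValue>Linguist</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""


def parse_attribute_statement(xml_text):
    """Collect every saml:Attribute as name -> list of non-empty values (roles and
    workflowSteps are multi-valued, so every attribute is kept as a list)."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter("{%s}Attribute" % SAML):
        values = [(v.text or "").strip() for v in attr.findall("{%s}AttributeValue" % SAML)]
        attrs[attr.get("Name")] = [v for v in values if v]
    return attrs


def missing_required(attrs, identifier="email"):
    """Names of required attributes that are absent or empty.  The chosen login
    identifier plus first and last name are required (assumption of this example)."""
    if identifier not in ("email", "username"):
        raise ValueError("identifier must be 'email' or 'username'")
    required = ["firstName", "lastName", identifier]
    return [name for name in required if not attrs.get(name)]


def build_provisioning_record(attrs, identifier="email", default_roles=DEFAULT_ROLES):
    """Apply the documented defaults and return the record XTM Cloud would be asked to create."""
    missing = missing_required(attrs, identifier)
    if missing:
        raise ValueError("cannot provision user, missing attributes: %s" % ", ".join(missing))
    record = {}
    for name in SINGLE_VALUED:
        if attrs.get(name):
            record[name] = attrs[name][0]   # first value wins for single-valued attributes
    roles = list(attrs.get("roles") or default_roles)      # Linguist unless overridden
    record["roles"] = roles
    steps = list(attrs.get("workflowSteps") or [])
    if "Linguist" in roles and not steps:                   # default steps apply to Linguists only
        steps = list(LINGUIST_DEFAULT_STEPS)
    record["workflowSteps"] = steps
    record.setdefault("defaultCurrency", DEFAULT_CURRENCY)  # EUR when not sent
    return record


if __name__ == "__main__":
    parsed = parse_attribute_statement(SAMPLE_STATEMENT)
    print(build_provisioning_record(parsed, identifier="email"))
```

Pass identifier="username" when the instance was set up to authenticate by username; missing_required then reports a missing username rather than a missing email, which is the kind of mismatch that otherwise surfaces only as a failed first login.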
IMPORTANT!
You might ask about a feature called System for Cross-domain Identity Management (SCIM). Currently, this is not supported in XTM Cloud; for SSO, we only offer auto-provisioning. For more information about the feature, see SCIM.
A few important facts
Once SSO is enabled (Users → (select a user) → Access rights → Authentication, in the XTM Cloud UI), an additional field labeled User authentication provider will be displayed.
By default, when SSO is enabled, all existing users are switched to the SSO only option. Therefore, you will no longer be able to log in to XTM Cloud through the XTM Cloud login page. Bear this in mind when activating SSO.
Sometimes, you may want all existing users in XTM Cloud to be free to choose how they log in. This can be done by a batch user change on the back-end side. For this purpose, contact XTM Support.
Once SSO is enabled, every new user created in XTM Cloud has SSO only set as the User authentication provider by default. It is, however, possible to have the authentication method for all newly created users in XTM Cloud changed automatically to SSO or XTM. For this purpose, contact XTM Support.