This feature is available only on the Enterprise plan.
Security Assertion Markup Language (SAML) is an XML-based framework for enabling authentication through a third-party identity provider.
SAML offers the ability to:
Manage a password policy across multiple applications
Access multiple applications securely
Reduce the risk of lost or forgotten passwords
Transifex supports SAML 2.0.
How to configure SAML in Transifex
Okta is the only officially supported Identity Provider (IdP) at the moment, but any SAML2 Identity Provider should work. If you are using a different IdP and you're uncertain, please contact our support team.
Only one Identity Provider can be configured per organization.
SSO info that you might need from Transifex first:
In order to configure the SSO in Transifex, you must provide our support team with the following:
Okta login URL.
X.509 Certificate, issued by Okta.
Issuer: A unique ID assigned by Okta that identifies the account of the customer that uses SSO.
Session time-out: The session time-out period configured in Okta that applies to all integrated applications.
Each SSO-enabled organization can define a custom session timeout in its SSO settings. The custom session timeout value is used only if the user logs in from the IdP. If the user logs in from the login form (hybrid login), the default session expiration of one month is used.
Apart from the required parameters above, you may also inform us of the following:
Whether a one-time migration of the active user sessions is desired upon activation of the Single Sign-On login.
A date threshold, after which the one-time migration will not be executed, even if it is enabled and there are still active user sessions.
In the case of different Identity Providers, the same information should be available. Please contact our support team and share the Login URL, X.509 Certificate, Issuer ID, session time-out, and any of the optional information as described above.
The user's email address must be present and the same in both Transifex and Okta. If the email is changed in Okta, then you need to make sure that:
the Okta username is also updated
the Transifex email is also updated
Enabling SAML for an organization will NOT mandate all users to sign in only via SAML: the user can select their type of login from the main login page. Transifex logs the access type, which is useful, for example, when the old Transifex username coincides with the SSO username.
You can log in to Transifex using one of the two ways listed below.
Sign in via Okta
Log into Okta using the URL supplied by your IT department.
Select Transifex from the list of applications
You will be taken to your organization’s dashboard in Transifex
Sign in via Transifex
The login process is described here
To mandate all users to sign in only via SAML, enable the enforce SSO option:
Go to your organization settings from the main navigation
On the left menu, click on the Single Sign-On Settings and enable "Enforce SSO"
We suggest that you inform your collaborators through organization announcements prior to enforcing SSO.
Turn off notifications for unsuccessful SSO login attempts
To stop getting email notifications about unsuccessful login attempts by your users to your organization, you can use the following steps:
Open your notification settings, go to the "Team and Collaborators Activity" section, and click the button that displays all the options.
Once all available options are displayed, disable the one that says "When your collaborators have a failed SSO login attempt"
Save the changes using the "Save changes" button. You will no longer receive notifications when your users fail to log in using the SSO option.