All Collections
Security
SAML Single Sign-On (SSO)
SAML Single Sign-On (SSO)

SAML Single Sign-On (SSO) for one sign in account

T
Written by Transifex
Updated over a week ago

šŸ“Note: This feature is available only on our Enterprise Plus plan.

Security Assertion Markup Language (SAML) is an XML-based framework for enabling authentication through a third-party identity provider.

SAML offers the ability to:

  • Manage a password policy across multiple applications.

  • Access multiple applications securely.

  • Reduce the risk of lost or forgotten passwords.

Transifex supports SAML 2.0.


How to configure SAML in Transifex

Okta is the only officially supported Identity Provider (IdP) at the moment, but any SAML2 Identity Provider should work. If you are using a different IdP and you're uncertain, please contact our support team.

Only one Identity Provider can be configured per organization.

šŸ“Note: SSO info that you might need from Transifex first:


If the IdP doesn't offer HTTP-POST binding, you can use the following:

In order to configure the SSO in Transifex, you must provide our support team with the following:

  1. OKTA login URL (It should look something like this: https://example.okta.com/app/********/exk7hbhohiaRPuFSW417/sso/saml)

  2. X.509 Certificate, issued by OKTA.

  3. Issuer: A unique ID assigned by OKTA that identifies the account that uses SSO. (It should look something like this: http://www.okta.com/**********************)

  4. Session time-out: The session time-out period configured in OKTA that applies to all integrated applications.

    Each SSO-enabled organization can define a custom session timeout setting for its organization in the SSO settings. The custom session timeout value will be used only if the user logs in from the IDP. If the user logs in from the login form (hybrid login), the default session timeout (the default session expiration is one month) is used.

Apart from the above-required parameters, you may inform us of the following:

  • If a one-time migration of the active user sessions is desired upon activation of the Single Sign-On login.

  • A date threshold, after which the one-time migration will not be executed, even if it is enabled and there are still active user sessions.

In the case of different Identity Providers, the same information should be available. Please contact our support team and share the Login URL, X.509 Certificate, Issuer ID, session time-out, and any of the optional information as described above.

šŸ“Note:

  • When SSO and 2FA are both enabled for a Transifex user, only one method can be utilized during the login process.

  • Okta supports 2FA. Please contact your IT department to enable it for your organization.


Login Options

The user's email address must be present and the same in both Transifex and Okta. If the email is changed in Okta, then you need to make sure that:

  1. The Okta username is also updated.

  2. The Transifex email is also updated.

Enabling SAML for an organization will NOT mandate all users to sign in only via SAML: the user can select their type of login from the main login page. The access type is logged in Transifex (in case the old Transifex username coincides with the SSO username, for example).

You can log in to Transifex using one of the two ways listed below.

Sign in via Okta

  1. Log into Okta using the URL supplied by your IT department.

  2. Select Transifex from the list of applications.

  3. You will be taken to your organizationā€™s dashboard in Transifex.

Sign in via Transifex

The login process is described here.


Enforcing SSO

To mandate all users to sign in only via SAML, enable the enforce SSO option:

  1. Go to your organization settings from the main navigation.

  2. On the left menu, click on the Single Sign-On Settings and enable "Enforce SSO"

We suggest that you inform your collaborators through organization announcements prior to enforcing SSO.


Turn off notifications for unsuccessful SSO login attempts

To stop getting email notifications about unsuccessful login attempts by your users to your organization, you can use the following steps:

  • Open your notification settings, go to the "Team and Collaborators Activity" section, and click the button that displays all the options.

  • Once all available options are displayed, disable the one that says "When your collaborators have a failed SSO login attempt"

  • Save the changes using the "Save changes" button, and that's all; now, you will not receive any notifications when your users fail to log in using the SSO option.


šŸ’”Tip

Looking for more help? Get support from our Transifex Community Forum!

Find answers or post to get help from Transifex Support and our Community.

Did this answer your question?