PingIdentity SAML

Learn how to set up single sign-on with the PingIdentity app.

Written by Ilya Krukowski
Updated over a week ago

This feature is available only on the Enterprise plan.

PingIdentity is a hosted identity and access management service provided by PingOne company.

In this article you'll learn how to set up single sign-on with Lokalise and PingIdentity. You can also refer to the PingIdentity official document on SSO.

Configuration on Lokalise

To get started, log into Lokalise, click on the avatar in the bottom left corner and choose Team settings:

Then, proceed to the Advanced security tab and tick the Enable SSO field:

  • Team's domain — enter your PingIdentity domain.

  • ACS URL Preview — https://app.lokalise.com/sso/yourdomain.com/acs. Make sure the domain is entered fully with TLD (.com, .co.uk, etc.).

  • SAML 2.0 Endpoint (HTTP) — enter Single Sign-on Service from the PingIdentity SAML app’s Configuration tab, for example https://auth.pingone.eu/ca6a602d-c58d-488d-9d21-77e82366caf3/saml20/idp/sso.

  • Identity Provider Issuer — enter Issuer ID from the PingIdentity SAML app’s Configuration tab, for example https://auth.pingone.eu/ca6a602d-c58d-488d-9d21-77e82366caf3.

  • Public Certificate — obtained by clicking on the Download Signing Certificate button in the PingIdentity SAML app’s Configuration tab. Must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

  • Sign AuthnRequest is not usually required. If you do need this feature, tick the corresponding field, copy the certificate from the Service provider Public Certificate field on Lokalise, and save it to a .crt file. Then proceed to the PingIdentity SAML app’s Configuration tab, click the Edit button in the top right corner, and enable the Enforce Signed Authn Request option. The Verification Certificate section will appear below, so import the .crt file saved from Lokalise:

If you need to reconfigure the same SSO domain for another Lokalise team, please follow these steps:

  1. Empty all fields within the Single sign-on (SSO) section of the Advanced security tab.

  2. Uncheck the Enable SSO setting.

  3. Click on Save.

  4. Proceed with configuring SSO for the other Lokalise team.

Configuration on PingIdentity

Proceed to your PingIdentity dashboard, click Connections > Applications, and then press on the "plus" icon:

Overview tab

Only the Application Name field is mandatory here; all other fields are optional. Enter any name and click Save.

Configuration tab

Next, you'll be presented with the Configuration tab:

  • ACS URLS — enter the ACS URL Preview value copied from Lokalise, for example
    https://app.lokalise.com/sso/yourdomain.com/acs (check the previous section to find this value).

  • SIGNING KEY — choose Sign Assertion & Response

    • Signing Algorithm — choose RSA_SHA256

  • ENTITY ID — enter https://lokalise.com.

  • SLO BINDING — choose HTTP POST.

  • SUBJECT NAME ID FORMAT — choose urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.

Once you're ready, hit Save.

Attribute Mappings tab

You'll be presented with the Attribute Mappings tab:

  1. saml_subject — can’t be removed but will be disregarded by Lokalise anyway.

  2. NameID — must be unique, pseudo-random, and must not change for the user over time, for example a User ID or Account ID.

  3. User.Email — set to Email Address.

  4. first_name (optional) — set to Given Name.

  5. last_name (optional) — set to Family Name.

There's no need to add any other parameters as Lokalise will disregard those anyway. Please note that all names and values are case sensitive!

After editing, you'll be presented with a summary of the added SAML attributes:

Access tab

Next, the Access tab:

Enable the Display this application in the Application Portal option in the Application Portal Display section.

Users tab

To add users on PingIdentity, proceed to Identities > Users tab, and click the "plus" icon:

When adding a new user, make sure that:

  • The user is enabled (toggle a blue switch as shown in the screenshot above).

  • The user's profile contains values for the SAML attributes specified under the Attribute Mappings tab.

Logging in with SSO

Once everything is set up, proceed to https://app.lokalise.com/sso and enter the user email associated with the PingIdentity domain. Upon the first login, you'll be asked to confirm your email.
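The following is an added example, not part of the original article and not Lokalise or PingIdentity code: once a login has gone through, the base64-decoded SAMLResponse captured from the browser can be compared against the settings chosen above (ACS URL, Sign Assertion & Response with RSA_SHA256, persistent NameID, Entity ID, User.Email). The function names and the sample response are constructed for illustration, and signatures are checked only for presence and algorithm, not cryptographically verified.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
ACS = "https://app.lokalise.com/sso/yourdomain.com/acs"  # placeholder domain from the article

def check_response(xml_text, acs_url=ACS, entity_id="https://lokalise.com"):
    """List mismatches between a decoded SAML response and the settings in this article.
    Structural checks only: signatures are NOT cryptographically verified."""
    if "<!DOCTYPE" in xml_text:  # refuse DTDs so no entity definitions are processed
        return ["response contains a DOCTYPE"]
    root, problems = ET.fromstring(xml_text), []
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion element"]
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the ACS URL")
    # "Sign Assertion & Response": each element carries its own ds:Signature child.
    for label, node in (("Response", root), ("Assertion", assertion)):
        method = node.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
        if method is None:
            problems.append(f"{label} is not signed")
        elif method.get("Algorithm") != RSA_SHA256:
            problems.append(f"{label} signature is not RSA_SHA256")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID format is not persistent")
    audiences = [a.text for a in assertion.iterfind(".//saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append("Audience does not contain the Entity ID")
    names = {a.get("Name") for a in assertion.iterfind(".//saml:Attribute", NS)}
    if "User.Email" not in names:  # attribute names are case sensitive
        problems.append("User.Email attribute is missing")
    return problems

def sample_response(email_attr="User.Email", sign_assertion=True):
    """Constructed, simplified sample; not a real PingIdentity response."""
    sig = (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo><ds:SignatureMethod '
           f'Algorithm="{RSA_SHA256}"/></ds:SignedInfo></ds:Signature>')
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'Destination="{ACS}">{sig}<saml:Assertion>{sig if sign_assertion else ""}'
            f'<saml:Subject><saml:NameID Format="{PERSISTENT}">u-1</saml:NameID>'
            '</saml:Subject><saml:Conditions><saml:AudienceRestriction><saml:Audience>'
            'https://lokalise.com</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions><saml:AttributeStatement><saml:Attribute Name="{email_attr}"/>'
            '</saml:AttributeStatement></saml:Assertion></samlp:Response>')
```

Calling `check_response(sample_response())` returns an empty list, while a response with a lowercase `user.email` attribute or an unsigned assertion returns one entry per mismatch.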
