Microsoft Entra ID SAML

Learn how to set up single sign-on with Microsoft Entra ID (previously known as Microsoft Azure AD).

Written by Ilya Krukowski
Updated over a week ago

This feature is available only on the Enterprise plan.

In this article you'll learn how to set up single sign-on with Lokalise and Microsoft Entra ID (previously known as Microsoft Azure AD).

Configuration on Lokalise

To get started, log into Lokalise, click on the avatar in the bottom left corner and choose Team settings:

Then, proceed to the Advanced security tab and tick the Enable SSO field:

  • Team's domain — enter your Entra ID domain. Make sure the full domain is entered, including the TLD (.com, .co.uk, etc.).

  • SAML 2.0 Endpoint (HTTP) — should end with /saml2, for example https://login.microsoftonline.com/2d2e4745-1603-48d7-87c4-00b61b4d248f/saml2. Learn more in the section below.

  • Identity Provider Issuer — should look similar to https://sts.windows.net/2d2e4745-1603-48d7-87c4-00b61b4d248f/. Learn more in the section below.

  • Public Certificate — enter the value from the Entra ID SAML app configuration (please check the section below to learn more). Must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

  • Sign AuthnRequest — not usually required. You can still enable this option, save the displayed value to a .crt file and import that file into the service that needs it.

If you need to reconfigure the same SSO domain for another Lokalise team, please follow these steps:

  1. Empty all fields within Single sign-on (SSO) section of the Advanced security tab.

  2. Uncheck Enable SSO setting.

  3. Click on Save.

  4. Proceed with configuring SSO for the other Lokalise team.

Configuration on Entra ID

Open the Entra ID admin center dashboard and proceed to the Single sign-on tab. Here's the sample configuration:

Basic SAML Configuration

  • Identifier (Entity ID) — https://lokalise.com

  • Reply URL (Assertion Consumer Service URL) — enter the ACS URL Preview value from Lokalise settings

  • Sign on URL — https://app.lokalise.com/

Attributes & Claims

  • Unique User Identifier (Name ID) — must be unique, pseudo-random, and should not change for the user over time — like an employee ID number, for example. Name identifier format must be Persistent.

  • User.Email — user.mail

  • first_name (optional) — user.givenname

  • last_name (optional) — user.surname

Please note that attribute names and values are case-sensitive. All other claims can be left as they are; Lokalise disregards them anyway.

SAML Signing Certificate

  • Signing Option — choose Sign SAML response and assertion

  • Signing Algorithm — choose SHA-256

You'll also need to download the Certificate (Base64) from this section, open the downloaded file in any text editor, and copy and paste its contents into the Public Certificate field in Lokalise:
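As an added check written for this article (not Lokalise's or Microsoft's code), the following Python inspects a decoded SAML response for the settings described in the Basic SAML Configuration, Attributes & Claims and SAML Signing Certificate sections: the Identity Provider Issuer for your tenant, the Entity ID as audience, a Persistent Name ID, the case-sensitive User.Email claim, and SHA-256 signatures on both the response and the assertion. The tenant ID and the sample response are constructed placeholders; the function does not verify the XML signature itself, only the metadata.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Placeholder tenant ID (not a real tenant) used to build a constructed sample response.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA256}"/></ds:SignedInfo></ds:Signature>
  <saml:Assertion>
    <saml:Issuer>https://sts.windows.net/{TENANT}/</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA256}"/></ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID Format="{PERSISTENT}">employee-0042</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://lokalise.com</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="User.Email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def check_assertion(xml_text, tenant_id, audience="https://lokalise.com"):
    """Map each setting this article requires to True/False for one decoded SAML response.
    Claims and signature metadata only; signature verification against the Public Certificate is not done here."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion element")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    audience_seen = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    # Attribute names are matched case-sensitively, exactly as Lokalise matches them.
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    sig_algs = {s.get("Algorithm") for s in root.iter("{%s}SignatureMethod" % NS["ds"])}
    return {
        "issuer_matches_tenant": issuer == f"https://sts.windows.net/{tenant_id}/",  # Identity Provider Issuer
        "audience_is_entity_id": audience_seen == audience,  # Identifier (Entity ID)
        "nameid_is_persistent": name_id is not None and name_id.get("Format") == PERSISTENT and bool(name_id.text),
        "email_claim_present": bool((attrs.get("User.Email") or [None])[0]),
        # "Sign SAML response and assertion" yields a Signature element on both
        "response_and_assertion_signed": root.find("ds:Signature", NS) is not None
                                         and assertion.find("ds:Signature", NS) is not None,
        "sha256_signature": bool(sig_algs) and sig_algs <= {RSA_SHA256},  # Signing Algorithm SHA-256
    }
```

A failed key points at the matching field in Lokalise or Entra ID, which is usually faster than reading the raw SAML trace.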

Set up Lokalise SAML App

  • Login URL — copy-paste this value into the SAML 2.0 Endpoint (HTTP) field on Lokalise.

  • Azure AD Identifier — copy-paste this value into the Identity Provider Issuer field on Lokalise.

  • Logout URL — currently unsupported.

Add users to SAML app in Azure AD

Proceed to Users and groups, click Add user/group:

The Email field in the Contact info section of each user must be populated:

Logging in with SSO

Once everything is set up, go to https://app.lokalise.com/sso and enter the user email associated with the Azure domain. On first login, you'll be asked to confirm your email:
