This feature is available only on the Enterprise plan and can be purchased as an add-on on the Pro plan.
Keycloak is an open-source, self-hosted identity and access management service backed by The Linux Foundation.
In this article you'll learn how to set up single sign-on with Lokalise and Keycloak.
Getting started
To get started, log in to Lokalise, click on the avatar in the bottom left corner and choose Team settings.
Then, proceed to the Advanced security tab and tick the Enable SSO field.
Part 1: Creating a new SAML client on Keycloak
Step 1: General settings
Create a new SAML client on Keycloak:
Navigate to the correct Realm in your Keycloak admin panel.
Click the Clients > Create client button:
Provide general settings:
Client type: SAML
Client ID: https://lokalise.com
Name: Lokalise (or any name you prefer)
Step 2: Login settings
Fill out the login settings as follows:
Root URL: https://app.lokalise.com
Home URL: https://app.lokalise.com
Valid redirect URIs: https://app.lokalise.com/sso/yourdomain.com, https://app.lokalise.com/sso/yourdomain.com/acs, *
IDP-Initiated SSO URL name: lokalise
NameID format: persistent
Force name ID format: ON
Force POST binding: ON
Include AuthnStatement: ON
Sign documents: ON
Sign assertions: ON
Signature algorithm: RSA_SHA256
Step 3: Keys settings
Go to the Keys tab for your newly created client.
Set Client signature required to OFF.
Step 4: Assign roles
Open the Roles tab.
Assign the appropriate roles to the Keycloak users who should have access to Lokalise.
Step 5: Set up client scopes
Switch to the Client scopes tab.
Click Add client scope and add the following attributes:
App attribute | Keycloak attribute |
|
|
|
|
|
|
Attribute names and values are case-sensitive!
Part 2: Configuring SSO on Lokalise
Return to Lokalise and complete the SSO setup using the details from your Keycloak instance:
Team's domain: Enter your full Keycloak domain (e.g., auth.example.com).
ACS URL Preview: https://app.lokalise.com/sso/yourdomain.com/acs. Replace yourdomain.com with your actual domain, including the TLD.
SAML 2.0 Endpoint (HTTP): Copy the HTTP-POST URL from Keycloak's XML metadata file.
Identity Provider Issuer: Copy the entityID from the same XML metadata file.
Public Certificate: Go to the Keys tab in Keycloak, select the RS256 key, and copy the Certificate. It must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
Sign AuthnRequest: Not typically required. You can leave this option disabled unless your setup explicitly calls for it.
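The values Part 2 takes from Keycloak's XML metadata can be extracted and checked with a short script. The Python below is an added example, not part of the original article and not Lokalise or Keycloak code; the function name lokalise_sso_fields and the sample metadata (host, realm, certificate body) are constructed for illustration. It assumes the metadata carries the same signing certificate that the Keys tab shows.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: host, realm, paths and certificate body are placeholders.
CERT_BODY = "QUJD" * 20
SAMPLE_METADATA = f"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://auth.example.com/realms/example">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {CERT_BODY[:40]}
        {CERT_BODY[40:]}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://auth.example.com/realms/example/protocol/saml/redirect"/>
    <md:SingleSignOnService Binding="{POST_BINDING}"
        Location="https://auth.example.com/realms/example/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def lokalise_sso_fields(metadata_xml):
    """Extract the endpoint, issuer and PEM certificate named in Part 2."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    post = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
            if s.get("Binding") == POST_BINDING]
    if not post:
        raise ValueError("metadata has no HTTP-POST SingleSignOnService")
    # Use the signing key; metadata may also list an encryption key.
    certs = [k.findtext(".//ds:X509Certificate", namespaces=NS)
             for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use") in (None, "signing")]
    if not certs or not certs[0]:
        raise ValueError("metadata has no signing certificate")
    body = "".join(certs[0].split())  # drop line breaks and indentation
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    pem = "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                     "-----END CERTIFICATE-----"])
    return {"endpoint": post[0], "issuer": root.get("entityID"), "certificate": pem}
```

The certificate entered in Lokalise is what assertion signatures are verified against, so read the metadata from your own realm over HTTPS.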
Part 3: Finalizing setup and logging in
Step 1: Configure advanced settings in Keycloak
In Keycloak, open the Advanced tab for your SAML client.
Set the Assertion Consumer Service POST Binding URL to match the ACS URL Preview shown in your Lokalise SSO settings.
This ensures that authentication responses are correctly routed back to Lokalise.
Step 2: Add users to the SAML client on Keycloak
Go to the Users section within your Keycloak Realm.
Add users who should have access to Lokalise.
Make sure each user:
Is enabled.
Has the appropriate role assigned (as configured in the Roles tab earlier).
Step 3: Login with SSO
Once everything is configured, head to https://app.lokalise.com/sso and enter the email address associated with your Keycloak domain. On the first login, Lokalise will prompt the user to confirm their email before completing authentication.