Skip to main content
Keycloak SAML

Learn how to set up single sign-on with Keycloak.

Ilya Krukowski avatar
Written by Ilya Krukowski
Updated yesterday

This feature is available only on the Enterprise plan and can be purchased as an add-on on the Pro plan.

Keycloak is an open-source, self-hosted identity and access management service backed by The Linux Foundation.

In this article you'll learn how to set up single sign-on with Lokalise and Keycloak.

Getting started

To get started, log into Lokalise, click on the avatar in the bottom left corner and choose Team settings:

Then, proceed to the Advanced security tab and tick the Enable SSO field.


Creating a new SAML client on Keycloak

Providing general settings

Create a new SAML client on Keycloak:

  • Make sure you’re located in the correct Realm. Click the Clients > Create client button:

  • Provide general settings:

    • Client type: SAML

    • Client ID: https://lokalise.com

    • Name: Lokalise (or another name of your choice)

Login settings

Provide login settings:

  • Root URL: https://app.lokalise.com

  • Home URL: https://app.lokalise.com

  • Valid redirect URIs: https://app.lokalise.com/sso/yourdomain.com, https://app.lokalise.com/sso/yourdomain.com/acs, *

  • IDP-Initiated SSO URL name: lokalise

  • NameID format: persistent

  • Force name ID format: ON

  • Force POST binding: ON

  • Include AuthnStatement: ON

  • Sign documents: ON

  • Sign assertions: ON

  • Signature algorithm: RSA_SHA256

Keys settings

Then, proceed to the Keys tab for the created client and set the Client signature required option to OFF.

Assigning roles

In the Roles tab, assign roles to Keycloak users who need access to Lokalise.

Setting up client scopes

Switch to the Client scopes tab.

Click Add client scope and add the following attributes:

  1. User.Email: email

  2. first_name (optional): firstName

  3. last_name (optional): lastName

No additional parameters are needed.

Attribute names and values are case-sensitive!


Configuring SSO on Lokalise

Return to Lokalise and provide SSO configuration as follows:

View sample configuration

  1. Team's domain: Your Keycloak domain.

  2. ACS URL Preview: https://app.lokalise.com/sso/yourdomain.com/acs (use your full domain, including TLD).

  3. SAML 2.0 Endpoint (HTTP): Copy the HTTP Post URL from Keycloak’s XML metadata file.

  4. Identity Provider Issuer: Copy the entityID from Keycloak’s XML metadata file.

  5. Public Certificate: Obtain it from Keycloak’s Keys tab by selecting RS256 > Certificate. Ensure it begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.

  6. Sign AuthnRequest: Usually not required.


Finalizing setup and logging in

Advanced tab

Return to Keycloak, switch to the Advanced tab for your SAML client

Set the Assertion Consumer Service POST Binding URL to match the ACS URL Preview found on Lokalise.

View the Advanced tab

Add users to SAML client on Keycloak

Go to the Users tab in Keycloak for the SAML client and add users who need access.

Ensure each user:

  • Is enabled.

  • Has a role assigned as configured above.

Login with SSO

Go to https://app.lokalise.com/sso and enter user email associated with the Keycloak domain. Upon first login Lokalise will ask to confirm your email.

Did this answer your question?