This feature is available only on the Enterprise plan.
To find provider-specific tutorials, please refer to the corresponding section.
In this article you'll learn how to set up single sign-on with Lokalise.
Getting started
To get started, log in to Lokalise, click the avatar in the bottom-left corner, and choose Team settings.
Then, proceed to the Advanced security tab and tick the Enable SSO field.
Parameters
Use these parameters to configure your custom SAML connection.
Provisioning
- Lokalise supports both Identity Provider (IDP) initiated flow and Service Provider (SP) initiated flow.
- For SP-initiated single sign-on, go to https://app.lokalise.com/sso/yourdomain.com
SSO post-back up URL
- https://app.lokalise.com/sso/yourdomain.com/acs (also known as the Assertion Consumer Service URL)
Entity ID
- https://lokalise.com
Please keep in mind that Lokalise does not support Single Logout or session duration configured in your IDP.
Considerations
- Lokalise supports HTTP POST binding, not HTTP REDIRECT. You must configure HTTP POST bindings in the IDP metadata.
- Your IDP must ensure a user is both authenticated and authorized before sending an assertion. If a user isn't authorized, assertions should not be sent. We recommend that your identity provider redirect such users to an HTTP 403 page or something similar.
To prevent misconfiguration and authentication errors, please keep in mind the following:
- Fill out values exactly as provided by Lokalise and your Identity Provider (IdP). 
- SAML attribute names and values are case-sensitive. 
- At least NameID and Email attributes must be added to your SAML app configuration. 
- Extra slashes, whitespaces, wrong character case, etc. may lead to errors. 
Settings to include
NameID (Required)
To meet SAML specifications, the NameID must be unique, pseudo-random, and should not change for the user over time — like an employee ID number.
<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">Your Unique Identifier</saml:NameID>
</saml:Subject>
Email Attribute (Required)
<saml:Attribute Name="User.Email"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">testuser@youremail.com</saml:AttributeValue>
</saml:Attribute>
First Name Attribute (Optional)
<saml:Attribute Name="first_name"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">FirstName</saml:AttributeValue>
</saml:Attribute>
Last Name Attribute (Optional)
<saml:Attribute Name="last_name"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">LastName</saml:AttributeValue>
</saml:Attribute>
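The checks listed above (required NameID and User.Email, case-sensitive attribute names, no stray whitespace) can be run against a decoded test assertion from your IdP before you enable SSO. The following is an added example, not Lokalise code: the function name lint_assertion and the sample assertion are constructed for illustration, and it does not verify the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
REQUIRED = ("User.Email",)  # attribute names from this page, case-sensitive
OPTIONAL = ("first_name", "last_name")

def lint_assertion(xml_text):
    """Return a list of problems in a decoded SAML assertion (no signature check)."""
    problems = []
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID is missing or empty")
    else:
        if name_id.get("Format") != PERSISTENT:
            problems.append("NameID Format is not persistent")
        if name_id.text != name_id.text.strip():
            problems.append("NameID has surrounding whitespace")
    attrs = {a.get("Name"): a for a in root.iterfind(".//saml:Attribute", NS)}
    for wanted in REQUIRED + OPTIONAL:
        attr = attrs.get(wanted)
        if attr is None:
            # The same name in a different character case is a typical mismatch.
            near = [n for n in attrs if n and n.lower() == wanted.lower()]
            if near:
                problems.append(f"attribute {near[0]!r} should be named {wanted!r}")
            elif wanted in REQUIRED:
                problems.append(f"required attribute {wanted!r} is missing")
            continue
        value = attr.find("saml:AttributeValue", NS)
        text = value.text if value is not None else None
        if not (text or "").strip():
            problems.append(f"attribute {wanted!r} has no value")
        elif text != text.strip():
            problems.append(f"attribute {wanted!r} value has surrounding whitespace")
    return problems

# Constructed sample: wrong-case email attribute name and a value with a trailing newline.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">emp-000123</saml:NameID></saml:Subject>
<saml:AttributeStatement>
<saml:Attribute Name="user.email"><saml:AttributeValue>testuser@youremail.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="first_name"><saml:AttributeValue>FirstName
</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""

if __name__ == "__main__":
    print("\n".join(lint_assertion(SAMPLE)))
```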
Certificates
Public Certificate
Lokalise requires that the SAML response is signed, and you will need to paste a valid X.509 .pem certificate to verify your identity. This is different from your SSL certificate.
End-to-end encryption key
If you require an end-to-end encryption key for your IDP, you can find a certificate by checking the Sign AuthnRequest box located in your team's SSO settings.



