Note: this feature is available only for the Enterprise subscription plan. 


Parameters

Use these parameters to configure your custom SAML connection.

Provisioning

SSO post-back up URL

Entity ID

Keep in mind: Lokalise does not support Single Logout or session duration configured in your IDP.

Considerations

  • Lokalise supports HTTP POST binding, not HTTP REDIRECT. You must configure HTTP POST bindings in the IDP metadata.
  • Your IDP must ensure a user is both authenticated and authorized before sending an assertion. If a user isn't authorized, assertions should not be sent. We recommend your identity provider redirects people to an HTTP 403 page or something similar.

Settings to include

NameID (Required)

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">Your Unique Identifier</saml:NameID>
</saml:Subject>

Note: To meet SAML specifications, the NameID must be unique and pseudo-random, and must not change for the user over time, like an employee ID number.

Email Attribute (Required)

<saml:Attribute Name="User.Email"
 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">testuser@youremail.com</saml:AttributeValue>
</saml:Attribute>

First Name Attribute (Optional)

<saml:Attribute Name="first_name"
 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">FirstName</saml:AttributeValue>
</saml:Attribute>

Last Name Attribute (Optional)

<saml:Attribute Name="last_name"
 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">LastName</saml:AttributeValue>
</saml:Attribute>


Certificates

Public Certificate

Lokalise requires that the SAML response is signed, and you will need to paste a valid X.509 certificate in .pem format to verify your identity. This is different from your SSL certificate.
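A pre-flight structural check of a decoded sample response from your IDP against the settings listed above, as an added example that is not Lokalise's own code. It assumes the NameID Format and attribute names shown on this page are the expected ones; `lint_response` and `sample` are illustrative names, the sample XML is constructed, and the check only confirms that a Signature element is present, it does not verify the signature.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

def lint_response(xml_text):
    """Return a list of problems in a decoded SAML response (structure only)."""
    # Intended for your own IDP's sample output, not for untrusted input.
    root = ET.fromstring(xml_text)
    problems = []
    # Presence check only: a real service provider validates the signature.
    if root.find("ds:Signature", NS) is None:
        problems.append("response is not signed")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing or empty")
    elif name_id.get("Format") != PERSISTENT:
        problems.append("NameID Format is not persistent")
    values = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        values[attr.get("Name")] = (value.text or "") if value is not None else ""
    if not values.get("User.Email", "").strip():
        problems.append("required attribute User.Email missing or empty")
    # XML keeps whitespace inside element text, so report it explicitly.
    for name in ("User.Email", "first_name", "last_name"):
        text = values.get(name, "")
        if text.strip() and text != text.strip():
            problems.append(f"{name} value has surrounding whitespace")
    return problems

def sample(name_format=PERSISTENT, email="testuser@youremail.com", signed=True):
    """Constructed sample response; the Signature is an empty placeholder."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"] if signed else ""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">{sig}'
        f'<saml:Assertion><saml:Subject><saml:NameID Format="{name_format}">'
        f'emp-1</saml:NameID></saml:Subject><saml:AttributeStatement>'
        f'<saml:Attribute Name="User.Email"><saml:AttributeValue>{email}'
        f'</saml:AttributeValue></saml:Attribute>'
        f'</saml:AttributeStatement></saml:Assertion></samlp:Response>'
    )
```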

End-to-end encryption key 

If you require an end-to-end encryption key for your IDP, you can find a certificate by checking the Sign AuthnRequest box located in your team's SSO settings.
