SAML-based Single Sign On (SSO)
Ronalds Breikss avatar
Written by Ronalds Breikss
Updated over a week ago

This feature is available only on the Enterprise plan.

To find provider-specific tutorials, please refer to the corresponding section.

In this article you'll learn how to set up single sign-on with Lokalise.

Getting started

To get started, log into Lokalise, click on the avatar in the bottom left corner and choose Team settings:

Then, proceed to the Advanced security tab and tick the Enable SSO field.


Use these parameters to configure your custom SAML connection.


  • Lokalise supports Identity Provider (IDP) Initiated Flow and Service Provider (SP) Initiated flow.

  • For SP-Initiated single sign-on, go to

SSO post-back up URL

  • (Also known as the Assertion Consumer Service URL)

Entity ID


Please keep in mind that Lokalise does not support Single Logout or session duration configured in your IDP.


  • Lokalise supports HTTP POST binding, not HTTP REDIRECT. You must configure HTTP POST bindings in the IDP metadata.

  • Your IDP must ensure a user is both authenticated and authorized before sending an assertion. If a user isn't authorized, assertions should not be sent. We recommend your identity provider redirects people to a HTTP 403 page or something similar.

To prevent misconfiguration and authentication errors please keep in mind the following:

  • Fill out values exactly as provided by Lokalise and your Identity Provider (IdP).

  • SAML attribute names and values are case-sensitive.

  • At least NameID and Email attributes must be added to your SAML app configuration.

  • Extra slashes, whitespaces, wrong character case, etc. may lead to errors.

Settings to include

NameID (Required)

To meet SAML specifications, the NameID must be unique, pseudo-random, and should not change for the user over time — like an employee ID number.

  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">Your Unique Identifier</saml:NameID>

Email Attribute (Required)

<saml:Attribute Name="User.Email"
  <saml:AttributeValue xsi:type="xs:anyType">

First Name Attribute (Optional)

<saml:Attribute Name="first_name"
  <saml:AttributeValue xsi:type="xs:anyType">FirstName

Last Name Attribute (Optional)

<saml:Attribute Name="last_name"
  <saml:AttributeValue xsi:type="xs:anyType">LastName


Public Certificate

Lokalise requires that the SAML response is signed and you will need to paste a valid X.509 .pem certificate to verify your identity. This is different from your SSL certificate.

End-to-end encryption key 

If you require an end-to-end encryption key for your IDP, you can find a certificate by checking the Sign AuthnRequest box located in your team's SSO settings.

Setup guidelines for specific providers

Did this answer your question?