This feature is available only on the Enterprise plan and can be purchased as an add-on on the Pro plan.
To find provider-specific tutorials, please refer to the corresponding section.
In this article you'll learn how to set up single sign-on with Lokalise.
Getting started
To get started, log into Lokalise, click on the avatar in the bottom left corner and choose Team settings:
Then, proceed to the Advanced security tab and tick the Enable SSO field.
Parameters
Use these parameters to configure your custom SAML connection.
Provisioning
Lokalise supports both the Identity Provider (IDP) initiated flow and the Service Provider (SP) initiated flow.
For SP-initiated single sign-on, go to https://app.lokalise.com/sso/yourdomain.com
SSO post-back URL (also known as the Assertion Consumer Service URL)
https://app.lokalise.com/sso/yourdomain.com/acs
Entity ID
https://lokalise.com
Please keep in mind that Lokalise does not support Single Logout or a session duration configured in your IDP.
Considerations
Lokalise supports the HTTP POST binding, not HTTP Redirect. You must configure the HTTP POST binding in the IDP metadata.
Your IDP must ensure a user is both authenticated and authorized before sending an assertion. If a user isn't authorized, no assertion should be sent. We recommend that your identity provider redirects such users to an HTTP 403 page or something similar.
To prevent misconfiguration and authentication errors, keep the following in mind:
Fill out values exactly as provided by Lokalise and your Identity Provider (IdP).
SAML attribute names and values are case-sensitive.
At minimum, the NameID and Email attributes must be added to your SAML app configuration.
Extra slashes, whitespace, wrong character case, and similar mistakes may lead to errors.
Settings to include
NameID (Required)
To meet the SAML specification, the NameID must be unique, pseudo-random, and must not change for the user over time (for example, an employee ID number).
<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">Your Unique Identifier</saml:NameID>
</saml:Subject>
Email Attribute (Required)
<saml:Attribute Name="User.Email"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">testuser@youremail.com</saml:AttributeValue>
</saml:Attribute>
First Name Attribute (Optional)
<saml:Attribute Name="first_name"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">FirstName</saml:AttributeValue>
</saml:Attribute>
Last Name Attribute (Optional)
<saml:Attribute Name="last_name"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">LastName</saml:AttributeValue>
</saml:Attribute>
Certificates
Public Certificate
Lokalise requires that the SAML response is signed, and you will need to paste a valid X.509 certificate in .pem format so that Lokalise can verify the signature. This is different from your SSL certificate.
End-to-end encryption key
If you require an end-to-end encryption key for your IDP, you can obtain the certificate by ticking the Sign AuthnRequest box in your team's SSO settings.