This feature is available only on the Enterprise subscription plan.


Use these parameters to configure your custom SAML connection.


  • Lokalise supports both Identity Provider (IdP)-initiated and Service Provider (SP)-initiated flows.

  • For SP-Initiated single sign-on, go to

SSO post-back up URL

  • (Also known as the Assertion Consumer Service URL)

Entity ID

Keep in mind: Lokalise does not support Single Logout or session duration configured in your IDP.


  • Lokalise supports HTTP POST binding, not HTTP REDIRECT. You must configure HTTP POST bindings in the IDP metadata.

  • Your IDP must ensure a user is both authenticated and authorized before sending an assertion. If a user isn't authorized, assertions should not be sent. We recommend that your identity provider redirect people to an HTTP 403 page or something similar.

To prevent misconfiguration and authentication errors, please keep in mind the following:

  • Fill out values exactly as provided by Lokalise and your Identity Provider (IdP).

  • SAML attribute names and values are case-sensitive.

  • At least NameID and Email attributes must be added to your SAML app configuration.

  • Extra slashes, whitespaces, wrong character case, etc. may lead to errors.

Settings to include

NameID (Required)

  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">Your Unique Identifier</saml:NameID>

Note: To meet SAML specifications, the NameID must be unique and pseudo-random, and must not change for the user over time, like an employee ID number.

Email Attribute (Required)

<saml:Attribute Name="User.Email">
  <saml:AttributeValue xsi:type="xs:anyType">user@example.com</saml:AttributeValue>
</saml:Attribute>

First Name Attribute (Optional)

<saml:Attribute Name="first_name">
  <saml:AttributeValue xsi:type="xs:anyType">FirstName</saml:AttributeValue>
</saml:Attribute>

Last Name Attribute (Optional)

<saml:Attribute Name="last_name">
  <saml:AttributeValue xsi:type="xs:anyType">LastName</saml:AttributeValue>
</saml:Attribute>
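
A pre-flight check for the attribute rules above, as an added example that is not Lokalise's code: it reads a decoded assertion captured from a test login at your own IdP and reports missing required attributes, wrong-case names, and padded values. The function name, the sample assertion, and the treatment of the persistent NameID format as the expected one are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# NameID format as shown in the page's example; assumed here to be the expected one.
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
REQUIRED = ["User.Email"]               # attribute names exactly as the page spells them
OPTIONAL = ["first_name", "last_name"]

def check_assertion(xml_text):
    """Return a list of problems in a decoded assertion from your own IdP test login.
    Checks names and values only; it does not verify the signature."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID is missing or empty")
    elif name_id.get("Format") != PERSISTENT:
        problems.append(f"NameID Format is {name_id.get('Format')!r}, not persistent")
    # Map each attribute name, exactly as sent, to its list of values.
    sent = {a.get("Name", ""): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
            for a in root.iterfind(".//saml:Attribute", NS)}
    for expected in REQUIRED + OPTIONAL:
        if expected in sent:
            values = sent[expected]
            if not any(v.strip() for v in values):
                problems.append(f"{expected} has no value")
            elif any(v != v.strip() for v in values):
                problems.append(f"{expected} value has leading or trailing whitespace")
            continue
        # Names are case-sensitive: look for a near miss before reporting it absent.
        near = [n for n in sent if n.strip().lower() == expected.lower()]
        if near:
            problems.append(f"{near[0]!r} sent, but the name must be exactly {expected!r}")
        elif expected in REQUIRED:
            problems.append(f"required attribute {expected} is missing")
    return problems

# Constructed sample: wrong case on the email attribute, padded first name.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">e-10492</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="user.email"><saml:AttributeValue>ana@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="first_name"><saml:AttributeValue> Ana </saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for problem in check_assertion(SAMPLE):
        print("FAIL:", problem)
```
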


Public Certificate

Lokalise requires that the SAML response be signed, so you will need to paste a valid X.509 certificate in .pem format to verify your identity. This is different from your SSL certificate.

End-to-end encryption key 

If you require an end-to-end encryption key for your IDP, you can find a certificate by checking the Sign AuthnRequest box located in your team's SSO settings.


If you are setting up SSO with Okta, you can use the following settings:
