This feature is available only on the Enterprise plan and can be purchased as an add-on on the Pro plan.
PingIdentity is a hosted identity and access management service provided by PingOne company.
In this article you'll learn how to set up single sign-on with Lokalise and PingIdentity. You can also refer to the PingIdentity official document on SSO.
Part 1: Configuration on Lokalise
To get started, log into Lokalise, click on the avatar in the bottom left corner and choose Team settings:
Then, proceed to the Advanced security tab and tick the Enable SSO field:
Team's domain: Enter your full PingIdentity domain.
ACS URL Preview:
https://app.lokalise.com/sso/yourdomain.com/acs
— ensure you include the complete domain with TLD (e.g.,.com
,.co.uk
).SAML 2.0 Endpoint (HTTP): Copy the Single Sign-on Service URL from the PingIdentity SAML app’s Configuration tab. Example:
https://auth.pingone.eu/ca6a602d-c58d-488d-9d21-77e82366caf3/saml20/idp/sso
.Identity Provider Issuer: Enter the Issuer ID from the same tab. Example:
https://auth.pingone.eu/ca6a602d-c58d-488d-9d21-77e82366caf3
.Public Certificate: Click Download Signing Certificate in the PingIdentity app's Configuration tab.
Paste the contents into Lokalise’s Public Certificate field. It must begin with-----BEGIN CERTIFICATE-----
and end with-----END CERTIFICATE-----
.Sign AuthnRequest: Typically not required. If needed, enable the option in Lokalise, copy the Service Provider Public Certificate, save it as a
.crt
file, and return to the PingIdentity Configuration tab. Click Edit, enable Enforce Signed Authn Request, and upload the.crt
file under Verification Certificate.
Reconfiguring same SSO domain for another team
If you need to reconfigure the same SSO domain for another Lokalise team, please follow these steps:
Empty all fields within Single sign-on (SSO) section of the Advanced security tab.
Uncheck Enable SSO setting.
Click on Save.
Proceed with configuring SSO for the other Lokalise team.
Part 2: Configuration on PingIdentity
Step 1: Creating a new SAML app
In your PingIdentity dashboard, go to Connections > Applications, then click the plus (+) icon to create a new app.
Step 2: Overview tab
Only the Application Name field is required.
Enter any name of your choice and click Save.
Step 3: Configuration tab
Fill out the following fields:
ACS URLS: Enter the ACS URL Preview from Lokalise. Example:
https://app.lokalise.com/sso/yourdomain.com/acs
.SIGNING KEY: Select Sign Assertion & Response
Signing Algorithm: Choose RSA_SHA256
ENTITY ID:
https://lokalise.com
SLO BINDING: Choose HTTP POST
SUBJECT NAME ID FORMAT:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
Click Save when done.
Step 4: Attribute Mappings tab
Define the following attributes:
App attribute | PingIdentity value |
| (required, but ignored by Lokalise) |
| Unique, persistent ID (e.g., User ID or Account ID) |
|
|
|
|
|
|
Attribute names and values are case-sensitive. Do not add additional attributes—Lokalise will ignore them.
You'll be presented with a summary of the added SAML attributes:
Step 5: Access tab
Enable the Display this application in the Application Portal option in the Application Portal Display section.
Step 6: Users tab
Go to Identities → Users, then click the plus (+) icon to add users.
When adding a user, make sure:
The user is enabled (toggle is blue).
Their profile contains values for all required SAML attributes defined in the Attribute Mappings tab.
Logging in with SSO
Once configuration is complete, go to https://app.lokalise.com/sso
and enter the user email associated with your PingIdentity domain. On the first login, Lokalise will prompt the user to confirm their email address.