Skip to main content

PingIdentity SAML

Learn how to set up single sign-on with PingIdentity app.

Ilya Krukowski avatar
Written by Ilya Krukowski
Updated over a week ago

This feature is available only on the Enterprise plan and can be purchased as an add-on on the Pro plan.

PingIdentity is a hosted identity and access management service provided by PingOne company.

In this article you'll learn how to set up single sign-on with Lokalise and PingIdentity. You can also refer to the PingIdentity official document on SSO.

Part 1: Configuration on Lokalise

To get started, log into Lokalise, click on the avatar in the bottom left corner and choose Team settings:

Accessing team settings

Then, proceed to the Advanced security tab and tick the Enable SSO field:

Enabling SSO

  • Team's domain: Enter your full PingIdentity domain.

  • ACS URL Preview: https://app.lokalise.com/sso/yourdomain.com/acs — ensure you include the complete domain with TLD (e.g., .com, .co.uk).

  • SAML 2.0 Endpoint (HTTP): Copy the Single Sign-on Service URL from the PingIdentity SAML app’s Configuration tab. Example: https://auth.pingone.eu/ca6a602d-c58d-488d-9d21-77e82366caf3/saml20/idp/sso.

  • Identity Provider Issuer: Enter the Issuer ID from the same tab. Example: https://auth.pingone.eu/ca6a602d-c58d-488d-9d21-77e82366caf3.

  • Public Certificate: Click Download Signing Certificate in the PingIdentity app's Configuration tab.
    Paste the contents into Lokalise’s Public Certificate field. It must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

  • Sign AuthnRequest: Typically not required. If needed, enable the option in Lokalise, copy the Service Provider Public Certificate, save it as a .crt file, and return to the PingIdentity Configuration tab. Click Edit, enable Enforce Signed Authn Request, and upload the .crt file under Verification Certificate.

Reconfiguring same SSO domain for another team

If you need to reconfigure the same SSO domain for another Lokalise team, please follow these steps:

  1. Empty all fields within Single sign-on (SSO) section of the Advanced security tab.

  2. Uncheck Enable SSO setting.

  3. Click on Save.

  4. Proceed with configuring SSO for the other Lokalise team.


Part 2: Configuration on PingIdentity

Step 1: Creating a new SAML app

In your PingIdentity dashboard, go to Connections > Applications, then click the plus (+) icon to create a new app.

Creating a new app

Step 2: Overview tab

View Overview tab

  1. Only the Application Name field is required.

  2. Enter any name of your choice and click Save.

Step 3: Configuration tab

View Configuration tab

Fill out the following fields:

  • ACS URLS: Enter the ACS URL Preview from Lokalise. Example: https://app.lokalise.com/sso/yourdomain.com/acs.

  • SIGNING KEY: Select Sign Assertion & Response

    • Signing Algorithm: Choose RSA_SHA256

  • ENTITY ID: https://lokalise.com

  • SLO BINDING: Choose HTTP POST

  • SUBJECT NAME ID FORMAT: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

Click Save when done.

Step 4: Attribute Mappings tab

View Attribute mappings

Define the following attributes:

App attribute

PingIdentity value

saml_subject

(required, but ignored by Lokalise)

NameID

Unique, persistent ID (e.g., User ID or Account ID)

User.Email

Email Address

first_name (optional)

Given Name

last_name (optional)

Family Name

Attribute names and values are case-sensitive. Do not add additional attributes—Lokalise will ignore them.

You'll be presented with a summary of the added SAML attributes:

Step 5: Access tab

View Access tab

Enable the Display this application in the Application Portal option in the Application Portal Display section.

Step 6: Users tab

View Users tab

  1. Go to IdentitiesUsers, then click the plus (+) icon to add users.

  2. When adding a user, make sure:

    • The user is enabled (toggle is blue).

    • Their profile contains values for all required SAML attributes defined in the Attribute Mappings tab.


Logging in with SSO

Once configuration is complete, go to https://app.lokalise.com/sso and enter the user email associated with your PingIdentity domain. On the first login, Lokalise will prompt the user to confirm their email address.

View confirmation email

Did this answer your question?