This feature is available only on the Enterprise plan and can be purchased as an add-on on the Pro plan.
PingIdentity (PingOne) is a hosted identity and access management service provided by Ping Identity.
In this article you'll learn how to set up SAML single sign-on between Lokalise and PingIdentity. You can also refer to the official PingIdentity documentation on SSO.
Configuration on Lokalise
To get started, log into Lokalise, click on the avatar in the bottom left corner and choose Team settings:
Then, proceed to the Advanced security tab and tick the Enable SSO field:
Team's domain — enter the domain of your team members' email addresses, i.e. the domain your users sign in to PingIdentity with. Make sure the domain is entered fully with its TLD (.com, .co.uk, etc.).
ACS URL Preview — generated from the team's domain, for example https://app.lokalise.com/sso/yourdomain.com/acs. You will need this value when configuring the PingIdentity application.
SAML 2.0 Endpoint (HTTP) — enter the Single Sign-on Service URL from the PingIdentity SAML app's Configuration tab, for example https://auth.pingone.eu/ca6a602d-c58d-488d-9d21-77e82366caf3/saml20/idp/sso.
Identity Provider Issuer — enter the Issuer ID from the PingIdentity SAML app's Configuration tab, for example https://auth.pingone.eu/ca6a602d-c58d-488d-9d21-77e82366caf3. The endpoint above is located under this issuer; if the two values do not match, they were most likely copied from different applications or environments.
Public Certificate — the identity provider's signing certificate, obtained by clicking the Download Signing Certificate button in the PingIdentity SAML app's Configuration tab. Paste it in PEM format: it must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----. Lokalise uses this certificate to verify the signatures on the SAML messages PingIdentity sends, so update this field whenever you rotate the signing key in PingIdentity, otherwise logins will start failing.
Sign AuthnRequest — not usually required. Signing authentication requests lets PingIdentity reject login requests that did not originate from Lokalise; it does not replace signing of the assertion and response on the PingIdentity side, which is always required. If you do need this feature, tick the corresponding field, copy the certificate from the Service provider Public Certificate field on Lokalise, and save it to a .crt file. Then proceed to the PingIdentity SAML app's Configuration tab, click the Edit button in the top right corner, and enable the Enforce Signed Authn Request option. The Verification Certificate section will appear below; import the .crt file saved from Lokalise there:
If you need to reconfigure the same SSO domain for another Lokalise team, please follow these steps:
Empty all fields within the Single sign-on (SSO) section of the Advanced security tab.
Uncheck Enable SSO setting.
Click on Save.
Proceed with configuring SSO for the other Lokalise team.
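The Lokalise-side values above are easy to get subtly wrong (a domain without its TLD, an endpoint and issuer copied from two different PingOne environments, a certificate pasted without its PEM framing), and the only symptom is a failed login later. The following pre-flight checker is an added example and is not part of the Lokalise or PingIdentity documentation; it assumes that the PingOne SSO endpoint is always the issuer followed by /saml20/idp/sso (true for the example values on this page) and uses a constructed stand-in for the downloaded certificate, so only the PEM framing and DER encoding are checked, not the certificate contents.

```python
import base64
import ssl

# Sample values mirroring the examples in this article (constructed for the demo).
PINGONE_ISSUER = "https://auth.pingone.eu/ca6a602d-c58d-488d-9d21-77e82366caf3"
PINGONE_SSO_URL = PINGONE_ISSUER + "/saml20/idp/sso"
TEAM_DOMAIN = "yourdomain.com"

# Constructed stand-in for the downloaded PEM file: the body is a five-byte DER
# SEQUENCE, not a real certificate, so the check exercises framing and encoding only.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"\x30\x03\x02\x01\x01").decode()
    + "-----END CERTIFICATE-----\n"
)


def check_team_domain(domain: str) -> list:
    """The team domain must be a bare DNS name including its TLD."""
    problems = []
    labels = domain.strip().lower().split(".")
    if len(labels) < 2 or not all(labels):
        problems.append("Team's domain must be entered fully with its TLD, e.g. yourdomain.com")
    if domain.startswith("http") or "/" in domain or "@" in domain:
        problems.append("Team's domain is a bare DNS name, not a URL or an e-mail address")
    return problems


def acs_url(domain: str) -> str:
    """The ACS URL Lokalise derives from the team domain (pattern taken from this article)."""
    return f"https://app.lokalise.com/sso/{domain.strip().lower()}/acs"


def check_idp_values(issuer: str, sso_url: str) -> list:
    """Issuer and SSO endpoint must belong to the same PingOne application."""
    problems = []
    if not issuer.startswith("https://"):
        problems.append("Identity Provider Issuer should be an https URL")
    if not sso_url.startswith(issuer.rstrip("/") + "/"):
        problems.append("SAML 2.0 Endpoint is not under the Issuer; the values probably come "
                        "from different PingOne applications or environments")
    # Assumption: PingOne's SSO endpoint is always <issuer>/saml20/idp/sso.
    if not sso_url.endswith("/saml20/idp/sso"):
        problems.append("SAML 2.0 Endpoint does not look like PingOne's SSO endpoint "
                        "(expected .../saml20/idp/sso)")
    return problems


def check_pem_certificate(pem: str) -> list:
    """PEM framing exactly as Lokalise requires, plus a sanity check on the DER body."""
    if pem.count("-----BEGIN CERTIFICATE-----") != 1:
        return ["Public Certificate must contain exactly one certificate"]
    try:
        # Same rules as the field description: must start with the BEGIN line
        # and end with the END line; raises ValueError otherwise.
        der = ssl.PEM_cert_to_DER_cert(pem)
    except ValueError as exc:
        return [f"Public Certificate: {exc}"]
    if not der or der[0] != 0x30:
        return ["Public Certificate body does not decode to a DER SEQUENCE; "
                "was something other than the signing certificate pasted?"]
    return []


def check_lokalise_config(domain: str, issuer: str, sso_url: str, pem: str) -> list:
    """Run every check and return the list of problems (empty means ready to save)."""
    return (check_team_domain(domain)
            + check_idp_values(issuer, sso_url)
            + check_pem_certificate(pem))


if __name__ == "__main__":
    for problem in check_lokalise_config(TEAM_DOMAIN, PINGONE_ISSUER, PINGONE_SSO_URL, SAMPLE_PEM):
        print("PROBLEM:", problem)
    print("ACS URL to enter in PingIdentity:", acs_url(TEAM_DOMAIN))
```

Run it with the real values before clicking Save; an empty problem list means the four fields are at least internally consistent, and the printed ACS URL is the value you will need in the next section.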
Configuration on PingIdentity
Proceed to your PingIdentity dashboard, click Connections > Applications, and then click the "plus" icon:
Overview tab
Only the Application Name field is mandatory here; all other fields are optional. Enter any name and click Save.
Configuration tab
Next, you'll be presented with the Configuration tab:
ACS URLS — enter the ACS URL Preview copied from Lokalise, for example https://app.lokalise.com/sso/yourdomain.com/acs (check the previous section to find this value).
SIGNING KEY — choose Sign Assertion & Response, so that both the SAML response and the assertion inside it are signed with the certificate you uploaded to Lokalise.
Signing Algorithm — choose RSA_SHA256. Do not pick a SHA-1 variant.
ENTITY ID — enter https://lokalise.com.
SLO BINDING — choose HTTP POST.
SUBJECT NAME ID FORMAT — choose urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
Once you're ready, hit Save.
Attribute Mappings tab
You'll be presented with the Attribute Mappings tab:
saml_subject — can't be removed, but Lokalise disregards it anyway.
NameID — must be unique, pseudo-random and stable, i.e. it must not change for the user over time; a User ID or Account ID is a good choice. Do not map it to an email address: email addresses can change or be reassigned, and a changed NameID makes Lokalise treat the person as a new user.
User.Email — set to Email Address.
first_name (optional) — set to Given Name.
last_name (optional) — set to Family Name.
There's no need to add any other parameters, as Lokalise disregards them anyway. Please note that all names and values are case sensitive: user.email will not be recognised as User.Email.
After editing, you'll be presented with a summary of the added SAML attributes:
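To see what the mapping above produces and why the case of the attribute names matters, here is an added example (not Lokalise's own code) that parses a constructed PingOne-style assertion and checks it against the values configured on the Lokalise side. It is an illustration of service-provider-side checks, not a description of how Lokalise processes assertions; the email-domain check and the wording of the messages are assumptions. It deliberately does not verify the XML signature, which a real service provider must do against the uploaded Public Certificate before trusting any of these fields.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Values from the Lokalise side of the setup (taken from this article).
EXPECTED_ISSUER = "https://auth.pingone.eu/ca6a602d-c58d-488d-9d21-77e82366caf3"
TEAM_DOMAIN = "yourdomain.com"
REQUIRED_ATTRIBUTES = ("User.Email",)

# Constructed sample assertion: unsigned and trimmed to the elements the checks use.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Issuer>https://auth.pingone.eu/ca6a602d-c58d-488d-9d21-77e82366caf3</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">7f5e2a90-3b1c-4d8e-9f60-2a7b4c1d0e55</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="User.Email"><saml2:AttributeValue>jane.doe@yourdomain.com</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="first_name"><saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="last_name"><saml2:AttributeValue>Doe</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def parse_assertion(xml_text: str) -> dict:
    """Extract issuer, subject NameID (with format) and the attribute statement."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml2:Subject/saml2:NameID", NS)
    attributes = {}
    for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    return {
        "issuer": root.findtext("saml2:Issuer", namespaces=NS),
        "name_id": None if name_id is None else name_id.text,
        "name_id_format": None if name_id is None else name_id.get("Format"),
        "attributes": attributes,
    }


def check_assertion(parsed: dict, expected_issuer: str, team_domain: str) -> list:
    """Return problems found against the configured values; empty list means OK.
    Precondition (not implemented here): the signature has already been verified."""
    problems = []
    if parsed["issuer"] != expected_issuer:
        problems.append(f"Issuer {parsed['issuer']!r} does not match the configured "
                        f"Identity Provider Issuer {expected_issuer!r}")
    if not parsed["name_id"]:
        problems.append("Assertion has no Subject NameID")
    elif parsed["name_id_format"] != PERSISTENT:
        problems.append(f"NameID format is {parsed['name_id_format']!r}, expected persistent")

    attrs = parsed["attributes"]
    by_lowercase = {name.lower(): name for name in attrs}
    for required in REQUIRED_ATTRIBUTES:
        if required in attrs:
            continue
        # Most common mistake: right attribute, wrong case in the PingOne mapping.
        if required.lower() in by_lowercase:
            problems.append(f"attribute {by_lowercase[required.lower()]!r} was sent but "
                            f"{required!r} is expected; attribute names are case sensitive")
        else:
            problems.append(f"required attribute {required!r} is missing")

    # Assumed check: the asserted email should belong to the team's domain, so that an
    # identity provider configured for one domain cannot assert addresses from another.
    for email in attrs.get("User.Email", []):
        if email.rsplit("@", 1)[-1].lower() != team_domain.lower():
            problems.append(f"User.Email {email!r} is not in the team domain {team_domain!r}")
    return problems


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    print(parsed["attributes"])
    print(check_assertion(parsed, EXPECTED_ISSUER, TEAM_DOMAIN) or "assertion matches the configuration")
```

Change Name="User.Email" to Name="user.email" in the sample and the check reports the case mismatch, which is exactly the failure you get when the mapping in PingOne is typed with the wrong case.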
Access tab
Next, the Access tab:
Enable the Display this application in the Application Portal option in the Application Portal Display section.
Users tab
To add users on PingIdentity, proceed to Identities > Users tab, and click the "plus" icon:
When adding a new user, make sure that:
The user is enabled (toggle the blue switch as shown in the screenshot above).
The user's profile contains values for all of the SAML attributes mapped under the Attribute Mappings tab; a user without an email address, for example, will be rejected by Lokalise.
Logging in with SSO
Once everything is set up, proceed to https://app.lokalise.com/sso
and enter the email address associated with the team's domain. Upon the first login, you'll be asked to confirm your email: