This feature is available only on the Enterprise plan and can be purchased as an add-on on the Pro plan.
PingFederate is a self-hosted identity and access management service provided by PingOne company.
In this article you'll learn how to set up single sign-on with Lokalise and PingFederate.
Part 1: Configuration on Lokalise
To get started, log into Lokalise, click on the avatar in the bottom left corner and choose Team settings:
Then, proceed to the Advanced security tab and tick the Enable SSO field:
Team's domain: Enter your full PingFederate domain.
ACS URL Preview: https://app.lokalise.com/sso/yourdomain.com/acs — be sure to include the full domain with TLD (e.g., .com, .co.uk).
SAML 2.0 Endpoint (HTTP): Enter the Single Signon Service URL from PingFederate. Example: https://auth.pingone.eu/ca6a602d-c58d-488d-9d21-77e82366caf3/saml20/idp/sso
Identity Provider Issuer: Enter the Issuer ID from PingFederate. Example: https://auth.pingone.eu/ca6a602d-c58d-488d-9d21-77e82366caf3
Public Certificate: Paste the certificate obtained from the PingFederate SAML app’s settings. It must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
Sign AuthnRequest: Usually not required. If needed, enable the option, copy the Service Provider Public Certificate from Lokalise into a .crt file, and import it into PingFederate.
Reconfiguring same SSO domain for another team
If you need to reconfigure the same SSO domain for another Lokalise team, please follow these steps:
Empty all fields within the Single sign-on (SSO) section of the Advanced security tab.
Uncheck the Enable SSO setting.
Click on Save.
Proceed with configuring SSO for the other Lokalise team.
Part 2: Configuration on PingFederate
Step 1: Creating a new SAML app
In PingFederate, go to Applications > SP Connections > Create connection.
Select DO NOT USE A TEMPLATE, then click Next.
Only modify fields explicitly mentioned in this guide. Leave all others at their default values.
Step 2: SP Connection section
Protocol — SAML 2.0
Browser SSO — true
Partner’s Entity ID (Connection ID) — https://lokalise.com
Step 3: Browser SSO section
IdP-Initiated SSO — true
SP-Initiated SSO — true
Step 4: Assertion Creation section
SAML_SUBJECT: Cannot be removed. Lokalise ignores it, so leave it as is.
NameID: Must be unique, pseudo-random, and stable (e.g., User ID or Account ID).
User.Email: Email Address
first_name (optional): Given Name
last_name (optional): Family Name
Attribute names and values are case-sensitive. Do not add any other parameters—Lokalise will disregard them.
Step 5: Protocol Settings section
Endpoint — enter the ACS URL Preview value from Lokalise.
POST — true
Always Sign Assertion — true
Sign Response as Required — true
Step 6: Credentials section
Include Certificate in KeyInfo — true
Selected Signing Algorithm — RSA SHA256
Step 7: Signature Verification section
Adding users to SAML app in PingFederate
PingFederate pulls users from PingOne/PingIdentity. Refer to the PingIdentity documentation for details on user assignment.
Logging in with SSO
After setup, go to https://app.lokalise.com/sso and enter the user email associated with your PingFederate domain. On first login, Lokalise will prompt for email confirmation.
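To check a test login against the Part 2 settings, the following added example (not Lokalise or Ping Identity code) inspects a decoded SAML response for the ACS destination, a signed assertion, RSA SHA256, the certificate in KeyInfo and the exact attribute names. The function names, the constructed sample response and the reading of NameID as an attribute sent alongside User.Email are assumptions.

```python
import xml.etree.ElementTree as ET
NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
REQUIRED = {"NameID", "User.Email"}  # assumption: NameID travels as an attribute
OPTIONAL = {"first_name", "last_name"}
ACS = "https://app.lokalise.com/sso/yourdomain.com/acs"  # placeholder domain from the guide

def check_response(xml_text, acs_url):
    """Return findings for a decoded SAML response; an empty list matches the guide."""
    findings = []
    root = ET.fromstring(xml_text)  # use only on responses from your own IdP
    if root.get("Destination") != acs_url:
        findings.append("Destination does not match the ACS URL")
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return findings + ["no Assertion element found"]
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        findings.append("Assertion is not signed")
    else:
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        if method is None or method.get("Algorithm") != RSA_SHA256:
            findings.append("signature algorithm is not RSA SHA256")
        if sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is None:
            findings.append("certificate missing from KeyInfo")
    attrs = assertion.iterfind("a:AttributeStatement/a:Attribute", NS)
    names = {a.get("Name") for a in attrs}
    known_lower = {n.lower() for n in REQUIRED | OPTIONAL}
    for missing in sorted(REQUIRED - names):
        findings.append(f"missing attribute {missing}")
    for extra in sorted(names - REQUIRED - OPTIONAL):  # names are case-sensitive
        hint = " (wrong case?)" if extra.lower() in known_lower else ""
        findings.append(f"unexpected attribute {extra}{hint}")
    return findings

def sample(attrs, alg=RSA_SHA256, dest=ACS):
    """Constructed response skeleton for the demo; not a capture, signature not real."""
    stmt = "".join(f'<a:Attribute Name="{n}"/>' for n in attrs)
    return (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}" xmlns:ds="{NS["ds"]}"'
            f' Destination="{dest}"><a:Assertion><ds:Signature><ds:SignedInfo>'
            f'<ds:SignatureMethod Algorithm="{alg}"/></ds:SignedInfo><ds:KeyInfo>'
            f'<ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>'
            f'</ds:X509Data></ds:KeyInfo></ds:Signature><a:AttributeStatement>{stmt}'
            f'</a:AttributeStatement></a:Assertion></p:Response>')

if __name__ == "__main__":
    print(check_response(sample(["NameID", "user.email", "first_name"]), ACS))
```

The check covers the layout of the response only; it does not verify the signature cryptographically.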