PingFederate SAML

Learn how to set up single sign-on with PingFederate app.

Ilya Krukowski avatar
Written by Ilya Krukowski
Updated over a week ago

This feature is available only on the Enterprise plan.

PingFederate is a self-hosted identity and access management service provided by PingOne company.

In this article you'll learn how to set up single sign-on with Lokalise and PingFederate.

Configuration on Lokalise

To get started, log into Lokalise, click on the avatar in the bottom left corner and choose Team settings:

Then, proceed to the Advanced security tab and tick the Enable SSO field:

  • Team's domain — your PingFederate domain.

  • ACS URL Preview Make sure the domain is entered fully with TLD (.com,, etc.).

  • SAML 2.0 Endpoint (HTTP) — enter Single Signon Service obtained from PingFederate, for example

  • Identity Provider Issuer — enter Issuer ID obtained from PingFederate, for example

  • Public Certificate — enter a certificate obtaned from the PingFederate SAML app’s settings. Must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

  • Sign AuthnRequest is not usually required. If you do need this feature, then tick the corresponding field and copy certificate from Service provider Public Certificate field on Lokalise, and then save it to an .crt file. Then proceed to PingFederate and import the certificate.

If you need to reconfigure the same SSO domain for another Lokalise team, please follow these steps:

  1. Empty all fields within Single sign-on (SSO) section of the Advanced security tab.

  2. Uncheck Enable SSO setting.

  3. Click on Save.

  4. Proceed with configuring SSO for the other Lokalise team.

Configuration on PingFederate

Creating a new SAML app

Proceed to PingFederate and click Applications > SP Connections > Create connection.

Make sure to choose DO NOT USE A TEMPLATE:

Click Next. Please note that if specific options are not mentioned in this document then you're not expected to modify their values.

SP Connection section

  • Protocol — SAML 2.0

  • Browser SSO — true

  • Partner’s Entity ID (Connection ID)

Browser SSO section

  • IdP-Initiated SSO — true

  • SP-Initiated SSO — true

Assertion Creation section

  • SAML_SUBJECT — can’t be removed but will be disregarded by Lokalise, so leave it as is.

  • NameID — must be unique, pseudo-random, and will not change for the user over time — like a User ID or Account ID for example.

  • User.EmailEmail Address.

  • first_name (optional) — Given Name.

  • last_name (optional) — Family Name.

Please note that attribute names and values are case-sensitive. There's no need to add any other parameters as Lokalise will disregard those anyway.

Protocol Settings section

  • Endpoint — enter the ACS URL Preview value copied from Lokalise.

  • POST — true

  • Always SIgn Assertion — true

  • Sign Response as Required — true

Credentials section

  • Include Certificate in KeyInfo — true

  • Selected Signing Algorithm — RSA SHA256

Signature Verification section

Adding users to SAML app in PingFederate

PingFederate fetches users from PingOne/PingIdentity so please refer to the corresponding section in the PingIdentity article to learn more.

Logging in with SSO

Once everything is set up, proceed to and enter user email associated with the PingFederate domain. Upon the first log in, you'll be asked to confirm your email:

Did this answer your question?