
PingFederate SAML

Learn how to set up single sign-on with the PingFederate app.

Written by Ilya Krukowski
Updated over a week ago

This feature is available only on the Enterprise plan and can be purchased as an add-on on the Pro plan.

PingFederate is a self-hosted identity and access management service provided by PingOne company.

In this article you'll learn how to set up single sign-on with Lokalise and PingFederate.

Part 1: Configuration on Lokalise

To get started, log into Lokalise, click on the avatar in the bottom left corner and choose Team settings.

Then, proceed to the Advanced security tab and tick the Enable SSO field:


  1. Team's domain: Enter your full PingFederate domain.

  2. ACS URL Preview: https://app.lokalise.com/sso/yourdomain.com/acs — be sure to include the full domain with TLD (e.g., .com, .co.uk).

  3. SAML 2.0 Endpoint (HTTP): Enter the Single Signon Service URL from PingFederate. Example: https://auth.pingone.eu/ca6a602d-c58d-488d-9d21-77e82366caf3/saml20/idp/sso.

  4. Identity Provider Issuer: Enter the Issuer ID from PingFederate.
    Example: https://auth.pingone.eu/ca6a602d-c58d-488d-9d21-77e82366caf3

  5. Public Certificate: Paste the certificate obtained from the PingFederate SAML app’s settings. It must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

  6. Sign AuthnRequest: Usually not required. If needed, enable the option, copy the Service Provider Public Certificate from Lokalise into a .crt file, and import it into PingFederate.

Reconfiguring same SSO domain for another team

If you need to reconfigure the same SSO domain for another Lokalise team, please follow these steps:

  1. Empty all fields within the Single sign-on (SSO) section of the Advanced security tab.

  2. Uncheck the Enable SSO setting.

  3. Click on Save.

  4. Proceed with configuring SSO for the other Lokalise team.


Part 2: Configuration on PingFederate

Step 1: Creating a new SAML app

  • In PingFederate, go to Applications > SP Connections > Create connection.

  • Select DO NOT USE A TEMPLATE, then click Next.

Only modify fields explicitly mentioned in this guide. Leave all others at their default values.

Step 2: SP Connection section


  • Protocol: SAML 2.0

  • Browser SSO: true

  • Partner’s Entity ID (Connection ID): https://lokalise.com

Step 3: Browser SSO section


  • IdP-Initiated SSO: true

  • SP-Initiated SSO: true

Step 4: Assertion Creation section


  1. SAML_SUBJECT: Cannot be removed. Lokalise ignores it, so leave it as is.

  2. NameID: Must be unique, pseudo-random, and stable (e.g., User ID or Account ID).

  3. User.Email: Email Address

  4. first_name (optional): Given Name

  5. last_name (optional): Family Name

Attribute names and values are case-sensitive. Do not add any other parameters—Lokalise will disregard them.

Step 5: Protocol Settings section


  • Endpoint: enter the ACS URL Preview value from Lokalise.

  • POST: true

  • Always Sign Assertion: true

  • Sign Response as Required: true

Step 6: Credentials section


  • Include Certificate in KeyInfo: true

  • Selected Signing Algorithm: RSA SHA256

Step 7: Signature Verification section

Adding users to SAML app in PingFederate

PingFederate pulls users from PingOne/PingIdentity. Refer to the PingIdentity documentation for details on user assignment.


Logging in with SSO

After setup, go to https://app.lokalise.com/sso and enter the user email associated with your PingFederate domain. On first login, Lokalise will prompt for email confirmation.
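If a test login fails, the decoded SAML response (for example, copied from the browser's developer tools) can be compared with the settings in this guide. The Python check below is an added example, not part of Lokalise's or Ping's tooling: the sample XML, issuer and certificate are constructed placeholders, and it assumes the Step 4 names arrive as Attribute elements. It inspects structure only and does not verify the signature cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# Step 4 names; assumed to arrive as <Attribute Name="..."> elements.
REQUIRED = {"NameID", "User.Email"}
ALLOWED = REQUIRED | {"first_name", "last_name", "SAML_SUBJECT"}

def check_response(xml_text, acs_url, idp_issuer):
    """List mismatches between a decoded SAML response and this guide's settings."""
    root = ET.fromstring(xml_text)  # only feed it responses from your own IdP
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination differs from the ACS URL")
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element found"]
    if assertion.findtext("a:Issuer", "", NS).strip() != idp_issuer:
        problems.append("Issuer differs from Identity Provider Issuer")
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        problems.append("assertion is unsigned (Always Sign Assertion)")
    else:
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        if method is None or method.get("Algorithm") != RSA_SHA256:
            problems.append("signature algorithm is not RSA SHA256")
        if sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is None:
            problems.append("no certificate in KeyInfo")
    attrs = {a.get("Name", ""): a.findtext("a:AttributeValue", "", NS).strip()
             for a in assertion.iterfind("a:AttributeStatement/a:Attribute", NS)}
    problems += [f"missing or empty attribute {n}" for n in sorted(REQUIRED) if not attrs.get(n)]
    problems += [f"unexpected attribute {n} (names are case-sensitive)"
                 for n in sorted(set(attrs) - ALLOWED)]
    return problems

# Constructed sample: placeholder issuer and certificate, "user.email" in the wrong case.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://app.lokalise.com/sso/yourdomain.com/acs"><saml:Assertion>
 <saml:Issuer>https://idp.example.test</saml:Issuer><ds:Signature><ds:SignedInfo>
 <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo>
 <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
 </ds:Signature><saml:AttributeStatement>
 <saml:Attribute Name="NameID"><saml:AttributeValue>u-1001</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="user.email"><saml:AttributeValue>a@yourdomain.com</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Running `check_response(SAMPLE, "https://app.lokalise.com/sso/yourdomain.com/acs", "https://idp.example.test")` reports the miscased `user.email` attribute twice: once as a missing `User.Email` and once as an unexpected name.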

