This feature is available only on the Enterprise subscription plan.
PingFederate is a self-hosted identity and access management service provided by PingOne company.
In this article you'll learn how to set up single sign-on with Lokalise and PingFederate.
Configuration on Lokalise
To get started, log into Lokalise, click on the avatar in the bottom left corner and choose Team settings:
Then, proceed to the Advanced security tab and tick the Enable SSO field:
Team's domain — your PingFederate domain.
ACS URL Preview —
https://app.lokalise.com/sso/yourdomain.com/acs. Make sure the domain is entered fully with TLD (
SAML 2.0 Endpoint (HTTP) — enter Single Signon Service obtained from PingFederate, for example
Identity Provider Issuer — enter Issuer ID obtained from PingFederate, for example
Public Certificate — enter a certificate obtaned from the PingFederate SAML app’s settings. Must begin with
-----BEGIN CERTIFICATE-----and end with
Sign AuthnRequest is not usually required. If you do need this feature, then tick the corresponding field and copy certificate from Service provider Public Certificate field on Lokalise, and then save it to an
.crtfile. Then proceed to PingFederate and import the certificate.
If you need to reconfigure the same SSO domain for another Lokalise team, please follow these steps:
Empty all fields within Single sign-on (SSO) section of the Advanced security tab.
Uncheck Enable SSO setting.
Click on Save.
Proceed with configuring SSO for the other Lokalise team.
Configuration on PingFederate
Creating a new SAML app
Proceed to PingFederate and click Applications > SP Connections > Create connection.
Make sure to choose DO NOT USE A TEMPLATE:
Click Next. Please note that if specific options are not mentioned in this document then you're not expected to modify their values.
SP Connection section
Protocol — SAML 2.0
Browser SSO — true
Partner’s Entity ID (Connection ID) —
Browser SSO section
IdP-Initiated SSO — true
SP-Initiated SSO — true
Assertion Creation section
SAML_SUBJECT — can’t be removed but will be disregarded by Lokalise, so leave it as is.
NameID — must be unique, pseudo-random, and will not change for the user over time — like a User ID or Account ID for example.
first_name (optional) —
last_name (optional) —
Please note that attribute names and values are case-sensitive. There's no need to add any other parameters as Lokalise will disregard those anyway.
Protocol Settings section
Endpoint — enter the ACS URL Preview value copied from Lokalise.
POST — true
Always SIgn Assertion — true
Sign Response as Required — true
Include Certificate in KeyInfo — true
Selected Signing Algorithm — RSA SHA256
Signature Verification section
Adding users to SAML app in PingFederate
PingFederate fetches users from PingOne/PingIdentity so please refer to the corresponding section in the PingIdentity article to learn more.
Logging in with SSO
Once everything is set up, proceed to
https://app.lokalise.com/sso and enter user email associated with the PingFederate domain. Upon the first log in, you'll be asked to confirm your email: