
Microsoft Entra ID SAML

Learn how to set up single sign-on with Microsoft Entra ID (previously known as Microsoft Azure AD).

Written by Ilya Krukowski
Updated over a week ago

This feature is available only on the Enterprise plan and can be purchased as an add-on on the Pro plan.

This guide will walk you through setting up single sign-on (SSO) between Lokalise and Microsoft Entra ID (formerly Microsoft Azure Active Directory).

Part 1: Configuration on Lokalise

To begin, log in to your Lokalise account. In the bottom-left corner, click your avatar and select Team settings.


Next, navigate to the Advanced security tab and enable the Single Sign-On (SSO) option by checking the corresponding box. Then fill in the following fields:


  • Team's domain: Enter your full Microsoft Entra ID domain, including the top-level domain (e.g., .com, .co.uk).

  • SAML 2.0 Endpoint (HTTP): This URL should end with /saml2. For example:
    https://login.microsoftonline.com/2d2e4745-1603-48d7-87c4-00b61b4d248f/saml2. (See the section below for details on how to obtain this.)

  • Identity Provider Issuer: Typically looks like this:
    https://sts.windows.net/2d2e4745-1603-48d7-87c4-00b61b4d248f/
    Make sure to include the trailing slash. Learn more in the section below.

  • Public Certificate: Paste the certificate from your Entra ID SAML app configuration. It must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----. (Instructions below explain how to retrieve this.)

  • Sign AuthnRequest: Usually not required. If your setup calls for it, enable the option, copy the provided certificate value to a .crt file, and import it into the target service.

Reconfiguring the same SSO domain for another team

If you want to use the same SSO domain with a different Lokalise team, follow these steps:

  1. Go to the Advanced security tab of the current team and clear all fields under the Single Sign-On (SSO) section.

  2. Uncheck the Enable SSO option.

  3. Click Save to confirm the changes.

  4. You can now proceed to set up SSO for the other Lokalise team using the same domain.


Part 2: Configuration on Entra ID

Open the Entra ID admin center dashboard and go to the Single sign-on tab.


Step 1: Basic SAML Configuration


  1. Identifier (Entity ID): https://lokalise.com

  2. Reply URL (Assertion Consumer Service URL): Enter the ACS URL Preview value found in your Lokalise SSO settings.

  3. Sign-on URL: https://app.lokalise.com/

Step 2: Attributes & Claims


  1. Unique User Identifier (Name ID): Use a value that is unique, stable, and pseudo-random—such as an employee ID. The Name ID format must be set to Persistent.

  2. user.email → set to user.mail

  3. first_name (optional) → set to user.givenname

  4. last_name (optional) → set to user.surname

Attribute names and values are case-sensitive.
You can ignore all other claims—Lokalise will disregard them.

Step 3: SAML Signing Certificate


  1. Signing Option: Select Sign SAML response and assertion.

  2. Signing Algorithm: Choose SHA-256.

Next, download the Certificate (Base64) file from this section. Open the file using any text editor, then copy the entire content and paste it into the Public Certificate field in your Lokalise SSO settings.


Step 4: Set up Lokalise SAML App


  • Login URL → Paste into the SAML 2.0 Endpoint (HTTP) field on Lokalise.

  • Azure AD Identifier → Paste into the Identity Provider Issuer field on Lokalise.
    Example: https://sts.windows.net/2d2e4745-1603-48d7-87c4-00b61b4d248f/ (note the trailing slash).

Logout URL is currently not supported and can be ignored.
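
A pre-flight check for the three values pasted into Lokalise in Part 1, as an added example that is not part of the original guide or Lokalise's own tooling. `check_sso_fields` is a hypothetical helper; the https requirement and the tenant-ID comparison are assumptions drawn from the example URLs above, and the sample certificate is a constructed placeholder.

```python
import base64
import binascii
import re

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
# Constructed placeholder: a tiny DER SEQUENCE, not a real certificate.
SAMPLE_CERT = "\n".join(
    [PEM_BEGIN, base64.b64encode(b"\x30\x03\x02\x01\x01").decode(), PEM_END])


def check_sso_fields(endpoint, issuer, certificate):
    """Return a list of problems; an empty list means the values look right."""
    problems = []
    endpoint, issuer = endpoint.strip(), issuer.strip()

    if not endpoint.startswith("https://") or not endpoint.endswith("/saml2"):
        problems.append("SAML 2.0 Endpoint must be an https URL ending with /saml2")
    if not issuer.startswith("https://") or not issuer.endswith("/"):
        problems.append("Identity Provider Issuer must be an https URL with a trailing slash")

    # Assumption: both values carry the tenant GUID, as in the guide's examples.
    ep_id, is_id = re.search(GUID, endpoint), re.search(GUID, issuer)
    if ep_id and is_id and ep_id.group().lower() != is_id.group().lower():
        problems.append("Endpoint and Issuer contain different tenant IDs")

    pem = certificate.strip()
    if not (pem.startswith(PEM_BEGIN) and pem.endswith(PEM_END)):
        problems.append("Public Certificate must begin and end with the PEM markers")
    else:
        body = "".join(pem[len(PEM_BEGIN):-len(PEM_END)].split())
        try:
            der = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            der = b""
        # An X.509 certificate is a DER SEQUENCE, so its first byte is 0x30.
        if not der.startswith(b"\x30"):
            problems.append("Public Certificate body is not valid Base64 DER")
    return problems


if __name__ == "__main__":
    tenant = "2d2e4745-1603-48d7-87c4-00b61b4d248f"  # GUID from the guide's examples
    # Issuer deliberately lacks the trailing slash, so one problem is reported.
    for problem in check_sso_fields(
            f"https://login.microsoftonline.com/{tenant}/saml2",
            f"https://sts.windows.net/{tenant}", SAMPLE_CERT):
        print(problem)
```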

Step 5: Add users to the SAML app in Azure AD

In your Entra ID SAML app, go to Users and groups. Click Add user/group and select the users you want to assign.


Make sure each user has a valid email address filled out in the Email field under the Contact info section.



Logging in with SSO

Once your setup is complete, go to https://app.lokalise.com/sso and enter the email address associated with your Microsoft Entra ID domain. On your first login, you’ll be prompted to confirm your email address before proceeding.
