Lokalise

This feature is available only on the Enterprise plan and can be purchased as an add-on on the Pro plan.

In this article you'll learn how to set up single <a href="https://docs.lokalise.com/en/articles/3339495-saml-based-single-sign-on-sso">sign-on with Lokalise</a> and Okta.

To get started, log into Lokalise, click on the avatar in the bottom left corner and choose Team settings:

Then, proceed to the Advanced security tab and tick the Enable SSO field:

Team's domain — enter your Okta domain.

SAML 2.0 Endpoint (HTTP) — enter the Audience URI (SP Entity ID) value from Okta's SAML settings. For example: <code>https://yourdomain.okta.com/app/yourdomain_lokalise_1/exk3w3tl0wTE8zQPl5d7/sso/saml</code>.

Identity Provider Issuer — enter Identity Provider Issuer value from Okta Configuration details page. For example: <code>http://www.okta.com/qer3w3tlOwET8zPQl4d9</code>.

Public Certificate — enter X.509 Certificate from the Okta Configuration details page. Must begin with <code>-----BEGIN CERTIFICATE-----</code> and end with <code>-----END CERTIFICATE-----</code>.

Sign AuthnRequest — is not usually required. However, you can still enable this option, copy the value to the <code>.crt</code> file and import this file to the necessary service.

- Team's domain — enter your Okta domain.
- SAML 2.0 Endpoint (HTTP) — enter the Audience URI (SP Entity ID) value from Okta's SAML settings. For example: <code>https://yourdomain.okta.com/app/yourdomain_lokalise_1/exk3w3tl0wTE8zQPl5d7/sso/saml</code>.
- Identity Provider Issuer — enter Identity Provider Issuer value from Okta Configuration details page. For example: <code>http://www.okta.com/qer3w3tlOwET8zPQl4d9</code>.
- Public Certificate — enter X.509 Certificate from the Okta Configuration details page. Must begin with <code>-----BEGIN CERTIFICATE-----</code> and end with <code>-----END CERTIFICATE-----</code>.
- Sign AuthnRequest — is not usually required. However, you can still enable this option, copy the value to the <code>.crt</code> file and import this file to the necessary service.

If you need to reconfigure the same SSO domain for another Lokalise team, please follow these steps:

Empty all fields within Single sign-on (SSO) section of the Advanced security tab.

Proceed with configuring SSO for the other Lokalise team.

1. Empty all fields within Single sign-on (SSO) section of the Advanced security tab.
2. Uncheck Enable SSO setting.
3. Click on Save.
4. Proceed with configuring SSO for the other Lokalise team.

Single Sign On URL, Recipient URL, Destination URL — enter the ACS URL Preview value from Lokalise settings.

Audience Restriction — set to <code>https://lokalise.com</code>.

Name ID format — set to Persistent

Assertion Signature — set to Signed

- Single Sign On URL, Recipient URL, Destination URL — enter the ACS URL Preview value from Lokalise settings.
- Audience Restriction — set to <code>https://lokalise.com</code>.
- Name ID format — set to Persistent
- Response — set to Signed
- Assertion Signature — set to Signed

Leave all other fields to their default values.

Please note that attribute names and values are case-sensitive.

Once everything is set up, proceed to <code>https://app.lokalise.com/sso</code> and enter user email associated with the Okta domain. Upon the first log in, you'll be asked to confirm your email:

Configuration on Lokalise

Configuration on Okta

SAML settings

Attribute statements

Logging in with SSO