This feature is available only on the Enterprise subscription plan.
In this article you'll learn how to set up single sign-on with Lokalise and OneLogin.
Here's a short video that can help you get started:
Configuration on Lokalise
To get started, log into Lokalise, click on the avatar in the bottom left corner and choose Team settings:
Then, proceed to the Advanced security tab and tick the Enable SSO field:
Team's domain — enter your OneLogin domain.
SAML 2.0 Endpoint (HTTP) — enter the SAML 2.0 Endpoint (HTTP) value from the OneLogin SSO tab. For example:
https://stvsk-dev.onelogin.com/trust/saml2/http-post/sso/cc9f5af6-4f2d-4fcf-b553-a337912de486. Please check the section below to learn more.
Identity Provider Issuer — enter the Issuer URL value from the OneLogin SSO tab, for example
Public Certificate — enter the certificate value from the OneLogin SAML app’s SSO tab. Must begin with
-----BEGIN CERTIFICATE-----and end with
Sign AuthnRequest — is not usually required. However, you can still enable this option, copy the value to the
.crtfile and import this file to the necessary service.
If you need to reconfigure the same SSO domain for another Lokalise team, please follow these steps:
Empty all fields within Single sign-on (SSO) section of the Advanced security tab.
Uncheck Enable SSO setting.
Click on Save.
Proceed with configuring SSO for the other Lokalise team.
Configuration on OneLogin
Adding a OneLogin app
Proceed to OneLogin, navigate to the Applications page and click Add App. Next, search for the "SAML Custom Connector (Advanced)" app and click on it.
Only the Display Name field is mandatory, other fields can be left as is.
RelayState — set to
Audience (EntityID) — set to
ACS (Consumer) URL Validator — enter the ACS URL Preview value from Lokalise in regex format, for example:
You can use the Regex Generator to produce a regular expression. Note the presence of the essential anchors:
ACS (Consumer) URL — enter the ACS URL Preview value from Lokalise, for example
SAML nameID format — set to Persistent.
NameID value — must be unique, pseudo-random, and will not change for the user over time — like a OneLogin ID, for example.
first_name (optional) —
last_name (optional) —
Please note that attribute names and values are case-sensitive. There's no need to add any other parameters as Lokalise will disregard those anyway.
Also note that for each added attribute you have to enable the Include in SAML assertion option:
Otherwise OneLogin will not pass those attributes to Lokalise.
On this tab you'll need to get the X.509 Certificate as well as the Issuer URL and SAML 2.0 Endpoint (HTTP). You don't need to change anything here. Specifically, the SAML Signature Algorithm can have any value.
To grab the certificate, click on the View Details and copy it from the next screen:
Here you'll see the users that have your SAML app assigned to them.
Add users to SAML app in OneLogin
You can assign apps on the Users page (
You can also create a Role at
https://company.onelogin.com/roles with your SAML app added, and then assign users to that role:
Logging in with SSO
Once everything is set up, proceed to
https://app.lokalise.com/sso and enter user email associated with the OneLogin domain. Upon the first log in, you'll be asked to confirm your email: