OneLogin SAML

Learn how to set up single sign-on with the OneLogin app.

Written by Ilya Krukowski
Updated over a week ago

This feature is available only on the Enterprise plan.

In this article you'll learn how to set up single sign-on with Lokalise and OneLogin.

Configuration on Lokalise

To get started, log into Lokalise, click on the avatar in the bottom left corner and choose Team settings:

Then, proceed to the Advanced security tab, tick the Enable SSO field, and fill in the following settings:

  • Team's domain — enter your OneLogin domain.

  • SAML 2.0 Endpoint (HTTP) — enter the SAML 2.0 Endpoint (HTTP) value from the OneLogin SSO tab. For example: https://stvsk-dev.onelogin.com/trust/saml2/http-post/sso/cc9f5af6-4f2d-4fcf-b553-a337912de486. Please check the section below to learn more.

  • Identity Provider Issuer — enter the Issuer URL value from the OneLogin SSO tab, for example https://app.onelogin.com/saml/metadata/cc9f5af6-4f2d-4fcf-b553-a337912de486.

  • Public Certificate — enter the certificate value from the OneLogin SAML app’s SSO tab. Must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

  • Sign AuthnRequest — usually not required. If you do enable this option, copy the value to a .crt file and import that file into the necessary service.

If you need to reconfigure the same SSO domain for another Lokalise team, please follow these steps:

  1. Empty all fields within the Single sign-on (SSO) section of the Advanced security tab.

  2. Uncheck the Enable SSO setting.

  3. Click on Save.

  4. Proceed with configuring SSO for the other Lokalise team.

Configuration on OneLogin

Adding a OneLogin app

Proceed to OneLogin, navigate to the Applications page and click Add App. Next, search for the "SAML Custom Connector (Advanced)" app and click on it.

Info tab

Only the Display Name field is mandatory; the other fields can be left as is.

Configuration tab

  • RelayState — set to https://app.lokalise.com.

  • Audience (EntityID) — set to https://lokalise.com.

  • ACS (Consumer) URL Validator — enter the ACS URL Preview value from Lokalise in regex format, for example:


    You can use the Regex Generator to produce a regular expression. Note the presence of the essential anchors: ^ and $.

  • ACS (Consumer) URL — enter the ACS URL Preview value from Lokalise, for example
    https://app.lokalise.com/sso/stvsk-dev.onelogin.com/acs.

  • SAML nameID format — set to Persistent.
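
The ACS (Consumer) URL Validator item above asks for the ACS URL in regex format with the ^ and $ anchors. The following added example (not Lokalise or OneLogin code) builds such a pattern from the ACS URL shown on this page and reports what a looser pattern would also accept. It assumes the validator uses common regex syntax; the helper names and the .invalid probe URLs are hypothetical.

```python
import re

# ACS URL from the example on this page.
ACS_URL = "https://app.lokalise.com/sso/stvsk-dev.onelogin.com/acs"

# Regex metacharacters that must be escaped to match literally.
_META = set(".^$*+?()[]{}|\\")


def build_acs_validator(acs_url):
    """Return an anchored pattern that matches exactly one ACS URL."""
    escaped = "".join("\\" + ch if ch in _META else ch for ch in acs_url)
    return "^" + escaped + "$"


def accepts(pattern, candidate):
    # Unanchored search: only the pattern's own ^ and $ limit the match.
    return re.search(pattern, candidate) is not None


def audit(pattern, acs_url=ACS_URL):
    """Return the weaknesses of a validator pattern (empty list = none)."""
    problems = []
    if not accepts(pattern, acs_url):
        problems.append("does not match the real ACS URL")
    # Constructed probe URLs; the .invalid hosts are placeholders.
    if accepts(pattern, "https://other.invalid/?next=" + acs_url):
        problems.append("missing ^: accepts text before the URL")
    if accepts(pattern, acs_url + ".other.invalid/acs"):
        problems.append("missing $: accepts text after the URL")
    if accepts(pattern, acs_url.replace(".", "x")):
        problems.append("unescaped '.': accepts look-alike hosts")
    return problems


if __name__ == "__main__":
    strict = build_acs_validator(ACS_URL)
    # Constructed candidates: the raw URL pasted as a pattern, and the strict one.
    for pattern in (ACS_URL, strict):
        print(pattern, "->", audit(pattern) or "ok")
```

Pasting the raw URL as the pattern trips all three checks, while the escaped and anchored pattern trips none.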

Parameters tab

  • NameID value — must be unique and pseudo-random, and must not change for the user over time, for example a OneLogin ID.

  • User.Email — Email

  • first_name (optional) — First Name

  • last_name (optional) — Last Name

Please note that attribute names and values are case-sensitive. There's no need to add any other parameters as Lokalise will disregard those anyway.

Also note that for each added attribute you have to enable the Include in SAML assertion option:

Otherwise OneLogin will not pass those attributes to Lokalise.

SSO tab

On this tab you'll need to get the X.509 Certificate as well as the Issuer URL and SAML 2.0 Endpoint (HTTP). You don't need to change anything here. Specifically, the SAML Signature Algorithm can have any value.

To grab the certificate, click View Details and copy it from the next screen:

Users tab

Here you'll see the users that have your SAML app assigned to them.

Add users to SAML app in OneLogin

You can assign apps on the Users page (https://company.onelogin.com/users):

You can also create a Role at https://company.onelogin.com/roles with your SAML app added, and then assign users to that role:

Logging in with SSO

Once everything is set up, proceed to https://app.lokalise.com/sso and enter the user email associated with the OneLogin domain. Upon the first login, you'll be asked to confirm your email:
