This feature is available only on the Enterprise plan.
In this article you'll learn how to set up single sign-on with Lokalise and OneLogin.
Configuration on Lokalise
To get started, log in to Lokalise, click on the avatar in the bottom left corner and choose Team settings.
Then, proceed to the Advanced security tab and tick the Enable SSO field:
Team's domain — enter your OneLogin domain.
SAML 2.0 Endpoint (HTTP) — enter the SAML 2.0 Endpoint (HTTP) value from the OneLogin SSO tab. For example: https://stvsk-dev.onelogin.com/trust/saml2/http-post/sso/cc9f5af6-4f2d-4fcf-b553-a337912de486. Please check the section below to learn more.
Identity Provider Issuer — enter the Issuer URL value from the OneLogin SSO tab, for example https://app.onelogin.com/saml/metadata/cc9f5af6-4f2d-4fcf-b553-a337912de486.
Public Certificate — enter the certificate value from the OneLogin SAML app's SSO tab. Must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
Sign AuthnRequest — is not usually required. However, you can still enable this option, copy the value to the .crt file and import this file to the necessary service.
If you need to reconfigure the same SSO domain for another Lokalise team, please follow these steps:
Empty all fields within the Single sign-on (SSO) section of the Advanced security tab.
Uncheck the Enable SSO setting.
Click on Save.
Proceed with configuring SSO for the other Lokalise team.
Configuration on OneLogin
Adding a OneLogin app
Proceed to OneLogin, navigate to the Applications page and click Add App. Next, search for the "SAML Custom Connector (Advanced)" app and click on it.
Info tab
Only the Display Name field is mandatory; the other fields can be left as is.
Configuration tab
RelayState — set to https://app.lokalise.com.
Audience (EntityID) — set to https://lokalise.com.
ACS (Consumer) URL Validator — enter the ACS URL Preview value from Lokalise in regex format, for example:
You can use the Regex Generator to produce a regular expression. Note the presence of the essential anchors: ^ and $.
ACS (Consumer) URL — enter the ACS URL Preview value from Lokalise, for example https://app.lokalise.com/sso/stvsk-dev.onelogin.com/acs.
SAML nameID format — set to Persistent.
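The following added example (not from Lokalise or OneLogin) shows why the ACS (Consumer) URL Validator needs escaped dots and the ^ and $ anchors. It builds the pattern from the sample ACS URL on this page and runs it against constructed look-alike URLs; Python's re module stands in for OneLogin's regex engine, which is an assumption, and the function names are hypothetical.

```python
import re

# ACS URL from the example on this page.
ACS_URL = "https://app.lokalise.com/sso/stvsk-dev.onelogin.com/acs"

# Constructed look-alike values that a correct validator must reject.
LOOKALIKES = [
    ACS_URL + ".example.net/x",              # real URL followed by extra text
    "https://example.net/?next=" + ACS_URL,  # real URL preceded by extra text
    ACS_URL.replace("app.", "appX"),         # "." left unescaped matches any char
]


def build_validator(acs_url):
    """Escape regex metacharacters, then anchor the pattern with ^ and $."""
    escaped = re.sub(r"([\\.^$*+?()\[\]{}|])", r"\\\1", acs_url)
    return "^" + escaped + "$"


def accepted(pattern, urls):
    """Return the URLs the pattern accepts, using unanchored search semantics."""
    return [u for u in urls if re.search(pattern, u)]


def compare():
    """List accepted candidates for three ways of writing the validator."""
    candidates = [ACS_URL] + LOOKALIKES
    anchored = build_validator(ACS_URL)
    variants = {
        "raw URL pasted as regex": ACS_URL,
        "escaped, no anchors": anchored[1:-1],
        "escaped and anchored": anchored,
    }
    return {name: accepted(p, candidates) for name, p in variants.items()}


if __name__ == "__main__":
    print(build_validator(ACS_URL))
    for name, hits in compare().items():
        print(f"{name}: accepts {len(hits)} of 4 candidates")
```

Only the escaped and anchored pattern accepts the real ACS URL alone; the other two variants also accept some of the look-alikes.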
Parameters tab
NameID value — must be unique and pseudo-random, and must not change for the user over time, for example a OneLogin ID.
User.Email — Email
first_name (optional) — First Name
last_name (optional) — Last Name
Please note that attribute names and values are case-sensitive. There's no need to add any other parameters as Lokalise will disregard those anyway.
Also note that for each added attribute you have to enable the Include in SAML assertion option. Otherwise OneLogin will not pass those attributes to Lokalise.
SSO tab
On this tab you'll need to get the X.509 Certificate as well as the Issuer URL and SAML 2.0 Endpoint (HTTP). You don't need to change anything here. Specifically, the SAML Signature Algorithm can have any value.
To grab the certificate, click View Details and copy it from the next screen.
Users tab
Here you'll see the users that have your SAML app assigned to them.
Add users to SAML app in OneLogin
You can assign apps on the Users page (https://company.onelogin.com/users).
You can also create a Role at https://company.onelogin.com/roles with your SAML app added, and then assign users to that role.
Logging in with SSO
Once everything is set up, proceed to https://app.lokalise.com/sso and enter the user email associated with the OneLogin domain. Upon the first login, you'll be asked to confirm your email.