This feature is available only on the Enterprise plan and can be purchased as an add-on on the Pro plan.
In this article you'll learn how to set up single sign-on with Lokalise and OneLogin.
Part 1: Configuration on Lokalise
To get started, log in to Lokalise, click on the avatar in the bottom left corner and choose Team settings.
Then, proceed to the Advanced security tab and tick the Enable SSO field:
Team's domain: Enter your full OneLogin domain (e.g., yourcompany.onelogin.com).
SAML 2.0 Endpoint (HTTP): Copy the SAML 2.0 Endpoint (HTTP) from the OneLogin SSO tab. Example: https://stvsk-dev.onelogin.com/trust/saml2/http-post/sso/cc9f5af6-4f2d-4fcf-b553-a337912de486
Identity Provider Issuer: Use the Issuer URL from the same SSO tab. Example: https://app.onelogin.com/saml/metadata/cc9f5af6-4f2d-4fcf-b553-a337912de486
Public Certificate: Copy the certificate from the OneLogin SAML app’s SSO tab. It must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
Sign AuthnRequest: Typically not required. If needed, enable the option, copy the certificate from Lokalise’s Service Provider Public Certificate field into a .crt file, and import it into the required service.
Reconfiguring the same SSO domain for another team
If you need to reconfigure the same SSO domain for another Lokalise team, please follow these steps:
Empty all fields within the Single sign-on (SSO) section of the Advanced security tab.
Uncheck the Enable SSO setting.
Click on Save.
Proceed with configuring SSO for the other Lokalise team.
Part 2: Configuration on OneLogin
Step 1: Adding a OneLogin app
Log in to your OneLogin admin portal.
Navigate to Applications and click Add App.
Search for SAML Custom Connector (Advanced) and select it.
Step 2: Info tab
Only the Display Name field is required.
All other fields can be left at their default values.
Step 3: Configuration tab
RelayState — set to https://app.lokalise.com.
Audience (EntityID) — set to https://lokalise.com.
ACS (Consumer) URL Validator — enter the ACS URL Preview from Lokalise in regex format. Tip: Use the Regex Generator to produce a proper expression. Be sure to include the ^ and $ anchors.
ACS (Consumer) URL — enter the ACS URL Preview value from Lokalise, for example https://app.lokalise.com/sso/stvsk-dev.onelogin.com/acs.
SAML nameID format — set to Persistent.
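Why the ^ and $ anchors (and escaped dots) matter for the ACS (Consumer) URL Validator, shown as an added example that is not part of the Lokalise or OneLogin documentation. Python's re module stands in for the validator, which is an assumption; the candidate URLs are constructed and example.net is a placeholder host.

```python
import re

# ACS URL from the example on this page.
ACS_URL = "https://app.lokalise.com/sso/stvsk-dev.onelogin.com/acs"

# Constructed test inputs (example.net is a placeholder host).
CANDIDATES = [
    ACS_URL,                                 # the genuine ACS URL
    ACS_URL + ".example.net/collect",        # genuine URL used as a prefix
    "https://example.net/?next=" + ACS_URL,  # genuine URL used as a suffix
    "https://appXlokalise.com/sso/stvsk-dev.onelogin.com/acs",  # '.' as wildcard
]


def build_validator(acs_url: str) -> str:
    """Escape every regex metacharacter, then anchor both ends."""
    return "^" + re.escape(acs_url) + "$"


def accepted(pattern: str) -> list:
    """Return the candidates a validator using `pattern` would let through.

    re.search is used on purpose: it finds a match anywhere in the string,
    so only the ^ and $ in the pattern itself constrain where it matches.
    """
    return [c for c in CANDIDATES if re.search(pattern, c)]


if __name__ == "__main__":
    patterns = {
        "pasted URL, no anchors, no escaping": ACS_URL,
        "anchored, dots not escaped": "^" + ACS_URL + "$",
        "anchored and escaped": build_validator(ACS_URL),
    }
    for label, pattern in patterns.items():
        print(f"{label}: {pattern}")
        for url in accepted(pattern):
            print(f"    accepts {url}")
```

Only the anchored and escaped pattern accepts the genuine ACS URL alone; confirm the generated expression in OneLogin's own field, since its regex syntax may differ from Python's.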
Step 4: Parameters tab
Define the following attributes:
App Attribute | OneLogin Field
NameID value | Unique ID (e.g., OneLogin ID)
User.Email | Email
first_name (optional) | First Name
last_name (optional) | Last Name
The NameID value must be unique and pseudo-random, and must not change for the user over time (a OneLogin ID, for example).
Attributes are case-sensitive.
Any unmapped fields will be ignored by Lokalise.
Also note that for each added attribute you have to enable the Include in SAML assertion option.
Step 5: SSO tab
This tab provides the values you’ll need to complete the setup in Lokalise:
X.509 Certificate: Click View Details to access and copy the certificate.
Issuer URL and SAML 2.0 Endpoint (HTTP) are also located here.
No changes are required on this tab. The SAML Signature Algorithm can remain as-is.
To get the certificate, click View Details and copy it from the next screen.
Step 6: Users tab
This tab shows users who have the SAML app assigned.
Add users to the SAML app in OneLogin
You can assign apps on the Users page (https://company.onelogin.com/users).
You can also create a Role at https://company.onelogin.com/roles with your SAML app added, and assign users to that role.
Logging in with SSO
Once setup is complete, go to https://app.lokalise.com/sso and enter the user’s email address associated with your OneLogin domain. On first login, Lokalise will prompt the user to confirm their email address before access is granted.