LaunchDarkly Developer Documentation

Single sign-on

Available to enterprise customers

Single sign-on is only available to customers on our enterprise plans. If you're interested in learning more about our enterprise plans, contact sales@launchdarkly.com.

Single sign-on (SSO) allows your team to authenticate with LaunchDarkly via the same identity provider you use for your other internal and external services. Additionally, with single sign-on, administrators can use their identity provider to manage access rights in LaunchDarkly.

LaunchDarkly implements single sign-on via the SAML 2.0 protocol. At present, we provide support for the following identity providers:

Setting up SSO

If you're a LaunchDarkly administrator or account owner, you can configure your LaunchDarkly account to rely on your identity provider for team member authentication. To start the setup process, click the Configure SAML button on the Security tab.

After clicking on the Configure SAML button, you will see the SAML configuration screen. You can copy the configuration details when setting up the SAML application in your identity provider.

Once you have created the SAML application in your identity provider, you will need to copy SAML configuration metadata into the SAML configuration screen in LaunchDarkly and click Save.

Identity provider configuration tips

The following are specific tips for configuring the integration between LaunchDarkly and your identity provider.

Okta

| Okta field | Notes |
| --- | --- |
| Single Sign On URL | Use LaunchDarkly's Assertion Consumer Service URL value. Leave “Use this for Recipient URL and Destination URL” checked. |
| Audience URI (SP Entity ID) | Use LaunchDarkly's Entity ID value. |
| Default RelayState | Leave empty. |
| Name ID format | Select “EmailAddress”. |
| Application Username | Select “Email”. |
| Single Logout URL | Leave empty. |

  • Use the defaults under Advanced Settings.
  • In LaunchDarkly, copy Okta's Identity Provider Single Sign-On URL to the Sign-on URL field.

OneLogin

| OneLogin field | Notes |
| --- | --- |
| RelayState | Leave empty. |
| Audience | Use LaunchDarkly's Entity ID value. |
| Recipient | Use LaunchDarkly's Assertion Consumer Service URL value. |
| ACS (Consumer) URL Validator | Use LaunchDarkly's Assertion Consumer Service URL value. |
| ACS (Consumer) URL | Use LaunchDarkly's Assertion Consumer Service URL value. |
| Single Logout URL | Leave empty. |

  • In LaunchDarkly, copy OneLogin's "SAML 2.0 Endpoint (HTTP)" value to the Sign-on URL field.

User provisioning via SSO

LaunchDarkly will automatically create accounts for new team members who sign in via your identity provider. New team members will not be able to sign in via LaunchDarkly's login screen until they have accessed LaunchDarkly from your identity provider.

Every time a team member signs into LaunchDarkly, LaunchDarkly will also update the team member's profile with any user attributes submitted by the identity provider. You can configure your identity provider to send the following attributes when the team member is signing into LaunchDarkly. Each attribute is optional and can also be managed from LaunchDarkly. Attribute names should be specified using "basic" format.

| Field name | Description |
| --- | --- |
| firstName | First name |
| lastName | Last name |
| role | LaunchDarkly role: one of reader, writer, admin. If the user has custom roles, specify a role of reader. If unspecified, the default role is reader. |
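
The following Python check is an added example, not LaunchDarkly's code: it lints an assertion captured from your identity provider against the settings described above (EmailAddress NameID, Audience equal to the Entity ID, Recipient equal to the Assertion Consumer Service URL, "basic" attribute names, and a valid role). The function name, the sample assertion, and the `SP_ENTITY_ID` / `SP_ACS_URL` placeholder values are assumptions; substitute the values shown on your SAML configuration screen.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
ROLES = {"reader", "writer", "admin"}

# Placeholders (assumptions): copy the real values from the SAML configuration screen.
SP_ENTITY_ID = "https://sp.example.invalid/entity-id"
SP_ACS_URL = "https://sp.example.invalid/acs"

# Constructed, unsigned sample; this lints the mapping only and verifies no signature.
SAMPLE = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="{EMAIL_FORMAT}">ada@example.com</saml:NameID>
    <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{SP_ACS_URL}"/></saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName" NameFormat="{BASIC_FORMAT}"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role" NameFormat="{BASIC_FORMAT}"><saml:AttributeValue>owner</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def lint_assertion(xml_text, entity_id=SP_ENTITY_ID, acs_url=SP_ACS_URL):
    """Return a list of configuration problems; an empty list means the mapping looks right."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not EmailAddress")
    audiences = {a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text}
    if entity_id not in audiences:
        problems.append("Audience does not match the Entity ID")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient does not match the Assertion Consumer Service URL")
    for attr in root.iterfind(".//saml:Attribute", NS):
        name = attr.get("Name")
        values = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
        if attr.get("NameFormat") != BASIC_FORMAT:
            problems.append(f"attribute {name!r} is not in basic name format")
        if name == "role" and not set(values) <= ROLES:
            problems.append(f"role {values} is not one of reader, writer, admin")
    return problems

if __name__ == "__main__":
    for p in lint_assertion(SAMPLE):
        print("FAIL:", p)
```

Running it on the constructed sample reports the invalid `owner` role; an empty result means the captured assertion matches the documented mapping.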

Custom roles

At this time, custom roles cannot be managed via your identity provider. If you need to manage custom roles for a user, you can do so from your LaunchDarkly account settings page.

Test-drive mode

When LaunchDarkly receives a valid SAML configuration, the Single Sign-On feature enters test-drive mode. When the Single Sign-On feature is in test-drive mode, you can test authentication via your identity provider, but LaunchDarkly's login screen will continue to use regular password-based authentication. Test-drive mode allows you to test the SSO integration in a controlled manner before rolling out the change to the rest of your team. The Simulate SSO button will perform the same authentication request flow that would occur for LaunchDarkly-initiated SSO logins.

Enabling SSO

From test-drive mode, when you're satisfied with the SSO integration and are ready to enable it for all team members in LaunchDarkly, click the Enable SSO button in the Single Sign-On section. You will need to confirm the request.

Once SSO is enabled, the LaunchDarkly login screen will defer to your identity provider for authentication. Users will no longer be able to log in with their existing LaunchDarkly password.

Disabling SSO

If you need to disable SSO for any reason, you can click the Disable SSO button in the Single Sign-On section. You will need to confirm the request.

When SSO is disabled, any existing members will be able to sign into LaunchDarkly with their previous passwords or reset their passwords.

Users that were provisioned via SSO will be required to reset their password in order to sign into LaunchDarkly.
