Only available to enterprise customers
Single sign-on is only available to customers on our enterprise plans. If you're interested in learning more about our enterprise plans, contact firstname.lastname@example.org.
Single sign-on (SSO) allows your team to authenticate with LaunchDarkly via the same identity provider you use for your other internal and external services. Additionally, with single sign-on, administrators can use their identity provider to manage access rights in LaunchDarkly.
If you're a LaunchDarkly administrator or account owner, you can configure your LaunchDarkly account to delegate to your identity provider for team member authentication. LaunchDarkly implements single sign-on via the SAML 2.0 protocol.
To start the setup process, click the Configure SAML button on the Security tab of your account settings page.
After clicking on the Configure SAML button, you will see the SAML configuration screen. You'll see a set of configuration details that you'll need to set up LaunchDarkly as a SAML application in your identity provider:
We've provided a set of configuration tips for some of our supported identity providers that should help you configure your provider correctly:
We have also tested and verified support for the following identity providers:
Once you have created the SAML application in your identity provider, you will need to copy SAML configuration metadata from your identity provider into the SAML configuration screen in LaunchDarkly and click Save.
LaunchDarkly will automatically create accounts for new team members who sign in via your identity provider. Please note that new team members will not be able to sign in via LaunchDarkly's login screen until they have accessed LaunchDarkly through your identity provider at least once.
Every time a team member signs into LaunchDarkly, LaunchDarkly will also update the team member's profile with any user attributes submitted by the identity provider. You can configure your identity provider to send the following attributes when the team member is signing into LaunchDarkly. Each attribute is optional and can also be managed from LaunchDarkly. Attribute names should be specified using "basic" format.
Built-in LaunchDarkly role: one of
admin. If unspecified, the default role is
A list of keys for custom roles to give to the team member. These will replace the member's existing custom roles. If a member has any custom roles, they will supersede the built-in role.
When LaunchDarkly receives a valid SAML configuration, the Single Sign-On feature enters test-drive mode. When the Single Sign-On feature is in test-drive mode, you can test authentication via your identity provider, but LaunchDarkly's login screen will continue to use regular password-based authentication. Test-drive mode allows you to test the SSO integration in a controlled manner before rolling out the change to the rest of your team. The Simulate SSO button will perform the same authentication request flow that would occur for LaunchDarkly-initiated SSO logins.
From test-drive mode, when you're satisfied with the SSO integration and are ready to enable it for all team members in LaunchDarkly, click the Enable SSO button in the Single Sign-On section. You will need to confirm the request.
Once SSO is enabled, the LaunchDarkly login screen will defer to your identity provider for authentication. Users will no longer be able to log in with their existing LaunchDarkly password. Additionally, LaunchDarkly administrator and account owners will no longer be able to invite members to the team. The only way to add additional team members will be to have them log in via your identity provider.
If you need to disable SSO for any reason, you can click the Disable SSO button in the Single Sign-On section. You will need to confirm the request.
When SSO is disabled, any existing members will still be able to sign into LaunchDarkly with their previous passwords or reset their passwords.
Users that were provisioned via SSO will be required to reset their password in order to sign into LaunchDarkly.