Entra ID (formerly Azure AD)

Read time: 10 minutes
Last edited: Nov 20, 2024

Overview

This topic explains how to integrate LaunchDarkly with Microsoft Entra ID (formerly Azure AD).

The Entra ID App Gallery includes LaunchDarkly and provides a LaunchDarkly application template that facilitates configuration.

Integrate LaunchDarkly with Entra ID

To integrate LaunchDarkly with Entra ID:

  1. Log in to Entra ID.
  2. Navigate to "Enterprise applications."
  3. Click New application:
The "Enterprise applications" page with "New application" called out.
  4. Search for the LaunchDarkly application.
  5. After you add it, follow the Microsoft Entra integration with LaunchDarkly tutorial.

If your instance of Entra ID manages multiple LaunchDarkly accounts, start a Support ticket.

Entra ID user identifier guidelines

During configuration, we recommend using the identifier user.mail, provided that every user has their email address attribute set. If you haven't set attributes for every user, use the identifier user.userprincipalname.

If members cannot log in after you set up SSO, read the troubleshooting article New users are unable to log in with Azure AD once SSO is configured.

Map custom roles to Entra User Attributes

After you integrate LaunchDarkly with Entra ID, you can map LaunchDarkly role and custom role attributes to Entra User Attributes using Entra claims. The LaunchDarkly Entra SSO integration provides Just-In-Time (JIT) user provisioning for IdP-Initiated SSO.

To learn more about SSO provisioning for roles and custom roles, read Custom roles.

To set up role and customRole claims in Entra ID:

  1. Navigate to the "Attributes & Claims" section.
  2. Click Edit.
  3. Click Add new claim. The "Manage claim" screen appears:
The "Manage claim" screen.
  4. Enter "role" in the Name field.
  5. Leave the source as "Attribute."
  6. Choose a source attribute from the menu that is not currently mapped, such as user.country.
  7. Click Save.
  8. Repeat steps 1-7 with "customRole," mapping to a different unused source attribute.

Removing existing roles

SAML ignores empty fields if used in Roles or customRoles. To clear all existing roles, enter an empty string "" into the field.

Map custom roles to Entra Security Groups

In addition to Entra User Attributes, you can also assign LaunchDarkly custom roles to Entra Security Groups.

There are five steps to this process:

  1. Create custom roles in LaunchDarkly
  2. Create groups in Entra ID
  3. Create roles for the Entra LaunchDarkly Enterprise Application
  4. Set up groups and roles in the Entra LaunchDarkly Enterprise Application
  5. Update the Entra LaunchDarkly Enterprise Application SSO configuration

Each of these steps is outlined below.

Create custom roles in LaunchDarkly

To begin, create the custom roles in LaunchDarkly that you want to use with the Entra LaunchDarkly Enterprise Application. Make note of each custom role's key, as you will need the key when you set up your Entra ID app role.

To learn how, read Custom roles.

Create groups in Entra ID

After you have created your custom roles in LaunchDarkly, set up your groups in Entra ID:

  1. In Entra ID, navigate to "Groups," then click New group.
  2. Select a group type and enter a group name.
  3. Click "No members selected" to add new members:

A new Entra ID group.

  4. Select members from the list to add to the group, then click Select:
Adding members to a new Entra ID group.

Your Entra ID members are now in the group.

Create roles for the Entra LaunchDarkly Enterprise Application

Next, create roles within Entra ID:

  1. In Entra ID, open the LaunchDarkly Enterprise Application.
  2. Navigate to App Registrations, then click All applications:
The App registrations page in Entra ID.
  3. Click LaunchDarkly to open the application.
  4. Navigate to "App roles" and click Create app role.
  5. Enter the role information. The value must be the key of the custom role you created during the Create custom roles in LaunchDarkly step:
A new role in Entra ID with the "Value" field called out.
  6. Click Apply.

Repeat this procedure for each new Entra app role.

Set up groups and roles in the Entra LaunchDarkly Enterprise Application

Then, set up groups and roles in Entra ID:

  1. In Entra ID, open the LaunchDarkly Enterprise Application.
  2. Click Users and groups. The "Users and groups" screen appears:
The "Users and groups" screen in Entra ID.
  3. On the "Groups" tab, choose the group you want to edit and click Select. The "Add Assignment" screen appears.
  4. Click None Selected under "Users and groups" to add a new group. The "Users and groups" screen appears:
The "Users and groups" screen.
  5. Choose the group you created in the Create groups in Entra ID step.
  6. Click Select. You are returned to the "Add Assignment" screen.
  7. Click None Selected under "Select a new role" to add a new role:
Selecting a role to add to a group.
  8. Choose the role you created in the Create roles for the Entra LaunchDarkly Enterprise Application step.
  9. Click Select. You are returned to the "Add Assignment" screen.
  10. Click Assign.

Repeat this procedure for each group and role you want to set up.

Update the Entra LaunchDarkly Enterprise Application SSO configuration

Finally, update Entra's SSO configuration:

  1. In Entra ID, open the LaunchDarkly Enterprise Application.
  2. Click Single sign-on.
  3. Scroll to the "Attributes & Claims" section.
  4. Click Edit. The "Manage claims" form appears.
The "Attributes & Claims" section with the "Edit" button called out.
  5. Enter customRole in the Name field.
  6. Leave the Namespace field empty.
  7. Select "Attribute" as the source.
  8. Enter user.assignedroles in the Source attribute field.
  9. Click Save. You are returned to the "Attributes & Claims" screen.

Close the "Attributes & Claims" screen to return to the "Single sign-on" page. To test your SSO configuration, click Test at the bottom of the page.

For another example of this setup process, read How to setup LaunchDarkly custom roles from Azure AD Security Groups.

Assign Entra ID Security Groups to LaunchDarkly teams

You can assign LaunchDarkly teams to Entra Security Groups. This keeps the members of your LaunchDarkly teams in sync with your Entra ID groups.

There are four steps to this process:

  1. Create Security Groups in Entra ID
  2. Create teams in LaunchDarkly
  3. Assign Entra ID Security Groups to the LaunchDarkly Enterprise Application
  4. Create a new Entra ID claim

Create Security Groups in Entra ID

First, set up a Security Group in Entra ID:

  1. In Entra ID, navigate to "Groups," then click New group.
  2. Select the "Security" group type and enter a group name.
  3. Click Create. You are returned to the groups list.
  4. Copy the object ID of the group you want to link to a LaunchDarkly team:
The "Groups" section with the "Object Id" column called out.

You will use this group's name and ID in the next section.

Repeat this procedure for as many groups as you want to assign to LaunchDarkly teams.

Create teams in LaunchDarkly

Next, create a team in LaunchDarkly using your Entra ID Group name and ID:

  1. Click the gear icon in the left sidenav to view Organization settings.
  2. Click Teams.
  3. Click Create team. The "Create team" dialog appears.
  4. In the Name field, enter your Entra ID group name.
  5. In the Key field, paste the Entra ID group ID you copied in the previous section.
  6. Click Create team.

Repeat this procedure for as many teams as you want to sync with Entra ID Security Groups.

Assign Entra ID Security Groups to the LaunchDarkly Enterprise Application

Then, assign Entra ID Security Groups to the LaunchDarkly Enterprise Application:

  1. In Entra ID, open the LaunchDarkly Enterprise Application.
  2. Click Users and groups. The "Users and groups" screen appears:
The "Users and groups" screen in Entra ID.
  3. On the "Groups" tab, choose the group you want to edit and click Select. The "Add Assignment" screen appears.
  4. Click None Selected under "Users and groups" to add a new group. The "Users and groups" screen appears.
The "Users and groups" screen.
  5. Choose the group you created in the Create Security Groups in Entra ID step.
  6. Click Select. You are returned to the "Add Assignment" screen.
  7. Click Assign.

Repeat this procedure for each Entra ID Security Group you created.

Create a new Entra ID claim

Finally, create a new Entra ID claim:

  1. In Entra ID, open the LaunchDarkly Enterprise Application.
  2. Click Single sign-on.
  3. Scroll to the "Attributes & Claims" section.
  4. Click Edit. The "Manage claims" form appears.
The "Attributes & Claims" section with the "Edit" button called out.
  5. Click "+ Add a group claim." A "Group Claims" dialog appears.
  6. Select "Groups assigned to the application" under "Which groups associated with the user should be returned in the claim?"
  7. Select "Group ID" as the source attribute.
  8. Open the Advanced options section.
  9. Check the "Customize the name of the group claim" box.
  10. Enter teamKey into the Name field:
The "Group Claims" dialog.

  11. Click Save. You are returned to the "Attributes & Claims" screen.

Close the "Attributes & Claims" screen to return to the "Single sign-on" page. To test your SSO configuration, click Test at the bottom of the page.
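
One way to check the customRole claim (sourced from user.assignedroles) and the teamKey group claim after a test sign-in, as an added example that is not LaunchDarkly's or Microsoft's code: it reads the attributes of a SAML assertion and reports values with no matching custom role key or team key, and claims that arrive under a namespaced name. The helper names, the sample assertion, the role keys and the group ID are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed sample values and hypothetical helper names; signature checks are out of scope.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="customRole">
      <saml:AttributeValue>qa-reviewer</saml:AttributeValue>
      <saml:AttributeValue>Prod Admin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://example.invalid/claims/teamKey">
      <saml:AttributeValue>00000000-0000-0000-0000-000000000001</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed LaunchDarkly side: custom role keys and team keys (group object IDs).
ROLE_KEYS = {"qa-reviewer", "prod-admin"}
TEAM_KEYS = {"00000000-0000-0000-0000-000000000001"}

def read_attributes(assertion_xml):
    """Return {attribute Name: [values]} from a SAML 2.0 assertion."""
    attrs = {}
    for attr in ET.fromstring(assertion_xml).iter(SAML + "Attribute"):
        values = [(v.text or "").strip() for v in attr.iter(SAML + "AttributeValue")]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs

def audit_claims(assertion_xml, role_keys, team_keys):
    """List mismatches between the assertion and the LaunchDarkly side."""
    attrs = read_attributes(assertion_xml)
    findings = []
    for name, known in (("customRole", role_keys), ("teamKey", team_keys)):
        if name not in attrs:
            # A claim saved with a namespace arrives as "<namespace>/<name>".
            prefixed = [n for n in attrs if n.endswith("/" + name)]
            findings.append(f"{name}: sent as {prefixed[0]}, namespace not empty"
                            if prefixed else f"{name}: claim missing")
            continue
        for value in attrs[name]:
            if value not in known:
                findings.append(f"{name}: '{value}' has no matching key in LaunchDarkly")
    return findings

if __name__ == "__main__":
    for finding in audit_claims(SAMPLE_ASSERTION, ROLE_KEYS, TEAM_KEYS):
        print(finding)
```

In the sample, the app role value is a display name rather than the custom role's key, and the group claim was saved with a namespace, so both are reported.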