• Home
  • Integrations
  • SDKs
  • Guides
  • API docs
No results for ""
EXPAND ALL

EDIT ON GITHUB

Okta

Read time: 4 minutes
Last edited: Jan 05, 2022

Overview

This topic explains how Okta and LaunchDarkly work together to provide user management for your user base. Okta and LaunchDarkly communicate through the System for Cross-domain Identity Management (SCIM) API specification. SCIM is designed to make managing user identities in cloud-based applications and services easier.

A LaunchDarkly app is available in Okta. You can connect LaunchDarkly and Okta through the Okta UI, give Okta permissions to modify users in LaunchDarkly, and even integrate LaunchDarkly custom roles with Okta.

Prerequisites

To use Okta with LaunchDarkly, you must meet the following prerequisites:

  • You must have Administrator privileges in LaunchDarkly
  • You must have Administrator privileges in Okta
  • You must have followed Okta's documentation to Enable Single Sign-On with SAML
  • You must have your Assertion consumer service URL and Entity ID from LaunchDarkly's SAML configuration page
  • You must have access to the email addresses of the users you wish to configure

Using Okta to manage LaunchDarkly users with SCIM

SCIM-based user provisioning is an Enterprise feature

User provisioning with SCIM is available to customers on an Enterprise plan. To learn more, read about our pricing. To upgrade your plan, contact Sales.

If you have more than one SCIM connection

If you get an error during configuration that you cannot add an additional SCIM connection, go to the Security tab in LaunchDarkly's Account Settings and click Disconnect SCIM. This allows you to connect Okta's SCIM-based protocols to LaunchDarkly.

To get started, navigate to the Okta Administrator Dashboard to add an application and search for LaunchDarkly.

If you have not configured SAML SSO for LaunchDarkly in Okta, you must do that first. To learn more, read How to configure SAML 2.0 for LaunchDarkly in Okta's documentation.

To authorize Okta to manage your LaunchDarkly users:

  1. Log in to Okta as an administrator.
  2. Navigate to Applications and click Browse App Integration Catalog.
  3. In the search bar, type "LaunchDarkly". The LaunchDarkly app appears in the search results:
The Browse App Integration Catalog screen with search results populating.
The Browse App Integration Catalog screen with search results populating.
  1. Click Add. The General Settings page for the LaunchDarkly app appears.
  2. (Optional) Give the app a custom name by modifying the Application Label.
  3. (Optional) Configure the Application Visibility checkboxes however you prefer.
  4. Click Done. The LaunchDarkly Application page appears.

You just activated the LaunchDarkly app in Okta.

Granting Okta permission to manage users in LaunchDarkly

This procedure tells you how to connect the LaunchDarkly app and Okta by using SCIM. This allows you to provision, manage, and deprovision LaunchDarkly users in Okta.

To grant Okta permission to manage users:

  1. Navigate to the LaunchDarkly app in Okta.

  2. Click the Provisioning tab. The Integration page opens.

  3. Click Configure API Integration:

    The Integration page with the API integration button called out.
    The Integration page with the API integration button called out.
  4. Check the Enable API Integration checkbox and click Save. An authorization window appears.

  5. Click Authenticate with LaunchDarkly. A new browser window opens describing what permissions Okta requires to integrate with LaunchDarkly. Review the permissions and verify that you are comfortable granting them.

  6. Click Authorize. You return to the Integration page.

  7. Click Save. The To App page appears.

  8. In the Provisioning to App section, click Edit. Fields on the screen become configurable. Set the following fields to Enable:

    • Create Users
    • Update User Attributes
    • Deactivate Users
  9. Click Save.

Okta is now connected to LaunchDarkly.

Setting email addresses as the username

Next, you must configure Okta to recognize email addresses as the usernames for individual users.

How LaunchDarkly and Okta use email addresses

LaunchDarkly stores emails in lowercase, and does not differentiate between usernames and email addresses. You may use one email address with one LaunchDarkly account at a time. Okta uses email addresses as SCIM usernames. If you change a username or email address in Okta or LaunchDarkly after configuration, the corresponding value also changes. Only use lowercase letters to configure email addresses. Email addresses including uppercase letters cause an error.

To configure Okta to recognize email addresses as usernames:

  1. Navigate to the LaunchDarkly app in Okta.

  2. Click the Sign On tab. The Settings page opens.

  3. Click the Edit button in the top right corner of the Settings window.

  4. Scroll to the bottom of the settings page and enter your Assertion consumer service URL.

  5. Enter your Entity ID.

  6. Use the dropdown to set the Application username format to Email:

    The Credentials Details screen, with username format set to "Email."
    The Credentials Details screen, with username format set to "Email."
  7. Click Save.

You have successfully connected Okta and LaunchDarkly

Assigning custom roles in Okta

You can assign custom roles that you created in LaunchDarkly to users through the Okta UI.

If you use Okta to manage users, you cannot change back to LaunchDarkly.

SCIM setup takes precedence over LaunchDarkly's configuration options. If you begin to manage users and their role assignment in Okta, you must continue managing them in Okta for additional changes to take effect.

Use Okta's Group Assignment feature to set up custom roles for a LaunchDarkly user or group. The roles you set up in Okta are passed to LaunchDarkly as user attributes.

To learn more about user attributes, read Setting user attributes.

Users with multiple roles have permissions combining them

If a user has multiple Okta groups representing different roles, they are assigned permissions for all of their roles. For example, if a user is in both a Marketing role and a more permissive Engineering role, they can use the permissions granted by the Engineering role.

To assign custom roles to groups:

  1. Navigate to the LaunchDarkly application's General Settings page.
  2. Navigate to the Assignments tab.
  3. In the Assign dropdown, choose Assign to Groups:
The "Assign" dropdown.
The "Assign" dropdown.
Assigning custom roles to one user

You can also specify custom roles for individual users by performing this procedure after choosing Assign to Users in step 3.

  1. Find the groups you want to assign custom roles to and click Assign:

    The "Assign LaunchDarkly to Groups" screen.
    The "Assign LaunchDarkly to Groups" screen.
  1. Enter the key for the custom role you wish to assign to this group. This connects one role to the selected group.
You cannot assign roles and custom roles at the same time

You can assign either a role or a custom role in this step, but not both. If you enter values in both the Role and customRole fields, LaunchDarkly will ignore the Role field. If you want to assign a custom role, leave the Role field set to the default value of Reader.

  1. Add more custom roles by entering additional keys in the customRole field separated by commas, with no spaces:

    The "Add Another Role" screen.
    The "Add Another Role" screen.
  2. Click Save and Go Back.

Adding custom roles to new users

If you have custom roles already configured in Okta, you can set up custom roles in Attribute Mapping when you first set up a user in Okta:

The Okta LaunchDarkly Attribute Mappings screen with custom roles available.
The Okta LaunchDarkly Attribute Mappings screen with custom roles available.
Removing existing roles

SAML ignores empty fields if used in user roles or custom roles. If you want to clear all existing roles for a user, enter an empty string "" into the field.