Single sign-on

Read time: 5 minutes

Last edited: Jun 17, 2022

Single sign-on is an Enterprise feature and is available to Starter and Pro plans as an add-on

Single sign-on is available to customers on an Enterprise plan. It is available to customers on Starter and Pro plans as an add-on. To learn more, read about our pricing. To upgrade your plan, contact Sales.

Overview

This topic explains what Single Sign-On (SSO) features are available in LaunchDarkly and how to configure your environment for SSO.

SSO allows your team to authenticate with LaunchDarkly using the same identity provider (IdP) you use for your other internal and external services. LaunchDarkly implements SSO with the SAML 2.0 protocol. Administrators can use SSO with their IdP to manage access rights in LaunchDarkly. After SSO is enabled, administrators can also enable System for Cross-domain Identity Management (SCIM) provisioning through their IdP.

Setting up SSO in LaunchDarkly

If you're a LaunchDarkly administrator or account owner, you can configure LaunchDarkly to use your IdP for account member authentication.

To do this:

Log in to LaunchDarkly as an administrator or account owner.
Navigate to the "SSO management" section of the Security tab on the Account settings page:

The "SSO management" section of the "Security" tab.

Click Configure SAML. The SAML configuration panel appears, pre-populated with information you need to set up LaunchDarkly as a SAML application with your identity provider:

You cannot complete SAML configuration without configuration details from your IdP.

Understanding default roles

If you have not specified a role or custom role for new LaunchDarkly members through your IdP, LaunchDarkly sets the default role to Reader. The Reader role gives view access to all projects and flags within your LaunchDarkly account. Certain Enterprise customers can change the default role to No access. The No access role can help you mitigate risk, for example if you have private projects that should be hidden from most members. To learn how, read the configuration guidance for your IdP.

The "Default initial role" section of the SAML configuration panel.

To learn more, about built-in roles and their permissions, read Understanding LaunchDarkly's built-in roles.

Configuring an external IdP

This table lists our external IdPs:

Identity providers	Configurable SAML SSO	IdP Integration SAML SSO	IdP Integration SCIM	Starter and Pro plan support	Enterprise plan support
ADFS
Azure
Google Apps
Okta
OneLogin

Support for ADFS and Azure is an Enterprise feature

ADFS and Azure are available to customers on a Starter or Pro plan with the SSO add-on, and to all customers on an Enterprise plan. However, support for ADFS and Azure from our Support team is available only to customers on an Enterprise plan. To learn more, read about our pricing. To upgrade your plan, contact Sales.

We provide configuration guidance for the following IdPs:

Some customers use the following identity providers, but we do not provide support or configuration guidance for these providers:

PingIdentity
Centrify
SecureAuth
DuoMobile

Specific configuration details vary between IdPs, but the basic process is the same regardless of which IdP you use.

To configure LaunchDarkly with an external IdP:

Create the SAML application in your IdP by following the IdP-specific instructions listed above.
Copy the SAML configuration metadata from the IdP into LaunchDarkly's SAML configuration panel.
Click Save.

User provisioning with SCIM

User provisioning with SCIM is an Enterprise feature

SCIM is only available to customers on an Enterprise plan. To learn more, read about our pricing. To upgrade your plan, contact Sales.

We also have a SCIM API available to allow for user provisioning of account members from IdPs. The SCIM API is only supported for the OAuth2 authorization type. Not all supported third-party providers support user provisioning through SCIM.

We have pre-built integrations with the following providers:

You may also configure your provider manually with the following information. Specific names for these fields may vary by IdP:

SCIM Base URI: https://app.launchdarkly.com/trust/scim/v2
Authorization method: oauth2
Authorization URI: https://app.launchdarkly.com/trust/oauth/authorize
Access token URI: https://app.launchdarkly.com/trust/oauth/token
Unique Identifier field for account members: userName If you configure your provider manually, you will also need a client ID and client secret. Contact Support and we will generate these for you.

You cannot create new custom attributes through the SCIM API, but you can set two existing custom attributes for SCIM users:

role
customRole

To learn more about these attributes, read Custom attributes.

For an in-depth guide on how to use custom roles with IdPs, read Creating custom roles.

User provisioning with SSO

LaunchDarkly automatically creates accounts for new account members who sign in through your IdP. Every time an account member signs in to LaunchDarkly, LaunchDarkly also updates the account member's profile with user attributes submitted by the IdP.

You can configure your identity provider to send the following attributes when the account member is signing in to LaunchDarkly. Each attribute is optional and can also be managed from LaunchDarkly. Attribute names should be specified using "basic" format.

New account members must sign into LaunchDarkly through your IdP

New account members will not be able to sign in from LaunchDarkly's login screen until they have accessed LaunchDarkly through your IdP at least once.

NameID field formatting

Only use email addresses in the NameID field

LaunchDarkly only supports the use of email addresses in the NameID field. Do not use other types of identifying strings.

Below is an example of what your SSO provider should be providing LaunchDarkly:

<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin@test.com</saml:NameID>

Custom attributes

These attributes are available for both SSO provisioning and SCIM provisioning:

Attribute name	Description
role	One of the built-in LaunchDarkly roles: `reader`, `writer`, `admin`, and for some customers, `no_access`. If unspecified, the default role is `reader`.
customRole	A list of keys for custom roles to give to the account member. These replace the member's existing custom roles. If a member has any custom roles, they supersede the built-in role. The value of customRole is case-sensitive and must match exactly the custom role key in LaunchDarkly.

SSO supports the following naming attributes:

firstName
lastName

SCIM provisioning uses the standard naming attributes:

givenName
familyName

For an in-depth guide on how to use custom roles with IdPs, read Creating custom roles.

Test-drive mode

When LaunchDarkly receives a valid SAML configuration, SSO enters test-drive mode. Test-drive mode lets you test the SSO integration before deploying the change to the rest of your organization.

When SSO is in test-drive mode, you can test authentication through your IdP, but LaunchDarkly's login screen will continue to use regular password-based authentication.

To use SSO in test-drive mode:

Log into LaunchDarkly as an administrator.
Navigate to Account settings > Security and scroll to the "SSO management" section.
Click Simulate SSO. This performs the same authentication request flow that occurs for LaunchDarkly-initiated SSO logins:

Enabling SSO

When you're satisfied with the SSO integration and are ready to enable it for all account members in LaunchDarkly, enable SSO by following the procedure below.

To enable SSO:

Log into LaunchDarkly as an administrator.
Navigate Account settings > Security and scroll to the "SSO management" section.
Click Enable SSO. A confirmation dialog appears.
Click Enable:

Once SSO is enabled, the LaunchDarkly login procedure defers to your identity provider for authentication. Users will no longer be able to log in with their existing LaunchDarkly password.

Additionally, LaunchDarkly administrator and account owners will no longer be able to invite members to the organization. The only way to add additional account members is to have them log in through your IdP.

Disabling SSO

You can disable SSO at any time. When SSO is disabled, any existing members will still be able to sign into LaunchDarkly with their previous passwords, or reset their passwords.

Users that were provisioned through SSO will be required to reset their password in order to sign into LaunchDarkly.

To disable SSO:

Log into LaunchDarkly as an administrator.
Navigate Account settings > Security and scroll to the "SSO management" section.
Click Disable SSO. A confirmation dialog appears.
Click Disable:

Enabling SCIM provisioning

SSO is required

You must be a LaunchDarkly administrator and have SSO enabled to complete the following procedure.

If you have enabled SSO, you can enable SCIM provisioning as well. SCIM facilitates user provisioning, which means your IdP can use it to create, update, and deactivate members in LaunchDarkly.

Initiate the workflow that links your IdP with SCIM from your IdP. The workflow will lead to an authorization screen where you can authorize your IdP to manage your account members.

You may only have one SCIM provider linked to your IdP at once. If you need to change providers, disconnect the original provider by following the workflow below and enable a different one through your IdP.

You cannot deactivate an account member using SCIM deprovisioning if you added the member to your LaunchDarkly account before you enabled SCIM provisioning or SSO.

Disconnecting SCIM

You can disconnect SCIM at any time.

To disconnect SCIM:

Log into LaunchDarkly as an administrator.
Navigate Account settings > Security and scroll to the "SSO management" section.
Click Disconnect SCIM.