    Single sign-on

    Last edited: Feb 27, 2023
    Single sign-on is an Enterprise feature and is available to Starter and Pro plans as an add-on

    Single sign-on is available to customers on an Enterprise plan. It is available to customers on Starter and Pro plans as an add-on. To learn more, read about our pricing. To upgrade your plan, contact Sales.

    Overview

    This topic explains what Single Sign-On (SSO) features are available in LaunchDarkly.

    SSO allows your team to authenticate with LaunchDarkly using the same identity provider (IdP) you use for your other internal and external services. LaunchDarkly implements SSO with the SAML 2.0 protocol. You can use SSO with your IdP to manage access rights in LaunchDarkly.

    After you enable SSO, System for Cross-domain Identity Management (SCIM) becomes available. SCIM facilitates user provisioning, which means your IdP can use it to create, update, and deactivate members in LaunchDarkly. Administrators can optionally turn on and configure team sync with SCIM, which lets admins sync groups in their IdP with LaunchDarkly teams.

    Summarizing how to enable SSO in LaunchDarkly

    To configure SSO in your LaunchDarkly account:

    1. Enable SAML SSO in your account. Configure LaunchDarkly to use your IdP when account members request access. To learn how to do this, read Configuring SAML SSO.
    2. (Optional) Configure SCIM to enable the automation of user and group provisioning. To learn how to do this, read Enabling SCIM provisioning.

    Supported external identity providers

    LaunchDarkly supports the following external IdPs:

    Identity providers | IdP Integration SAML SSO | IdP Integration SCIM | Team sync with SCIM | Starter and Pro plan support | Enterprise plan support
    ADFS
    Azure
    Google Apps
    Okta
    OneLogin
    Support for ADFS and Azure is an Enterprise feature

    ADFS and Azure are available to customers on a Starter or Pro plan with the SSO add-on, and to all customers on an Enterprise plan. However, support for ADFS and Azure from our Support team is available only to customers on an Enterprise plan. To learn more, read about our pricing. To upgrade your plan, contact Sales.

    Some customers use the following identity providers, but we do not provide support or configuration guidance for these providers:

    • PingIdentity
    • Centrify
    • SecureAuth
    • DuoMobile

    Understanding default roles

    During account member provisioning, LaunchDarkly sets the default role for new members to Reader unless you have specified a different role in your IdP. The Reader role gives view access to all projects and flags within your LaunchDarkly account. Enterprise customers can change the default role to No access. The No access role can help you mitigate risk, for example, if you have private projects that should be hidden from most members. To learn more, read Configuring roles with no access.

    The "Default initial role" section of the SAML configuration panel.

    To learn more about built-in roles and their permissions, read Understanding LaunchDarkly's built-in roles. For an in-depth guide on how to use custom roles with IdPs, read Creating custom roles.