Single sign-on

Read time: 4 minutes

Last edited: Mar 16, 2021

Overview

This topic explains what Single Sign-On (SSO) features are available in LaunchDarkly and how to configure your environment for SSO.

Single sign-on and user provisioning are Enterprise features

Single sign-on and user provisioning are available to customers on an Enterprise plan. To learn more, read about our pricing. To upgrade your plan, contact Sales.

SSO allows your team to authenticate with LaunchDarkly using the same identity provider (IdP) you use for your other internal and external services. LaunchDarkly implements SSO with the SAML 2.0 protocol. Administrators can use SSO with their IdP to manage access rights in LaunchDarkly. After SSO is enabled, administrators can also enable System for Cross-domain Identity Management (SCIM) provisioning through their IdP.

Setting up SSO in LaunchDarkly

If you're a LaunchDarkly administrator or account owner, you can configure LaunchDarkly to use your IdP for team member authentication.

Log in to LaunchDarkly as an administrator or account owner.
Navigate to the Security tab on the Account Settings page.

The Team Management section of the Security tab.

Click Configure SAML. The SAML configuration screen appears, pre-populated with information you need to set up LaunchDarkly as a SAML application with your identity provider.

You cannot complete SAML configuration without configuration details from your IdP.

Configuring an External IdP

Supported Identity Providers	Configurable SAML SSO	IdP Integration SAML SSO	IdP Integration SCIM
Okta
OneLogin
Google Apps
ADFS
Azure
PingIdentity
Centrify
SecureAuth
DuoMobile
Other/Custom

We've provided configuration guidance for some of the IdPs LaunchDarkly supports.

The supported IdPs are:

We have also tested the following identity providers:

PingIdentity
Centrify
SecureAuth
DuoMobile

Specific configuration details vary between IdPs, but the basic process is the same regardless of which IdP you use.

To configure LaunchDarkly with an external IdP:

Create the SAML application in your IdP by following the IdP-specific instructions listed above.
Copy the SAML configuration metadata from the IdP into LaunchDarkly's SAML configuration screen.
Click Save.

User provisioning with SCIM

We also have a SCIM API available to allow for user provisioning from IdPs.

We have pre-built integrations with the following providers:

You may also configure your provider manually with the following information:

SCIM Base URI: https://app.launchdarkly.com/trust/scim/v2
Authorization method: oauth2
Authorization URI: https://app.launchdarkly.com/trust/oauth/authorize
Access token URI: https://app.launchdarkly.com/trust/oauth/token
Unique Identifier field for users: userName If you go down this route, you will also need a client ID and client secret. Please contact us at support@launchdarkly.com and we will generate these for you.

We support two custom attributes for SCIM users: role and customRole. To learn more about these attributes, read Custom Attributes.

User provisioning with SSO

LaunchDarkly automatically creates accounts for new team members who sign in through your IdP. Every time a team member signs into LaunchDarkly, LaunchDarkly also updates the team member's profile with user attributes submitted by the IdP.

You can configure your identity provider to send the following attributes when the team member is signing into LaunchDarkly. Each attribute is optional and can also be managed from LaunchDarkly. Attribute names should be specified using "basic" format.

First-time users must sign into LaunchDarkly through your IdP

New team members will not be able to sign in from LaunchDarkly's login screen until they have accessed LaunchDarkly through your IdP at least once.

NameID field formatting

Only use email addresses in the NameID field

LaunchDarkly only supports the use of email addresses in the NameID field. Do not use other types of identifying strings.

See below for an example of what your SSO provider should be providing LaunchDarkly:

<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin@test.com</saml:NameID>

Custom attributes

These attributes are available for both SSO provisioning and SCIM provisioning.

Attribute name	Description
role	One of three built-in LaunchDarkly roles: `reader`, `writer`, `admin`. If unspecified, the default role is `reader`.
customRole	A list of keys for custom roles to give to the team member. These replace the member's existing custom roles. If a member has any custom roles, they supersede the built-in role. The value of customRole is case-sensitive and must match exactly the custom role key in LaunchDarkly.

SSO supports the following naming attributes:

firstName
lastName

SCIM provisioning uses the standard naming attributes:

givenName
familyName

Test-drive Mode

When LaunchDarkly receives a valid SAML configuration, SSO enters test-drive mode. Test-drive mode lets you test the SSO integration before deploying the change to the rest of your team.

When SSO is in test-drive mode, you can test authentication through your IdP, but LaunchDarkly's login screen will continue to use regular password-based authentication.

To use SSO in test-drive mode:

Log into LaunchDarkly as an administrator.
Navigate to the Team Management screen.
Click Simulate SSO. This performs the same authentication request flow that occurs for LaunchDarkly-initiated SSO logins.

Enabling SSO

When you're satisfied with the SSO integration and are ready to enable it for all team members in LaunchDarkly, enable SSO by following the procedure below.

To enable SSO:

Log in to LaunchDarkly as an administrator or account owner.
Navigate to the Security tab on the Account Settings page.
Click Enable SSO. A confirmation screen appears.
Click Enable.

Once SSO is enabled, the LaunchDarkly login procedure defers to your identity provider for authentication. Users will no longer be able to log in with their existing LaunchDarkly password.

Additionally, LaunchDarkly administrator and account owners will no longer be able to invite members to the team. The only way to add additional team members is to have them log in through your IdP.

Disabling SSO

You can disable SSO at any time. When SSO is disabled, any existing members will still be able to sign into LaunchDarkly with their previous passwords, or reset their passwords.

Users that were provisioned through SSO will be required to reset their password in order to sign into LaunchDarkly.

To disable SSO:

Log in to LaunchDarkly as an administrator or account owner.
Navigate to the Security tab on the Account Settings page.
Click Disable SSO. A confirmation screen appears.
Click Disable.

Enabling SCIM Provisioning

SSO is required

You must be a LaunchDarkly administrator and have SSO enabled to complete the following procedure.

If you have enabled SSO, you can enable SCIM provisioning as well. SCIM facilitates user provisioning, which means your IdP can use it to create update, and deactivate members in LaunchDarkly.

Initiate the workflow that links your IdP with SCIM from your IdP. The workflow will lead to an authorization screen where you can authorize your IdP to manage your users.

You may only have one SCIM provider linked to your IdP at once. If you need to change providers, disconnect the original provider by following the workflow below and enable a different one through your IdP.

Disconnecting SCIM

You can disconnect SCIM at any time.

To disconnect SCIM:

Log into LaunchDarkly as an administrator.
Navigate to the Team Management screen.
Click Disconnect SCIM.