Single sign-on
Read time: 4 minutes
Last edited: Mar 16, 2021
Overview
This topic explains what Single Sign-On (SSO) features are available in LaunchDarkly and how to configure your environment for SSO.
Single sign-on and user provisioning are available to customers on an Enterprise plan. To learn more, read about our pricing. To upgrade your plan, contact Sales.
SSO allows your team to authenticate with LaunchDarkly using the same identity provider (IdP) you use for your other internal and external services. LaunchDarkly implements SSO with the SAML 2.0 protocol. Administrators can use SSO with their IdP to manage access rights in LaunchDarkly. After SSO is enabled, administrators can also enable System for Cross-domain Identity Management (SCIM) provisioning through their IdP.
Setting up SSO in LaunchDarkly
If you're a LaunchDarkly administrator or account owner, you can configure LaunchDarkly to use your IdP for team member authentication.
- Log in to LaunchDarkly as an administrator or account owner.
- Navigate to the Security tab on the Account Settings page.
- Click Configure SAML. The SAML configuration screen appears, pre-populated with information you need to set up LaunchDarkly as a SAML application with your identity provider.
You cannot complete SAML configuration without configuration details from your IdP.
Configuring an External IdP
Supported Identity Providers | Configurable SAML SSO | IdP Integration SAML SSO | IdP Integration SCIM |
---|---|---|---|
Okta | |||
OneLogin | |||
Google Apps | |||
ADFS | |||
Azure | |||
PingIdentity | |||
Centrify | |||
SecureAuth | |||
DuoMobile | |||
Other/Custom |
We've provided configuration guidance for some of the IdPs LaunchDarkly supports.
The supported IdPs are:
We have also tested the following identity providers:
- PingIdentity
- Centrify
- SecureAuth
- DuoMobile
Specific configuration details vary between IdPs, but the basic process is the same regardless of which IdP you use.
To configure LaunchDarkly with an external IdP:
- Create the SAML application in your IdP by following the IdP-specific instructions listed above.
- Copy the SAML configuration metadata from the IdP into LaunchDarkly's SAML configuration screen.
- Click Save.
User provisioning with SCIM
We also have a SCIM API available to allow for user provisioning from IdPs.
We have pre-built integrations with the following providers:
You may also configure your provider manually with the following information:
- SCIM Base URI:
https://app.launchdarkly.com/trust/scim/v2
- Authorization method:
oauth2
- Authorization URI:
https://app.launchdarkly.com/trust/oauth/authorize
- Access token URI:
https://app.launchdarkly.com/trust/oauth/token
- Unique Identifier field for users:
userName
If you go down this route, you will also need a client ID and client secret. Please contact us at support@launchdarkly.com and we will generate these for you.
We support two custom attributes for SCIM users: role
and customRole
. To learn more about these attributes, read Custom Attributes.
User provisioning with SSO
LaunchDarkly automatically creates accounts for new team members who sign in through your IdP. Every time a team member signs into LaunchDarkly, LaunchDarkly also updates the team member's profile with user attributes submitted by the IdP.
You can configure your identity provider to send the following attributes when the team member is signing into LaunchDarkly. Each attribute is optional and can also be managed from LaunchDarkly. Attribute names should be specified using "basic" format.
NameID field formatting
See below for an example of what your SSO provider should be providing LaunchDarkly:
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin@test.com</saml:NameID>
Custom attributes
These attributes are available for both SSO provisioning and SCIM provisioning.
Attribute name | Description |
---|---|
role | One of three built-in LaunchDarkly roles: `reader`, `writer`, `admin`. If unspecified, the default role is `reader`. |
customRole | A list of keys for custom roles to give to the team member. These replace the member's existing custom roles. If a member has any custom roles, they supersede the built-in role. The value of customRole is case-sensitive and must match exactly the custom role key in LaunchDarkly. |
SSO supports the following naming attributes:
firstName
lastName
SCIM provisioning uses the standard naming attributes:
givenName
familyName
Test-drive Mode
When LaunchDarkly receives a valid SAML configuration, SSO enters test-drive mode. Test-drive mode lets you test the SSO integration before deploying the change to the rest of your team.
When SSO is in test-drive mode, you can test authentication through your IdP, but LaunchDarkly's login screen will continue to use regular password-based authentication.
To use SSO in test-drive mode:
- Log into LaunchDarkly as an administrator.
- Navigate to the Team Management screen.
- Click Simulate SSO. This performs the same authentication request flow that occurs for LaunchDarkly-initiated SSO logins.
Enabling SSO
When you're satisfied with the SSO integration and are ready to enable it for all team members in LaunchDarkly, enable SSO by following the procedure below.
To enable SSO:
- Log in to LaunchDarkly as an administrator or account owner.
- Navigate to the Security tab on the Account Settings page.
- Click Enable SSO. A confirmation screen appears.
- Click Enable.
Once SSO is enabled, the LaunchDarkly login procedure defers to your identity provider for authentication. Users will no longer be able to log in with their existing LaunchDarkly password.
Additionally, LaunchDarkly administrator and account owners will no longer be able to invite members to the team. The only way to add additional team members is to have them log in through your IdP.
Disabling SSO
You can disable SSO at any time. When SSO is disabled, any existing members will still be able to sign into LaunchDarkly with their previous passwords, or reset their passwords.
Users that were provisioned through SSO will be required to reset their password in order to sign into LaunchDarkly.
To disable SSO:
- Log in to LaunchDarkly as an administrator or account owner.
- Navigate to the Security tab on the Account Settings page.
- Click Disable SSO. A confirmation screen appears.
- Click Disable.
Enabling SCIM Provisioning
If you have enabled SSO, you can enable SCIM provisioning as well. SCIM facilitates user provisioning, which means your IdP can use it to create update, and deactivate members in LaunchDarkly.
Initiate the workflow that links your IdP with SCIM from your IdP. The workflow will lead to an authorization screen where you can authorize your IdP to manage your users.
You may only have one SCIM provider linked to your IdP at once. If you need to change providers, disconnect the original provider by following the workflow below and enable a different one through your IdP.
Disconnecting SCIM
You can disconnect SCIM at any time.
To disconnect SCIM:
- Log into LaunchDarkly as an administrator.
- Navigate to the Team Management screen.
- Click Disconnect SCIM.