Active Directory Federation Services (ADFS)
Last edited: Feb 13, 2020
This topic explains how to configure SSO integration between a self-hosted Active Directory Federation Services (ADFS) server and LaunchDarkly.
ADFS is a service provided by Microsoft as a standard role for Windows Server. It provides a web login using existing Active Directory credentials.
To give your team access to LaunchDarkly through ADFS, you need the following components:
- An Enterprise LaunchDarkly account.
- A signed SSL certificate.
- An Active Directory instance where all users have an email address attribute.
- A Microsoft Server instance with ADFS installed and configured.
This topic does not explain how to set up ADFS. To learn more about setting up ADFS, read Microsoft's documentation.
For more information on configuring LaunchDarkly's SSO, read Single sign-on.
|Sign-on URL|Default value: |
|X.509 certificate|Copy the Token Signing certificate to a Base-64 encoded X.509 file and import it into LaunchDarkly.|
If the default value fails, confirm that the endpoint is enabled and the URL path is correct.
Find the endpoint in Service > Endpoints. Search for an endpoint with the
- Log into the ADFS Management tool.
- Click Add Relying Party Trust... to open the Add Relying Party Trust Wizard.
- Click Start to begin. Keep the default value, which is Claims aware.
- Choose Enter data about the relying party manually and click Next.
- Set the display name. You can enter any name you want. Click Next.
- Click Next on the following screen. You do not need to choose a certificate.
- Select Enable support for the SAML 2.0 WebSSO protocol.
- Enter the Assertion consumer service URL from the SSO section of LaunchDarkly into the Relying party SAML 2.0 SSO service URL field and click Next.
- In the Relying party trust identifier field, enter app.launchdarkly.com, click Add, and click Next.
- Click Next. You do not need to change any access control policies.
- Review your changes and click Next.
- If you are satisfied with the configuration, click Close.
After you have successfully completed this procedure, a new LaunchDarkly trust will appear in the ADFS Management tool.
- Log into the ADFS Management tool.
- Select the LaunchDarkly Trust.
- Click Edit Claim Issuance Policy... in the dropdown. The Edit Claim Issuance Policy window opens.
- Click Add Rule.
- Set Claim rule template to Transform an Incoming Claim and click Next.
- Set the following options:
  - Claim rule name: Enter a human-readable name. In this example, we use UPN to NameID.
  - Incoming claim type: UPN
  - Outgoing claim type: Name ID
  - Outgoing name ID format: Email
- Select Pass through all claim values and click Finish.
After you have successfully completed this procedure, ADFS will be configured with LaunchDarkly.
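The two procedures above (creating the relying party trust and adding the UPN to Name ID claim rule), together with the Token Signing certificate export, written as one PowerShell script so the configuration can be reviewed and read back. This is an added example, not LaunchDarkly's or Microsoft's own script: the ACS URL is a placeholder, the trust name and output file name are assumed, and it assumes ADFS on Windows Server 2016 or later.

```powershell
# Added example: scripted equivalent of the two wizard procedures above.
# Assumes ADFS on Windows Server 2016 or later, run elevated on the primary ADFS server.
Import-Module ADFS

# Placeholder: the Assertion consumer service URL shown in LaunchDarkly's SSO section.
$AcsUrl    = 'https://REPLACE-WITH-ACS-URL-FROM-LAUNCHDARKLY'
$TrustName = 'LaunchDarkly'          # display name (assumed); any value works
$RpId      = 'app.launchdarkly.com'  # relying party trust identifier from the page

# Claim rule equivalent to "Transform an Incoming Claim": UPN -> Name ID,
# Email name ID format, all claim values passed through unchanged.
$Rules = @'
@RuleName = "UPN to NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
            = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

$Endpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl

if (-not (Get-AdfsRelyingPartyTrust -Name $TrustName)) {
    Add-AdfsRelyingPartyTrust -Name $TrustName -Identifier $RpId `
        -SamlEndpoint $Endpoint -IssuanceTransformRules $Rules `
        -AccessControlPolicyName 'Permit everyone'   # the wizard default the page keeps
}

# Read the trust back and confirm identifier, endpoint and rule match what was intended.
$rp = Get-AdfsRelyingPartyTrust -Name $TrustName
$rp | Format-List Name, Identifier, Enabled, AccessControlPolicyName, IssuanceTransformRules
$rp.SamlEndpoints | Format-Table Protocol, Binding, Location

# Export the primary Token Signing certificate (public part only) as Base-64 X.509
# for import into LaunchDarkly. The output file name is an assumption.
$cert = (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Certificate
$pem  = @('-----BEGIN CERTIFICATE-----',
          [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks'),
          '-----END CERTIFICATE-----')
Set-Content -Path .\adfs-token-signing.cer -Value $pem -Encoding Ascii
"Token-signing thumbprint: $($cert.Thumbprint), expires $($cert.NotAfter)"
```

If automatic certificate rollover is enabled on the ADFS farm, the Token Signing certificate changes before it expires, so re-export it and update LaunchDarkly when that happens.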
After you successfully complete the procedures in this topic, you can log in through ADFS when test drive is enabled. For more information about test drive, read Test drive mode.
If you are able to successfully log in with test drive enabled, you can enable SSO fully. For more information about enabling SSO, read Enabling SSO.