Configuring SAML SSO

Read time: 3 minutes

Last edited: Feb 27, 2023

Overview

This topic explains how to configure your LaunchDarkly account for SSO.

If you're a LaunchDarkly administrator or account owner, you can configure LaunchDarkly to use your IdP when account members authenticate.

Configure your IdP

To set up a LaunchDarkly connection, follow the instructions for your chosen IdP.

We support the following IdP connectors:

Configure LaunchDarkly SAML

To configure SAML within LaunchDarkly:

Log in to LaunchDarkly as an administrator or account owner.
Navigate to the "SSO management" section of the Security tab on the Account settings page:

The "SSO management" section of the "Security" tab.

Click Configure SAML. The SAML configuration panel appears, pre-populated with information you need to set up LaunchDarkly as a SAML application with your identity provider:

To complete SAML configuration, follow the instructions specific to your IdP. The list of IdPs we support is in the Overview.

Specific configuration details vary between IdPs, but the basic process is the same regardless of which IdP you use.

To configure LaunchDarkly with an external IdP:

Create the SAML application in your IdP. To do this, follow the instructions in the documentation for your IdP.
Copy the SAML configuration metadata from the IdP into LaunchDarkly's SAML configuration panel.
Click Save.

Test-drive mode

When LaunchDarkly receives a valid SAML configuration, SSO enters test-drive mode. Test-drive mode lets you test the SSO integration before deploying the change to the rest of your organization.

When SSO is in test-drive mode, you can test authentication through your IdP, but LaunchDarkly's login screen will continue to use regular password-based authentication.

To use SSO in test-drive mode:

Log into LaunchDarkly as an administrator.
Navigate to Account settings > Security and scroll to the "SSO management" section.
Click Test-drive SSO. This performs the same authentication request flow that occurs for LaunchDarkly-initiated SSO logins:

User provisioning with SAML

LaunchDarkly automatically creates accounts for new account members who sign in through your IdP. Every time an account member signs in, LaunchDarkly also updates the account member's profile with user attributes from the IdP. To learn more, read Understanding default roles.

You can configure your identity provider to send the following attributes when the account member signs in to LaunchDarkly. Each attribute is optional. Specify attribute names with the "basic" format. You can also manage custom attributes in LaunchDarkly.

New account members must sign into LaunchDarkly through your IdP

New account members will not be able to sign in from LaunchDarkly's login screen until they have accessed LaunchDarkly through your IdP at least once.

NameID field formatting

Only use email addresses in the NameID field

LaunchDarkly only supports the use of email addresses in the NameID field. Do not use other types of identifying strings.

Below is an example of an SSO-provided nameID that LaunchDarkly will accept:

<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin@test.com</saml:NameID>

Setting custom attributes

These attributes are available for SAML SSO provisioning and SCIM provisioning:

Attribute name	Attribute format	Availability	Description
role	string	SSO & SCIM	One of the built-in LaunchDarkly roles: `reader`, `writer`, `admin`, and for some customers, `no_access`. If unspecified, the default role is `reader`.
customRole	String array, or comma-separated string	SSO & SCIM	A list of the keys of the custom roles to assign to the account member. These replace the member's existing custom roles. If a member has any custom roles, they supersede the built-in role. The elements of the `customRole` list are case-sensitive, and each element of the list must match a custom role key in LaunchDarkly exactly.
teamKey	String array, or comma-separated string	SSO only	A list of the keys of the teams that the account member belongs to. These replace the member's existing teams. The elements of the `teamKey` list are case-sensitive, and each element of the list must match a team key in LaunchDarkly exactly. To learn more about Teams, read Teams. To learn about managing teams with SCIM, read Team sync with SCIM.

SAML SSO supports the following naming attributes:

firstName
lastName

SCIM provisioning uses the standard naming attributes:

givenName
familyName

Enabling SSO

When you're satisfied with the SSO integration and are ready to enable it for all account members in LaunchDarkly, enable SSO by following the procedure below.

To enable SSO:

Log into LaunchDarkly as an administrator.
Navigate Account settings > Security and scroll to the "SSO management" section.
Click Enable SSO. A confirmation dialog appears.
Click Enable:

Once SSO is enabled, the LaunchDarkly login procedure defers to your identity provider for authentication. Account members will no longer be able to log in with their existing LaunchDarkly password.

Additionally, LaunchDarkly administrator and account owners will no longer be able to invite members to the organization. The only way to add additional account members is to have them log in through your IdP.

Disabling SSO

You can disable SSO at any time. When SSO is disabled, any existing members will still be able to sign into LaunchDarkly with their previous passwords, or reset their passwords.

Users that were provisioned through SSO will be required to reset their password in order to sign into LaunchDarkly.

To disable SSO:

Log into LaunchDarkly as an administrator.
Navigate Account settings > Security and scroll to the "SSO management" section.
Click Disable SSO. A confirmation dialog appears.
Click Disable: