LaunchDarkly Developer Documentation

Get started in under 30 minutes.
LaunchDarkly provides feature flags as a service for Java · Python · Ruby · Go · Node.js · PHP · .NET. Control feature launches -- who sees what and when -- without multiple code deploys. Easy dashboard for phased rollouts, targeting and segmenting.
Need more help? write us at support@launchdarkly.com

Get Started    Documentation

Single sign-on

Only available to enterprise customers

Single sign-on is only available to customers on our enterprise plans. If you're interested in learning more about our enterprise plans, contact sales@launchdarkly.com.

Single sign-on (SSO) allows your team to authenticate with LaunchDarkly via the same identity provider you use for your other internal and external services. Additionally, with single sign-on, administrators can use their identity provider to manage access rights in LaunchDarkly.

Setting up SSO in LaunchDarkly

If you're a LaunchDarkly administrator or account owner, you can configure your LaunchDarkly account to delegate to your identity provider for team member authentication. LaunchDarkly implements single sign-on via the SAML 2.0 protocol.

To start the setup process, click the Configure SAML button on the Security tab of your account settings page.

After clicking on the Configure SAML button, you will see the SAML configuration screen. You'll see a set of configuration details that you'll need to set up LaunchDarkly as a SAML application in your identity provider:

Configuring your identity provider

We've provided a set of configuration tips for some of our supported identity providers that should help you configure your provider correctly:

We have also tested and verified support for the following identity providers:

  • PingIdentity
  • Centrify

Once you have created the SAML application in your identity provider, you will need to copy SAML configuration metadata from your identity provider into the SAML configuration screen in LaunchDarkly and click Save.

User provisioning via SSO

LaunchDarkly will automatically create accounts for new team members who sign in via your identity provider. Please note that new team members will not be able to sign in via LaunchDarkly's login screen until they have accessed LaunchDarkly through your identity provider at least once.

Every time a team member signs into LaunchDarkly, LaunchDarkly will also update the team member's profile with any user attributes submitted by the identity provider. You can configure your identity provider to send the following attributes when the team member is signing into LaunchDarkly. Each attribute is optional and can also be managed from LaunchDarkly. Attribute names should be specified using "basic" format.

Field name
Description

firstName

First name

lastName

Last name

role

Built-in LaunchDarkly role: one of reader, writer, admin. If unspecified, the default role is reader.

customRole

A list of keys for custom roles to give to the team member. These will replace the member's existing custom roles. If a member has any custom roles, they will supersede the built-in role.

Test-drive mode

When LaunchDarkly receives a valid SAML configuration, the Single Sign-On feature enters test-drive mode. When the Single Sign-On feature is in test-drive mode, you can test authentication via your identity provider, but LaunchDarkly's login screen will continue to use regular password-based authentication. Test-drive mode allows you to test the SSO integration in a controlled manner before rolling out the change to the rest of your team. The Simulate SSO button will perform the same authentication request flow that would occur for LaunchDarkly-initiated SSO logins.

Enabling SSO

From test-drive mode, when you're satisfied with the SSO integration and are ready to enable it for all team members in LaunchDarkly, click the Enable SSO button in the Single Sign-On section. You will need to confirm the request.

Once SSO is enabled, the LaunchDarkly login screen will defer to your identity provider for authentication. Users will no longer be able to log in with their existing LaunchDarkly password. Additionally, LaunchDarkly administrator and account owners will no longer be able to invite members to the team. The only way to add additional team members will be to have them log in via your identity provider.

Disabling SSO

If you need to disable SSO for any reason, you can click the Disable SSO button in the Single Sign-On section. You will need to confirm the request.

When SSO is disabled, any existing members will still be able to sign into LaunchDarkly with their previous passwords or reset their passwords.

Users that were provisioned via SSO will be required to reset their password in order to sign into LaunchDarkly.

Single sign-on