Okta

How to Configure SAML 2.0 for LaunchDarkly


Read this before you enable SAML

Enabling SAML affects all users of this application: users will not be able to sign in through their regular login page. They will only be able to access the app through the Okta service.

Backup URL

LaunchDarkly does not provide a backup login URL where users can sign in using their normal username and password. You can contact LaunchDarkly support (support@launchdarkly.com) to turn off SAML, if necessary.


Supported Features

The Okta/LaunchDarkly SAML integration currently supports the following features:

For more information on the listed features, visit the Okta Glossary.


Configuration Steps

  1. Log in to your LaunchDarkly account as an administrator (account owner).

  2. Navigate to Account settings > Security.

  3. In the Single sign-on section, click CONFIGURE SAML:

    darkly1.png

  4. Do the following:

    • Make a copy of the Assertion consumer service URL, Entity ID, and Start URL values.

    • Sign-on URL: Copy and paste the following:

      Sign in to the Okta Admin Dashboard to generate this variable.

    • X.509 certificate: Copy and paste the following:

      Sign in to the Okta Admin Dashboard to generate this variable.

    • Click SAVE.

    darkly2.png

  5. You are now in test-drive mode. Your team members can still sign on with their LaunchDarkly passwords.

    darkly3.png

  6. In Okta, select the Sign On tab for the LaunchDarkly app, then click Edit.

  7. Scroll down to the ADVANCED SIGN-ON SETTINGS section.

  8. Enter the Assertion consumer service URL and Entity ID values (step 4) into the corresponding fields.

  9. Click Save.

    darkly4.png

  10. Configure the role and customRole attributes (for instructions, see Notes, below).

  11. Assign a required user/group to the application.

  12. Log in as a required user using the application chiclet from the Okta dashboard to make sure that the SAML configuration works properly.

  13. After successful testing, select ENABLE SSO on the Single sign-on configuration page in LaunchDarkly:

    darkly5.png

  14. SAML configuration is now fully enabled, which means that users will not be able to sign in through their regular login page using their normal username and password:

    darkly6.png

  15. Done!


Notes

The following SAML attributes are supported:

Notes:

Here is an example describing how to add and use the additional role and customRole attributes:

  1. In Okta, navigate to Directory > Profile Editor.

  2. Search for the LaunchDarkly app, then click Profile:

    darkly8.png

  3. Click Add Attribute, then enter the following:

    1. Display Name: Enter Role.

    2. Variable Name: Enter role.

    3. Click Save and Add Another.

      darkly9.png

    4. Display Name: Enter Custom role.

    5. Variable Name: Enter customRole.

    6. Click Save.

      darkly10.png

      Note: Scope (optional): If you check User personal, the attribute is available when you assign a user to the LaunchDarkly application, but not when you assign a group to the app.

  4. Now you can map these attributes to the required fields in Okta:

    darkly11.png

  5. Or provide the required values during application assignment (Assignments application tab):

    darkly12.png
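
The check below is an added example, not part of Okta's or LaunchDarkly's documentation: before you select ENABLE SSO, it takes the base64 SAMLResponse form value captured from your own test login and confirms that Destination and Audience match the Assertion consumer service URL and Entity ID from step 4, and that role and customRole carry the values you assigned. The URL, entity ID and attribute values in the sample are constructed placeholders, and the script does not verify the response signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_response(b64_response, acs_url, entity_id, expected_attrs):
    """Return mismatches in a base64 SAMLResponse; does not verify the signature."""
    raw = base64.b64decode(b64_response)
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        return ["response contains a DTD; not parsed"]
    root = ET.fromstring(raw)
    problems = []
    # Destination must be the Assertion consumer service URL from step 4.
    if root.get("Destination") != acs_url:
        problems.append("Destination != Assertion consumer service URL")
    # Audience must be the Entity ID from step 4.
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append("Audience != Entity ID")
    # Collect the attribute statement and compare it with what Okta should send.
    sent = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        sent[attr.get("Name")] = [
            (v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
    for name, want in expected_attrs.items():
        if sent.get(name) != want:
            problems.append(f"{name}: expected {want}, got {sent.get(name)}")
    return problems

# Constructed sample: placeholder SP values and one test user's attribute values.
ACS_URL = "https://sp.example.invalid/saml/acs"
ENTITY_ID = "sp.example.invalid"
SAMPLE_XML = f"""<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{ACS_URL}">
  <saml:Assertion>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="role"><saml:AttributeValue>reader</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="customRole"><saml:AttributeValue>example-team</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    expected = {"role": ["reader"], "customRole": ["example-team"]}
    print(check_response(SAMPLE_B64, ACS_URL, ENTITY_ID, expected) or "OK")
```

An empty list means the captured response matches the values you configured; any entry names the field to recheck in the Okta Sign On tab or the attribute mapping.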

SP-initiated SSO

  1. Open the Start URL (step 4).

  2. Enter your Email Address.

  3. Click NEXT:

    darkly13.png