Okta

How to Configure SAML 2.0 for LaunchDarkly


Read this before you enable SAML

Enabling SAML will affect all users who use this application, which means that users won't be able to sign in with their regular usernames and passwords. They will only be able to access the app through the Okta service.

Backup URL

LaunchDarkly doesn't provide a backup sign-in URL where users can sign in using their regular username and password. You can contact LaunchDarkly Support (support@launchdarkly.com) to turn off SAML, if necessary.



Supported Features

The Okta/LaunchDarkly SAML integration currently supports the following features:

For more information on the listed features, visit the Okta Glossary.


Configuration Steps

  1. Log in to your LaunchDarkly account as an administrator (account owner).

  2. Go to Account settings > Security, then under SSO management click Configure SAML.

  3. Do the following:

    • Make a copy of the Assertion consumer service URL, Entity ID, and Start URL values.

    • Sign-on URL: Copy and paste the following:

      Sign in to the Okta Admin Dashboard to generate this variable.

    • X.509 certificate: Copy and paste the following:

      Sign in to the Okta Admin Dashboard to generate this variable.
    • Click Save.


  4. You are now in test-drive mode. Your team members can still sign in with their LaunchDarkly passwords.

  5. In Okta, select the Sign On tab for the LaunchDarkly app, then click Edit.

    • Scroll down to Advanced Sign-on Settings.

    • Enter the Assertion consumer service URL and Entity ID values (step 4) into the corresponding fields.

    • Click Save.

  6. Configure the role and customRole attributes (for instructions, see Notes, below).

  7. Assign a required user/group to the application.

  8. Log in as an assigned user using the application chiclet on the Okta dashboard to make sure that the SAML configuration works properly.

  9. After successful testing, select Turn on SSO on the Single sign-on configuration page in LaunchDarkly.

  10. SAML configuration is now fully enabled, which means that users will not be able to sign in through their regular login page using their normal username and password.

  11. Done!


Notes

The following SAML attributes are supported:


About Roles:


Here is an example describing how to add and use the additional role, customRole and teamKey attributes:

  1. In Okta, navigate to Directory > Profile Editor.

  2. Search for the LaunchDarkly app, then click Profile:

  3. Add custom roles: Directory > Profile Editor. Search for the LaunchDarkly app, then click Profile

  4. Click Add Attribute, then add the following attributes:

      Display name    Variable name
      ------------    -------------
      Role            role
      Custom role     customRole
      teamKey         teamKey


    Note: Scope (optional): If you check User personal, the attribute is available when you assign a user to the LaunchDarkly application, but not when you assign a group to the app.

  5. Now you can map these attributes to required fields in Okta.

  6. Or provide the required values during application assignment (Assignments application tab).
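
A check you can run while still in test-drive mode, added here as an example and not part of the Okta or LaunchDarkly documentation: it takes a base64-decoded SAML response captured from your own test login and confirms that Destination and Audience match the Assertion consumer service URL and Entity ID, and that the role, customRole and teamKey attributes you mapped actually arrive. The URL, Entity ID, attribute values and sample XML are constructed placeholders, and the script does not verify the signature (the service provider does that).

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed placeholders, not real LaunchDarkly values. Substitute the
# Assertion consumer service URL and Entity ID you copied from LaunchDarkly.
EXPECTED_ACS = "https://sp.example.test/saml/acs"
EXPECTED_ENTITY_ID = "sp.example.test"
MAPPED_ATTRS = ("role", "customRole", "teamKey")  # names from the Notes section

# Constructed sample response: signature omitted, customRole deliberately absent.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://sp.example.test/saml/acs">
  <saml:Assertion>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>sp.example.test</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="role"><saml:AttributeValue>example-role</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="teamKey"><saml:AttributeValue>example-team</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

def check_response(xml_text, acs=EXPECTED_ACS, entity_id=EXPECTED_ENTITY_ID, mapped=MAPPED_ATTRS):
    """Return (problems, attributes) for a decoded SAML response from a test login."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != acs:
        problems.append("Destination does not match the Assertion consumer service URL")
    audiences = [a.text.strip() for a in root.findall(".//saml:Audience", NS) if a.text]
    if entity_id not in audiences:
        problems.append("Audience does not contain the Entity ID")
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
    for name in mapped:  # every attribute you mapped in Okta should carry a value
        if not any(attrs.get(name, [])):
            problems.append(f"attribute {name!r} not present in the assertion")
    return problems, attrs
```

An empty problems list for each test user is a reasonable gate before selecting Turn on SSO, since no backup sign-in URL exists once SAML is fully enabled.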


SP-initiated SSO

  1. Open the Start URL (Configuration step 3).

  2. Enter your Email Address.

  3. Click NEXT.