For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Sign inTry it free
DocsGuidesSDKsIntegrationsAPI docsTutorialsFlagship blog
DocsGuidesSDKsIntegrationsAPI docsTutorialsFlagship blog
  • Get started
    • Overview
    • Onboarding
    • Get started
    • Launch Insights
    • LaunchDarkly architecture
    • LaunchDarkly vocabulary
  • AgentControl
    • AgentControl
    • Manage AgentControl
  • Feature flags
    • Create flags
    • Target with flags
    • Flag templates
    • Manage flags
    • Code references
    • Contexts
    • Segments
  • Releases
    • Releasing features with LaunchDarkly
    • Release policies
    • Percentage rollouts
    • Progressive rollouts
    • Guarded rollouts
    • Feature monitoring
    • Release pipelines
    • Engineering insights
    • Release management tools
    • Applications and app versions
    • Change history
    • Restoring previous flag versions
  • Observability
    • Observability
    • Session replay
    • Error monitoring
    • Logs
    • Traces
    • Observability metrics
    • Product analytics events
    • LLM observability
    • Alerts
    • Dashboards
    • Service map
    • Vega for auto-remediation
    • Observability MCP server
    • Search specification
    • Observability settings
    • Observability integrations
  • Experimentation
    • Experimentation
    • Experiment metric types
    • Experiment configuration
    • Managing experiments
    • Analyzing experiments
    • Multi-armed bandits
    • Holdouts
  • Metrics and events
    • Metrics in LaunchDarkly
    • Creating metrics
    • Metric groups
    • Events
    • Autogenerated metrics
  • Warehouse native
    • Warehouse native metrics
    • Setting up external warehouses
    • Creating experiments using warehouse native metrics
  • Infrastructure
    • Connect apps and services to LaunchDarkly
    • LaunchDarkly in China and Pakistan
    • LaunchDarkly in the European Union (EU)
    • LaunchDarkly in federal environments
    • Public IP list
  • Your account
    • Projects
    • Views
    • Environments
    • Tags
    • Teams
    • Members
    • Roles
    • Account security
      • Single sign-on
        • Configure SAML SSO
          • Active Directory Federation Services (ADFS)
          • Entra ID
          • Google Workspace
          • Okta
          • OneLogin
          • PingIdentity
        • Enable SCIM provisioning
        • Enable SSO
        • Disable SSO
        • Change SSO providers
        • Google OAuth
        • GitHub OAuth
      • API access tokens
      • Multi-factor authentication
      • Domain verification
      • IP allowlist
      • Managing sessions
      • Organization access settings
      • Organization announcements
      • Support options
      • Resetting your password
    • Feature previews
    • Billing and usage
    • Changelog
Sign inTry it free
LogoLogo
On this page
  • Overview
  • Prerequisites
  • Retrieve your Entity ID and ACS URL from LaunchDarkly
  • Add the LaunchDarkly application in PingIdentity
  • Update LaunchDarkly with URL and exchange certificate details
  • Define user attributes in PingIdentity
  • Map user attributes to LaunchDarkly
  • Create PingIdentity groups for LaunchDarkly access
  • Assign the group to the LaunchDarkly app
  • Test your setup
Your accountAccount securitySingle sign-onConfigure SAML SSO

PingIdentity

Was this page helpful?
Previous

Enable SCIM provisioning

Next
Built with
PingIdentity is not officially supported

We provide guidance for setting up SAML-based single sign-on (SSO) with PingIdentity, but PingIdentity is not an officially supported identity provider (IdP). We cannot provide additional support or configuration guidance for this configuration.

Overview

This topic explains how to set up SAML-based single sign-on (SSO) with PingIdentity.

Setting up SSO with PingIdentity requires the following steps:

  1. Retrieving your Entity ID and ACS URL from LaunchDarkly
  2. Adding the LaunchDarkly application in PingIdentity
  3. Updating LaunchDarkly with URL and exchange certificate details

You can also set up member roles using the following steps:

  1. Defining user attributes in PingIdentity
  2. Mapping user attributes to LaunchDarkly
  3. Creating a PingIdentity group for LaunchDarkly access
  4. Assigning the group to the LaunchDarkly app

Prerequisites

To give your organization access to LaunchDarkly through PingIdentity, you need the following components:

  • A LaunchDarkly Admin organization role, or an Admin or Owner base role, or another role with permissions to update account SSO settings
  • PingIdentity Admin permissions

Retrieve your Entity ID and ACS URL from LaunchDarkly

To begin, retrieve your Entity ID and assertion consumer service (ACS) URL from LaunchDarkly:

  1. In LaunchDarkly, click the gear icon in the left sidenav to view Organization settings.
  2. Click Security.
  3. Click Edit SAML configuration.
  4. In the “SAML application details” section, copy the Assertion consumer service URL and the Entity ID, and save them for use in the next section.

Add the LaunchDarkly application in PingIdentity

To add the LaunchDarkly application in PingIdentity:

  1. Log in to the PingIdentity admin console.
  2. Navigate to Applications.
  3. Click the + icon to add a new application.

The "Applications" screen in PingIdentity.

The "Applications" screen in PingIdentity.
  1. Enter “LaunchDarkly SSO” as the Application Name.
  2. (Optional) Add a Description and Icon.
  3. Click SAML Application.

The "Add Application" screen in PingIdentity.

The "Add Application" screen in PingIdentity.
  1. Select Manually enter.
  2. Enter the LaunchDarkly ACS URL you copied from the previous section into the ACS URLs field.
  3. Enter the LaunchDarkly Entity ID you copied from the previous section into the Entity ID field.

The "Applications" screen in PingIdentity.

The "Applications" screen in PingIdentity.
  1. Click Save. The LaunchDarkly application appears in the Applications list.
  2. Copy the Signon URL and save it for use in the next section.
  3. Click Download Signing Certificate and select the “X509 PEM (.crt)” format. The X.509 certificate downloads to your machine.

You will use the Signon URL and X.509 certificate in the next section.

Update LaunchDarkly with URL and exchange certificate details

Next, update LaunchDarkly with the SSO URL and the X.509 exchange certificate:

  1. In LaunchDarkly, click the gear icon in the left sidenav to view Organization settings.
  2. Click Security.
  3. Click Edit SAML configuration.
  4. in the “SAML identity provider details” section, enter the Signon URL you copied from PingIdentity into the Sign-on URL field.
  5. Click Upload one to upload the X.509 certificate you downloaded from PingIdentity. Or, paste the certificate contents into the X.509 certificate field.
  6. Click Save.

Define user attributes in PingIdentity

You can assign LaunchDarkly roles to account members through PingIdentity. In PingIdentity, your account members are called “users.”

First, define user attributes in PingIdentity:

  1. In PingIdentity, navigate to Directory, then User Attributes.
  2. Click the + icon to add a new attribute.

The "User Attributes" screen in PingIdentity.

The "User Attributes" screen in PingIdentity.
  1. Select Declared.
  2. Enter “role” as the Name.
  3. Enter “LaunchDarkly Built-in role” as the Display Name.
  4. (Optional) Enter a Description.
  5. Select Enumerated values.
  6. Click + Add Value and enter “admin.”
  7. Repeat step 8 for “writer” and “reader.”
  8. Click Save.

The "Add Attribute" screen in PingIdentity.

The "Add Attribute" screen in PingIdentity.
  1. To repeat the process for custom roles, click the + icon to add a new attribute and select Declared.
  2. Enter “customRole” as the Name.
  3. Enter “LaunchDarkly Custom Roles” as the Display Name.
  4. (Optional) Enter a Description.
  5. Select No Validation.
  6. Click Save.

The role and customRole attributes appear in your PingIdentity user directory.

Map user attributes to LaunchDarkly

Next, map PingIdentity user attributes to LaunchDarkly:

  1. In PingIdentity, navigate to Applications.
  2. Select the “LaunchDarkly SSO” application.
  3. Click the Attributes Mappings tab.
  4. Click +Add.
  5. Enter “role” in the Attributes field.
  6. Select “LaunchDarkly Built-in role” from the PingOne Mappings menu.
  7. Click +Add.
  8. Enter “customRole” in the Attributes field.
  9. Select “LaunchDarkly Custom Roles” from the PingOne Mappings menu.

The "Edit Attribute Mappings" screen in PingIdentity.

The "Edit Attribute Mappings" screen in PingIdentity.

PingIdentity user attributes are now mapped to LaunchDarkly roles and custom roles.

Create PingIdentity groups for LaunchDarkly access

Next you can allow LaunchDarkly access using PingIdentity groups:

  1. In PingIdentity, navigate to Directory, then Groups.
  2. Click Add Group.
  3. Enter “Access to LaunchDarkly App” or similar as the Name.
  4. (Optional) Add a Description.
  5. Select a PingIdentity Population that should have access to LaunchDarkly.
  6. Click Save.

The "Add Group" screen in PingIdentity.

The "Add Group" screen in PingIdentity.

Assign the group to the LaunchDarkly app

Next, assign the group to the LaunchDarkly app:

  1. In PingIdentity, navigate to Applications.
  2. Select the “LaunchDarkly SSO” application.
  3. Click the Access tab.
  4. Click the pencil icon.
  5. Search for and select the “Access to LaunchDarkly App” group.
  6. Click Save.

The application "Access" screen in PingIdentity.

The application "Access" screen in PingIdentity.

Test your setup

Finally, you can test your SSO setup using Test drive mode.