SAML SSO (beta)
Single Sign-On (SSO) functionality is available for Enterprise customers to access LangSmith through a single authentication source. This allows administrators to centrally manage team access and keeps information more secure.
LangSmith's SSO configuration is built using the SAML (Security Assertion Markup Language) 2.0 standard. SAML 2.0 enables connecting an Identity Provider (IdP) to your organization for an easier, more secure login experience.
SAML SSO is available for organizations on the Enterprise plan. Please contact sales to learn more.
What is SAML SSO?
SSO services permit a user to use one set of credentials (for example, a name or email address and password) to access multiple applications. The service authenticates the end user only once for all the applications the user has been given rights to and eliminates further prompts when the user switches applications during the same session.
Benefits of SSO
- Streamlines user management across systems for organization owners.
- Enables organizations to enforce their own security policies (e.g. MFA)
- Removes the need for end-users to remember and manage multiple passwords. Simplifies end-users experience by allowing them to sign in at one single access point and enjoy a seamless experience across multiple applications.
Set up SAML SSO for your organization
Prerequisites
- While in beta, you must reach out to support@langchain.dev to enable for your organization
- Your organization must be on an Enterprise plan
- Your Identity Provider (IdP) must support the SAML 2.0 standard
- Only Organization Admins can configure SAML SSO
Initial configuration
See IdP-specific instructions below
- In your IdP: Configure a SAML application with the following details, then copy the metadata URL or XML for step 3 below
- Single sign-on URL a.k.a. ACS URL: https://smith.langchain.com/auth/v1/sso/saml/acs
- Audience URI a.k.a. SP Entity ID: https://smith.langchain.com/auth/v1/sso/saml/metadata
- Name ID format: email address
- Application username: email address
- Required claims:
sub
andemail
- In LangSmith: Go to
Settings
->Members and roles
->SSO Configuration
- Fill in the required information and submit to activate SSO login
- Fill in either the
SAML metadata URL
orSAML metadata XML
- Select the
Default workspace role
andDefault workspaces
. New users logging in via SSO will be added to the specified workspaces with the selected role.
- Fill in either the
- Fill in the required information and submit to activate SSO login
Editing SAML SSO settings
Default workspace role
andDefault workspaces
are editable. The updated settings will apply to new users only, not existing users.- (Coming soon)
SAML metadata URL
andSAML metadata XML
are editable. This is usually only necessary when cryptographic keys are rotated/expired or the metadata URL has changed but the same IdP is still used.
Just-in-time (JIT) provisioning
LangSmith supports Just-in-Time provisioning when using SAML SSO. This allows someone signing in via SAML SSO to join the organization and selected workspaces automatically as a member.
JIT provisioning only runs for new users i.e. users who do not already have access to the organization with the same email address via a different login method
Login methods and access
Once you have completed your configuration of SAML SSO for your organization, users will be able to login via SAML SSO in addition to other login methods such as username/password and Google Authentication.
- When logged in via SAML SSO, users can only access the corresponding organization with SAML SSO configured.
- Users with SAML SSO as their only login method do not have personal organizations
- When logged in via any other method, users can access the organization with SAML SSO configured along with any other organizations they are a part of
Enforce SAML SSO only
To ensure users can only access the organization when logged in using SAML SSO and no other method, check the Login via SSO only
checkbox and click Save
.
Once this happens, users accessing the organization that are logged-in via a non-SSO login method are required to log back in using SAML SSO.
This setting can be switched back to allow all login methods by unselecting the checkbox and clicking Save
.
You must be logged in via SAML SSO in order to update this setting to Only SAML SSO
.
This is to ensure the SAML settings are valid and avoid locking users out of your organization.
Support and troubleshooting
If you have issues setting up SAML SSO, please reach out to support@langchain.dev.
FAQ
How do I change a SAML SSO user's email address?
Some identity providers retain the original User ID
through an email change while others do not, so we recommend that you follow these steps to avoid duplicate users in LangSmith:
- Remove the user from the organization (see here)
- Change their email address in the IdP
- Have them login to LangSmith again via SAML SSO - this will trigger the usual JIT provisioning flow with their new email address
Identity Provider (IdP) Setup
These are instructions for setting up LangSmith SAML SSO with Entra ID (formerly Azure), Google, and Okta. If you use a different Identity Provider and need assistance with configuration, please contact our support team.
Entra ID (Azure)
For additional information, see Microsoft's documentation.
Step 1: Create a new Entra ID application integration
- Log in to the Azure portal with a privileged role (e.g. Global Administrator). On the left navigation pane, select the
Entra ID
service. - Navigate to Enterprise Applications and then select All Applications.
- Click
Create your own application
. - In the Create your own application window:
- Enter a name for your application (e.g.
LangSmith
) - Select
Integrate any other application you don't find in the gallery (Non-gallery)
.
- Enter a name for your application (e.g.
- Click
Create
.
Step 2: Configure the Entra ID application and obtain the SAML Metadata
- Open the enterprise application that you created.
- In the left-side navigation, select
Manage > Single sign-on
. - On the Single sign-on page, click
SAML
. - Update the
Basic SAML Configuration
Identifier (Entity ID)
: https://smith.langchain.com/auth/v1/sso/saml/metadataReply URL (Assertion Consumer Service URL)
: https://smith.langchain.com/auth/v1/sso/saml/acs- Leave
Relay State
,Logout Url
, andSign on URL
empty - Click
Save
- Ensure required claims are present with
Namespace
:http://schemas.xmlsoap.org/ws/2005/05/identity/claims
sub
:user.objectid
emailaddress
:user.userprincipalname
oruser.mail
(if using the latter, ensure all users have theEmail
field filled in underContact Information
)
- On the SAML-based Sign-on page, under
SAML Certificates
, copy theApp Federation Metadata Url
.
Step 3: Set up LangSmith SSO Configuration
Follow the instructions under initial configuration in the Fill in required information
step, using the metadata URL from the previous step.
Step 4: Verify the SSO setup
- Assign the application to users/groups in Entra ID
- Select
Manage > Users and groups
- Click
Add user/group
- In the Add Assignment window:
- Under Users, click
None Selected
. - Search for the user you want to assign to the enterprise application, and then click
Select
. - Verify that the user is selected, and click
Assign
.
- Under Users, click
- Select
- Have the user sign in via the unique login URL from the
SSO Configuration
page, or go toManage > Single sign-on
and selectTest single sign-on with <application name>
Google
For additional information, see Google's documentation.
Step 1: Create and configure the Google Workspace SAML application
- Make sure you're signed into an administrator account with the appropriate permissions.
- In the Admin console, go to
Menu -> Apps -> Web and mobile apps
. - Click
Add App
and thenAdd custom SAML app
. - Enter the app name and, optionally, upload an icon. Click
Continue
. - On the Google Identity Provider details page, download the
IDP metadata
and save it for Step 2 below. Click Continue. - In the
Service Provider Details
window, enter:ACS URL
: https://smith.langchain.com/auth/v1/sso/saml/acsEntity ID
: https://smith.langchain.com/auth/v1/sso/saml/metadata- Leave
Start URL
and theSigned response
box empty. - Set
Name ID
format toEMAIL
and leaveName ID
as the default (Basic Information > Primary email
). - Click
Continue
.
- Use
Add mapping
to ensure required claims are present:Basic Information > Primary email
->email
Step 2: Set up LangSmith SSO Configuration
Follow the instructions under initial configuration in the Fill in required information
step, using the IDP metadata
from the previous step as the metadata XML.
Step 3: Turn on the SAML app in Google
- Select the SAML app under
Menu -> Apps -> Web and mobile apps
- Click
User access
. - Turn on the service:
- To turn the service on for everyone in your organization, click
On for everyone
, and then clickSave
. - To turn the service on for an organizational unit:
- At the left, select the organizational unit then
On
. - If the Service status is set to
Inherited
and you want to keep the updated setting, even if the parent setting changes, clickOverride
. - If the Service status is set to
Overridden
, either clickInherit
to revert to the same setting as its parent, or clickSave
to keep the new setting, even if the parent setting changes.
- At the left, select the organizational unit then
- To turn on a service for a set of users across or within organizational units, select an access group. For details, go to Use groups to customize service access.
- To turn the service on for everyone in your organization, click
- Ensure that the email addresses your users use to sign in to LangSmith match the email addresses they use to sign in to your Google domain.
Step 4: Verify the SSO setup
Have a user with access sign in via the unique login URL from the SSO Configuration
page, or go to the SAML application page in Google and click TEST SAML LOGIN
.
Okta
For additional information, see Okta's documentation.
Step 1: Create and configure the Okta SAML application
- Log in to Okta as an administrator, and go to the
Okta Admin console
. - Under
Applications > Applications
clickCreate App Integration
- Select
SAML 2.0
- Enter an
App name
(e.g.LangSmith
) and optionally anApp logo
, then clickNext
- Enter the following information in the
Conofigure SAML
page:Single sign-on URL
a.k.a.ACS URL
: https://smith.langchain.com/auth/v1/sso/saml/acs. KeepUse this for Recipient URL and Destination URL
checked.Audience URI (SP Entity ID)
: https://smith.langchain.com/auth/v1/sso/saml/metadataName ID format
:EmailAddress
Application username
:email
- Leave the rest of the fields empty or set to their default.
- Click `Next
- Click
Finish
- Copy the
Metadata URL
from theSign On
page to use in the next step
Step 2: Set up LangSmith SSO Configuration
Follow the instructions under initial configuration in the Fill in required information
step, using the metadata URL from the previous step.
Step 3: Assign users to LangSmith in Okta
- Under
Applications > Applications
, select the SAML application created in Step 1 - Under the
Assignments
tab, clickAssign
then eitherAssign to People
orAssign to Groups
- Make the desired selection(s), then
Assign
andDone
Step 4: Verify the SSO setup
Have a user with access sign in via the unique login URL from the SSO Configuration
page, or have a user select the application from their Okta dashboard.