Skip to main content

SAML SSO (beta)

Single Sign-On (SSO) functionality is available for Enterprise customers to access LangSmith through a single authentication source. This allows administrators to centrally manage team access and keeps information more secure.

LangSmith's SSO configuration is built using the SAML (Security Assertion Markup Language) 2.0 standard. SAML 2.0 enables connecting an Identity Provider (IdP) to your organization for an easier, more secure login experience.

note

SAML SSO is available for organizations on the Enterprise plan. Please contact sales to learn more.

What is SAML SSO?

SSO services permit a user to use one set of credentials (for example, a name or email address and password) to access multiple applications. The service authenticates the end user only once for all the applications the user has been given rights to and eliminates further prompts when the user switches applications during the same session.

Benefits of SSO

  • Streamlines user management across systems for organization owners.
  • Enables organizations to enforce their own security policies (e.g. MFA)
  • Removes the need for end-users to remember and manage multiple passwords. Simplifies end-users experience by allowing them to sign in at one single access point and enjoy a seamless experience across multiple applications.

Set up SAML SSO for your organization

Prerequisites

  • While in beta, you must reach out to support@langchain.dev to enable for your organization
  • Your organization must be on an Enterprise plan
  • Your Identity Provider (IdP) must support the SAML 2.0 standard
  • Only Organization Admins can configure SAML SSO

Initial configuration

  1. Configure a SAML application in your IdP (e.g. Okta) with the following details, then copy the metadata URL or XML for step 3 below
    1. Single sign-on URL a.k.a. ACS URL: https://smith.langchain.com/auth/v1/sso/saml/acs
    2. Audience URI a.k.a. SP Entity ID: https://smith.langchain.com/auth/v1/sso/saml/metadata
    3. Name ID format: email address
    4. Application username: email address
  2. Go to Settings -> Members and roles -> SSO Configuration
  3. Fill in the required information and submit to activate SSO login
    1. Fill in either the SAML metadata URL or SAML metadata XML
    2. Select the Default workspace role and Default workspaces. New users logging in via SSO will be added to the specified workspaces with the selected role.

Editing SAML SSO settings

  • Default workspace role and Default workspaces are editable. The updated settings will apply to new users only, not existing users.
  • (Coming soon) SAML metadata URL and SAML metadata XML are editable. This is usually only necessary when cryptographic keys are rotated/expired or the metadata URL has changed but the same IdP is still used.

Just-in-time (JIT) provisioning

LangSmith supports Just-in-Time provisioning when using SAML SSO. This allows someone signing in via SAML SSO to join the organization and selected workspaces automatically as a member.

note

JIT provisioning only runs for new users i.e. users who do not already have access to the organization with the same email address via a different login method

Login methods and access

Once you have completed your configuration of SAML SSO for your organization, users will be able to login via SAML SSO in addition to other login methods such as username/password and Google Authentication.

  • When logged in via SAML SSO, users can only access the corresponding organization with SAML SSO configured.
  • Users with SAML SSO as their only login method do not have personal organizations
  • When logged in via any other method, users can access the organization with SAML SSO configured along with any other organizations they are a part of

Enforce SAML SSO Only

To ensure users can only access the organization when logged in using SAML SSO and no other method, update the Login method to Only SAML SSO. Once this happens, users in the organization will be logged out and required to log back in using SAML SSO.
This setting can be switched back to Any method at any point.

note

You must be logged in via SAML SSO in order to update this setting to Only SAML SSO.

Identity Provider (IdP) Setup

These are instructions for setting up LangSmith SAML SSO with Entra ID (formerly Azure), Google, and Okta. If you use a different Identity Provider and need assistance with configuration, please contact our support team.

Entra ID (Azure)

Step 1: Create a new application integration

  1. Log in to the Azure portal with a privileged role (e.g. Global Administrator). On the left navigation pane, select the Entra ID service.
  2. Navigate to Enterprise Applications and then select All Applications.
  3. Click Create your own application.
  4. In the Create your own application window:
    1. Enter a name for your application (e.g. LangSmith)
    2. Select Integrate any other application you don't find in the gallery (Non-gallery).
  5. Click Create.

Step 2: Configure the application and obtain the Microsoft Entra ID SAML Metadata

  1. Open the enterprise application that you created.
  2. In the left-side navigation, select Manage > Single sign-on.
  3. On the Single sign-on page, click SAML.
  4. Update the Basic SAML Configuration
    1. Identifier (Entity ID): https://smith.langchain.com/auth/v1/sso/saml/metadata
    2. Reply URL (Assertion Consumer Service URL): https://smith.langchain.com/auth/v1/sso/saml/acs
    3. Leave Relay State, Logout Url, and Sign on URL empty
    4. Click Save
  5. Ensure required claims are present with Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims
    1. sub: user.objectid
    2. emailaddress: user.userprincipalname or user.mail (if using the latter, ensure all users have the Email field filled in under Contact Information)
  6. On the SAML-based Sign-on page, under SAML Certificates, copy the App Federation Metadata Url.

Step 3: Create a SAML Provider for Microsoft Entra ID in the LangSmith SSO Configuration page

Follow the instructions under initial configuration in the Fill in required information step, using the metadata URL from the previous step.

Step 4: Verify the SSO setup

  1. Assign the application to users/groups in Entra ID
    1. Select Manage > Users and groups
    2. Click Add user/group
    3. In the Add Assignment window:
      1. Under Users, click None Selected.
      2. Search for the user you want to assign to the enterprise application, and then click Select.
      3. Verify that the user is selected, and click Assign.
  2. Have the user sign in via the unique login URL from the SSO Configuration page, or go to Manage > Single sign-on and select Test single sign-on with <application name>

Google

Okta

Was this page helpful?


You can leave detailed feedback on GitHub.