Affected: Azure SSO
Overview
If you have SSO enabled, you can assign custom roles from within the LaunchDarkly dashboard or from Azure Active Directory (AD) Security Groups.
Solution
Configure Azure AD Groups for LaunchDarkly. Before you begin, complete the following:
- Enable Azure AD integration with LaunchDarkly: Configure Azure AD SSO
- Create the custom roles that the LaunchDarkly Enterprise Application will use: Custom roles
1. Create LaunchDarkly AD Groups and assign members in Azure.
- Create a new AD Group by going to Azure Active Directory > Groups > New group.
- Assign members to the Group by clicking the No members selected link to open the "Add members" dialog.
- Select the user(s) you want to include in the group and click Select when done.
- Click Create to create the group.
2. Create roles for the LaunchDarkly Enterprise Application in Azure AD.
- Open the LaunchDarkly Enterprise Application by going to Azure Active Directory > App Registrations > View All.
- Load the LaunchDarkly Enterprise Application by selecting the LaunchDarkly application on the registration dashboard.
- Click LaunchDarkly to open it.
- Click Create app role.
- Use the key that LaunchDarkly generated for the custom role as the value of your new app role; the two must match exactly.
- After you have created the role in Azure, click Apply when done.
3. Add the LaunchDarkly Groups to the LaunchDarkly Enterprise Application.
- Open the LaunchDarkly Enterprise Application by going to Azure Active Directory > Enterprise Application > All applications > LaunchDarkly.
- To add the LaunchDarkly AD Group, go to Users and groups > Add user/group.
- Assign the LaunchDarkly Group to the application.
- Assign a role.
- Click Single sign-on.
4. Update the LaunchDarkly Enterprise Application "SSO User Attributes & Claims" to start sending custom roles.
- Click User Attributes & claims.
- Enter or select the following values in the "Manage claim" form:
  - Name: customRole
  - Namespace: [leave blank]
  - Source: Attribute
  - Source attribute: user.assignedroles
- Click Save.
- To test, click the Test button.
- If the test is successful, you will be logged in as the user.
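To verify what step 4 produces outside the browser, here is an added Python example (not LaunchDarkly's or Microsoft's code) that parses a SAML AttributeStatement, picks out the customRole attribute that Azure AD fills from user.assignedroles, and flags any value that does not match a custom role key created in LaunchDarkly. The assertion fragment and the set of role keys are constructed sample values, and the assumption that each assigned role arrives as its own AttributeValue is noted in the code.

```python
"""Added example: check the customRole claim Azure AD sends to LaunchDarkly.

Not LaunchDarkly's or Microsoft's code. The assertion and the role keys
below are constructed samples for illustration.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed: custom role keys as generated in the LaunchDarkly dashboard.
KNOWN_CUSTOM_ROLE_KEYS = {"release-manager", "feature-viewer"}

# Constructed: the AttributeStatement of an assertion for a user who holds
# two app roles in Azure AD. Assumption: user.assignedroles is multi-valued,
# so each assigned role arrives as a separate AttributeValue element.
SAMPLE_ATTRIBUTE_STATEMENT = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="customRole">
    <saml:AttributeValue>release-manager</saml:AttributeValue>
    <saml:AttributeValue>Reader</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
    <saml:AttributeValue>alice@example.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def extract_custom_roles(statement_xml):
    """Return the values of the attribute whose Name is exactly "customRole".

    Namespace is left blank in the Azure claim form, so the SAML Attribute
    Name carries no URI prefix; the comparison is exact and case-sensitive,
    so a claim named "customrole" or "CustomRole" is ignored.
    """
    root = ET.fromstring(statement_xml)
    roles = []
    for attr in root.findall("saml:Attribute", SAML_NS):
        if attr.get("Name") != "customRole":
            continue
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            text = (value.text or "").strip()
            if text:
                roles.append(text)
    return roles


def check_roles(roles, known_keys):
    """Split asserted role values into those matching a LaunchDarkly custom
    role key and those that do not (for example an app role whose value was
    typed differently from the key LaunchDarkly generated)."""
    matched = [r for r in roles if r in known_keys]
    unknown = [r for r in roles if r not in known_keys]
    return matched, unknown
```

A non-empty "unknown" list points at an app role in Azure whose value does not equal a LaunchDarkly custom role key, which is the mismatch step 2 warns about.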