Affected: LaunchDarkly members signed in with Google OAuth
Symptoms
The following symptoms occur when a LaunchDarkly member account is linked to Google OAuth:
- The email field is greyed out on the LaunchDarkly profile page (https://app.launchdarkly.com/profile) and displays the error: "You cannot change your email address as it is connected to Google."
- Affected members cannot update their own email addresses when their organization is using username and password and OAuth for authentication, even after your organization disables SSO or SCIM or switches to test-drive mode.
Cause
Your LaunchDarkly member account is linked to Google OAuth. This happens to any account that has ever signed in using the Sign in with Google button on the LaunchDarkly login page, even once. After a member account is linked via Google OAuth, LaunchDarkly locks the email field on the profile page because the email is considered managed by Google.
This Google OAuth link is a property of the individual member, not of the organization. It is independent of your organization's SAML, SSO, or SCIM configuration. Disabling SSO or switching SSO providers does not remove the link.
If you are the affected member, you will need someone with LaunchDarkly Admin access to help resolve the issue. Contact a LaunchDarkly administrator at your organization and ask them to follow the procedure in the Solution section below. The fix is administrator-only.
Solution
The only supported path to resolve this is to recreate the affected member with a new email address. Here's how to recreate the affected member:
- An organization administrator removes the affected member from LaunchDarkly under Settings > Members.
- The administrator invites the member again using the new email address.
- The member accepts the invite and creates their LaunchDarkly account using the new email.
- When signing in for the first time with the new account, the member must use email and password (or your organization's SSO or SCIM) — not the Sign in with Google button. Using Sign in with Google will re-link the new account to Google OAuth and reproduce the same lock.
After recreation, the member can sign in normally. Custom roles, team memberships, and any personal access tokens associated with the old member account will need to be reconfigured, as they are tied to the removed account.
Planning an organization-wide migration
If you are migrating email domains, switching SSO or SCIM providers, or otherwise need to change email addresses for members in your organization, expect that any member who has ever used Sign in with Google will be in this state and will need to be recreated.
There is no bulk admin action to unlink Google OAuth or migrate emails across the organization. Plan to:
- Identify affected members in advance. These are the members whose email cannot be changed through the profile page.
- Communicate the recreation step to those members in advance, including the loss of personal access tokens and per-member configuration that comes with it.
- After recreation, instruct affected members not to use Sign in with Google when signing in for the first time on the new account. Direct them to sign in through your IdP (if SSO or SCIM is enabled) or with email and password.
- Plan to re-grant custom roles and team memberships after recreation.