Skip to main content
This page covers user management features in LangSmith, including access control, authentication, and automated user provisioning:
  • Set up access control: Configure role-based access control (RBAC) to manage user permissions within workspaces, including creating custom roles and assigning them to users.
  • SAML SSO (Enterprise plan): Set up Single Sign-On authentication for Enterprise customers using SAML 2.0, including configuration for popular identity providers.
  • SCIM User Provisioning (Enterprise plan, Beta): Automate user provisioning and deprovisioning between your identity provider and LangSmith using SCIM.

Set up access control

RBAC (Role-Based Access Control) is a feature that is only available to Enterprise customers. If you are interested in this feature, contact the LangChain sales team at sales@langchain.dev. Other plans default to using the Admin role for all users.
You may find it helpful to read the Administration overview page before setting up access control.
LangSmith relies on RBAC to manage user permissions within a workspace. This allows you to control who can access your LangSmith workspace and what they can do within it. Only users with the workspace:manage permission can manage access control settings for a workspace.

Create a role

By default, LangSmith comes with a set of system roles:
  • Admin: has full access to all resources within the workspace.
  • Viewer: has read-only access to all resources within the workspace.
  • Editor: has full permissions except for workspace management (adding/removing users, changing roles, configuring service keys).
If these do not fit your access model, Organization Admins can create custom roles to suit your needs. To create a role, navigate to the Roles tab in the Members and roles section of the Organization settings page. Note that new roles that you create will be usable across all workspaces within your organization. Click on the Create Role button to create a new role. A Create role form will open. Create Role Assign permissions for the different LangSmith resources that you want to control access to.

Assign a role to a user

Once you have your roles set up, you can assign them to users. To assign a role to a user, navigate to the Workspace members tab in the Workspaces section of the Organization settings page Each user will have a Role dropdown that you can use to assign a role to them. Assign Role You can also invite new users with a given role. Invite User

Set up SAML SSO for your organization

Single Sign-On (SSO) functionality is available for Enterprise Cloud customers to access LangSmith through a single authentication source. This allows administrators to centrally manage team access and keeps information more secure. LangSmith’s SSO configuration is built using the SAML (Security Assertion Markup Language) 2.0 standard. SAML 2.0 enables connecting an Identity Provider (IdP) to your organization for an easier, more secure login experience. SSO services permit a user to use one set of credentials (for example, a name or email address and password) to access multiple applications. The service authenticates the end user only once for all the applications the user has been given rights to and eliminates further prompts when the user switches applications during the same session. The benefits of SSO include:
  • Streamlines user management across systems for organization owners.
  • Enables organizations to enforce their own security policies (e.g., MFA).
  • Removes the need for end users to remember and manage multiple passwords. Simplifies the end-user experience, by allowing sign in at one single access point across multiple applications.

Prerequisites

SAML SSO is available for organizations on the Enterprise plan. Please contact sales to learn more.
  • Your organization must be on an Enterprise plan.
  • Your Identity Provider (IdP) must support the SAML 2.0 standard.
  • Only Organization Admins can configure SAML SSO.
For instructions on using SCIM along with SAML for user provisioning and deprovisioning, refer to the SCIM setup.

Initial configuration

See IdP-specific instructions below
The URLs are different for the US and EU. Ensure you select your region from the dropdown in the top right.
  1. In your IdP: Configure a SAML application with the following details, then copy the metadata URL or XML for step 3.
    1. Single sign-on URL (or ACS URL): https://auth.langchain.com/auth/v1/sso/saml/acs.
    2. Audience URI (or SP Entity ID): https://auth.langchain.com/auth/v1/sso/saml/metadata
    3. Name ID format: email address.
    4. Application username: email address.
    5. Required claims: sub and email.
  2. In LangSmith: Go to Settings -> Members and roles -> SSO Configuration. Fill in the required information and submit to activate SSO login:
    1. Fill in either the SAML metadata URL or SAML metadata XML.
    2. Select the Default workspace role and Default workspaces. New users logging in via SSO will be added to the specified workspaces with the selected role.
  • Default workspace role and Default workspaces are editable. The updated settings will apply to new users only, not existing users.
  • (Coming soon) SAML metadata URL and SAML metadata XML are editable. This is usually only necessary when cryptographic keys are rotated/expired or the metadata URL has changed but the same IdP is still used.

Just-in-time (JIT) provisioning

LangSmith supports Just-in-Time provisioning when using SAML SSO. This allows someone signing in via SAML SSO to join the organization and selected workspaces automatically as a member.
JIT provisioning only runs for new users, that is, users who do not already have access to the organization with the same email address via a different login method.

Login methods and access

Once you have completed your configuration of SAML SSO for your organization, users will be able to log in via SAML SSO in addition to other login methods, such as username/password and Google Authentication”:
  • When logged in via SAML SSO, users can only access the corresponding organization with SAML SSO configured.
  • Users with SAML SSO as their only login method do not have personal organizations.
  • When logged in via any other method, users can access the organization with SAML SSO configured along with any other organizations they are a part of.

Enforce SAML SSO only

To ensure users can only access the organization when logged in using SAML SSO and no other method, check the Login via SSO only checkbox and click Save. Once this happens, users accessing the organization that are logged-in via a non-SSO login method are required to log back in using SAML SSO. This setting can be switched back to allow all login methods by unselecting the checkbox and clicking Save.
You must be logged in via SAML SSO in order to update this setting to Only SAML SSO. This is to ensure the SAML settings are valid and avoid locking users out of your organization.
For troubleshooting, refer to the SAML SSO FAQs. If you have issues setting up SAML SSO, reach out to the LangChain support team at support@langchain.dev.

Identity Provider (IdP) Setup

These are instructions for setting up LangSmith SAML SSO with Entra ID (formerly Azure), Google, and Okta. If you use a different Identity Provider and need assistance with configuration, contact the LangChain support team.

Entra ID (Azure)

For additional information, see Microsoft’s documentation. Step 1: Create a new Entra ID application integration
  1. Log in to the Azure portal with a privileged role (e.g., Global Administrator). On the left navigation pane, select the Entra ID service.
  2. Navigate to Enterprise Applications and then select All Applications.
  3. Click Create your own application.
  4. In the Create your own application window:
    1. Enter a name for your application (e.g., LangSmith).
    2. Select *Integrate any other application you don’t find in the gallery (Non-gallery)**.
  5. Click Create.
Step 2: Configure the Entra ID application and obtain the SAML Metadata
  1. Open the enterprise application that you created.
  2. In the left-side navigation, select Manage > Single sign-on.
  3. On the Single sign-on page, click SAML.
  4. Update the Basic SAML Configuration:
    1. Identifier (Entity ID): https://auth.langchain.com/auth/v1/sso/saml/metadata.
    2. Reply URL (Assertion Consumer Service URL): https://auth.langchain.com/auth/v1/sso/saml/acs.
    3. Leave Relay State, Logout Url, and Sign on URL empty.
    4. Click Save.
  5. Ensure required claims are present with Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims:
    1. sub: user.objectid.
    2. emailaddress: user.userprincipalname or user.mail (if using the latter, ensure all users have the Email field filled in under Contact Information).
    3. (Optional) For SCIM, see the setup documentation for specific instructions about Unique User Identifier (Name ID).
  6. On the SAML-based Sign-on page, under SAML Certificates, copy the App Federation Metadata URL.
Step 3: Set up LangSmith SSO Configuration Follow the instructions under initial configuration in the Fill in required information step, using the metadata URL from the previous step. Step 4: Verify the SSO setup
  1. Assign the application to users/groups in Entra ID:
    1. Select Manage > Users and groups.
    2. Click Add user/group.
    3. In the Add Assignment window:
      1. Under Users, click None Selected.
      2. Search for the user you want to assign to the enterprise application, and then click Select.
      3. Verify that the user is selected, and click Assign.
  2. Have the user sign in via the unique login URL from the SSO Configuration page, or go to Manage > Single sign-on and select Test single sign-on with (application name).

Google

For additional information, see Google’s documentation. Step 1: Create and configure the Google Workspace SAML application
  1. Make sure you’re signed into an administrator account with the appropriate permissions.
  2. In the Admin console, go to Menu -> Apps -> Web and mobile apps.
  3. Click Add App and then Add custom SAML app.
  4. Enter the app name and, optionally, upload an icon. Click Continue.
  5. On the Google Identity Provider details page, download the IDP metadata and save it for Step 2. Click Continue.
  6. In the Service Provider Details window, enter:
    1. ACS URL: https://auth.langchain.com/auth/v1/sso/saml/acs
    2. Entity ID: https://auth.langchain.com/auth/v1/sso/saml/metadata
    3. Leave Start URL and the Signed response box empty.
    4. Set Name ID format to EMAIL and leave Name ID as the default (Basic Information > Primary email).
    5. Click Continue.
  7. Use Add mapping to ensure required claims are present:
    1. Basic Information > Primary email -> email
Step 2: Set up LangSmith SSO Configuration Follow the instructions under initial configuration in the Fill in required information step, using the IDP metadata from the previous step as the metadata XML. Step 3: Turn on the SAML app in Google
  1. Select the SAML app under Menu -> Apps -> Web and mobile apps
  2. Click User access.
  3. Turn on the service:
    1. To turn the service on for everyone in your organization, click On for everyone, and then click Save.
    2. To turn the service on for an organizational unit:
      1. At the left, select the organizational unit then On.
      2. If the Service status is set to Inherited and you want to keep the updated setting, even if the parent setting changes, click Override.
      3. If the Service status is set to Overridden, either click Inherit to revert to the same setting as its parent, or click Save to keep the new setting, even if the parent setting changes.
    3. To turn on a service for a set of users across or within organizational units, select an access group. For details, go to Use groups to customize service access.
  4. Ensure that the email addresses your users use to sign in to LangSmith match the email addresses they use to sign in to your Google domain.
Step 4: Verify the SSO setup Have a user with access sign in via the unique login URL from the SSO Configuration page, or go to the SAML application page in Google and click TEST SAML LOGIN.

Okta

For additional information, see Okta’s documentation. Step 1: Create and configure the Okta SAML application
  1. Log in to Okta as an administrator, and go to the Okta Admin console.
  2. Under Applications > Applications click Create App Integration.
  3. Select SAML 2.0.
  4. Enter an App name (e.g., LangSmith) and optionally an App logo, then click Next.
  5. Enter the following information in the Configure SAML page:
    1. Single sign-on URL (ACS URL): https://auth.langchain.com/auth/v1/sso/saml/acs. Keep Use this for Recipient URL and Destination URL checked.
    2. Audience URI (SP Entity ID): https://auth.langchain.com/auth/v1/sso/saml/metadata.
    3. Name ID format: EmailAddress.
    4. Application username: email.
    5. Leave the rest of the fields empty or set to their default.
    6. Click Next.
  6. Click Finish.
  7. Copy the Metadata URL from the Sign On page to use in the next step.
Step 2: Set up LangSmith SSO Configuration Follow the instructions under initial configuration in the Fill in required information step, using the metadata URL from the previous step. Step 3: Assign users to LangSmith in Okta
  1. Under Applications > Applications, select the SAML application created in Step 1.
  2. Under the Assignments tab, click Assign then either Assign to People or Assign to Groups.
  3. Make the desired selection(s), then Assign and Done.
Step 4: Verify the SSO setup Have a user with access sign in via the unique login URL from the SSO Configuration page, or have a user select the application from their Okta dashboard.

Set up SCIM for your organization (beta)

System for Cross-domain Identity Management (SCIM) is an open standard that allows for the automation of user provisioning. Using SCIM, you can automatically provision and de-provision users in your LangSmith organization and workspaces, keeping user access synchronized with your organization’s identity provider.
SCIM is available for organizations on the Enterprise plan. Contact sales to learn more.SCIM is available on Helm chart versions 0.10.41 (application version 0.10.108) and later.While in Beta, SCIM support is API-only (see instructions below).
SCIM eliminates the need for manual user management and ensures that user access is always up-to-date with your organization’s identity system. This allows for:
  • Automated user management: Users are automatically added, updated, and removed from LangSmith based on their status in your IdP.
  • Reduced administrative overhead: No need to manage user access manually across multiple systems.
  • Improved security: Users who leave your organization are automatically deprovisioned from LangSmith.
  • Consistent access control: User attributes and group memberships are synchronized between systems.
  • Scaling team access control: Efficiently manage large teams with many workspaces and custom roles.
  • Role assignment: Select specific Organization Roles and Workspace Roles for groups of users.

Role Precedence

When a user belongs to multiple groups for the same workspace, the following precedence applies:
  1. Organization Admin groups take highest precedence. Users in these groups will be Admin in all workspaces.
  2. Most recently created workspace-specific group takes precedence over other workspace groups.
When a group is deleted or a user is removed from a group, their access is updated according to their remaining group membership, following the precedence rules.SCIM group membership will override manually assigned roles or roles assigned via Just-in-Time (JIT) provisioning. We recommend disabling JIT provisioning to avoid conflicts.

Group Naming Convention

Group membership maps to LangSmith workspace membership and workspace roles with a specific naming convention: Organization Admin Groups Format: <optional_prefix>Organization Admin or <optional_prefix>Organization Admins Examples:
  • LS:Organization Admins
  • Groups-Organization Admins
  • Organization Admin
** Workspace-Specific Groups** Format: <optional_prefix><org_role_name>:<workspace_name>:<workspace_role_name> Examples:
  • LS:Organization User:Production:Annotators
  • Groups-Organization User:Engineering:Developers
  • Organization User:Marketing:Viewers

Email verification

In cloud only, creating a new user with SCIM triggers an email to the user. They must verify their email address by clicking the link in this email. The link expires in 24 hours, and can be resent if needed by removing and re-adding the user via SCIM.

Prerequisites

  • Your organization must be on an Enterprise plan.
  • Your Identity Provider (IdP) must support SCIM 2.0.
  • Only Organization Admins can configure SCIM.
  • For cloud customers: SAML SSO must be configured for your organization.
  • For self-hosted customers: OAuth with Client Secret authentication mode must be enabled.
Note the following:
  • Support for Okta is not yet released. If you are interested in using Okta with SCIM, please let us know at support@langchain.dev.
  • Other identity providers have not been tested but may function depending on their SCIM implementation.

Step 1: Configure SAML SSO (Cloud only)

If you’re using LangSmith Cloud, ensure SAML SSO is configured for your organization. LangSmith uses the SAML NameID to identify users. The NameID is a required field in the SAML response and is case-insensitive. The NameID must:
  1. Be unique to each user.
  2. Be a persistent value that never changes, such as a randomly generated unique user ID.
  3. Match exactly on each sign-in attempt. It should not rely on user input.
The NameID should not be an email address or username because email addresses and usernames are more likely to change over time and can be case-sensitive. The NameID format must be Persistent, unless you are using a field, like email, that requires a different format.

Step 2: Disable JIT provisioning (Cloud only)

Before enabling SCIM, disable Just-in-Time (JIT) provisioning to prevent conflicts between automatic and manual user provisioning. Use the PATCH /orgs/current/info endpoint: 
curl -X PATCH $LANGCHAIN_ENDPOINT/orgs/current/info \
  -H "X-Api-Key: $LANGCHAIN_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"jit_provisioning_enabled": false}'

Step 3: Generate SCIM bearer token

Generate a SCIM Bearer Token for your organization. This token will be used by your IdP to authenticate SCIM API requests. Ensure env vars are set appropriately, for example: 
curl -X POST $LANGCHAIN_ENDPOINT/v1/platform/orgs/current/scim/tokens \
  -H "X-Api-Key: $LANGCHAIN_API_KEY" \
  -H "X-Organization-Id: $LANGCHAIN_ORGANIZATION_ID" \
  -H "Content-Type: application/json" \
  -d '{"description": "Your description here"}'
Note that the SCIM Bearer Token value is not available outside of the response to this request. These additional endpoints are present:
  • GET /v1/platform/orgs/current/scim/tokens
  • GET /v1/platform/orgs/current/scim/tokens/{scim_token_id}
  • PATCH /v1/platform/orgs/current/scim/tokens/{scim_token_id} (only the description field is supported)
  • DELETE /v1/platform/orgs/current/scim/tokens/{scim_token_id}

Step 4: Configure your Identity Provider

Follow the IdP-specific instructions to configure SCIM integration.

Azure Entra ID

For additional information, see Microsoft’s documentation. Step 1: Configure SCIM in your Enterprise Application
  1. Log in to the Azure portal with a privileged role (e.g., Global Administrator).
  2. Navigate to your existing LangSmith Enterprise Application.
  3. In the left-side navigation, select Manage > Provisioning.
  4. Click Get started.
Step 2: Configure Admin credentials
  1. Under Admin Credentials:
    • Tenant URL:
      • US: https://api.smith.langchain.com/scim/v2
      • EU: https://eu.api.smith.langchain.com/scim/v2
      • Self-hosted: <langsmith_url>/scim/v2
    • Secret Token: Enter the SCIM Bearer Token generated in Step 3.
  2. Click Test Connection to verify the configuration.
  3. Click Save.
Step 3: Configure Attribute Mappings Configure the following attribute mappings under Mappings: User Attributes Set Target Object Actions to Create and Update (start with Delete disabled for safety):
LangSmith App AttributeMicrosoft Entra ID AttributeMatching Precedence
userNameuserPrincipalName
activeNot([IsSoftDeleted])
emails[type eq "work"].valuemail1
name.formatteddisplayName OR Join(" ", [givenName], [surname])2
externalIdobjectId31
  1. User’s email address must be present in Entra ID.
  2. Use the Join expression if your displayName does not match the format of Firstname Lastname.
  3. To avoid inconsistency, this should match the SAML NameID assertion and the sub OAuth2.0 claim. For SAML SSO in cloud, the Unique User Identifier (Name ID) required claim should be user.objectID and the Name identifier format should be persistent.
Group Attributes Set Target Object Actions to Create and Update only (start with Delete disabled for safety):
LangSmith App AttributeMicrosoft Entra ID AttributeMatching Precedence
displayNamedisplayname11
externalIdobjectId
membersmembers
  1. Groups must follow the naming convention described in the Azure Group Naming Convention section.
Step 4: Assign Users and Groups
  1. Under Applications > Applications, select your LangSmith Enterprise Application.
  2. Under the Assignments tab, click Assign then either Assign to People or Assign to Groups.
  3. Make the desired selection(s), then Assign and Done.
Step 5: Enable Provisioning
  1. Set Provisioning Status to On under Provisioning.
  2. Monitor the initial sync to ensure users and groups are provisioned correctly.
  3. Once verified, enable Delete actions for both User and Group mappings.
For troubleshooting, refer to the SAML SSO FAQs. If you have issues setting up SCIM, reach out to the LangChain support team at support@langchain.dev.
I