
Configure secure authentication for your LaunchNotes workspace

Understanding Google SSO, JWT and SAML

Written by Chelsea Davis
Updated today

Summary

You can set up secure authentication for your LaunchNotes workspace by choosing from three methods: Google SSO for quick team access, JWT for embedded integrations, or SAML for enterprise-grade security and compliance. Each method handles authentication (verifying who someone is) and authorization (deciding if they can access your content) differently.


Understanding authentication vs. authorization

Before choosing an authentication method, it helps to understand two key concepts:

  • Authentication answers the question: "Who is this person?" It's the process of verifying someone's identity, typically through credentials like passwords, tokens, or single sign-on.

  • Authorization answers the question: "Can this person access this content?" It's the process of determining whether an authenticated user has permission to view your LaunchNotes page.

Different authentication methods split these responsibilities between LaunchNotes and your organization in different ways.


Choosing the right authentication method

LaunchNotes supports three authentication approaches, each designed for different use cases and levels of control.

Google SSO

Google SSO handles both authentication and authorization through LaunchNotes. When someone signs in with Google, LaunchNotes verifies their identity through Google's authentication system. Then LaunchNotes checks if their email domain matches your allowed domains list to authorize access. This means LaunchNotes takes care of both verifying who the person is and deciding if they can access your content. Setup takes just a few minutes and works across all LaunchNotes plans.

JWT (JSON Web Token)

JWT splits the responsibility: you handle authorization, and LaunchNotes handles authentication. You decide which users should receive a JWT token based on your own business rules and access policies. LaunchNotes then authenticates users by verifying the token is valid, but it's your responsibility to determine who gets a token in the first place. This gives you complete control over access decisions while LaunchNotes handles the technical authentication. JWT is ideal for embedding LaunchNotes content in your application where you already have your own user management system.

SAML

SAML delegates both authentication and authorization to your IT organization through your identity provider (like Okta, Azure AD, or OneLogin). Your IT team controls who can access LaunchNotes by assigning users in your identity provider, and they handle the authentication process when users sign in. This centralized approach is almost exclusively used for internal LaunchNotes pages where you need enterprise-grade security controls, compliance audit trails, and centralized access management. SAML is available on our Premium plan.


Google SSO (Single Sign-On)

What it does

Google SSO allows your team members to sign in to LaunchNotes using their Google Workspace credentials. This eliminates the need for separate passwords and streamlines access management.

How to enable Google SSO

  1. Open your LaunchNotes workspace

  2. Navigate to Settings > Security

  3. Locate Google SSO and click Select SSO

  4. Click Go to authorization

  5. Click Add allowed email domain to add a domain.

Important notes

  • Team members must have a Google account with an email domain that matches your organization

  • You can restrict which Google Workspace domains are allowed to sign in

  • Existing team members will receive an email notification when Google SSO is enabled


JWT (JSON Web Token) Authentication

What it does

JWT authentication lets you build custom authentication flows between your application and LaunchNotes. This is ideal if you want to embed LaunchNotes content in your product while maintaining your own user authentication system.

Use cases for JWT

  • Embedding your LaunchNotes feed directly in your application

  • Showing personalized content based on your users' attributes

  • Maintaining a seamless user experience without requiring separate login

How to set up JWT authentication

  1. Navigate to Settings > Integrations > Authentication

  2. Select JWT Configuration

  3. Copy the JWT Secret that was auto-generated for you

  4. Configure your token payload with required claims:

    • sub (subject): User identifier

    • aud (audience): Project ID

    • iat (issued at): Timestamp when the token was created

    • exp (expiration): Token expiration timestamp. Required; it sets the lifetime of the token

  5. Implement JWT signing in your application using the shared secret

  6. Pass the signed token when embedding LaunchNotes content

Security best practices

  • Set reasonable expiration times. The shorter the expiration time, the better for security.

  • Rotate your signing secret periodically

  • Validate the user server-side before generating a token for them

Troubleshooting JWT

  • Token rejected: Verify your signing secret matches exactly

  • Authentication fails: Check that your token hasn't expired

  • JWT documentation: https://www.jwt.io/
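
Example: signing and pre-checking a token server-side. This is an added illustration of steps 4 and 5 and of the two troubleshooting causes above, not code from LaunchNotes. It assumes the token is signed with HS256 (the page only says "shared secret"); the function names, secret and IDs are hypothetical placeholders, and check_token is a local pre-flight check, not LaunchNotes' own verification.

```python
import base64, hashlib, hmac, json, time

REQUIRED = ("sub", "aud", "iat", "exp")  # the four claims listed in step 4

def _b64url(data):
    # JWT segments are URL-safe base64 without padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(secret, signing_input):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def sign_token(secret, user_id, project_id, ttl=300, now=None):
    """Build and sign a token server-side. HS256 is an assumption."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "aud": project_id, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    return signing_input + "." + _b64url(_mac(secret, signing_input))

def check_token(token, secret, project_id, now=None):
    """Local pre-flight check; returns 'ok' or the reason for rejection."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_unb64url(head)), json.loads(_unb64url(body))
        signature = _unb64url(sig)
    except ValueError:
        return "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return "malformed"
    if header.get("alg") != "HS256":  # never accept "none" or another alg
        return "unexpected alg"
    # Constant-time comparison; any difference in the secret fails here
    if not hmac.compare_digest(signature, _mac(secret, head + "." + body)):
        return "bad signature"
    if any(c not in claims for c in REQUIRED) or not isinstance(claims["exp"], (int, float)):
        return "missing or invalid claim"
    if claims["aud"] != project_id:
        return "wrong audience"
    if claims["exp"] <= now:
        return "expired"
    return "ok"
```

Keep the secret in server-side configuration only. A secret pasted with stray whitespace produces "bad signature", which is the "Token rejected" case above.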


SAML (Security Assertion Markup Language)

What it does

SAML provides enterprise-grade single sign-on, allowing your team to authenticate through your organization's identity provider (like Okta, Azure AD, OneLogin, or Google Workspace). This gives you centralized control over user access, stronger security policies, and detailed audit logs.

Why choose SAML?

  • Centralized access control: Manage all user access from your identity provider

  • Enhanced security: Enforce multi-factor authentication and conditional access policies

  • Compliance: Meet SOC 2, HIPAA, or other regulatory requirements

  • Audit trails: Track authentication events through your identity provider

  • Automatic provisioning: Add and remove user access instantly when team members join or leave

Availability

SAML authentication is available on Premium plans. If you're on a lower-tier plan and need SAML, contact our sales team to discuss upgrading.

How to configure SAML

  1. Navigate to Settings > Team & Security > Authentication

  2. Select SAML Configuration

  3. Copy your LaunchNotes SAML metadata:

    • Entity ID (Service Provider ID)

    • ACS (Assertion Consumer Service) URL

    • Single Logout URL (optional)

  4. In your identity provider (Okta, Azure AD, etc.):

    • Create a new SAML application

    • Paste the LaunchNotes metadata values

    • Configure attribute mappings (email, name, groups)

  5. Copy your identity provider's metadata back to LaunchNotes:

    • SSO URL

    • Entity ID

    • X.509 Certificate

  6. Click Save and Test Connection

  7. Assign users in your identity provider to grant them access to LaunchNotes

Supported identity providers

  • Okta

  • Azure Active Directory

  • Google Workspace

  • OneLogin

  • Auth0

  • Any SAML 2.0 compliant identity provider

Required SAML attributes

  • email (required): User's email address

  • firstName (recommended): User's first name

  • lastName (recommended): User's last name

  • groups (optional): For role-based access control

Enforcing SAML for all users

Once SAML is configured and tested:

  1. Go to Settings > Team & Security

  2. Enable Require SAML for all team members

  3. Set a grace period (recommended: 7 days) to allow team members to transition

  4. All password-based logins will be disabled after the grace period

Troubleshooting SAML

  • Connection test fails: Verify your X.509 certificate is correctly formatted and hasn't expired

  • Users can't sign in: Check that users are assigned to the LaunchNotes app in your identity provider

  • Attribute mapping errors: Ensure the email attribute is being sent correctly from your identity provider

  • Certificate errors: Make sure you copied the entire certificate including the header and footer lines

