SSO, JWT & SAML

Understanding SSO options and installation instructions

Written by Chelsea Davis
Updated this week

Summary

LaunchNotes supports secure single sign-on through Google, SAML, or JWT authentication. This lets your team access LaunchNotes using your existing authentication system, improving security and simplifying login management.

Out of the box, LaunchNotes supports team member login via:

  • Email and password

  • Google account

  • Microsoft account

Additionally, LaunchNotes integrates with any Identity Provider (IdP) that supports SAML 2.0, including:

  • Okta

  • PingID

  • Microsoft ADFS

  • OneLogin

  • And others


Understanding your options

LaunchNotes offers three authentication methods, each designed for different use cases:

  • Google SSO (All plans) - Quick team access using Google Workspace credentials. LaunchNotes handles both authentication and authorization by verifying identities through Google and checking email domains against your allowed list. Setup takes just a few minutes.

  • SAML (Premium Plans) - Enterprise-grade security where your identity provider (like Okta, Azure AD, or OneLogin) controls both authentication and authorization. Your IT team manages who can access LaunchNotes through centralized policies, compliance controls, and audit trails.

  • JWT (All plans) - Custom authentication for embedded integrations. You control authorization by deciding who receives tokens, while LaunchNotes handles authentication by verifying those tokens. Ideal when embedding LaunchNotes content in your application.


Setting up Google SSO

Google SSO allows team members to sign in with their Google Workspace credentials:

  1. Open your LaunchNotes workspace

  2. Navigate to Settings > Security

  3. Locate Google SSO and click Select SSO

  4. Click Go to authorization

  5. Click Add allowed email domain and enter your organization's domain

Important: Team members must have a Google account with an email domain that matches your allowed domains. Existing team members will receive an email notification when Google SSO is enabled.


Setting up SAML authentication

SAML provides enterprise-grade single sign-on through your organization's identity provider.

Why choose SAML?

  • Centralized access control - Manage all user access from your identity provider

  • Enhanced security - Enforce multi-factor authentication and conditional access policies

  • Compliance - Meet SOC 2, HIPAA, or other regulatory requirements

  • Audit trails - Track authentication events through your identity provider

  • Automatic provisioning - Add and remove user access instantly when team members join or leave

Configuration steps

  1. Navigate to Settings > Team & Security > Authentication

  2. Select SAML Configuration

  3. Copy your LaunchNotes SAML metadata:

    • Entity ID (Service Provider ID)

    • ACS (Assertion Consumer Service) URL

    • Single Logout URL (optional)

  4. In your identity provider (Okta, Azure AD, etc.):

    • Create a new SAML application

    • Paste the LaunchNotes metadata values

    • Configure attribute mappings (email, name, groups)

  5. Copy your identity provider's metadata back to LaunchNotes:

    • SSO URL

    • Entity ID

    • X.509 Certificate

  6. Click Save and Test Connection

  7. Assign users in your identity provider to grant them access

Supported identity providers

  • Okta

  • Azure Active Directory

  • Google Workspace

  • OneLogin

  • Auth0

  • Any SAML 2.0 compliant identity provider

Required SAML attributes

  • email (required) - User's email address

  • firstName (recommended) - User's first name

  • lastName (recommended) - User's last name

  • groups (optional) - For role-based access control

Enforcing SAML for your organization

Once SAML is configured and tested:

  1. Go to Settings > Team & Security

  2. Enable Require SAML for all team members

  3. Set a grace period (recommended: 7 days) to allow team members to transition

  4. All password-based logins will be disabled after the grace period

Note: SAML authentication is available on Premium plans. Contact [email protected] to discuss upgrading if you're on a different plan.


Setting up JWT authentication

JWT authentication is ideal for embedding LaunchNotes content in your application while maintaining your own user authentication system.

Use cases for JWT

  • Embedding your LaunchNotes feed directly in your application

  • Showing personalized content based on your users' attributes

  • Maintaining a seamless user experience without requiring separate login

Configuration steps

  1. Navigate to Settings > Integrations > Authentication

  2. Select JWT Configuration

  3. Copy the JWT Secret that was auto-generated for you

  4. Configure your token payload with required claims:

    • sub (subject) - User identifier

    • aud - Project ID

    • iat - Timestamp when the token was created

    • exp (expiration) - Token expiration timestamp (required, sets token lifetime)

  5. Implement JWT signing in your application using the shared secret

  6. Pass the signed token when embedding LaunchNotes content

Security best practices

  • Set reasonable expiration times (shorter is better for security)

  • Rotate your signing secret periodically

  • Validate tokens server-side before generating them

For more technical details, visit jwt.io.
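
The configuration steps above, as an added example (not LaunchNotes' own code): minting a short-lived token server-side with the four listed claims, plus a local pre-check for the rejection causes named under Troubleshooting. HS256 is an assumption, since the page only says "shared secret"; `mint_token`, `rejection_reason`, and the sample secret and project ID used with them are hypothetical.

```python
import base64, hashlib, hmac, json, time

REQUIRED_CLAIMS = ("sub", "aud", "iat", "exp")  # claims listed in the configuration steps

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(secret: str, signing_input: str) -> str:
    mac = hmac.new(secret.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256)
    return b64url(mac.digest())

def mint_token(secret, user_id, project_id, ttl_seconds=300, now=None):
    """Build a short-lived token; call only after your own login check has passed."""
    iat = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}  # assumption: HMAC-SHA256
    claims = {"sub": str(user_id), "aud": project_id, "iat": iat, "exp": iat + ttl_seconds}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + sign(secret, signing_input)

def rejection_reason(token, secret, project_id, now=None):
    """Return None if the token passes these local checks, else why it would fail."""
    try:
        header_b64, claims_b64, signature = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
    except ValueError:
        return "malformed token"
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return "unexpected algorithm"  # never accept "none" or a swapped algorithm
    expected = sign(secret, header_b64 + "." + claims_b64)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return "signature mismatch"  # secret differs from the one used to sign
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        return "missing claims: " + ", ".join(missing)
    if claims["aud"] != project_id:
        return "wrong audience"
    if int(time.time() if now is None else now) >= claims["exp"]:
        return "expired"
    return None
```

Keep the secret and `mint_token` on your server; the browser should only ever receive the signed token.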


Two-factor authentication (2FA)

LaunchNotes doesn't offer built-in two-factor authentication. However, when using SAML authentication, you can enforce 2FA and other conditional access policies through your identity provider. This gives you centralized control over authentication security requirements.


Notes & important info

Authentication vs. Authorization: Different methods split these responsibilities differently. Google SSO and SAML handle both through their respective systems. JWT splits them - you control who gets tokens (authorization), and LaunchNotes verifies those tokens (authentication).

Plan requirements: Google SSO and JWT are available on all plans. SAML requires a Premium or Enterprise plan.

Multiple authentication methods: You can enable multiple methods simultaneously. Team members can use whichever authentication method works best for them, though many organizations prefer to standardize on SAML for security and compliance reasons.


Troubleshooting

  • SAML connection test fails - Verify your X.509 certificate is correctly formatted and hasn't expired. Ensure you copied the entire certificate including the header and footer lines.

  • Users can't sign in with SAML - Check that users are assigned to the LaunchNotes app in your identity provider. Verify they're accessing LaunchNotes through your identity provider's portal.

  • SAML attribute mapping errors - Ensure the email attribute is being sent correctly from your identity provider. This is the required field for successful authentication.

  • JWT token rejected - Verify your signing secret matches exactly what appears in LaunchNotes. Check that your token hasn't expired and includes all required claims.

  • I can't find the SAML setup option - SAML authentication requires a Premium or Enterprise plan. Contact [email protected] to discuss plan options.
