Overview
LangSmith supports Single Sign-On (SSO) via SAML and OIDC with corporate identity providers such as Okta, Azure AD, Duo, and others. When SSO is configured, users authenticate through their corporate IdP, but the resulting session token is issued by LangSmith's internal auth layer, not by the IdP directly.
How SSO Login Works
1. The user initiates login from the LangSmith UI.
2. LangSmith redirects the user to their corporate IdP (e.g., Okta, Duo) for authentication.
3. The IdP authenticates the user and sends an assertion back to LangSmith.
4. LangSmith's auth layer validates the assertion and issues its own session token (JWT).
5. The browser uses this LangSmith-issued JWT for all subsequent API calls.
This means the JWT `iss` (issuer) claim references LangSmith's auth infrastructure, not the corporate IdP, even though the user authenticated against the IdP. This is expected behavior and applies to all LangSmith users regardless of the upstream SSO provider.
Implications for Hybrid Deployments
In a hybrid deployment, the LangSmith UI (running in the user's browser) makes API calls directly to Agent Servers running in the customer's Kubernetes cluster through the customer-managed ingress. These requests carry the LangSmith-issued JWT.
The Agent Server validates these tokens by calling back to the LangSmith SaaS backend; it does not verify the JWT signature or issuer locally, so it needs outbound network access to the LangSmith backend for this check. Any request with an invalid or missing token is rejected by the Agent Server itself.
Common issue: 401 errors from infrastructure-level JWT validation
If the customer's ingress or service mesh (e.g., Istio) is configured to validate JWT issuers at the infrastructure level, it may reject LangSmith-issued tokens with a 401 because the `iss` claim does not match the corporate IdP, even though the token is valid and would be accepted by the Agent Server. Symptoms include:
- 401 errors when browsing deployment details (threads, assistants) in the LangSmith UI
- Studio not loading or returning authentication errors
- API calls to Agent Servers failing despite a successful SSO login
Resolution: Exclude Agent Server traffic from infrastructure-level JWT validation (for example, an Istio RequestAuthentication or AuthorizationPolicy that applies namespace-wide or at the ingress gateway) and let the Agent Server authenticate requests at the application layer, which it already does by validating each token against the LangSmith backend. Scope the exclusion to the Agent Server workloads only; other services in the cluster should keep their issuer checks. When troubleshooting, note that Istio returns 401 for a token that fails a RequestAuthentication rule and 403 for a request denied by an AuthorizationPolicy, so the status code indicates which policy type to inspect first.
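The following Istio configuration is an added illustration of the resolution above; it is not LangSmith's own configuration and is not taken from the original page. It assumes a hypothetical namespace `langsmith-hybrid`, a hypothetical Agent Server pod label `app: agent-server`, a hypothetical internal service labelled `app: internal-api` that genuinely uses corporate-IdP tokens, and an Okta issuer at `https://example.okta.com/oauth2/default` as a placeholder IdP. The first policy is the weak, namespace-wide form that produces the 401s; the second and third scope issuer validation to the workload that needs it, leaving the Agent Server to validate tokens itself.

```yaml
# Added example, not LangSmith's configuration. Namespace, labels and the Okta
# issuer/JWKS URLs below are placeholders chosen for illustration.

# BEFORE (problematic): no selector, so the rule applies to every workload in the
# namespace, including the Agent Server. Istio then rejects any JWT whose issuer is
# not the corporate IdP with 401, and LangSmith-issued tokens never reach the app.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: corp-idp-jwt
  namespace: langsmith-hybrid
spec:
  jwtRules:
  - issuer: "https://example.okta.com/oauth2/default"
    jwksUri: "https://example.okta.com/oauth2/default/v1/keys"
---
# AFTER: the same rule, scoped with a selector to the workload that really receives
# corporate-IdP tokens. RequestAuthentication selectors are positive matches only
# (there is no "exclude" field), so the Agent Server is left out by not being named.
# Pods labelled app: agent-server receive no mesh-level issuer check and perform
# their own token validation against the LangSmith backend.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: corp-idp-jwt
  namespace: langsmith-hybrid
spec:
  selector:
    matchLabels:
      app: internal-api   # hypothetical service that does use corporate-IdP JWTs
  jwtRules:
  - issuer: "https://example.okta.com/oauth2/default"
    jwksUri: "https://example.okta.com/oauth2/default/v1/keys"
---
# Companion AuthorizationPolicy, also scoped to internal-api only. RequestAuthentication
# alone lets requests with NO token through; this policy requires an authenticated
# principal from the corporate issuer on that workload. It must not be applied
# namespace-wide either, or Agent Server requests would be denied with 403.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-corp-idp-jwt
  namespace: langsmith-hybrid
spec:
  selector:
    matchLabels:
      app: internal-api
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["https://example.okta.com/oauth2/default/*"]
```

To confirm nothing still targets the Agent Server, list the policies in the namespace with `kubectl get requestauthentication,authorizationpolicy -n langsmith-hybrid -o yaml` and check that every entry has a `selector` that does not match the Agent Server pods; a policy without a selector applies to the whole namespace.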
Key Takeaways
SSO login flows through the corporate IdP, but the session token is issued by LangSmith's auth layer. This is by design and is not configurable.
The Agent Server validates tokens by calling back to the LangSmith backend. It does not inspect the JWT issuer locally.
Infrastructure-level JWT validation policies should exclude Agent Server traffic to avoid false 401 rejections.