Single Sign-On (SSO)
LangWatch supports sign-in via various SSO providers. There are two ways to set up SSO:
1. Self-Hosted Deployment
We’ve set up the following providers for you. If you’d prefer a different provider, feel free to reach out to us at [email protected]. For a complete list of possible supported providers, please refer to the NextAuth.js documentation.
Azure AD/Entra ID
📄 NextAuth Azure AD Provider Docs

| Configuration | Value |
|---|---|
| Required Variables | AZURE_AD_CLIENT_ID, AZURE_AD_CLIENT_SECRET, AZURE_AD_TENANT_ID |
| OAuth Redirect URL | /api/auth/callback/azure-ad |

Set NEXTAUTH_PROVIDER to azure-ad in your .env file.
Azure AD Configuration: As of LangWatch version 1.4.0+, Azure AD authentication requires the User.Read permission to be granted in your Azure application registration. Make sure this permission is added to avoid authentication errors.
Okta
📄 Okta Docs

| Configuration | Value |
|---|---|
| Required Variables | OKTA_CLIENT_ID, OKTA_CLIENT_SECRET, OKTA_ISSUER |
| OAuth Redirect URL | /api/auth/callback/okta |

Set NEXTAUTH_PROVIDER to okta in your .env file.
Auth0
📄 NextAuth Auth0 Provider Docs

| Configuration | Value |
|---|---|
| Required Variables | AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET, AUTH0_ISSUER |
| OAuth Redirect URL | /api/auth/callback/auth0 |

Set NEXTAUTH_PROVIDER to auth0 in your .env file.
AWS Cognito
📄 NextAuth Cognito Provider Docs

| Configuration | Value |
|---|---|
| Required ENV Variables | COGNITO_CLIENT_ID, COGNITO_CLIENT_SECRET, COGNITO_ISSUER |
| OAuth Redirect URL | /api/auth/callback/cognito |

Set NEXTAUTH_PROVIDER to cognito in your .env file.
Google

| Configuration | Value |
|---|---|
| Required Variables | GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET |
| OAuth Redirect URL | /api/auth/callback/google |

Set NEXTAUTH_PROVIDER to google in your .env file.
GitHub
📄 NextAuth GitHub Provider Docs

| Configuration | Value |
|---|---|
| Required ENV Variables | GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET |
| OAuth Redirect URL | /api/auth/callback/github |

Set NEXTAUTH_PROVIDER to github in your .env file.
GitLab
📄 NextAuth GitLab Provider Docs

| Configuration | Value |
|---|---|
| Required ENV Variables | GITLAB_CLIENT_ID, GITLAB_CLIENT_SECRET |
| OAuth Redirect URL | /api/auth/callback/gitlab |

Set NEXTAUTH_PROVIDER to gitlab in your .env file.
On-Premises Domain Configuration
If you want to ensure only a single organization is created for on-premises deployments, you can configure the Organization table to map email domains to their corresponding organizations and SSO providers:
- ssoDomain: The email domain for your organization (e.g., yourcompany.com)
- ssoProvider: The SSO provider name matching your NEXTAUTH_PROVIDER value (e.g., azure-ad, okta, auth0)
- New users with matching email domains are automatically assigned to the correct organization
- Users don’t need an explicit invite to join their organization
- Multi-tenant deployments can support multiple organizations with different domains
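As an added example (not LangWatch's own code), this Node.js pre-flight check validates a self-hosted setup against the provider tables above and the ssoDomain/ssoProvider mapping, and returns the redirect URL to register with the identity provider. The baseUrl and org arguments and the sample values are assumptions, and the https test on issuer variables is an added sanity check rather than a documented LangWatch rule.

```javascript
// Added example, not LangWatch code. Provider names, variable names and
// callback paths are the ones listed on this page.
const PROVIDERS = {
  "azure-ad": ["AZURE_AD_CLIENT_ID", "AZURE_AD_CLIENT_SECRET", "AZURE_AD_TENANT_ID"],
  okta: ["OKTA_CLIENT_ID", "OKTA_CLIENT_SECRET", "OKTA_ISSUER"],
  auth0: ["AUTH0_CLIENT_ID", "AUTH0_CLIENT_SECRET", "AUTH0_ISSUER"],
  cognito: ["COGNITO_CLIENT_ID", "COGNITO_CLIENT_SECRET", "COGNITO_ISSUER"],
  google: ["GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET"],
  github: ["GITHUB_CLIENT_ID", "GITHUB_CLIENT_SECRET"],
  gitlab: ["GITLAB_CLIENT_ID", "GITLAB_CLIENT_SECRET"],
};

// Minimal .env parser: KEY=VALUE lines, '#' comments, optional surrounding quotes.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf("=");
    if (line.startsWith("#") || eq < 1) continue;
    const value = line.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, "$2");
    env[line.slice(0, eq).trim()] = value;
  }
  return env;
}

// baseUrl and org (one Organization row) are hypothetical operator-supplied inputs.
function checkSso(envText, baseUrl, org) {
  const env = parseEnv(envText);
  const provider = env.NEXTAUTH_PROVIDER;
  if (!Object.prototype.hasOwnProperty.call(PROVIDERS, provider))
    return { errors: [`unsupported NEXTAUTH_PROVIDER: ${provider}`], redirectUrl: null };
  const errors = [];
  for (const name of PROVIDERS[provider]) {
    if (!env[name]) errors.push(`${name} is missing or empty`);
    // Added sanity check (assumption): OIDC issuer identifiers are https URLs.
    else if (name.endsWith("_ISSUER") && !env[name].startsWith("https://"))
      errors.push(`${name} must be an https:// URL`);
  }
  if (org && org.ssoProvider !== provider)
    errors.push(`ssoProvider "${org.ssoProvider}" does not match NEXTAUTH_PROVIDER`);
  if (org && !/^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(org.ssoDomain || ""))
    errors.push(`ssoDomain "${org.ssoDomain}" is not a bare domain like yourcompany.com`);
  // URL to register as the OAuth redirect URL at the identity provider.
  return { errors, redirectUrl: new URL(`/api/auth/callback/${provider}`, baseUrl).href };
}

// Constructed sample: empty secret and a non-https issuer.
const SAMPLE_ENV = ["NEXTAUTH_PROVIDER=okta", 'OKTA_CLIENT_ID="0oa-example"',
  "OKTA_CLIENT_SECRET=", "OKTA_ISSUER=http://example.okta.com"].join("\n");
```

Calling `checkSso(SAMPLE_ENV, "https://langwatch.example.com", { ssoDomain: "yourcompany.com", ssoProvider: "okta" })` reports the empty secret and the non-https issuer before the deployment is started.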
2. Managed Service (app.langwatch.ai)
If you want to use SSO with our Cloud version, contact our team with the required variables in hand for the following providers:
Azure AD / Entra ID
📄 Azure AD Docs

| Configuration | Value |
|---|---|
| Required Variables | AZURE_AD_CLIENT_ID, AZURE_AD_CLIENT_SECRET, AZURE_AD_TENANT_ID |
| Redirect URL | https://langwatch.eu.auth0.com/login/callback | 
Google Workspace
📄 Google Docs

| Configuration | Value |
|---|---|
| Required Variables | GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET |
| Redirect URL | https://langwatch.eu.auth0.com/login/callback | 
Okta
📄 Okta Docs

| Configuration | Value |
|---|---|
| Required Variables | OKTA_CLIENT_ID, OKTA_CLIENT_SECRET, OKTA_ISSUER |
| Redirect URL | https://langwatch.eu.auth0.com/login/callback | 
Contact Us
Once you have all these details, please contact us so we can set them up from our side. If you use a provider other than the ones listed above, contact us to check availability for a new implementation.
Migrating from Email/Password Authentication
For security reasons, users are not automatically linked between email address and SSO provider; they can only link the two themselves when already signed in. If you’re transitioning from a previous LangWatch setup that used email/password authentication to SSO, you’ll need to enable automatic account linking to prevent “email already exists” errors and ensure a smooth migration for your existing users.
Migration Steps
1. Enable SSO configuration
Configure your chosen SSO provider following the instructions in the sections above, including setting all required environment variables and NEXTAUTH_PROVIDER.
2. Update database for existing users
Run the following SQL command on your LangWatch database to enable automatic account linking:
This flags all existing user accounts to automatically link with their SSO provider when they next sign in.
This is a one-time operation that only affects existing users. New users created after SSO is enabled will not need this flag.
3. Notify your users
Notify your users
Inform your users about the authentication method change. When they next attempt to sign in:
- They should use the SSO sign-in option instead of email/password
- Their existing account will be automatically linked to their SSO identity
- All their projects, data, and permissions will remain intact
Users will maintain access to all their existing resources after the migration.
Support
For any queries or issues, feel free to reach out to us. We are available via:
- Email: [email protected]
- Slack: Connect with us directly on Slack for real-time support and assistance.
We look forward to helping you set up LangWatch seamlessly and efficiently.