I can’t create API keys or manage users in the UI, what’s wrong?

  • You have likely deployed LangSmith without setting up SSO. LangSmith requires SSO to manage users and API keys. You can find more information on setting up SSO in the configuration section.

How does load balancing/ingress work?

  • You will need to expose the frontend container/service to your applications/users. This will handle routing to all downstream services.
  • You will need to terminate SSL at the ingress level. We recommend using a managed service like AWS ALB, GCP Load Balancer, or Nginx.

How can we authenticate to the application?

  • Currently, our self-hosted solution supports SSO with OAuth2.0 and OIDC as an authn solution. Note, we do offer a no-auth solution but highly recommend setting up oauth before moving into production.
You can find more information on setting up SSO in the configuration section.

Can I use external storage services?

  • You can configure LangSmith to use external versions of all storage services. In a production setting, we strongly recommend using external storage services. Check out the configuration section for more information.

Does my application need egress to function properly?

Our deployment only needs egress for a few things (most of which can reside within your VPC):
  • Fetching images (If mirroring your images, this may not be needed)
  • Talking to any LLM endpoints
  • Talking to any external storage services you may have configured
  • Fetching OAuth information
  • Subscription Metrics and Operational Metadata (if not running in offline mode)
    • Requires egress to https://beacon.langchain.com
    • See Egress for more information
Your VPC can set up rules to limit any other access. Note: We require the X-Organization-Id and X-Tenant-Id headers to be allowed to be passed through to the backend service. These are used to determine which organization and workspace (previously called “tenant”) the request is for.

Resource requirements for the application?

  • In kubernetes, we recommend a minimum helm configuration which can be found in here. For docker, we recommend a minimum of 16GB of RAM and 4 CPUs.
  • For Postgres, we recommend a minimum of 8GB of RAM and 2 CPUs.
  • For Redis, we recommend 4GB of RAM and 2 CPUs.
  • For Clickhouse, we recommend 32GB of RAM and 8 CPUs.

SAML SSO FAQs

How do I change a SAML SSO user’s email address?

Some identity providers retain the original User ID through an email change while others do not, so we recommend that you follow these steps to avoid duplicate users in LangSmith:
  1. Remove the user from the organization (see here)
  2. Change their email address in the IdP
  3. Have them login to LangSmith again via SAML SSO - this will trigger the usual JIT provisioning flow with their new email address

How do I fix “405 method not allowed”?

Ensure you’re using the correct ACS URL: https://auth.langchain.com/auth/v1/sso/saml/acs

SCIM FAQs

Can I use SCIM without SAML SSO?

  • Cloud: No, SAML SSO is required for SCIM in cloud deployments
  • Self-hosted: Yes, SCIM works with OAuth with Client Secret authentication mode

What happens if I have both JIT provisioning and SCIM enabled?

JIT provisioning and SCIM can conflict with each other. We recommend disabling JIT provisioning before enabling SCIM to ensure consistent user provisioning behavior.

How do I change a user’s role or workspace access?

Update the user’s group membership in your IdP. The changes will be synchronized to LangSmith according to the role precedence rules.

What happens when a user is removed from all groups?

The user will be deprovisioned from your LangSmith organization according to your IdP’s deprovisioning settings.

Can I use custom group names?

No, groups must follow the specific naming convention described in the Group Naming Convention section to properly map to LangSmith roles and workspaces.