Create the Application

1. Go to Applications Create App Integration.
2. For Sign-in method, select OIDC - OpenID Connect, and for Application type, select Web Application. Click Next.

3. Under Application, enter a name for the application.

4. Copy the Redirect URL from the SSO configuration in PagerDuty and paste it into the Sign-in redirect URI. Do the same for the Login URL and the Sign-out redirect URIs.
5. Select how you would like to assign the application, and click Save.
6. On the next page, copy the client ID and client secret, and paste it into the OpenID client ID and OpenID client Secret fields on the PagerDuty SSO configuration page.

7. Go to Security API and select the Authorization Server you want to connect.
8. Copy the Metadata URI and paste it into the Configuration URL field in the PagerDuty SSO configuration page.

9. Replace the end of the url (oauth-authorization-server) with openid-configuration. The URL in PagerDuty must end with /.well-known/openid-configuration.
10. Save the SSO configuration.

Profile Mapping and Custom Claims

1. Go to Directory Profile Editor and select your application.
2. Click Add Attribute. For the Data type, select string. Enter a Display name. For the variable name enter pd_status_pages. Select Greater than for Attribute length, with a value of 0. Select Yes for Attribute required and click Save.

3. Click Mappings, and find pd_status_pages. Ensure that Apply mapping on user create and update is selected (the green arrow). Enter the custom claim value from the PagerDuty SSO configuration page, surrounded by single quotes, and click Save Mappings.

4. Go to Security API and select the authorization server you will be using. Then click on the Claims tab, and click Add Claim.
5. In the Name field, enter the name found under the Custom Claim Key on the PagerDuty SSO configuration page. Select ID Token as Always. Under Value, enter appuser.pd_status_pages.

📘

Data Requirement

The name of the claim must match the Custom Claim Key name.

Create the Application

1. In the Microsoft Entra Admin Center, navigate to App Registrations New Registration.
2. Enter a name for the app and the Redirect URI from the PagerDuty SSO Configuration page.

3. Find the newly created app under App Registrations and select it. Then, click Add a certificate or secret to create a client secret. On the next screen, click New Client Secret.

4. Copy newly created client secret and paste it into the PagerDuty SSO configuration page. Then go back to the previous page and copy and paste the Application (client) ID.
   Note: you will be presented with an array of values associated with your client secret.
   • Typically the values will include the following fields: "Description", "Expires", "Value", "Secret ID".
   • What you should be looking for is the Secret's "Value" field.
     • Note: Please do not use the data in the Secret's "Secret ID" field, which is UUID and not intended for the secure operations of interest.
5. Go back to the previous screen and click Authentication. Under Front-channel logout URL, add the logout URL from the PagerDuty SSO Configuration page and Save.

6. In the same menu where Authentication was found, select Manage Branding and Properties. In the Home page URL field, enter the login URL from the PagerDuty SSO Configuration page and click Save.

7. Go back to the created application (as in step 3), and click on Endpoints. Locate the OpenID Connect metadata document url and copy it and paste it into the Configuration URL on the PagerDuty SSO Configuration page.

Profile Mapping and Custom Claims

1. On your app page (from app registration), select Manage App roles.

2. Click Create Role, and enter the custom claim key and custom claim value found on the PagerDuty SSO configuration page. Click Apply.

3. Under Manage, select Manifest. In the JSON representation, update acceptMappedClaims to true and save.
4. Go to Applications Enterprise Applications, select the application, and go to Single Sign-On. Click Edit next to Attributes and Claims.

5. Click Add New Claim. Enter the custom claim key (status_pages) for the name. Under Source, select Attribute, and under Source attribute, enter users.assignedroles. Click Save.

Create the Application

1. Ensure that the Identity Provider is enabled in Salesforce. In the Setup view go to Settings > Identity > Identity Provider, and click Enable Identity Provider.

   

2. Go to Settings > Identity > OAuth and OpenID Connect Settings and ensure that the Allow Authorization Code and Credentials Flows option is enabled.

   

3. Go to Platform Tools > Apps > App Manager and click New Connected App.

   

4. Enter basic information, then enable OAuth settings and populate the following fields, and save:

   1. Callback URL: use the redirect URL from your PagerDuty Private Page

   2. Selected OAuth Scopes: Add Access unique user identifiers (openid)

   3. Enable Authorization Code and Credentials Flow: Enable

   4. Require user credentials in the POST body for Authorization Code and Credentials Flow: Enable

   5. Require Secret for Web Server Flow: Enable (optional)

   6. Issue JSON Web Token (JWT)-based access tokens for named users: Enable

   7. Configure ID Token: Enable

   8. Include Custom Attributes: Enable

      

5. After saving, click on Manage Consumer Details to get the Consumer Key and Consumer Secret.

   

6. On your PagerDuty private page Single Sign-On Settings, populate the following fields and save:

   1. Configuration URL: https://{{your-workspace-domain}}.my.salesforce.com/.well-known/openid-configuration
   2. OpenID client ID: {{Consumer Key}}
   3. OpenID client secret: {{Consumer Secret}}

Profile Mapping and Custom Claims

1. Back in Salesforce, grant permissions to the groups that you want to be able to access the page (if users are not self-authorizing). To do this, go to Apps > Connected Apps > Manage Connected Apps and click on Manage Permissions under the Permission Sets field.

   

2. Finally, to add the status page ID, go back to the previous view (Manage Connected Apps) and click New next to Custom Attributes.

3. Paste the Custom Claim Key and Custom Claim Value from the PagerDuty SSO settings, into the attribute key and attribute value fields.

   

Create the Application

1. Go to Applications, and click the + button to add a new application.

   

2. Enter an application name, select an application type, and click Save.

   

3. Click on the Configuration tab and the URLs dropdown.

4. Copy the OIDC Discovery Endpoint, the Client ID, and the Client Secret, and paste these values into the PagerDuty private page Single Sign-On Settings.

   

5. Edit the configuration by clicking the pencil button in the top right corner, update the following fields, and save:

   1. Client Credentials: Enable
   2. Redirect URIs: the redirect URL from the PagerDuty Single Sign-On page
   3. Token Endpoint Authentication Method: Client Secret Post
   4. Initiate Login URI: Login URL from the PagerDuty Single Sign-On page
   5. Signoff URLs: Logout URL from the PagerDuty Single Sign-On page
   

6. In the resources tab, check that the openid scope is available.

   

Profile Mapping and Custom Claims

1. Go to Directory > User Attributes and click the + button to add a new attribute.

2. Select Declared, enter a name for the attribute and save it.

   

3. Go to Users, edit any users you want to grant access and click the + button next to custom attributes. Enter the custom claim ID value found on the Single Sign-On page.

   

4. Go to Applications > Resources, find the openid resource that is being used, and select it.

5. Go to the attributes tab and click the pencil button to add a new attribute.

   

6. Enter the Custom Claim Key from the Single Sign-On page and select the attribute that you created in steps 1-3.