Customers on our Business and Digital Operations pricing plans have access to Single Sign-On. If your account is on one of these plans, the Account Owner can access SSO settings by going to Configuration Account Settings Single Sign-On.
With single sign-on, you get:
One-click corporate login: This eliminates the need for a separate PagerDuty username and password, which means one less thing to remember.
On-demand user provisioning: PagerDuty user accounts are created on-demand once access is granted via the SSO provider.
Revoke user access: When an employee leaves the company, administrators can remove PagerDuty access within the SSO provider rather than having to log directly into PagerDuty.
Revoking a user's access at your SSO provider will prevent the user from logging in via SSO, but will not delete the user in PagerDuty. You must still log in to PagerDuty to delete the user.
Auto-provisioning users can get responders up and running quickly, but it will affect billing. If you do not wish to auto-provision users, the Account Owner can optionally redirect non-provisioned users to a destination link, such as an internal wiki, for more information about getting provisioned in your identity provider.
You can find step-by-step guides for configuring many common identity providers (IdP) in the PagerDuty Extensions Directory.
You can hand-craft a metadata file if you wish. The contents should look similar to the following. Be sure to replace
subdomain with your own PagerDuty subdomain.
In addition to configuration via metadata, a RelyingParty configuration, such as shown the example below, will need to be created in Shibboleth. Be sure to replace the provider URL with your own.
<rp:RelyingParty id="https://subdomain.pagerduty.com" provider="https://domain/idp/shibboleth" defaultAuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified" defaultSigningCredentialRef="IdPCredential"> <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" includeAttributeStatement="true" assertionLifetime="300000" assertionProxyCount="0" signResponses="conditional" signAssertions="never" signRequests="conditional" encryptAssertions="never" encryptNameIds="never" /> </rp:RelyingParty>
For custom SAML configurations, we provide the following metadata URL to make your configuration easier:
For manual SAML configurations, we will validate and enforce the following attributes in the SAML payload:
- Destination (sometimes labeled SAML Recipient in IdP configuration forms) is expected to be:
- Audiences (sometimes labeled SAML Audience in IdP configuration forms) is expected to be:
There should be no trailing slash. Users will receive an
HTTP 400 error when trying to log in if there is a
/ after your subdomain.
- Name ID is expected to be the user's email address:
User names will be set to the value of the
nameattribute we receive in your SAML payload. If there is no
nameattribute in your SAML payload then the user's name will default to their email address.
User roles will be set to the value of the
roleattribute we receive, where the value must match one of our REST API user role values:
read_only_user(known as Stakeholder user). Accounts with Advanced Permissions may also pass an
observerrole. If there is no
roleattribute in your SAML payload then the user's role will default to the
userrole. This User role is linked to the User basic role and Manager advanced permission role.
The job title of the user will be derived from the
jobresponsibilitiesattribute in the SAML payload, if present.
These attributes will only be used when a user is initially created. Changing the user's email address, name, or role in your IdP will not change these values in PagerDuty; you will still need to update a user's login email address, name, or role in PagerDuty if you change them in your IdP after the user has already been automatically provisioned in PagerDuty.
To log in using SSO:
- Ensure that you are logged in to your identity provider (e.g. Okta, OneLogin, etc).
- Go to your PagerDuty account at
- Click the green Sign In With Your Identity Provider button.
- Your identity provider will automatically sign you into your PagerDuty account.
If you do not see the Sign In With Your Identity Provider button, or if you are unable to log in to your account, please contact your Account Owner to troubleshoot and ensure that SSO has been properly configured.
Error "Account saml configuration x509 cert is invalid" in the web app after inserting your x509 cert
- Confirm that you are using a valid x509 certificate.
- Confirm that each row in your x.509 certificate is a maximum of 64 characters.
- Confirm there is the text
-----BEGIN CERTIFICATE-----at the beginning of the certificate and
-----END CERTIFICATE-----at the end of the certificate.
Yes. PagerDuty will treat signatures from the identity provider as valid as long as:
- The certificate stored in the PagerDuty SAML settings matches the private key that the identity provider uses to sign SAML responses, and:
- The identity provider is configured to sign assertions.
Once these conditions have been met, users should be able to authenticate.
Account Owners retain the ability to log in by email address and password in the event that there is an issue with the SSO provider. This cannot be turned off.
Not at this time. Currently only one SSO option is configurable.
If configuring an on-premises identity provider, you should treat its private key with utmost secrecy and take adequate security precautions.
Updated 9 days ago