SCIM User Provisioning

Sync and manage PagerDuty users with Okta, OneLogin or Entra ID using SCIM user provisioning

Automatically manage users in your PagerDuty account via SCIM and keep them synchronized with our supported IdPs:

  • Okta
  • OneLogin
  • Microsoft Entra ID

Configure SCIM User Provisioning

Step 1: Enable Incident Reassignment in Your PagerDuty Account(s)

If a user has an assigned incident, you cannot delete them unless you’ve enabled incident reassignment on your account. Please see Enable Incident Reassignment for instructions to enable this feature if you have not already done so.


Step 2: Create a PagerDuty API Key

Create a PagerDuty API key if you do not already have one.

Step 3: Configure the SCIM Integration in Your IdP

Use one of the following instruction sets for the IdP your organization uses:

Okta

  1. In Okta, add the SCIM 2.0 Test App (Header Auth) integration.
  2. In the Provisioning tab, configure the connection to PagerDuty’s API by entering the following:
    1. Base URL: https://api.pagerduty.com/scim/v2
    2. API Token: Token token=<PagerDuty API KEY>
  3. Click Test API Credentials and ensure you get a successful response.
  4. Click Save.

OneLogin

  1. In OneLogin, navigate to Applications > Add App to create an app.
  2. Search and select SCIM Provisioner with SAML (SCIM v2 Core).
  3. Enter a Display Name value for your SCIM test app that will help you recognize it.
  4. Click Save.
  5. Select the Configuration tab and enter the following:
    1. SCIM Base URL: https://api.pagerduty.com/scim/v2
    2. SCIM Bearer Token: token=<PagerDuty API KEY>
    3. SCIM JSON Template (the externalId, active, title, roles, timezone and entitlements fields are optional):
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "userName": "{$parameters.scimusername}",
  "displayName": "{$user.display_name}",
  "externalId": "{$parameters.externalId}",
  "active": "{$user.status}",
  "title": "{$parameters.title}",
  "roles": [{"type": "base", "value": "{$parameters.role}"}],
  "timezone": "{$parameters.timezone}",
  "entitlements": [{"type": "base", "value": "{$parameters.license}"}]
}

Note: The "roles", "timezone" and "entitlements" mappings don't have basic mappings on the User object in OneLogin. These mappings can all be achieved via custom User roles. This is explained further down with the PagerDuty Role example. The process is to create a custom user role for the mapping, then create a parameter in the SCIM application that maps the custom User attribute to the parameter used in this schema: "role", "license", "timezone".

  6. Click Save.

Microsoft Entra ID

  1. In Microsoft Entra, follow the instructions in Microsoft’s documentation to configure a new Microsoft Entra SCIM integration. Create your SCIM app with any name, according to your preferences. Ensure that you select Integrate any other application you don’t find in the gallery.

Note (Disregard Suggested Apps): You may see suggested apps pop up when typing in the name of your application (e.g., the PagerDuty app). Please disregard these suggested apps.

  2. Create a new provisioning configuration by entering the following:
    1. Tenant URL: https://api.pagerduty.com/scim/v2
    2. API Token: token=<PagerDuty API KEY>
  3. Test the connection to ensure that it works, then click Save.
  4. Ensure that you’ve only enabled user provisioning/mapping. We do not currently support groups, so you should disable those.

Step 4: Configure Provisioning

Okta

  1. Ensure that you’ve enabled the Create Users, Update User Attributes, and Deactivate Users checkboxes.
  2. Finally, configure any required mappings for the user:
    1. To create an attribute mapping for roles, use Okta’s instructions to create an attribute: roles.^[type=='base'].value
    2. To create an attribute mapping for entitlements, use Okta’s instructions to create an attribute: entitlements.^[type=='license'].value

OneLogin

  1. In the Provisioning tab under Applications, select the Enable provisioning option for the SCIM Provisioner with SAML.
  2. You can use Custom User Fields along with parameter mappings to set the PagerDuty Role via role, the license via entitlements and the time zone via timezone in the schema in step 3.

Microsoft Entra ID

  1. Perform the following to update the user attribute mapping:
    1. Enabled: Select Yes
    2. Target Object Actions: Check the Create, Update and Delete checkboxes.
    3. Attribute Mappings: Define your attribute mappings:
      1. Important: The userName mapping should match the email your users use in PagerDuty to ensure that Microsoft Entra and PagerDuty users get linked correctly.
      2. Ensure the active attribute mapping has the expression Switch([IsSoftDeleted], "true", "False", "true", "True", "false"). Copy this exactly, as it is case-sensitive.
      3. If you’re setting fields via SCIM that do not have a basic mapping to an Entra ID user field, edit the attribute list to include the desired attributes:
        1. For the PagerDuty role, create an attribute mapping: roles[type eq "base"].value
        2. For the PagerDuty license, create an attribute mapping: entitlements[type eq "license"].value
        3. For the time zone, create an attribute mapping: timezone

Step 5: Assign or Deactivate Users

Assign new users to the application to provision them to PagerDuty, or deactivate them to remove them from PagerDuty.

Deactivation Warning: PagerDuty does not support deactivating and reactivating the same user. If you deactivate a user in the IdP, this action will delete them in PagerDuty. If you reactivate the user, the behavior of the IdP’s SCIM client implementation determines how to reconcile the user. Okta, for example, creates a new user, while OneLogin throws a provisioning error message when the user fails to update.

Supported User Attributes

The PagerDuty SCIM API currently exposes the following user attributes:

| Attribute | Type | Read / Write | Description |
|---|---|---|---|
| id | String | Read | Unique identifier for the user. |
| userName | String | Read + Write | Email and username of the user. (Required) |
| displayName | String | Read + Write | Name displayed in PagerDuty. (Required) |
| externalId | String | Read + Write | Usually the IdP’s ID for the user. |
| roles | Array | Read + Write | Single element array containing the user’s role. The accepted role is an object: {"type": "base", "value": "user"} where the value matches the list of roles supported by the public API. |
| active | Boolean | Read + Write | When set to false, the user will be deleted. |
| title | String | Read + Write | Job title of the user. |
| entitlements | Array | Read + Write | Single element array containing the user’s license. The accepted entitlement is an object: {"type": "license", "value": "LICENSE_ID"} where LICENSE_ID is a license ID sourced from the public API licenses endpoint. |
| timezone | String | Read + Write | IANA formatted time zone for the user. |
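
Added example (not PagerDuty's code): a pre-flight check that compares a rendered SCIM User payload with the attribute table above and warns when active is false, since that deletes the user. The function name check_scim_user and the sample payload are constructed for illustration, and treating the text "true"/"false" as the boolean is an assumption about how an IdP renders the value.

```python
# Added example: pre-flight check of a SCIM User payload against the
# "Supported User Attributes" table. Not PagerDuty code.
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
STRING_ATTRS = ("userName", "displayName", "externalId", "title", "timezone")
TYPED_ARRAYS = {"roles": "base", "entitlements": "license"}  # attribute -> type
KNOWN = set(STRING_ATTRS) | set(TYPED_ARRAYS) | {"schemas", "id", "active"}

def check_scim_user(payload):
    """Return (errors, warnings) for one SCIM User payload (a dict)."""
    errors, warnings = [], []
    if USER_SCHEMA not in payload.get("schemas", []):
        errors.append("schemas: core User schema URN missing")
    for key in ("userName", "displayName"):  # the two required attributes
        if not str(payload.get(key) or "").strip():
            errors.append(f"{key}: required")
    for key in STRING_ATTRS:
        if key in payload and not isinstance(payload[key], str):
            errors.append(f"{key}: must be a string")
    for key, kind in TYPED_ARRAYS.items():
        value = payload.get(key)
        if key in payload and not (
            isinstance(value, list) and len(value) == 1
            and isinstance(value[0], dict) and value[0].get("type") == kind
            and isinstance(value[0].get("value"), str) and value[0]["value"]
        ):
            errors.append(f"{key}: need exactly one object of type '{kind}'")
    if "active" in payload:
        # Assumption: an IdP may render the boolean as the text "true"/"false".
        flag = str(payload["active"]).lower()
        if flag not in ("true", "false"):
            errors.append("active: must be true or false")
        elif flag == "false":
            warnings.append("active=false: PagerDuty deletes this user")
    for key in sorted(set(payload) - KNOWN):
        warnings.append(f"{key}: not a supported attribute")
    return errors, warnings

# Constructed sample: a deprovisioning update with a mistyped entitlement.
SAMPLE = {
    "schemas": [USER_SCHEMA],
    "userName": "jdoe@example.com",
    "displayName": "J. Doe",
    "roles": [{"type": "base", "value": "user"}],
    "entitlements": [{"type": "base", "value": "LICENSE_ID"}],
    "active": False,
}

print(check_scim_user(SAMPLE))
```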
