PagerDuty
Configure PagerDuty incident management SSO
Prerequisites
- Account Owner access to your PagerDuty account
- PagerDuty plan that supports SSO (Professional, Business, Enterprise for Incident Management, or Digital Operations)
- A SplitSecure Identity Provider created and approved
- Your PagerDuty subdomain (e.g., if your URL is
https://my-name.pagerduty.com, your subdomain ismy-name) - A separate browser or browser profile with SplitSecure configured (for testing)
PagerDuty Configuration
Navigate to SSO Settings
- Log in to PagerDuty at
https://{subdomain}.pagerduty.com - Click your User Icon in the top right corner
- Select Account Settings
- Click the Single Sign-On tab
Download PagerDuty Metadata
Download the PagerDuty SAML metadata file from:
https://<subdomain>.pagerduty.com/sso/saml/metadataSave this XML file - you will upload it to SplitSecure later
Configure SAML Authentication
Under Login Authentication, select SAML
Enter the following information from SplitSecure (found at Secure Accounts → SAML2 Identity Providers → [Your IdP] → Details):
Field Value X.509 Certificate Paste the certificate (.pem) content from SplitSecure (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) Login URL Under SSO URL (POST) Logout URL (optional) (None for now)
Configure Authentication Options
Configure the following options based on your security requirements:
| Option | Recommendation | Description |
|---|---|---|
| Allow username/password login | Enable initially, disable after testing | Account Owners retain the ability to log in by email/password |
| Require EXACT authentication context comparison | Enable | |
| Require signed authentication requests | Enable | Enables request signing for enhanced security |
Configure User Provisioning
Choose one of the following options:
Option A: Auto-Provision Users on First Login (Recommended)
- Check Auto-provision users on first login
- Users will be automatically created in PagerDuty when they first authenticate via SSO
- Ensure attribute mappings are configured in SplitSecure
Option B: Redirect Non-Provisioned Users
- Check Redirect non-provisioned users
- Enter a Destination Link (e.g., internal wiki with provisioning instructions)
- Users without PagerDuty accounts will be redirected to this URL
Option C: Pre-Provision Users
- Leave both options unchecked
- Manually create users in PagerDuty before they can log in via SSO:
- Navigate to People → Users → Add Users
Save Configuration
Click Save Changes at the bottom of the page.
Changes may take several minutes to take effect. If SSO doesn’t work immediately, wait a few minutes and try again.
SplitSecure Configuration
Create a Secure Account
- In SplitSecure, navigate to Secure Accounts → Create Account
- Select PagerDuty
- Enter a name for the account (e.g.,
PagerDuty Secure Account) - Select your Identity Provider
- Upload the PagerDuty metadata XML file downloaded in Part 1
- Click Create Account
User Provisioning Settings
SplitSecure supports user provisioning for PagerDuty. When initiating an authentication flow (either IdP-initiated or SP-initiated) with Create User enabled, the following fields must be filled:
| Field | Description |
|---|---|
| Name | The user’s display name |
| Role | The user’s role in PagerDuty (see roles documentation) |
| Job Responsibilities | The user’s job title |
Test Authentication
Use a separate browser or browser profile with SplitSecure configured to test without affecting your current session.
SP-Initiated SSO (User starts at PagerDuty)
- Navigate to
https://{subdomain}.pagerduty.com - Click Sign in with SSO or your company’s SSO option
- You will be redirected to SplitSecure
- Authenticate with your SplitSecure credentials
- You should be redirected back to PagerDuty, logged in
IdP-Initiated SSO (User starts at SplitSecure)
- Navigate to SplitSecure
- Go to Secure Accounts
- Click on your PagerDuty Secure Account
- Click Authenticate or Launch
- You should be logged directly into PagerDuty
Post-Configuration Steps
Disable Password Login (After Testing)
Once SSO is working correctly:
- Navigate to User Icon → Account Settings → Single Sign-On
- Uncheck Allow username/password login
- Click Save Changes
The Account Owner always retains the ability to log in with email/password for emergency access. This cannot be disabled.
User Offboarding
When an employee leaves:
- Remove their access in SplitSecure
- In PagerDuty:
- Remove the user from schedules and escalation policies
- Delete or deactivate their user account
Revoking SSO access prevents login but does not automatically remove the user from PagerDuty.
Troubleshooting
| Issue | Possible Cause | Solution |
|---|---|---|
| HTTP 400 error on login | Trailing slash in Audience URL | Ensure there is no / at the end of the Audience URL |
| User not authorized | User doesn’t exist and auto-provisioning is disabled | Enable auto-provisioning or pre-create the user |
| SAML assertion error | Name ID format mismatch | Ensure Name ID is set to emailAddress format |
| Certificate error | Expired or incorrect certificate | Re-download the X.509 certificate from SplitSecure |
| “An unexpected error occurred” after entering certificate | Malformed certificate | Ensure certificate has max 64 characters per line and includes BEGIN/END markers |
External Resources
- Single Sign-On Documentation SSO setup and configuration
- Integration Directory Available integrations
- User Roles Role definitions and permissions
- Advanced Permissions Granular access control
- Offboarding User removal procedures
Last updated: