PagerDuty SAML Integration Guide
Suggest an editPrerequisites
- Account Owner access to your PagerDuty account
- PagerDuty plan that supports SSO (Professional, Business, Enterprise for Incident Management, or Digital Operations)
- A SplitSecure Identity Provider created and approved
- Your PagerDuty subdomain (e.g., if your URL is
https://my-name.pagerduty.com, your subdomain ismy-name) - A separate browser or browser profile with SplitSecure configured (for testing)
PagerDuty Configuration
1 Navigate to SSO Settings
- Log in to PagerDuty at
https://{subdomain}.pagerduty.com - Click your User Icon in the top right corner
- Select Account Settings
- Click the Single Sign-On tab
2 Download PagerDuty Metadata
- Download the PagerDuty SAML metadata file from:
https://{subdomain}.pagerduty.com/sso/saml/metadata- Save this XML file - you will upload it to SplitSecure later
3 Configure SAML Authentication
- Under Login Authentication, select SAML
- Enter the following information from SplitSecure (found at Secure Accounts → SAML2 Identity Providers → [Your IdP] → Details):
| Field | Value |
|---|---|
| X.509 Certificate | Paste the certificate (.pem) content from SplitSecure (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) |
| Login URL | Under SSO URL (POST) |
| Logout URL (optional) | (None for now) |
4 Configure Authentication Options
Configure the following options based on your security requirements:
| Option | Recommendation | Description |
|---|---|---|
| Allow username/password login | Enable initially, disable after testing | Account Owners retain the ability to log in by email/password |
| Require EXACT authentication context comparison | Enable | |
| Require signed authentication requests | Enable | Enables request signing for enhanced security |
5 Configure User Provisioning
Choose one of the following options:
Option A: Auto-Provision Users on First Login (Recommended)
- Check Auto-provision users on first login
- Users will be automatically created in PagerDuty when they first authenticate via SSO
- Ensure attribute mappings are configured in SplitSecure
Option B: Redirect Non-Provisioned Users
- Check Redirect non-provisioned users
- Enter a Destination Link (e.g., internal wiki with provisioning instructions)
- Users without PagerDuty accounts will be redirected to this URL
Option C: Pre-Provision Users
- Leave both options unchecked
- Manually create users in PagerDuty before they can log in via SSO:
- Navigate to People → Users → Add Users
6 Save Configuration
Click Save Changes at the bottom of the page.
Note
Changes may take several minutes to take effect. If SSO doesn’t work immediately, wait a few minutes and try again.
SplitSecure Configuration
1 Create a Secure Account
- In SplitSecure, navigate to Secure Accounts → Create Account
- Select PagerDuty
- Enter a name for the account (e.g.,
PagerDuty Secure Account) - Select your Identity Provider
- Upload the PagerDuty metadata XML file downloaded in Part 1
- Click Create Account
2 User Provisioning Settings
SplitSecure supports user provisioning for PagerDuty. When initiating an authentication flow (either IdP-initiated or SP-initiated) with Create User enabled, the following fields must be filled:
| Field | Description |
|---|---|
| Name | The user’s display name |
| Role | The user’s role in PagerDuty (see roles documentation) |
| Job Responsibilities | The user’s job title |
Test Authentication
Tip
Use a separate browser or browser profile with SplitSecure configured to test without affecting your current session.
1 SP-Initiated SSO (User starts at PagerDuty)
- Navigate to
https://{subdomain}.pagerduty.com - Click Sign in with SSO or your company’s SSO option
- You will be redirected to SplitSecure
- Authenticate with your SplitSecure credentials
- You should be redirected back to PagerDuty, logged in
2 IdP-Initiated SSO (User starts at SplitSecure)
- Navigate to SplitSecure
- Go to Secure Accounts
- Click on your PagerDuty Secure Account
- Click Authenticate or Launch
- You should be logged directly into PagerDuty
Post-Configuration Steps
1 Disable Password Login (After Testing)
Once SSO is working correctly:
- Navigate to User Icon → Account Settings → Single Sign-On
- Uncheck Allow username/password login
- Click Save Changes
Note
The Account Owner always retains the ability to log in with email/password for emergency access. This cannot be disabled.
2 User Offboarding
When an employee leaves:
- Remove their access in SplitSecure
- In PagerDuty:
- Remove the user from schedules and escalation policies
- Delete or deactivate their user account
Important
Revoking SSO access prevents login but does not automatically remove the user from PagerDuty.
Troubleshooting
| Issue | Possible Cause | Solution |
|---|---|---|
| HTTP 400 error on login | Trailing slash in Audience URL | Ensure there is no / at the end of the Audience URL |
| User not authorized | User doesn’t exist and auto-provisioning is disabled | Enable auto-provisioning or pre-create the user |
| SAML assertion error | Name ID format mismatch | Ensure Name ID is set to emailAddress format |
| Certificate error | Expired or incorrect certificate | Re-download the X.509 certificate from SplitSecure |
| “An unexpected error occurred” after entering certificate | Malformed certificate | Ensure certificate has max 64 characters per line and includes BEGIN/END markers |
External Resources
- Single Sign-On Documentation — SSO setup and configuration
- Integration Directory — Available integrations
- User Roles — Role definitions and permissions
- Advanced Permissions — Granular access control
- Offboarding — User removal procedures