Azure Active Directory SSO Integration Guide

Azure Active Directory (Azure AD) provides an easy way for businesses to manage identity and access, both in the cloud and on-premises. Your users can use the same work or school account for single sign-on to any cloud and on-premises web application. Your users can use their favorite devices, including iOS, Mac OS X, Android, and Windows. Your organization can protect sensitive data and applications both on-premises and in the cloud with integrated multi-factor authentication ensuring secure local and remote access. Azure AD extends your on-premises directories so that information workers can use a single organizational account to securely and consistently access their corporate resources. Azure AD also offers comprehensive reports, analytics, and self-service capabilities to reduce costs and enhance security. The Azure AD SLA ensures that your business runs smoothly at all times and can be scaled to enterprise levels.

 

Note

You must be the Account Owner of your PagerDuty account in order to make these changes. Additionally, SSO capabilities within PagerDuty are only available on our Standard and Enterprise plans. Please contact our sales team if you are interested in upgrading your plan.

 

In your Azure Management portal

  1. Click on the Azure Active Directory icon on the left menu and then click on Enterprise Applications.
  2. Click on New application.
  3. In Add from the gallery, search for and select PagerDuty. Give it a name and click Add.
  4. Back in Azure Active Directory in the left menu, go to All Applications and click on the new PagerDuty application.
  5. Configure the settings as follows:
    • Single Sign-on Mode: set to SAML-based Sign-on
    • Sign-on URL and Identifier: set both to the base URL of your PagerDuty login page, https://(your-subdomain).pagerduty.com
    • User Identifier: set this to user.mail.
  6. Scroll down further to the User Attributes section and check the box View and edit all other user attributes.
  7. To ensure that user fields are properly populated when auto-provisioning, configure the user attributes as follows:
    • Set the Namespace field to empty.
    • Name: name, Value: user.displayname (the user’s full name)
    • Name: emailaddress, Value: user.mail (the user’s email)
    • Name: jobresponsibilities, Value: user.jobtitle (the user’s job title)
  8. Click Save to save the current settings.
  9. Return to the Single sign-on settings page, scroll down to the PagerDuty Configuration section at the bottom of the page, and click on Configure PagerDuty to get additional information for setup.
  10. Follow the instructions on that page. In particular, look for the necessary pieces of information to put into the PagerDuty SAML settings page:
    • X.509 SAML signing certificate
    • Login URL
    • Logout URL
  11. Go to the Users and groups page of the PagerDuty app, and click Add user. This will take you to a page where you can grant your Azure Active Directory users and groups access to PagerDuty.
  12. Select the users (round icons) and groups (flag-shaped icons) that you wish to grant access to PagerDuty, click Select, then click Assign.

In PagerDuty

  1. As the Account Owner, click on Configuration and select Account Settings.
  2. Click Single Sign-On in the menu on the right side of the page.
  3. Select SAML as the login authentication type.
  4. Fill in the X.509 certificate, login URL, and logout URL with the values copied from Azure.
  5. Make sure the Require EXACT authentication context comparison option is checked.
  6. If you’d like to disable username and password authentication for your PagerDuty account for all users, except the Account Owner, you can uncheck the Allow username/password login check box.
  7. If you’d like PagerDuty to automatically create accounts for anyone who has access via Azure SSO upon their first login, check the box next to Auto-provision users on first login.
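
The following is an added example, not part of the original guide or of PagerDuty's or Azure's own tooling: a check that a decoded SAML assertion from a test login carries the NameID and attribute names configured in the Azure steps above. It inspects claim shape only and does not verify the signature; the sample assertions, the build_sample helper, and the user values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names from step 7 of the Azure section (Namespace left empty).
EXPECTED_ATTRIBUTES = ("name", "emailaddress", "jobresponsibilities")
# Claim-name prefix Azure AD applies when the Namespace field is not emptied.
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

def check_assertion(assertion_xml):
    """Return a list of problems; an empty list means the claims match the guide."""
    root = ET.fromstring(assertion_xml)
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or "@" not in (name_id.text or ""):
        problems.append("NameID is missing or not an email address (expected user.mail)")
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    for wanted in EXPECTED_ATTRIBUTES:
        if attrs.get(wanted):
            continue
        # A name ending in "/<wanted>" means a namespace is still being prepended.
        prefixed = [n for n in attrs if n.endswith("/" + wanted)]
        if prefixed:
            problems.append(f"{wanted}: sent with a namespace as {prefixed[0]}")
        else:
            problems.append(f"{wanted}: missing or empty")
    return problems

def build_sample(name_id, attributes):
    """Build a constructed, unsigned assertion (hypothetical helper for this demo)."""
    items = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue>'
        f'</saml:Attribute>' for n, v in attributes.items())
    return (f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}">'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
            f'<saml:AttributeStatement>{items}</saml:AttributeStatement></saml:Assertion>')

# Constructed samples: one matching the guide, one with the namespace left in place.
GOOD = build_sample("alex@example.com", {"name": "Alex Doe",
    "emailaddress": "alex@example.com", "jobresponsibilities": "SRE"})
BAD = build_sample("alex", {CLAIMS + "name": "Alex Doe",
    CLAIMS + "emailaddress": "alex@example.com", "jobresponsibilities": ""})

if __name__ == "__main__":
    for label, xml_text in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_assertion(xml_text) or "claims match the guide")
```

Run it against an assertion you captured from your own test login before enabling Auto-provision users on first login, so that mis-named attributes are caught before accounts are created from them.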