AWS IAM Identity Center (successor to AWS SSO) Integration Guide for PagerDuty

Introduction

This document helps you configure IAM Identity Center to facilitate single sign-on (SSO) for PagerDuty using SAML.

Prerequisites

You'll need the following to set up SSO access to PagerDuty:

Setup instructions

  1. On the Configure page in the IAM Identity Center Console, in the Details section, fill in the Display name and the Description (optional) of the application.

Note

We suggest that you choose a unique display name if you plan to have more than one of the same application.

  1. Log in to your PagerDuty account as an administrator (example: https://DOMAINNAME.pagerduty.com).

  2. On the header, choose Configuration.

  3. Click Account Settings.

  4. In the top-right corner of the Account Settings page, choose Single Sign-on.

  5. Under Login Authentication click the radio button titled SAML.

  6. For each of the following fields on the SAML section, insert these values.

  1. Download the IAM Identity Center certificate.
  1. Paste the certificate into the X.509 Certificate section.

  2. Mark the check boxes below the Logout URL field per your preferences.

  3. Click Save Changes.

  4. Go back to the IAM Identity Center console page where you are configuring the Application.

  5. Under Application metadata, choose specify configuration values individually to display the application metadata settings.

  6. Insert these values:

| Field | Value |
| --- | --- |
| Application ACS URL | https://DOMAINNAME.pagerduty.com/sso/saml/consume |
| Application SAML audience | https://DOMAINNAME.pagerduty.com |

  1. Choose Save Changes.

  2. Assign a user to the application in IAM Identity Center.

Verification

Use the following sections to verify the SSO integration.

Note

Ensure that the user performing the verification is logged out of both IAM Identity Center and the application before performing the steps in each section.

Note

Users will not be able to log in using SSO unless the user exists in both your directory and Custom SAML 2.0, and the user is assigned to the application.

Verifying SSO from IAM Identity Center

  1. Access the AWS access portal using the credentials of a user assigned to the PagerDuty application.

  2. In the list of applications, choose PagerDuty to initiate a login to PagerDuty.

  3. If login was successful, you will be signed in to the PagerDuty application.

Troubleshooting

If sign-in was not successful, please see the troubleshooting steps.

Verifying Service Provider Initiated SSO from PagerDuty

  1. Access PagerDuty using the following URL: https://DOMAINNAME.pagerduty.com.

  2. In the user portal, log in as a user assigned to the application.

  3. In the user portal, choose the application you are signing in to.

  4. On the PagerDuty home page, verify that both PagerDuty and IAM Identity Center are logged in with the same user.

Troubleshooting

If sign-in was not successful, please see the troubleshooting steps.

Troubleshooting

| Error | Issue | Solution |
| --- | --- | --- |
| "404 Error" | The Application SAML Audience URL and the Application ACS URL are incorrect. | Make sure that the Application SAML Audience URL and the Application ACS URL are correct. |
| "Other" | When IAM Identity Center creates a SAML Assertion for a user, it uses the value of the 'email' and 'subject' fields (if they are present) from the connected directory to populate the 'Email' and 'Subject' attributes in the SAML assertion. Many service providers expect these attributes to contain the user's email address. | By default your directory is configured to send 'windowsUPN' in both fields. Your directory may be configured to contain the user's email in the 'Email' attribute instead. If so, you may need to change this in your Connected directory settings. |

For general troubleshooting problems, please refer to Troubleshooting Guide.
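
The following is an added example, not part of the original guide or of AWS or PagerDuty tooling. It checks a SAMLResponse captured from your own browser session during verification against the two failure causes in the table above: a wrong ACS URL or audience, and a subject or 'Email' attribute that carries something other than the user's PagerDuty email. The function name, the domain example-co and the sample user are assumptions, and the script does not verify the assertion's signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (not real traffic): the subject carries a UPN.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://example-co.pagerduty.com/sso/saml/consume">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe@corp.example.local</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://example-co.pagerduty.com</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def check_saml_response(b64_response, domain, expected_email):
    """Return a list of findings; an empty list means the checked fields match."""
    acs = f"https://{domain}.pagerduty.com/sso/saml/consume"
    audience = f"https://{domain}.pagerduty.com"
    root = ET.fromstring(base64.b64decode(b64_response))
    findings = []
    # "404 Error" row: the response must be addressed to the ACS URL and audience.
    if root.get("Destination") != acs:
        findings.append(f"Destination {root.get('Destination')!r} is not {acs!r}")
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if audience not in audiences:
        findings.append(f"Audience {audiences!r} does not contain {audience!r}")
    # "Other" row: subject and Email attribute should hold the user's email.
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS)
    if name_id.strip().lower() != expected_email.lower():
        findings.append(f"NameID {name_id!r} is not the expected email {expected_email!r}")
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
        if (attr.get("Name") or "").lower() == "email" and value.strip().lower() != expected_email.lower():
            findings.append(f"Email attribute {value!r} is not {expected_email!r}")
    return findings


if __name__ == "__main__":
    for finding in check_saml_response(SAMPLE_B64, "example-co", "jdoe@example.com"):
        print("MISMATCH:", finding)
```
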

User Provisioning Types

There are two user provisioning types you need to be aware of: