Catalytic is now PagerDuty Workflow Automation

Implement Single Sign-On (SSO)

SSO gives your team members access to PagerDuty Workflow Automation through their Identity Provider (IdP) account. SSO is configured from the Admin Team Center. SSO Settings can only be accessed by Admin users and are enabled per team.


Before getting started with SSO

PagerDuty Workflow Automation uses SAML 2.0 for SSO and a self-signed certificate for SAML assertion encryption. We also support CA-signed certificates if your SSO implementation requires it; contact PagerDuty Support to get this set up for your organization.

During setup, configure your Identity Provider to use the user’s email address as the NameID. PagerDuty Workflow Automation does not support any custom attributes and any custom attributes passed to PagerDuty Workflow Automation will be ignored.

PagerDuty Workflow Automation does not have built-in support for Two-Factor Authentication (2FA). To require 2FA for users logging into your team, use an Identity Provider (IdP) that has 2FA enabled.

We use a self-signed certificate for SAML, which is provided in the metadata downloadable from the SSO page.

Required Setup

Set up a connection with your identity provider using the configuration settings below, then configure SSO in PagerDuty Workflow Automation.

To make sure implementation is seamless, PagerDuty Workflow Automation can test your SSO configuration in a testing environment before implementing it in production. Contact PagerDuty Support if you’re interested in testing SSO.

Step 1. Configure with your identity provider

To configure SSO, you first create a connection within your IdP using information from PagerDuty Workflow Automation. Setup requires a unique ACS URL and Entity ID, which PagerDuty Workflow Automation provides from the SSO Settings page.

Note that with some IdPs, the ACS URL is called the "Reply URL" and the Entity ID is called the "Identifier".

Follow the steps supplied by your IdP to configure a connector for PagerDuty Workflow Automation. Your IdP may support uploading a metadata file to expedite SSO setup. If so, you can Download the Metadata and upload it to your IdP to prepopulate the required fields.

Step 2. Create the SSO integration in PagerDuty Workflow Automation

After creating the connection, finish the setup in PagerDuty Workflow Automation. An Entity ID, Login URL, and Signing Certificate are required. Your IdP should provide these after completing step 1.

  1. From the SSO Settings page, select Enable Single Sign-On

  2. Fill out all required fields.

    💡   Tip: Your IdP may provide a downloadable metadata file to expedite SSO setup. Look for this file during configuration and upload it into the Metadata file field to prepopulate the required fields.

  3. Once SSO is configured, select . Then flip the in the top right. Return to this page to edit your configuration at any time.

Important information after SSO is enabled

When SSO is enabled for a team, SSO is the only authentication method allowed and users can no longer log in using their PagerDuty Workflow Automation password. Any changes to the SSO settings will affect your team immediately.

PagerDuty Workflow Automation does not support user provisioning with SAML 2.0. After configuring SSO, you’ll continue to create, update and deactivate PagerDuty Workflow Automation users within PagerDuty Workflow Automation, either manually from the Team Page or by building a user provisioning process using actions like Catalytic: Create a User, Workflow: Update a User, and Catalytic: Deactivate a User.

Single Logout (SLO)

SLO lets your IdP control the log out parameters for users. PagerDuty Workflow Automation does not support Single Logout (SLO). Users who authenticated using SSO will stay logged in until their PagerDuty Workflow Automation session expires.

If a user attempts to log out of PagerDuty Workflow Automation, they will go through the SSO login flow. If their user is authorized to use PagerDuty Workflow Automation by the IdP, they will be re-authenticated. If their access to PagerDuty Workflow Automation has been revoked in the IdP, they will be logged out.

Set up user provisioning with SCIM

Once SSO is enabled, you can set up System for Cross-domain Identity Management (SCIM) to make it easy to update and create users and user information. SCIM is an industry standard and widely used in identity providers like Okta and Active Directory.

To set up SCIM provisioning, see Manage users with SCIM provisioning.

Get help with a problem or question

If something’s not working as expected, or you’re looking for suggestions, check through the options below.

What happens to users on my team after I enable SSO?

Users in PagerDuty Workflow Automation who are provisioned in your IdP will stay logged in, or may be asked to log in through their SSO account.

Users in PagerDuty Workflow Automation who are not provisioned in your IdP are logged out. Depending on your IdP, unprovisioned users are redirected to a splash page that explains they do not have access. In some cases this may not happen until they refresh their browser or log out.
