Setting Up SAML Based SSO Integration with Other Identity Providers

Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between two parties, specifically an identity provider and a service provider. In the SAML model, OpsGenie acts as the service provider and supports SAML 2.0 based Single Sign-On to authenticate users through different identity providers. For an overview of our identity provider partners, the requirements to enable Single Sign-On for authentication, and how to configure and use our Single Sign-On solution, refer here. You can enable our Single Sign-On solution with any SAML 2.0 identity provider, including ones that are not currently among our partners.

Setup Instructions for SAML 2.0 Based SSO Integration:

The order of the setup steps may vary by identity provider. Please do not hesitate to contact us if you encounter any problem while setting up the SSO integration with your identity provider, or for any further assistance.

  • Open the SSO Settings page and switch to the SAML segment as the identity provider.
  • If your identity provider asks you to specify a SAML Identifier for OpsGenie (it may also be referred to as Audience or Target URL), use the value of the Identifier field.
  • Use OpsGenie's Assertion Consumer URL (shown on the SSO page as the OpsGenie SSO Endpoint, see OpsGenie Endpoints below) as the Consumer URL (it may also be referred to as SSO Endpoint, ACS URL or Recipient URL) in your identity provider.
  • Retrieve the Single Sign-On (SSO) Endpoint from your identity provider and paste this URL into the SAML 2.0 Endpoint field.
  • If your identity provider supports Single Logout (SLO), retrieve the SLO Endpoint from your identity provider and paste this URL into the SLO Endpoint field. This field is optional.
  • Export the X.509 certificate your identity provider signs SAML responses with (its signing certificate, not a TLS certificate), copy its content and paste it into the X.509 Certificate field. If the identity provider rotates this certificate, the field must be updated, otherwise logins will fail.
  • Check the Enabled field and click Save Changes.
  • Users in the directory of your identity provider can now log in to OpsGenie via SSO using their directory credentials.

OpsGenie Endpoints

  • SAML Identifier / Audience / Target URL: https://app.opsgenie.com/auth/saml
  • Assertion Consumer URL / OpsGenie SSO Endpoint: https://app.opsgenie.com/auth/saml?id=<saml_id>, where <saml_id> is unique per OpsGenie account.
  • These endpoints can be found on the SSO page.

OpsGenie SAML Attributes

OpsGenie uses the following attributes and values in the authentication request (AuthnRequest) it sends to your identity provider:

  • Version: 2.0
  • AssertionConsumerServiceURL: https://app.opsgenie.com/auth/saml?id=<saml_id> (which is the OpsGenie SSO Endpoint)
  • Issuer: https://app.opsgenie.com/auth/saml (which is the OpsGenie SAML Identifier)
  • NameIDPolicy:
    • Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    • AllowCreate: true
  • ProtocolBinding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
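The following is an added example, not OpsGenie's own code, showing what an AuthnRequest carrying exactly the attributes listed above looks like on the wire, and how it is packaged as the SAMLRequest form field for the HTTP-POST binding. The account id abc123 and the identity provider URL https://idp.example.com/sso are made-up values; the Destination attribute is standard SAML but is not among the attributes the page lists, so treat it as an assumption.

```python
import base64
import datetime
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Values taken from the page: OpsGenie's Issuer / SAML Identifier, its ACS URL
# pattern, the NameID format it requests and the binding it expects the
# Response to come back on.
OPSGENIE_ISSUER = "https://app.opsgenie.com/auth/saml"
ACS_TEMPLATE = "https://app.opsgenie.com/auth/saml?id={saml_id}"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def build_authn_request(saml_id, idp_sso_url, request_id=None, issue_instant=None):
    """Build the AuthnRequest XML a service provider configured like OpsGenie sends.

    saml_id     - the per-account id from the OpsGenie SSO page
    idp_sso_url - the IdP SSO endpoint pasted into the SAML 2.0 Endpoint field
    request_id / issue_instant default to a fresh random id and the current
    time; they are parameters so the output is reproducible in tests.
    """
    request_id = request_id or "_" + uuid.uuid4().hex
    if issue_instant is None:
        now = datetime.datetime.now(datetime.timezone.utc)
        issue_instant = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        # Destination is not listed on the page; it is the standard SAML
        # attribute naming the IdP endpoint the request is meant for (assumption).
        "Destination": idp_sso_url,
        "ProtocolBinding": HTTP_POST,
        "AssertionConsumerServiceURL": ACS_TEMPLATE.format(saml_id=saml_id),
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = OPSGENIE_ISSUER
    ET.SubElement(root, f"{{{SAMLP}}}NameIDPolicy",
                  {"Format": NAMEID_EMAIL, "AllowCreate": "true"})
    return ET.tostring(root, encoding="unicode")


def encode_for_post(xml_text):
    """SAMLRequest form-field value for the HTTP-POST binding: plain base64
    (the HTTP-Redirect binding would additionally DEFLATE and URL-encode it)."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_from_post(saml_request_field):
    """Inverse of encode_for_post, as the IdP would do on receipt."""
    return base64.b64decode(saml_request_field).decode("utf-8")


def request_fields(xml_text):
    """Parse an AuthnRequest back into the fields the page lists, for inspection."""
    root = ET.fromstring(xml_text)
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    return {
        "Version": root.get("Version"),
        "AssertionConsumerServiceURL": root.get("AssertionConsumerServiceURL"),
        "Issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "NameIDFormat": policy.get("Format"),
        "AllowCreate": policy.get("AllowCreate"),
        "ProtocolBinding": root.get("ProtocolBinding"),
    }


if __name__ == "__main__":
    xml_text = build_authn_request("abc123", "https://idp.example.com/sso")
    print(xml_text)
    print(request_fields(xml_text))
    print(encode_for_post(xml_text)[:60] + "...")
```

When debugging an integration, decoding the SAMLRequest field captured from the browser with decode_from_post and comparing request_fields against the list above is the quickest way to see whether the identity provider is being asked for the emailAddress NameID format and the correct per-account ACS URL.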

Validations & Enforcements by OpsGenie using SAML

  • The only supported SAML version is 2.0.
  • The Name ID format is expected to be urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress. The Name ID, which is the user's e-mail address at your identity provider, must be equal to the user's OpsGenie user name.
  • Assertions must not be encrypted: do not configure an encryption certificate for claims on the identity provider side. Assertions must still be signed with the certificate pasted into the X.509 Certificate field.
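As an added example, not OpsGenie's code, here is what checking a SAML Response against the enforcements above looks like in practice. The two sample responses are constructed for a made-up identity provider (https://idp.example.com) and the made-up account id abc123, and are unsigned. Beyond the three rules listed above, the function also checks the Audience and Destination values against the OpsGenie endpoints from this page; those are standard SAML service-provider checks, and the page does not say whether OpsGenie performs them. The example does not verify the XML signature; a real service provider must verify ds:Signature against the identity provider's X.509 certificate before trusting anything read here.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
OPSGENIE_IDENTIFIER = "https://app.opsgenie.com/auth/saml"
ACS_TEMPLATE = "https://app.opsgenie.com/auth/saml?id={saml_id}"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: a well-formed, unencrypted Response for account abc123.
# It carries no ds:Signature, so it would never pass a real service provider.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://app.opsgenie.com/auth/saml?id=abc123" InResponseTo="_r1">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://app.opsgenie.com/auth/saml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the same IdP configured with an encryption certificate,
# which the page says must not be used. The cipher text is a placeholder.
SAMPLE_ENCRYPTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://app.opsgenie.com/auth/saml?id=abc123">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""


def validate_response(xml_text, saml_id, expected_username):
    """Return a list of violations; an empty list means every structural check passed.

    Signature verification is deliberately NOT done here: verify ds:Signature
    against the IdP certificate first, then run these checks on the verified XML.
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        return ["root element is not samlp:Response"]
    if root.get("Version") != "2.0":
        problems.append(f"unsupported SAML version on Response: {root.get('Version')!r}")
    # Destination is optional in SAML; if present it must be this account's ACS URL.
    expected_acs = ACS_TEMPLATE.format(saml_id=saml_id)
    destination = root.get("Destination")
    if destination is not None and destination != expected_acs:
        problems.append(f"Destination {destination!r} is not this account's ACS URL {expected_acs!r}")
    if root.find(f"{{{SAML}}}EncryptedAssertion") is not None:
        problems.append("assertion is encrypted; an encryption certificate must not be used")
    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None:
        problems.append("no plain saml:Assertion element found")
        return problems
    if assertion.get("Version") != "2.0":
        problems.append(f"unsupported SAML version on Assertion: {assertion.get('Version')!r}")
    name_id = assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None:
        problems.append("assertion has no NameID")
    elif name_id.get("Format") != NAMEID_EMAIL:
        problems.append(f"NameID format {name_id.get('Format')!r} is not emailAddress")
    # Assumption: e-mail addresses are compared case-insensitively.
    elif (name_id.text or "").strip().lower() != expected_username.strip().lower():
        problems.append(f"NameID {name_id.text!r} does not match OpsGenie user name {expected_username!r}")
    audiences = [(a.text or "").strip() for a in assertion.findall(
        f"{{{SAML}}}Conditions/{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience")]
    if OPSGENIE_IDENTIFIER not in audiences:
        problems.append(f"Audience {audiences!r} does not include the OpsGenie SAML Identifier")
    return problems


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, "abc123", "alice@example.com"))
    print(validate_response(SAMPLE_ENCRYPTED_RESPONSE, "abc123", "alice@example.com"))
```

The NameID check is the one that most often fails in practice: the identity provider releases a persistent or unspecified-format identifier, or an address that differs from the OpsGenie user name, and the login is rejected even though the signature and everything else is fine. The checks are reported as a list rather than raised on the first failure so that a mis-configured integration shows all of its problems at once.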
