Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between two parties: an identity provider and a service provider. In the SAML model, Opsgenie acts as the service provider and supports SAML 2.0-based Single Sign-On to authenticate users through different identity providers.
This page covers configuring SSO for Opsgenie: the identity provider partners, the requirements for enabling Single Sign-On for authentication, and how to configure and use the Single Sign-On solution.
You can enable our Single Sign-On solution using any identity provider, even ones that are currently not one of our partners.
The order of the instructions below may vary by the identity provider. Contact us for any further assistance or problems you may encounter while setting up SSO integration with your identity provider.
From your Opsgenie account, go to Settings → Login and SSO and select SAML as your identity provider.
If your identity provider requires you to specify a SAML Identifier for Opsgenie (also referred to as Audience or Target URL), use the value of the Identifier field.
Use the value of the SAML 2.0 Service URL field as the Consumer URL (also referred to as SSO Endpoint or Recipient URL) for your identity provider.
Retrieve the Single Sign-On (SSO) Endpoint from your identity provider and paste the URL into the SAML 2.0 Endpoint field.
If your identity provider supports Single Logout (SLO):
Retrieve the SLO Endpoint from your identity provider and paste the URL into the SLO Endpoint field.
Copy the SAML 2.0 Service Logout URL to your identity provider’s SLO Endpoint field.
Export your identity provider's X.509 certificate, copy its content and paste the certificate value into the X.509 Certificate field.
Check the Enable Single Sign-on field and click Apply SSO Changes.
Users in the directory of your identity provider can now log in to Opsgenie via SSO using their directory credentials.
SAML Identifier (Audience / Target URL): Copy the Identifier field from the SSO settings of your Opsgenie account.
Assertion Consumer URL / Opsgenie SSO Endpoint:
https://app.opsgenie.com/auth/saml?id=<saml_id>
where <saml_id> is unique per Opsgenie account.
Go to Settings → Login and SSO from your Opsgenie account to find these endpoints.
Opsgenie uses the following attributes and values when sending an authentication request to your identity provider:
Version:
2.0
AssertionConsumerServiceURL:
https://app.opsgenie.com/auth/saml?id=<saml_id>
(which is the Opsgenie SSO Endpoint)
Issuer:
https://app.opsgenie.com/auth/saml
or
https://app.opsgenie.com/auth/saml?id=<saml_id>
(which is the Opsgenie SAML Identifier; see your Opsgenie settings page)
NameIDPolicy:
Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
AllowCreate: true
ProtocolBinding:
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
The only supported SAML version is 2.0.
Name ID format is expected to be:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
(The Name ID, which is the user's e-mail address on your identity provider, must equal the user's Opsgenie user name.)
An encryption certificate for claims should not be used; Opsgenie expects unencrypted assertions.
<samlp:AuthnRequest
xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
ID="_950adbf4-34fe-492b-91d9-b6418feb56eb"
Version="2.0" IssueInstant="2017-08-17T15:29:46Z"
AssertionConsumerServiceURL="https://app.opsgenie.com/auth/saml?id=SSO_ID"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://app.opsgenie.com/auth/saml</Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
</samlp:AuthnRequest>
The XML content above is the SAML request that Opsgenie sends to your IdP, Base64-encoded, deflated and URL-encoded according to the SAML 2.0 protocol. Your identity provider should be able to process this content. SSO_ID represents the unique identifier that Opsgenie generates and shows on the SSO page, so the following is an example AssertionConsumerServiceURL value:
https://app.opsgenie.com/auth/saml?id=53bd8491-ef30-4d3e-92ed-bec8f09188bc
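The following added example (not Opsgenie's own code) shows the encoding the paragraph describes, the raw DEFLATE, Base64 and URL-encoding of the SAMLRequest parameter, its inverse as the identity provider performs it, and a check of the decoded request against the attribute values documented above. The request is constructed to match the page's example; SSO_ID and the request ID "_req1" are placeholders.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed request with the same fields as the one on this page; SSO_ID stands in
# for the account-specific identifier shown on the Opsgenie SSO settings page.
AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_req1" Version="2.0" '
    f'IssueInstant="2017-08-17T15:29:46Z" '
    f'AssertionConsumerServiceURL="https://app.opsgenie.com/auth/saml?id=SSO_ID" '
    f'ProtocolBinding="{HTTP_POST}">'
    f'<Issuer xmlns="{SAML}">https://app.opsgenie.com/auth/saml</Issuer>'
    f'<samlp:NameIDPolicy Format="{EMAIL}" AllowCreate="true"/>'
    f'</samlp:AuthnRequest>'
)

def encode_redirect(xml_text):
    """Raw DEFLATE, then Base64, then URL-encode: the SAMLRequest query parameter."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15 = raw DEFLATE, no zlib header
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(raw).decode("ascii"), safe="")

def decode_redirect(param):
    """The inverse, which is what the identity provider does on receipt."""
    return zlib.decompress(base64.b64decode(urllib.parse.unquote(param)), -15).decode("utf-8")

def check_request(xml_text):
    """Extract the fields Opsgenie documents and flag any that differ from the documented values."""
    root = ET.fromstring(xml_text)
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    info = {
        "version": root.get("Version"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "binding": root.get("ProtocolBinding"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "nameid_format": policy.get("Format") if policy is not None else None,
    }
    info["ok"] = (info["version"] == "2.0" and info["binding"] == HTTP_POST
                  and info["nameid_format"] == EMAIL
                  and info["acs_url"].startswith("https://app.opsgenie.com/auth/saml?id="))
    return info
```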
<samlp:Response
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="Ref34f454eda06982d99753378d61a2c21d160514"
Version="2.0"
IssueInstant="2017-08-16T13:41:51Z"
Destination="https://app.opsgenie.com/auth/saml"
InResponseTo="_5b7d882a-c1b0-4c6a-99e7-6c62ec267059">
<saml:Issuer>https://app.onelogin.com/saml/metadata/692790</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Version="2.0" ID="pfxb2557bd0-0985-4bee-e1b7-be41c3f3f8c0" IssueInstant="2017-08-16T13:41:51Z">
<saml:Issuer>https://app.onelogin.com/saml/metadata/692790</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#pfxb2557bd0-0985-4bee-e1b7-be41c3f3f8c0">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>NCvDMpITKYjYhSP0xHVFJNOUjpg=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>HIQ/cvi6G6NoKCbDPTk9JugLhdGG3/VGGXGfS870M6aVOX09CTo9CCjZsdjmE7V8Tzf6GznR2B1cSBAvSVuVvMNqyrae6MxE+JIaCzyyKwhVmDEJyoWYXNK9VL8Kkfy4TROccW3D8eP6RKdC81TG1pUpqFWg3qczPLWdAEEAnBzfHDsGYg4x4KBCGDrx5YQsuV/qTi625tCJbUBezAfE9yut9D1GrHq5R2Sx+Sg07beqDlmHHRlUD4PEDjIQuHW5qfAabLit89JOsAdBrb2YkL6mYB3IhyuwQqVSZAIcYZlMnWHRMDnzg0axK4AwXpfs5xzokY3cG8aSIG5ylGs2nQ==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>IDP_SIGNING_CERTIFICATE_BASE64</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">USER_LOGIN_E_MAIL_ADDRESS</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2017-08-16T13:44:51Z" Recipient="https://app.opsgenie.com/auth/saml" InResponseTo="_5b7d882a-c1b0-4c6a-99e7-6c62ec267059" />
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2017-08-16T13:38:51Z" NotOnOrAfter="2017-08-16T13:44:51Z">
<saml:AudienceRestriction>
<saml:Audience>https://app.opsgenie.com/auth/saml</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
</saml:Assertion>
</samlp:Response>
USER_LOGIN_E_MAIL_ADDRESS is the login e-mail address (user name) of the authenticating user.
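As an added example (not Opsgenie's code), the check below tests a SAML response against the requirements this page states: SAML version 2.0, a Success status, a plain (unencrypted) assertion, an e-mail-address NameID, a Recipient and InResponseTo that match the request, the NotBefore/NotOnOrAfter window, and an Audience equal to the SAML Identifier. The response is constructed to mirror the page's example with the ds:Signature left out; signature verification must be done first with an XML-DSig library and is assumed here, and "_req1" and alice@example.com are placeholders.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ACS = "https://app.opsgenie.com/auth/saml"  # Recipient and, as on this page, also the Audience

# Constructed response shaped like the page's example; ds:Signature omitted (verify it first, separately).
RESPONSE = f"""<samlp:Response xmlns:saml="{SAML}" xmlns:samlp="{SAMLP}" ID="R1" Version="2.0"
 IssueInstant="2017-08-16T13:41:51Z" Destination="{ACS}" InResponseTo="_req1">
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion Version="2.0" ID="A1" IssueInstant="2017-08-16T13:41:51Z">
  <saml:Subject><saml:NameID Format="{EMAIL}">alice@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2017-08-16T13:44:51Z" Recipient="{ACS}" InResponseTo="_req1"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2017-08-16T13:38:51Z" NotOnOrAfter="2017-08-16T13:44:51Z">
   <saml:AudienceRestriction><saml:Audience>{ACS}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, now, request_id):
    """Return the page's requirements that the response violates; an empty list means accept."""
    root, bad = ET.fromstring(xml_text), []
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        bad.append("status is not Success")
    if root.find(f"{{{SAML}}}EncryptedAssertion") is not None:
        bad.append("assertion is encrypted; Opsgenie expects plain claims")
    a = root.find(f"{{{SAML}}}Assertion")
    if a is None:
        return bad + ["no plain Assertion element"]
    if "2.0" != root.get("Version") or "2.0" != a.get("Version"):
        bad.append("SAML version is not 2.0")
    nameid = a.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if nameid is None or nameid.get("Format") != EMAIL or "@" not in (nameid.text or ""):
        bad.append("NameID is not the user's e-mail address")
    scd = a.find(f".//{{{SAML}}}SubjectConfirmationData")
    if scd is None or scd.get("Recipient") != ACS or scd.get("InResponseTo") != request_id:
        bad.append("Recipient or InResponseTo does not match our request")
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None or not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        bad.append("outside the NotBefore/NotOnOrAfter window")
    if ACS not in [x.text for x in a.iter(f"{{{SAML}}}Audience")]:
        bad.append("Audience is not the Opsgenie SAML Identifier")
    return bad
```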
Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0