Using Single Sign-On with OpsGenie
OpsGenie supports Single Sign-On (SSO) through several identity providers, so that authentication to OpsGenie is controlled by the accounts hosted on your identity provider. Authentication via Single Sign-On is available on both the OpsGenie web and mobile applications.
What are the benefits of Single Sign-On?
Using a Single Sign-On solution, you can:
- Reduce password fatigue: You have one less password to remember. Users of your organization who are granted access to OpsGenie do not need to set or use a password on OpsGenie to log in and use our features.
- Easily manage user access: You can grant or revoke access to OpsGenie for your users from the console of your identity provider, without having to log in to OpsGenie. This improves administrators' ability to manage users and their configurations.
- Improve security: When you authenticate to OpsGenie, assertions generated by your identity provider are used instead of passwords created by users. Furthermore, your organization can easily require users to choose a strong password that will work with any service your organization uses. Also, our mobile apps do not keep user passwords for users who use our SSO solution; tokens that will be invalidated on next login are kept instead.
- Reduce help desk costs: Organizations that use many different services can greatly reduce the number of recoveries for individual accounts.
To configure Single Sign-On for OpsGenie:
- You must have an OpsGenie account on the Enterprise plan. You can, of course, use and test our SSO solution as you like during the 14-day Trial period. For details, see our Pricing Page.
- You must have an account with an identity provider.
Our Identity Provider Partners
- Google: Click here for instructions on setting up SSO integration with Google.
- Microsoft Active Directory Federation Services (AD FS): Click here for instructions on setting up SSO integration with Microsoft AD FS.
- Azure Active Directory: Click here for instructions on setting up SSO integration with Azure Active Directory.
- OneLogin: Click here for instructions on setting up SSO integration with OneLogin.
- Okta: Click here for instructions on setting up SSO integration with Okta.
- PingIdentity: Click here for instructions on setting up SSO integration with Ping Identity.
- Generic Support: Click here for instructions and information on setting up SSO integration with an identity provider that is not currently one of our partners.
Configuring Single Sign-On for OpsGenie
- Navigate to the Single Sign-On page within the OpsGenie Web Application. This is where you configure your Single Sign-On settings.
- Select your identity provider from the list of available identity providers above. If your identity provider is not one of our Single Sign-On partners, you can select the SAML 2.0 segment, which provides a generic configuration for other SAML 2.0 based SSO identity providers.
- Setup instructions for each identity provider are available both on the configuration page and in the related document under the Our Identity Provider Partners section.
- You will be able to authenticate to OpsGenie via Single Sign-On as soon as you save your Single Sign-On configuration in the Enabled state.
- By default, owners and admins are able to authenticate without Single Sign-On on the OpsGenie Web Application. If you enable the setting that enforces Single Sign-On for them, they will also have to authenticate via your identity provider on the OpsGenie Web Application.
- On the OpsGenie Mobile Apps, all users, including owners and admins, are required to authenticate via your IdP regardless of the related setting.
After you save your SSO configuration, you can start using the SSO Login page to log in to OpsGenie:
- Go to OpsGenie's standard Login page and click on the link "Login via your Identity Provider".
- Enter your username, and click Login. You'll be redirected to your identity provider's login page.
- As soon as you log in to your identity provider, you'll be redirected and logged in to OpsGenie.
While SSO is enabled for your account, your users will have to use the SSO Login page to log in to OpsGenie. Login attempts with username/password credentials will not work. Owner/admin users, however, can still use their passwords to log in to OpsGenie, e.g. for troubleshooting problems with SSO.
When you add a new user to your SSO-enabled account, upon verification the user can immediately start using OpsGenie, without the need to specify a password.
Provisioning new users automatically
If the "Provision new users on the first login automatically." setting is enabled, OpsGenie will create your users and add them to your account automatically on their first login via SSO. The first login in this case must be initiated in the identity provider.
Points on auto-provisioning new users:
- OpsGenie will create the user based on the e-mail address used for login, i.e., for email@example.com, a new user with username firstname.lastname@example.org and name james will be created in OpsGenie.
- The new user, upon first login, will be created, verified and logged in automatically.
- The first login must be initiated in the identity provider.
Please note: Provisioning is not available for Azure Active Directory.
If you'd like to disable SSO, go to the SSO page, uncheck the "Enabled" field and save. When SSO is disabled, an informational e-mail will be sent to your users, directing them to use their passwords to authenticate to OpsGenie from now on. Users without a password will be sent a link that they can use to set one.
While SSO is disabled, login attempts via the SSO Login page will not work.
To re-enable SSO, check "Enabled" on the SSO page and save again. When SSO is enabled, an informational e-mail will be sent to your users, directing them to use the SSO Login page to log in to OpsGenie from now on.