Overview

PagerTree offers several providers for single sign-on (SSO), and uses the SAML 2.0 protocol. SSO is supported on both the Web Application and Mobile Apps.

Note: Single Sign-On (SSO) requires the Elite pricing plan.

Login via SSO

After SSO has been configured on your PagerTree account, users can sign in via your Identity Provider’s (IdP) application widget or the PagerTree SSO Login Page. All users will be forced to log in via your Identity Provider, except those users with administrator permissions in PagerTree. Users with Administrator permissions may log in via IdP or PagerTree credentials.

To access the PagerTree SSO login:

  1. Go to the PagerTree login page.
  2. Click the Login with SSO link.
  3. Enter your IdP email, and click Login.

Enable SSO

To enable SSO you must be on the Elite pricing plan and be an administrator of your PagerTree account.

  1. Navigate to the Settings & Billing page.
  2. On the right side, navigate to the SSO tab.
  3. Toggle the Single Sign-On Switch.
  4. Continue to the Configure SSO section.

Configure SSO

  1. Double click the provider to edit your identity provider.
  2. Select the Provider you wish to use.
  3. Copy the ACS URL.
  4. Continue the steps below based on your Provider selection.

ADFS

Step 1 - Add a Relying Party Trust

In ADFS:

  1. Select the Relying Party Trusts folder from ADFS Management, and add a new Standard Relying Party Trust from the Actions sidebar. This will start the configuration wizard for a new trust.
  2. On the Select Data Source screen, select Enter Data About the Party Manually.
  3. On the Specify Display Name screen, enter any Display name that you will recognize in the future.
  4. On the Choose Profile screen, select AD FS profile.
  5. On the Configure Certificate screen, leave the defaults and click Next.
  6. On the Configure URL screen, check the box for Enable Support for the SAML 2.0 WebSSO protocol and paste the PagerTree ACS URL you copied earlier.
  7. On the Configure Identifiers screen, add a Relying party trust identifier with the value https://api.pagertree.com/public/saml/consume. Click Add.
  8. Skip the Multi-factor authentication screen; it's beyond the scope of this guide.
  9. On the Choose Issuance Authorization Rules screen, select Permit all users to access this relying party.
  10. On the Finish screen, make sure the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes checkbox is checked.

Step 2 - Create Claim Rules

  1. The Claim Rule Editor should now be open in ADFS.
  2. Click the Add Rule button.
  3. On the Rule Type screen, select Send LDAP Attributes as Claims rule type.
  4. On the next screen, using the Active Directory as your attribute store:
    1. From the LDAP Attribute column, select E-Mail Addresses
    2. From the Outgoing Claim Type, select E-mail Address
    3. Click OK
  5. Create another rule by clicking Add Rule, but this time select Transform an Incoming Claim as the template.
  6. On the next screen:
    1. Select E-mail Address as the Incoming Claim Type.
    2. For the Outgoing Claim Type select Name ID.
    3. For the Outgoing Name ID Format, select Email (THIS STEP IS VERY IMPORTANT!)
    4. Leave the rule to the default of Pass through all claim values
    5. Click OK
  7. Click OK to finish creating rules

Step 3 - Adjust Trust Settings

  1. Select Properties from the Actions sidebar while you have the Relying Party Trust selected.
  2. In the Advanced tab, make sure SHA-256 is specified as the Secure hash algorithm.
  3. In the Endpoints tab, click on add SAML to add a new endpoint.
  4. For Endpoint type, select SAML Logout
  5. For Binding, choose POST
  6. For Trusted URL create a URL using:
    1. The web address of your ADFS server
    2. The ADFS SAML endpoint you noted earlier
    3. The string ?wa=wsignout1.0
    The URL should look something like this: https://${host.domain.com}/adfs/ls/?wa=wsignout1.0
  7. Click OK
Note: Your instance of ADFS may have security settings in place that require all Federation Services Properties to be filled out and published in the metadata. Check with your team to see if this applies in your instance. If it does, be sure to check the Publish organization information in federation metadata box.

Step 4 - Configure PagerTree

  1. In ADFS
    1. Locate the FederationMetadata.xml URL for ADFS (most of the time it looks like https://${host.domain.com}/FederationMetadata/2007-06/FederationMetadata.xml).
    2. Check that the URL is valid by copying and pasting it into your browser. If an XML file appears or downloads, proceed to the next step.
  2. In PagerTree
    1. Paste the FederationMetadata URL in the Metadata URL field.

Azure Active Directory

  1. Go to your Azure Portal.
  2. Click Azure Active Directory.
  3. Click App registrations.
  4. Click New application registration.
  5. In the create blade, New application registration
    1. Name - PagerTree
    2. Redirect URI - paste the PagerTree ACS Url
  6. Click the Register Button
  7. Copy the Application (client) ID and the Directory (tenant) ID
  8. In PagerTree, paste the Application ID and the Directory ID to their respective fields.

Google

  1. Go to your Google Admin Dashboard.
  2. Click the Apps icon.
  3. Click the SAML apps icon.
  4. In the lower right hand corner, click the yellow + button.
  5. In the Step 1 (Enable SSO for SAML Application) dialog box, click the SETUP MY OWN CUSTOM APP link on the bottom of the box.
  6. In the Step 2 (Google IdP Information) dialog box:
    1. Copy the Google Entity ID and paste it in the PagerTree Entity ID field.
    2. Download the certificate. Open in a text editor. Copy & Paste the contents of the certificate file to the PagerTree X.509 Certificate field.
    3. Click Next.
  7. In the Step 3 (Basic information for your Custom App) dialog box:
    1. Application Name - PagerTree
    2. Description - On-Call. Simplified.
    3. Upload Logo - icon
    4. Click Next.
  8. In the Step 4 (Service Provider Details) dialog box:
    1. Copy the PagerTree ACS Url and paste it in the Google ACS Url & Google Entity ID fields.
    2. Ensure the Name ID Format is set to EMAIL.
    3. Click Next.
  9. In the Step 5 (Attribute Mapping) dialog box, click Finish.
  10. If everything went correctly you should see a success dialog box. Click OK.
  11. Click Edit Service.
  12. Click ON for everyone.
  13. Click Save.
  14. From the Google Admin Dashboard navigation bar, click the Apps icon.
  15. Click More.
  16. Right click the PagerTree application icon, and click Copy Link Address. Paste this into the PagerTree SSO Url field.
  17. Your PagerTree SSO configuration should look like this (screenshot: PagerTree SSO Settings for Google).
Note: If you do not see the PagerTree application, you may need to log out and then log back in to the Google Admin Application.

Okta

  1. Go to your Okta Admin Dashboard.
  2. Go to Applications.
  3. Click the Add Application button.
  4. Click the Create New App button.
  5. In the Create a New Application Integration dialog box:
    1. Platform - Web
    2. Sign on method - SAML 2.0
    3. Click Create
  6. Step 1 (General Settings)
    1. App Name - PagerTree
    2. App Logo - icon
    3. Click Next.
  7. Step 2 (Configure SAML)
    1. Single sign on URL - paste the PagerTree ACS Url.
    2. Use this for Recipient URL and Destination URL - checked
    3. Audience URI (SP Entity ID) - paste the PagerTree ACS Url
    4. Name ID format - EmailAddress
    5. Application username - Okta username
    6. Click Next.
  8. Step 3 (Feedback)
    1. Are you a customer or partner - I’m an Okta customer adding an internal app
    2. App type - This is an internal app that we have created
    3. Click Finish.
  9. Click the View Setup Instructions button.
    1. Copy the Okta Identity Provider Single Sign-On URL and paste it in the PagerTree SSO Url Field.
    2. Copy the Okta Identity Provider Issuer and paste it in the PagerTree Entity ID field.
    3. Copy the Okta X.509 Certificate and paste it in the PagerTree X.509 Certificate field.
  10. Your PagerTree SSO configuration should look like this (screenshot: PagerTree SSO Settings for Okta).
  11. In Okta, assign users by clicking the Assignments tab.
  12. Click Assign -> Assign to Groups.
  13. Assign the groups that should have access to PagerTree by clicking the Assign button.
  14. Click Done.

OneLogin

  1. Go to your Admin Dashboard.
  2. From the navigation go to Apps.
  3. Click the ADD APP button.
  4. On the Find Applications page:
    1. Search “OneLogin SAML”
    2. Click the OneLogin SAML Test (IdP) w/ NameID (unspecified)
  5. On the Configuration page:
    1. Display Name - PagerTree
    2. Rectangular Icon - icon
    3. Square Icon - icon
    4. Click SAVE.
  6. Click the Configuration Tab.
    1. SAML Consumer Url - paste the PagerTree ACS Url
    2. SAML Audience - paste the PagerTree ACS Url
    3. ACS URL Validator - paste the PagerTree ACS Url
  7. Click the SSO Tab.
    1. SAML Signature Algorithm - SHA-256
    2. Copy the SAML 2.0 Endpoint (HTTP) and paste it in the PagerTree SSO Url.
    3. Copy the Issuer URL and paste it in the PagerTree Entity ID.
  8. In OneLogin, click SAVE.
  9. In OneLogin, navigate back to the SSO Tab.
    1. Under the X.509 Certificate section, click View Details.
    2. Copy the OneLogin X.509 Certificate and paste it into the PagerTree X.509 Certificate field.
  10. Your PagerTree SSO configuration should look like this (screenshot: PagerTree SSO Settings for OneLogin).

Ping Identity (PingOne)

  1. Go to your Admin Dashboard.
  2. From the navigation go to Applications.
  3. Click Add Application -> New SAML Application.
  4. Step 1 (Application Details):
    1. Application Name - PagerTree
    2. Application Description - On-Call. Simplified.
    3. Category - Productivity
    4. Graphics - icon
  5. Step 2 (Application Configuration):
    1. Assertion Consumer Service (ACS) - paste the PagerTree ACS Url
    2. Entity ID - paste the PagerTree ACS Url
    3. Click Continue to Next Step.
  6. Step 3 (SSO Attribute Mapping):
    1. Click Save & Publish.
  7. Step 4 (Review Settings):
    1. Copy the PingOne Initiate Single Sign-On (SSO) URL and paste it into the PagerTree SSO Url field.
    2. Copy the PingOne Single Sign-On (SSO) Relay State and paste it into the PagerTree Entity ID.
    3. Download the PingOne Signing Certificate. Open in a text editor. Copy and paste the contents into the PagerTree X.509 Certificate field.
    4. Click Finish.
  8. Your PagerTree SSO configuration should look like this (screenshot: PagerTree SSO Settings for Ping Identity).

SAML 2.0

SAML is an XML standard for exchanging authentication data between parties. In the SAML model, PagerTree acts as the Service Provider (SP).

Requirements

PagerTree requires the SSO Url, Entity ID, and X.509 Certificate be provided.

  • SSO Url - The Url where users of your organization can log in to the IdP application
  • Entity ID - The issuer
  • X.509 Certificate - Used for assertion verification (Public/Private Key)

SAML Attributes

Additionally your provider might have options for application details. You can use the following:

  • Version - 2.0
  • Assertion Consumer URL (ACS) - https://api.pagertree.com/public/saml/consume?sid=<account_id>
  • NameIDPolicy - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • Encryption - false
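
Added example, not PagerTree code: when a login fails after setup, a SAMLResponse captured from your own browser can be checked against the values listed above (ACS URL as Destination, emailAddress NameID format, SHA-256 signature, no encryption). The response produced by build_sample is constructed, ACCOUNT_ID is a placeholder, and the check inspects settings only; it does not verify the signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ACS_URL = "https://api.pagertree.com/public/saml/consume?sid=ACCOUNT_ID"  # placeholder sid

def check_response(b64_response, acs_url, audience):
    """List settings that differ from this page. Does NOT verify the signature."""
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        return ["assertion is encrypted (page lists Encryption - false)"]
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination is not the ACS URL")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not emailAddress")
    if audience not in [a.text for a in root.iterfind(".//saml:Audience", NS)]:
        problems.append("Audience does not match the configured identifier")
    algs = [m.get("Algorithm", "") for m in root.iterfind(".//ds:SignatureMethod", NS)]
    if not algs:
        problems.append("no signature present")
    elif not all(a.endswith("sha256") for a in algs):
        problems.append("signature algorithm is not SHA-256")
    return problems

def build_sample(name_id_format, sig_alg, destination=ACS_URL):
    """Constructed response standing in for a captured SAMLResponse form value."""
    xml = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Destination="{destination}">
     <saml:Assertion>
      <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{sig_alg}"/>
      </ds:SignedInfo></ds:Signature>
      <saml:Subject><saml:NameID Format="{name_id_format}">user@example.com</saml:NameID>
      </saml:Subject>
      <saml:Conditions><saml:AudienceRestriction>
       <saml:Audience>{ACS_URL}</saml:Audience>
      </saml:AudienceRestriction></saml:Conditions>
     </saml:Assertion></samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    bad = build_sample("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
                       "http://www.w3.org/2000/09/xmldsig#rsa-sha1")
    print(check_response(bad, ACS_URL, ACS_URL))
```

For ADFS, pass the relying party trust identifier configured in Step 1 as the audience argument instead of the ACS URL.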