PagerDuty Hardening Guide
Incident management platform hardening for PagerDuty including SSO configuration, user provisioning, and access controls
Overview
PagerDuty is a leading incident management platform used by thousands of organizations for on-call management, incident response, and operational intelligence. As a critical tool for incident response and system alerting, PagerDuty security configurations directly impact operational resilience.
Intended Audience
- Security engineers managing incident platforms
- IT administrators configuring PagerDuty
- DevOps/SRE teams securing on-call workflows
- GRC professionals assessing operational security
How to Use This Guide
- L1 (Baseline): Essential controls for all organizations
- L2 (Hardened): Enhanced controls for security-sensitive environments
- L3 (Maximum Security): Strictest controls for regulated industries
Scope
This guide covers PagerDuty security including SAML SSO, user provisioning, role-based access, and account security.
Table of Contents
- Authentication & SSO
- User Management
- Access Controls
- Monitoring & Security
- Compliance Quick Reference
1. Authentication & SSO
1.1 Configure SAML Single Sign-On
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 6.3, 12.5 |
| NIST 800-53 | IA-2, IA-8 |
Description
Configure SAML SSO to centralize authentication for PagerDuty users.
Rationale
Why This Matters:
- Eliminates need for separate PagerDuty credentials
- Enables on-demand user provisioning
- Simplifies access revocation
Prerequisites
- PagerDuty Professional, Business, or Enterprise plan
- SAML 2.0 compatible IdP
ClickOps Implementation
Step 1: Access SSO Settings
- Navigate to: Account Settings → Single Sign-On
- Click Configure SSO
Step 2: Configure Identity Provider
- PagerDuty supports:
  - Microsoft ADFS
  - Okta
  - OneLogin
  - Ping Identity
  - SecureAuth
- Create SAML application in IdP
Step 3: Enter IdP Settings
- Enter IdP SSO URL
- Upload IdP certificate
- Configure attribute mappings
Step 4: Test and Enable
- Test SSO authentication
- Verify user provisioning
- Enable SSO for account
Time to Complete: ~1 hour
1.2 Manage SSO Certificate Rotation
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 3.11 |
| NIST 800-53 | SC-12 |
Description
Maintain SAML certificate validity.
Rationale
Why This Matters:
- PagerDuty rotates SAML certificates annually
- Expired certificates break SSO authentication
ClickOps Implementation
Step 1: Monitor Certificate Expiration
- PagerDuty sends communications about rotation
- Note certificate expiration dates
Step 2: Update Certificates
- Download new PagerDuty certificate
- Update IdP configuration
- Test SSO after update
1.3 Configure Account Owner Fallback
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 5.4 |
| NIST 800-53 | AC-6 |
Description
Understand and protect Account Owner fallback access.
ClickOps Implementation
Step 1: Protect Account Owner Credentials
- Account Owners retain email/password login (cannot be disabled)
- Use strong password (20+ characters)
- Store in password vault
Step 2: Document Recovery Procedure
- Account Owner can log in during SSO outage
- Can temporarily enable password login for all users
2. User Management
2.1 Configure User Provisioning
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 5.3 |
| NIST 800-53 | AC-2 |
Description
Configure automatic user provisioning via SSO.
ClickOps Implementation
Step 1: Enable On-Demand Provisioning
- With SSO enabled, users are created on their first login
- Access is granted via IdP application assignment
Step 2: Configure SAML Attributes
- Configure IdP to send email, name, role
- Note: Attributes only used at initial creation
- Changes in IdP don’t sync to PagerDuty
2.2 Configure SCIM Provisioning
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 5.3 |
| NIST 800-53 | AC-2 |
Description
Configure SCIM for automated user lifecycle management.
ClickOps Implementation
Step 1: Enable SCIM
- Navigate to: Account Settings → SCIM
- Generate SCIM API token
- Copy SCIM base URL
Step 2: Configure IdP SCIM
- Add PagerDuty SCIM integration
- Enable deprovisioning
3. Access Controls
3.1 Configure Role-Based Access
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 5.4 |
| NIST 800-53 | AC-6 |
Description
Implement least privilege using PagerDuty roles.
ClickOps Implementation
Step 1: Review Available Roles
- Review role options:
  - Account Owner: Full control (1 per account)
  - Admin: Account administration
  - Manager: Team management
  - Responder: Incident response
  - Observer: View-only (Business/Enterprise)
  - Limited User: Restricted access
Step 2: Assign Appropriate Roles
- Limit Admin to essential personnel (2-3)
- Use Manager for team leads
- Use Responder for on-call engineers
3.2 Limit Admin Access
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 5.4 |
| NIST 800-53 | AC-6(1) |
Description
Minimize and protect administrator accounts.
ClickOps Implementation
Step 1: Inventory Admin Users
- Navigate to: People → Users
- Filter by Admin role
- Document all administrators
Step 2: Apply Least Privilege
- Reduce admins to minimum (2-3)
- Use Manager role for team administration
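Steps 1 and 2 above are easy to automate. The following is an added Python example (not from this guide or from PagerDuty) that inventories privileged accounts and applies the 2-3 admin target over a constructed sample of the user list; the REST endpoint and field names it assumes are noted in the code.

```python
"""Inventory PagerDuty administrators and check the guide's admin-count target.

SAMPLE_USERS is constructed data in the shape of the 'users' array returned by
GET https://api.pagerduty.com/users (role values such as 'owner', 'admin', 'user',
'limited_user'); that endpoint and its field names are assumptions, no live call is made."""
from collections import Counter

SAMPLE_USERS = [  # constructed sample, trimmed to the relevant fields
    {"id": "PABC001", "name": "Alice Owner", "email": "alice@example.com", "role": "owner"},
    {"id": "PABC002", "name": "Bob Admin", "email": "bob@example.com", "role": "admin"},
    {"id": "PABC003", "name": "Carol Admin", "email": "carol@example.com", "role": "admin"},
    {"id": "PABC004", "name": "Dan Admin", "email": "dan@example.com", "role": "admin"},
    {"id": "PABC005", "name": "Eve Admin", "email": "eve@example.com", "role": "admin"},
    {"id": "PABC006", "name": "Frank Lead", "email": "frank@example.com", "role": "user"},
    {"id": "PABC007", "name": "Grace Oncall", "email": "grace@example.com", "role": "limited_user"},
]
PRIVILEGED_ROLES = {"owner", "admin"}

def inventory_admins(users):
    """Return the privileged accounts (Account Owner and Admins) for documentation."""
    return [{"id": u["id"], "name": u["name"], "email": u["email"], "role": u["role"]}
            for u in users if u.get("role") in PRIVILEGED_ROLES]

def role_counts(users):
    """Count users per role so the privilege distribution is visible at a glance."""
    return dict(Counter(u.get("role", "unknown") for u in users))

def check_admin_limit(users, max_admins=3):
    """Apply the least-privilege target: at most max_admins Admin-role users and
    exactly one Account Owner. Returns a list of findings (empty means pass)."""
    counts = role_counts(users)
    findings = []
    if counts.get("admin", 0) > max_admins:
        findings.append(f"{counts['admin']} Admin users exceed limit of {max_admins}")
    if counts.get("owner", 0) != 1:
        findings.append(f"expected exactly 1 Account Owner, found {counts.get('owner', 0)}")
    return findings

if __name__ == "__main__":
    for acct in inventory_admins(SAMPLE_USERS):
        print(f"{acct['role']:<6} {acct['email']:<22} {acct['name']}")
    for finding in check_admin_limit(SAMPLE_USERS):
        print("FINDING:", finding)
```

Run it against a paginated dump of the real user list (the API returns pages with a `more` flag) and keep the output with the admin inventory required by Step 1.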
4. Monitoring & Security
4.1 Configure Audit Logging
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 8.2 |
| NIST 800-53 | AU-2 |
Description
Monitor administrative and security events.
ClickOps Implementation
Step 1: Access Audit Records
- Navigate to: Account Settings → Audit Records
- Review logged events
Step 2: Export Logs
- Export audit records for analysis
- Integrate with SIEM
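As an added example (not from this guide or from PagerDuty) of the triage a SIEM integration would apply to exported audit records, the script below classifies constructed sample records by severity, flagging role escalations and SSO being disabled, and flattens them into JSON lines for ingestion. The Audit Records API endpoint, its field names and the action names are assumptions.

```python
"""Flag security-relevant PagerDuty audit records before forwarding them to a SIEM.
The records are constructed samples in the shape of the PagerDuty Audit Records API
(GET https://api.pagerduty.com/audit/records); the endpoint, field names and action
names used here are assumptions, not facts from the guide."""
import json
# Actions worth alerting on for this guide's controls (user lifecycle and SSO changes).
TRACKED_ACTIONS = {"user.create", "user.update", "user.delete", "single_sign_on.update"}
RANK = {"info": 0, "high": 1, "critical": 2}

def _rec(rid, ts, action, actor, target_type, target, fields):
    """Build one constructed audit record in the API's nested shape."""
    return {"id": rid, "execution_time": ts, "action": action,
            "actors": [{"type": "user_reference", "summary": actor}],
            "root_resource": {"type": target_type, "summary": target},
            "details": {"fields": fields}}

SAMPLE_RECORDS = [
    _rec("REC1", "2025-02-05T10:00:00Z", "user.update", "Bob Admin", "user_reference", "Grace Oncall",
         [{"name": "role", "before_value": "limited_user", "value": "admin"}]),
    _rec("REC2", "2025-02-05T10:05:00Z", "incident.acknowledge", "Grace Oncall", "incident_reference", "Disk full", []),
    _rec("REC3", "2025-02-05T11:00:00Z", "single_sign_on.update", "Alice Owner", "account_reference", "Example Org",
         [{"name": "enabled", "before_value": "true", "value": "false"}]),
]

def classify(record):
    """'critical' for a role change to admin/owner or SSO being disabled,
    'high' for any other tracked action, 'info' for everything else."""
    action = record.get("action", "")
    if action not in TRACKED_ACTIONS:
        return "info"
    for f in record.get("details", {}).get("fields", []):
        if f.get("name") == "role" and f.get("value") in ("admin", "owner"):
            return "critical"
        if action == "single_sign_on.update" and f.get("name") == "enabled" and f.get("value") == "false":
            return "critical"
    return "high"

def to_siem_line(record):
    """Flatten a nested record into one JSON line carrying actor, target and severity."""
    actor = (record.get("actors") or [{}])[0]
    target = record.get("root_resource", {})
    return json.dumps({"ts": record.get("execution_time"), "id": record.get("id"),
                       "action": record.get("action"), "severity": classify(record),
                       "actor": actor.get("summary"), "target": target.get("summary"),
                       "target_type": target.get("type")}, sort_keys=True)

def alerts(records, min_severity="high"):
    """Return SIEM lines, oldest first, for records at or above min_severity."""
    return [to_siem_line(r) for r in sorted(records, key=lambda r: r["execution_time"])
            if RANK[classify(r)] >= RANK[min_severity]]
```

Pair the `critical` lines with an alerting rule in the SIEM, since both role escalation to Admin and SSO being switched off reopen the password-login path that section 1 closes.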
5. Compliance Quick Reference
SOC 2 Trust Services Criteria Mapping
| Control ID | PagerDuty Control | Guide Section |
|---|---|---|
| CC6.1 | SSO/SAML | 1.1 |
| CC6.2 | RBAC | 3.1 |
| CC7.2 | Audit logging | 4.1 |
NIST 800-53 Rev 5 Mapping
| Control | PagerDuty Control | Guide Section |
|---|---|---|
| IA-2 | SSO | 1.1 |
| AC-2 | User provisioning | 2.1 |
| AC-6 | Least privilege | 3.1 |
| AU-2 | Audit logging | 4.1 |
Appendix A: Plan Compatibility
| Feature | Free | Professional | Business | Enterprise |
|---|---|---|---|---|
| SSO/SAML | ❌ | ✅ | ✅ | ✅ |
| SCIM | ❌ | ❌ | ✅ | ✅ |
| Teams | ❌ | ❌ | ✅ | ✅ |
| Observer Role | ❌ | ❌ | ✅ | ✅ |
Appendix B: References
Official PagerDuty Documentation:
- Security at PagerDuty
- Support Center
- Single Sign-On (SSO)
- Security Hygiene for Current Cyber Threats
- Okta SSO Configuration
API Documentation:
Compliance Frameworks:
- SOC 2 Type II, ISO 27001, PCI DSS, FedRAMP (compliant offering available) — via PagerDuty Security
Security Incidents:
- August 2025: Attackers exploited a vulnerability in Drift’s OAuth integration with Salesforce (via Salesloft), potentially gaining unauthorized access to PagerDuty’s Salesforce account. No PagerDuty credentials were exposed, and there was no evidence of access to PagerDuty’s core platform or internal systems. — SecurityWeek Report
- April 2024: Vendor compromise at Sisense; PagerDuty reset credentials per CISA guidance as a precaution, but found no impact on PagerDuty or its customers. — PagerDuty Advisory
Changelog
| Date | Version | Maturity | Changes | Author |
|---|---|---|---|---|
| 2025-02-05 | 0.1.0 | draft | Initial guide with SSO, user management, and access controls | Claude Code (Opus 4.5) |
Contributing
Found an issue or want to improve this guide?
- Report outdated information: Open an issue with tag content-outdated
- Propose new controls: Open an issue with tag new-control
- Submit improvements: See Contributing Guide