Set session timeouts

Owner or Admins

The Session Configuration feature allows you to set limits on idle time before your users' browser sessions automatically expire. A message appears three minutes before the system logs them out. Users then need to sign back in to continue. For accounts configured with SAML Single Sign On (SSO), an additional option is available to set how often the users' browser sessions are re-authenticated.

Users and restricted users can view the time period for automatic timeout, but they cannot change it. To view the timeout value: From the New Relic menu bar, select (account) > Account settings > Authentication > Session configuration.

Access to this feature depends on your subscription level.

Features

The Session Configuration feature provides an additional level of security to ensure that unattended browsers will automatically time out. Session values are automatically stored in the session cookie. Additional features include:

Feature Notes
Easy setup Admins use the slide bar in New Relic's user interface to select predefined time periods. Default is two weeks.
Coordination with sign-in option If users select the option to Keep me signed in on New Relic's sign-in page, New Relic prompts three minutes before the Session Configuration expiration setting.
Separate options available by role Admins can choose for Restricted User sessions to never time out even if they select a session timeout setting. This is useful, for example, when you use a Restricted User login for demos.
Automatic inheritance for sub-accounts By default, sub-accounts inherit the same session configuration as their master account.
Most restrictive by default If users have multiple accounts, the most restrictive setting applies, regardless of which account the user currently is using.
Integration with SAML SSO logout URL If the account's SAML SSO configuration does not include a logout URL, New Relic includes a link from Session configuration for the Owner to set it up. If the Admin is not also the Owner, a message about the SAML SSO logout URL requirement appears.
Additional re-authentication setting for SAML SSO In addition to the session timeout option, Admins can select the time (15 minutes to 2 weeks, or never) for how often a SAML-authenticated browser session must be re-authenticated.

Select the session timeout value

The process for selecting the session timeout value is the same for both SAML and non-SAML configurations. For additional SAML configuration options, see SAML SSO browser reauthentication.

To select a predefined period for session timeouts with SAML SSO accounts, the account Owner must have previously identified the logout URL in the SAML SSO configuration settings. If this has not been set up, the account Admin can view the session timeout slide bar but not change it.

If the Admin is also the account Owner, the Session Configuration includes a link to go directly to New Relic's SAML SSO Configuration and identify the logout URL. For more information, see Setting up SSO.

To select a predefined period for session timeouts:

screen session timeout.png
(selected account) > Account settings > Authentication > Session configuration: New Relic Admins can select a time period for users' idle browser sessions to expire automatically. Admins can also select the option for restricted user sessions to never time out
  1. From the New Relic menu bar, select (selected account) > Account settings > Authentication > Session configuration.
  2. Use the slide bar to select a time period for idle sessions to expire and log out automatically.
  3. Optional: Select the checkbox option if you don't want restricted users' browser sessions to expire.
  4. Select Save my changes.

Changes take effect immediately.

Select the SAML SSO browser reauthentication

To select a predefined period for SAML-authenticated browser sessions to be re-authenticated:

  1. From the New Relic menu bar, select (selected account) > Account settings > Authentication > Session configuration.
  2. Use the SAML re-authentication time slide bar to select a time period for New Relic to check the browser session.
  3. Select Save my changes.
screen session timeout yes url.png
(selected account) > Account settings > Authentication > Session configuration: Here is an example of a SAML SSO account that has a predefined logout URL. The account Admin (and Owner) can change both the Session idle timeout slide bar and the SAML re-authentication time slide bar.

SAML timeout experience

If you are logged out due to a session idle timeout on an account configured for SAML, you will be sent to the New Relic login page. Because your account is configured for SAML, you do not have a direct New Relic login. To be redirected to your SAML provider for reathentication:

  1. Enter your email address in the Email field.
  2. Leave the Password field blank.
  3. Click the Sign In button.

You will then be redirected to your SAML provider. Once reauthorized, you will then be returned to the New Relic website.

New Relic login.jpg

New Relic > Login: If you are timed out under SAML authentication, you will be sent to the New Relic login page. Enter your email address without entering a password to be redirected to your SAML provider for authnetication.

For more help

Additional documentation resources include:

  • Setting up SSO (configuring, testing, and enabling SAML SSO, including the automatic logout URL)
  • Creating sub-accounts (procedures to add and maintain sub-accounts, users, and applications)

If you need additional help, get support at support.newrelic.com.