These docs are for setting up SAML SSO for users on our original user model.
Single sign-on (SSO) allows a computer user to log in to multiple systems via a single portal. If you're a New Relic account Owner setting up SSO integration for your organization, you must obtain a SAML certificate that identifies the SSO login URL (and possibly logout URL) for your organization. The other types of information required for SSO integration will vary depending on the SAML service provider being used.
To find the New Relic SSO settings page: from the user menu, click Account settings, then click Security and authentication, then click Single sign-on.
If you don't see this UI, review the requirements.
For how to optimally set up SAML SSO, see the instructions and tips below.
Providers supported by New Relic
Users on our original user model can find a list of the SAML service providers that New Relic currently supports for SSO integration: From the New Relic user menu, select Account settings > Security and authentication > Single sign-on. If you don't see that UI, it may be because you're on our newer user model: in that case, you'll use a different method to set up SAML SSO.
SAML service providers that we support for users on our original user model include:
To learn how to get Google SSO for your original user model users, watch this short video (approx. 3:10 minutes).
SAML information in New Relic account
To integrate with a SAML provider, the provider will need information from you about your New Relic account. Most of the information you will need is visible on the New Relic SSO settings UI page:
Metadata URL: Contains multiple pieces of information in a single XML message
SAML version: 2.0
Assertion consumer URL: The endpoint to New Relic SSO (for example, https://rpm.newrelic.com/accounts/ACCOUNTID/sso/saml/finalize)
Consumer binding: Transmission method is HTTP-POST
NameID format: Email address
Attributes: None required
Entity ID: Account URL (default of rpm.newrelic.com)
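The settings above (assertion consumer URL, HTTP-POST binding, email NameID, entity ID) are what a SAML Response must match before New Relic will accept it. The following is an added example, not New Relic's code, that checks a captured Response against those values; it assumes account ID 12345 as a placeholder, and the sample Response is constructed for the example.

```python
"""Check a SAML 2.0 Response against the settings New Relic shows on its SSO
settings page: Destination must be the assertion consumer URL, the NameID must
be an email address in the emailAddress format, and the Audience must be the
entity ID. Added example, not New Relic's code; ACCOUNTID 12345 is a placeholder
and SAMPLE_RESPONSE is constructed."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Values copied from the SSO settings page (account ID is a placeholder).
EXPECTED = {
    "acs_url": "https://rpm.newrelic.com/accounts/12345/sso/saml/finalize",
    "entity_id": "rpm.newrelic.com",
}

# Constructed sample: what an IdP would POST to the assertion consumer URL
# (signature omitted so the example stays offline and readable).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://rpm.newrelic.com/accounts/12345/sso/saml/finalize">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>rpm.newrelic.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""


def check_response(xml_text, expected=EXPECTED):
    """Return a list of mismatches; an empty list means the Response matches."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]

    # Destination must be this account's assertion consumer URL.
    dest = root.get("Destination")
    if dest != expected["acs_url"]:
        problems.append(f"Destination {dest!r} != ACS URL {expected['acs_url']!r}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no saml:Assertion in response"]

    # NameID must carry the user's email address in the emailAddress format.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID in assertion")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append(f"NameID Format {name_id.get('Format')!r} is not emailAddress")
        if "@" not in (name_id.text or ""):
            problems.append(f"NameID value {name_id.text!r} is not an email address")

    # The Audience must be the entity ID configured for this account.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected["entity_id"] not in audiences:
        problems.append(f"Audience {audiences} does not include entity ID {expected['entity_id']!r}")
    return problems


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE) or "Response matches the New Relic settings")
```

Run it against a Response captured from the browser's SAML tracer (the base64-decoded SAMLResponse form field) when an IdP-initiated login fails; a wrong NameID format or a stale entity ID is the usual finding.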
New Relic SAML implementation
For SAML providers and service providers (like New Relic) to be able to work together, their processes must align in certain ways. Here are some aspects of how New Relic implements SSO. This will be useful if you're verifying that a specific SAML provider will be able to work with New Relic or if you're troubleshooting implementation problems.
SSO considerations and New Relic functions and preferences:
Scope of user credentials (IdP): Should be all users.
Type of connection: Must be both IdP initiated and SP initiated.
Expected SAML profile: New Relic uses a POST binding for SP-initiated requests.
Expected NameID value format: Must be email address.
Sensitive info exchanged in SAML assertion? No, only the email address is sent.
Session management and logout: Does your organization use a redirect URL for logout? If not, New Relic can provide a logout landing page.
Plan for users who no longer need access: Typically manual deletion by the account Owner or Administrator.
Clock synchronization: Ensure the SAML identity provider clocks are maintained by NTP.
SAML SSO features and procedures
Here are some important procedures for managing SAML SSO for users on our original user model:
If your organization is on Pro or Enterprise edition, you can request to have your domain name(s) placed on our allow list, which will streamline the SAML SSO enablement process. When your users' email address has a domain that matches the domain you've claimed, New Relic automatically adds them as Active users and retains their current user type.
Benefits of claiming your domain include:
Makes it easier for your admins because they won't have to adjust your users' user type.
Makes it easier for your users to get started using New Relic because they don't need to confirm their user record via email.
Maintains security when adding users outside of your organization.
After obtaining your SAML identity provider's certificate (a PEM-encoded X.509 certificate) and login URL, the account Owner can set up, test, and enable the single sign-on (SSO) configuration in New Relic. No other role on the account may edit the SSO configuration on the account.
Tip
Access to this feature depends on your subscription level. If your account is set up under a customer partnership, access to this feature will also depend on the settings for that partnership subscription level.
Requirements
For requirements, including which New Relic users this feature applies to, see Requirements.
Parent and child accounts
If your account has child accounts, typically you will set up the SSO configuration on the parent account level only. The child account users will still be able to log in through SSO because they will inherit the parent account's SAML SSO configuration. If you need to configure multiple accounts with separate SAML identities (for example, with partnership accounts), use the custom entity ID feature.
Configure SSO
To help ensure security and account for network time and clock skews, configure your SAML identity provider's validation responses to the shortest time period that is practical (for example, five minutes). New Relic allows a maximum of thirty minutes.
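The guidance above combines two requirements: keep the assertion's validity window short (five minutes is the example, thirty minutes is the maximum) and keep the identity provider's clock on NTP so the window is evaluated correctly. The following is an added example, not New Relic's code, of how a relying party evaluates the NotBefore/NotOnOrAfter pair with a skew allowance; the timestamps and the 60-second skew are constructed values for the example.

```python
"""Evaluate a SAML assertion's Conditions window against New Relic's guidance:
warn above the recommended five minutes, reject above the thirty-minute
maximum, and allow a small clock skew when checking the current time.
Added example, not New Relic's code; all timestamps below are constructed."""
from datetime import datetime, timedelta, timezone

MAX_WINDOW = timedelta(minutes=30)   # New Relic's stated maximum
RECOMMENDED = timedelta(minutes=5)   # the example given in the text


def parse_saml_time(value):
    """SAML timestamps are xsd:dateTime in UTC, e.g. 2024-01-01T00:05:00Z
    (an optional fractional-second part is accepted)."""
    if not value.endswith("Z"):
        raise ValueError(f"timestamp must be UTC with a trailing Z: {value!r}")
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def check_validity(not_before, not_on_or_after, now=None, skew=timedelta(seconds=60)):
    """Return (accepted, findings). findings lists a rejection reason or a warning.
    skew is the tolerance applied in the lenient direction on both ends; it only
    masks small NTP drift, not an IdP clock that is minutes off."""
    start = parse_saml_time(not_before)
    end = parse_saml_time(not_on_or_after)
    now = now or datetime.now(timezone.utc)
    findings = []

    window = end - start
    if window <= timedelta(0):
        return False, ["NotOnOrAfter is not after NotBefore"]
    if window > MAX_WINDOW:
        return False, [f"validity window {window} exceeds the {MAX_WINDOW} maximum"]
    if window > RECOMMENDED:
        findings.append(f"validity window {window} is longer than the recommended {RECOMMENDED}")

    if now < start - skew:
        return False, findings + ["assertion not yet valid (IdP clock ahead of ours?)"]
    if now >= end + skew:
        return False, findings + ["assertion expired (IdP clock behind ours, or replayed?)"]
    return True, findings


if __name__ == "__main__":
    when = parse_saml_time("2024-01-01T00:02:00Z")
    print(check_validity("2024-01-01T00:00:00Z", "2024-01-01T00:05:00Z", now=when))
    print(check_validity("2024-01-01T00:00:00Z", "2024-01-01T00:45:00Z", now=when))
```

If a login that works at the IdP is rejected on the New Relic side, feed the Conditions attributes from the captured Response into check_validity with the failing time: a "not yet valid" result points at an IdP clock running ahead, which NTP on the IdP resolves.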
Go to: user menu > Account settings > Security and authentication > Single sign-on.
From the SAML single sign-on page, review your New Relic SAML service provider details.
To upload your SAML identity provider certificate, select Choose file, then follow standard procedures to select and save the file.
Specify the Remote login URL that your users will use for single sign-on.
If your organization's SAML integration provides a redirect URL for logout, copy and paste in (or type) the Logout landing URL; otherwise leave blank.
Save your changes.
Tip
If your organization does not use a specific redirect URL, New Relic provides a logout landing page by default.
Test SSO
After you correctly configure and save your SSO settings, the Test page automatically appears. After each test, New Relic returns you to the SAML SSO page with diagnostic results.
To go back and change your configuration settings, select 1 CONFIGURE.
Enable SSO
When testing successfully completes, a link appears that you can use on your company's landing page for easy single sign-on with New Relic. Unless you've claimed your domain with New Relic, your users cannot sign in until they complete the email confirmation that New Relic sends automatically. After your users select the link in their confirmation email, they can sign in securely with your organization's assigned user name and password. From there they can select any application they are authorized to use, including New Relic.
Caution
If you disable SAML SSO, New Relic automatically flags all of your Pending users as Active. If you decide to re-enable SAML SSO later, New Relic automatically flags all users except the Owner as Pending, and they will need to confirm their account access by email.
Add a logout URL for session timeouts
New Relic's Session configuration feature requires a logout URL for SAML SSO-enabled accounts. If you have already configured, tested, and enabled SAML SSO without a logout URL, New Relic automatically prompts the account Admin to notify the account Owner. In addition, if you are the account Owner, New Relic automatically provides a link from Session configuration to go directly to SAML single sign-on and add a logout URL.
Important
The logout URL cannot contain newrelic.com anywhere in the URL.
The Session configuration feature also includes the option to select an automatic timeout for SAML-authenticated browser sessions to be re-authenticated.
Unless you've claimed your domain with New Relic (recommended), your users are not added in New Relic until they complete the email confirmation that is sent automatically upon SAML SSO enablement. This is an additional security measure. Users in the pending state (not yet confirmed) won't receive notifications (such as alert notifications).
For organizations without SAML SSO enabled, the Owner or Admin can add new users without requiring email confirmation.
Requirements
For requirements, including which New Relic users this feature applies to, see Requirements.
Add and confirm users
Follow this process to add and confirm users on our original user model that are authenticating via SAML SSO:
The account's Owner or an Administrator adds new users: Go to: user menu > Account settings > Account > Summary.
Unless you've claimed your domain, your users are marked as Pending and are sent an email confirmation. (Pending users won't receive New Relic product notifications, such as alert notifications.)
Users select the link in the email to confirm their account, which directs them to the SAML provider's login URL.
When users successfully sign in to their SAML SSO endpoint (Auth0, Okta, OneLogin, Ping Identity, Salesforce, etc.), New Relic flags the users as Active.
Caution
If you disable SAML SSO, New Relic automatically flags all of your Pending users as Active. If you decide to re-enable SAML SSO later, New Relic automatically flags all users except the Owner as Pending, and they'll need to confirm their account access by email.
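The Pending/Active rules are spread across the domain-claim section, the add-and-confirm steps and the caution above. The following is an added example, not New Relic's code, that models those rules in one place for a single account: a claimed domain is matched exactly (not as a suffix) against the email's domain, users added while SSO is enabled start Pending unless their domain is claimed, confirmation makes them Active, disabling SSO makes all Pending users Active, and re-enabling makes everyone except the Owner Pending. The account class, the email addresses and the assumption that re-enabling does not exempt claimed domains (the text above does not say) are this example's own.

```python
"""In-memory model of Pending/Active user states under SAML SSO on the
original user model, following the rules stated on this page. Added example,
not New Relic's code; the Account class and all addresses are constructed."""


class Account:
    def __init__(self, owner_email, claimed_domains=()):
        self.owner = owner_email.lower()
        # Domains placed on the allow list (Pro or Enterprise only).
        self.claimed = {d.lower() for d in claimed_domains}
        self.sso_enabled = False
        self.users = {self.owner: "Active"}   # email -> "Active" | "Pending"

    @staticmethod
    def domain_of(email):
        """Exact domain after the last '@', lower-cased. Exact comparison matters:
        'alice@notexample.com' must not match a claim on 'example.com'."""
        local, sep, domain = email.rpartition("@")
        if not sep or not local or not domain:
            raise ValueError(f"not an email address: {email!r}")
        return domain.lower()

    def add_user(self, email):
        """Owner or Admin adds a user. Without SSO no confirmation is needed; with
        SSO the user is Pending unless their domain is claimed."""
        email = email.lower()
        if not self.sso_enabled or self.domain_of(email) in self.claimed:
            self.users[email] = "Active"
        else:
            self.users[email] = "Pending"
        return self.users[email]

    def confirm(self, email):
        """User follows the confirmation link and signs in at the IdP."""
        email = email.lower()
        if self.users.get(email) == "Pending":
            self.users[email] = "Active"
        return self.users.get(email)

    def should_notify(self, email):
        """Pending users receive no product notifications (e.g. alerts)."""
        return self.users.get(email.lower()) == "Active"

    def enable_sso(self):
        """Enabling or re-enabling SSO: all users except the Owner become Pending.
        Assumption: claimed domains are not exempted here, since the page does not
        describe that interaction."""
        self.sso_enabled = True
        for email in self.users:
            if email != self.owner:
                self.users[email] = "Pending"

    def disable_sso(self):
        """Disabling SSO: every Pending user is flagged Active."""
        self.sso_enabled = False
        for email, state in self.users.items():
            if state == "Pending":
                self.users[email] = "Active"


if __name__ == "__main__":
    acct = Account("owner@example.com", claimed_domains=["example.com"])
    acct.enable_sso()
    print(acct.add_user("alice@example.com"), acct.add_user("bob@partner.test"))
    print(acct.users)
```

The practical reason to model this: before toggling SSO off and on for a reconfiguration, you can list exactly which users will be bounced back to Pending (and therefore stop receiving alert notifications) until they reconfirm.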
In the SAML protocol, the entity ID uniquely identifies the service provider (New Relic) to your SAML provider. New Relic's default entity ID is rpm.newrelic.com. This is sufficient if you have only a single SAML-enabled account.
When you configure multiple New Relic accounts with SAML, your SAML provider typically requires each account to have a unique entity ID. If you need to configure multiple accounts with separate SAML identities, use New Relic's custom entity ID feature.
Requirements
For requirements, including which New Relic users this feature applies to, see Requirements.
Select custom entity IDs
New Relic's custom entity ID feature allows you to enable a unique entity ID for each of your accounts. You can then configure SAML SSO for them as a distinct application with your SAML provider. This allows you to centrally control user authentication to each of your accounts independently.
When configuring SAML SSO for that account, from the Entity ID row on the Step 1. Configure page, select Use custom entity ID.
Important
You must use the same entity ID to configure the application's setting with your SAML provider. Some SAML providers require you to create a new application configuration when changing the entity ID.
After your SAML SSO login is configured, tested, and enabled, all of your New Relic account users (including the account Owner and Admins) must use your organization's SSO URL to sign in to New Relic. Their email address must match what has been set up in New Relic. Also, their ability to use the SSO URL to access applications other than New Relic will depend on their permissions set in those applications.
Requirements
For requirements, including which New Relic users this feature applies to, see Requirements.
Sign in to New Relic by using your SAML SSO login URL.
Go to: user menu > Account settings > Security and authentication > Single sign-on.
To temporarily turn off the SAML integration with New Relic and update your settings, select Disable SAML login.
Optional: To change your existing SAML certificate, select Choose file. Follow standard procedures to select and save the file, then save.
Optional: To change your existing SSO URLs, copy and paste in (or type) the Remote login URL or Logout landing URL, then save.
Email addresses
Tip
Owner or Admins: Account Owners or Admins must ensure that the email addresses users sign in to New Relic with match their SSO email. Account Owners, Admins and users cannot update email addresses on SAML authenticated accounts.
To update user information for your organization's New Relic account:
Go to: user menu > Account settings > Account > Summary.
From the Users list, select any of the options to add new users, edit existing users' roles, or delete them.
Troubleshoot SSO login
No one using the account, including the Owner and Admins, can sign in to New Relic directly. If you get locked out of SSO and need to disable it or change the configuration, get support at support.newrelic.com.
For requirements, including which New Relic users this feature applies to, see Requirements.
Caution
If you delete your SAML SSO integration with New Relic, you cannot restore it. However, you can follow standard procedures to set up your configuration again.
For users on our original user model, here's how to delete your SAML SSO configuration completely:
Sign in to New Relic by using your SAML SSO login URL.
From the New Relic menu bar, select: user menu > Account settings > Security and authentication > Single sign-on.
Select Delete SAML Configuration.
At the confirmation prompt, select OK.
With partnership accounts, authentication to sign in to New Relic is controlled by the partnership. For accounts where the partnership supports SSO, users may access their New Relic UI without reauthenticating. These Partner accounts could use SAML SSO as an alternative secure method to sign in to the New Relic site.
Other Partner accounts, including Heroku, AppDirect, and Microsoft Azure, do not permit direct login to New Relic. In this situation, SAML integration from the partner's site is not supported by the partner SSO. If you have questions, contact your partner representative at New Relic.
Requirements
For requirements, including which New Relic users this feature applies to, see Requirements.
Example
Your account structure and settings affect whether SAML is available and how it applies to your accounts.
This example shows the hierarchy for New Relic Partner accounts with parent accounts and child accounts, and how child accounts inherit the SAML SSO configuration.
SAML SSO configuration by account level:
Partnership: The partnership level allows you to control whether accounts under the partnership can have SAML enabled. The partnership account's Owner has certain administrative functions, but a SAML configuration on this account is not inherited by other accounts in the partnership.
Parent accounts: Parent accounts (also referred to as master accounts) have a direct, hierarchical relationship to one or more child accounts. Typically the SAML configuration on a parent account is inherited automatically by all of its child accounts.
Child accounts: Child accounts (also known as sub-accounts) inherit their SAML SSO configuration from their parent account when the parent account has SAML configured. If the parent account does not have SAML configured, each child account may have its own configuration. For more information, see Configuring SAML with multiple accounts.