To manage their users, New Relic organizations can configure "authentication domains," which control how users are added to a New Relic account, how they’re authenticated, and more.
To check if you have access to these features, you can go to the authentication domain settings UI and see if you can configure settings.
Requirements to configure these settings:
- These features are for managing users on the New Relic One user model. For users on our original user model, see Original account management.
- Pro tier is required for all options except automated user management, which requires Enterprise tier.
- You must be in a user group that has the Authentication domain manager role.
- SAML support:
An "authentication domain" is a grouping of New Relic users governed by specific settings, like how they are provisioned (added to New Relic), how they are authenticated (logged in), and more.
When someone creates a New Relic account, the default authentication settings are:
- Users are manually added to New Relic
- Users manually log in using their username and password
Those default settings would be under one "authentication domain." Another authentication domain might be set up like this:
- Users are added and managed automatically from an identity provider (like Okta or Azure AD)
- Users are logged in using SAML single sign-on (SSO) from an identity provider
When you add users to New Relic, they’re added within a specific authentication domain. Users in one authentication domain are not available for management when in another domain. Typically organizations will have either one or two authentication domains: one for the manual, default methods and one for the methods tied to their identity provider.
Configurable elements of an authentication domain include:
- Source of users (managed manually via the UI or managed automatically via identity provider)
- Authentication method (using manual username/password login or using SSO).
- Session management (how long a user can stay logged in, how long a browser session can be idle)
For more about the configuration options, keep reading.
Before configuring SCIM, please read our AUM docs.
From the authentication domain UI, you can set one of two options for how users are added to New Relic:
- Manual: this means that your users are added manually to New Relic.
- SCIM: enabling SCIM lets you use our automated user management (AUM) to import/manage users from your identity provider. Please read requirements and impacts before enabling.
The authentication method is the method by which New Relic users log in to New Relic. All users in an authentication domain have a single authentication method. Once a user authenticates with New Relic, they have access to any account they've been granted permissions for.
There are two authentication options:
- Username/password: your users log in via standard username and password.
- SAML SSO: your users log in via SAML single sign-on (SSO) via your identity provider.
How users authenticate to New Relic is independent of how they're added (manually or SCIM). SCIM-added users require SAML SSO but manually-added users may or may not use SAML SSO.
Recommended: first read the requirements.
If you're using Azure, Okta, or OneLogin, your first step is to get and enable the New Relic integration for that service. To do this, follow the "Add SCIM/SSO application" instructions in these docs and then return here for more instructions: Azure | Okta | OneLogin.
If you're using a custom SAML 2.0 integration, note that when configuring SAML manually, we require the option for signed SAML assertions to be enabled.
Next, you'll enable SAML SSO from New Relic's authentication domain UI:
Under Authentication, click Configure.
Under Method of authenticating users, select SAML SSO.
Under Provided by New Relic, review your New Relic SAML service provider details.
Under Provided by you, set the source of SAML metadata with a URL pointing to your SAML metadata (recommended). This URL is supplied by your identity provider and should conform to SAML V2.0 metadata standards.
Alternatively, set the source of SAML metadata by selecting Upload a certificate and selecting Choose file. This should be a PEM encoded x509 certificate. A certificate should only be uploaded if your identity provider does not support dynamic configuration.
Under Provided by you, set the SSO target URL supplied by your identity provider.
If your organization's SAML integration provides a redirect URL for logout, enter the Logout redirect URL; otherwise, leave it blank.
Next, you'll need to give your users access to New Relic. This usually takes the form of creating groups and adding users to groups and accounts.
In the authentication domain UI, you can control several other settings for the users in that domain, including:
- Length of time users can remain logged in.
- Amount of idle time before a users' session expires.
- User access requests: This controls how basic users become full users. You can either allow basic users to self-upgrade or you can require review by admins (users with the Authentication domain manager role). Allowing users to self-upgrade allows them to quickly respond to issues. If Require review is set, admins receive an email when an upgrade request is made, and can manage requests in the User management UI. For more about basic users and full users, see User type. (Note that upgrade works differently for users on our original user model.)
If you need more help, check out these support and learning resources:
- Browse the Explorers Hub to get help from the community and join in discussions.
- Find answers on our sites and learn how to use our support portal.
- Run New Relic Diagnostics, our troubleshooting tool for Linux, Windows, and macOS.
- Review New Relic's data security and licenses documentation.