• Log inStart now

Authentication domain settings: SAML SSO, SCIM, and more


This doc is for managing users on our newer user model. For managing users on our original user model, see Original users.

To manage their users, New Relic organizations can configure one or more authentication domains, which control how users are added to a New Relic account, how they’re authenticated, and more.

What is an authentication domain?

An "authentication domain" is a grouping of New Relic users governed by the same user management settings, like how they're provisioned (added and updated), how they're authenticated (logged in), session settings, and how user upgrades are managed.

When someone creates a New Relic account, the default authentication settings are:

  • Users are manually added to New Relic
  • Users manually log in using their email and password

Those default settings would be under one "authentication domain." Another authentication domain might be set up like this:

  • Users are added and managed from an identity provider using SCIM provisioning
  • Users are logged in using SAML single sign-on (SSO) from an identity provider

When you add users to New Relic, they’re added to a specific authentication domain. Typically organizations have either one or two authentication domains: one for the manual, default methods and one for the methods associated with an identity provider. Learn more in this short video (4:26 minutes):


Authentication domains are for managing users on our newer user model. If your users are on our original user model, see Original accounts.

Requirements to manage authentication domains:

Create and configure an authentication domain

If you meet the requirements, you can add and manage authentication domains.

To view and configure authentication domains: from the account dropdown, go to Administration > Access management > Authentication domains.

If you have existing domains, they'll be on the left. Note that most organizations will have, at most, two or three domains: one with the manual, default settings and one or two for the identity provider-associated settings.

To create a new domain from the authentication domain UI page, click Create new. For more about the configuration options, keep reading.

Source of users: manual provisioning versus SCIM provisioning


For an introduction to our SAML SSO and SCIM offerings, please read Get started with SSO and SCIM.

From the authentication domain UI, you can set one of two options for how users are added to New Relic:

  • Manual: This means that your users are added manually to New Relic from the User management UI.
  • SCIM: Our automated user management feature allows you to use SCIM provisioning to import and manage users from your identity provider.

Notes on these settings:

  • You can't toggle Source of users. This means if you want to change this for an authentication domain that's already been set up, you'll need to create a new one.
  • When you first enable SCIM, the bearer token is generated and only shown once. If you need to view a bearer token later, the only way to do this is to generate a new one, which will invalidate the old one and any integrations using the old token.

For how to set up SCIM, see Automated user management.

Authentication: username/password versus SAML SSO

The authentication method is the way in which New Relic users log in to New Relic. All users in an authentication domain have a single authentication method. There are two authentication options:

  • Username/password: Your users log in via email and password.
  • SAML SSO: Your users log in via SAML single sign-on (SSO) via your identity provider. To learn how to set that up, keep reading.

Set up SAML SSO authentication

Before enabling SAML SSO using the instructions below, here are some things to understand and consider:

  1. If you're setting up SCIM provisioning:

    • If you use Azure, Okta, or OneLogin, follow these procedures first: Azure | OneLogin | Okta.
    • If you use a different identity provider, follow the SAML procedures below and use our SCIM API to enable SCIM.
  2. If you only want to enable SAML SSO and not SCIM, and if you use Azure, Okta, or OneLogin, follow these instructions for configuring the relevant app:

    • If you're implementing SAML using a different identity provider not mentioned above, you'll need to attempt to integrate using the SAML instructions below. Note that your identity provider must use the SAML 2.0 protocol, and must require signed SAML assertions.
  3. Next, you'll go to our authentication domain UI. From the account dropdown, click Access management, and then click Authentication domains. If you don't already have one, create a new domain to be used for your SAML-authenticating users.

  4. Under Authentication, click Configure. Under Method of authenticating users, select SAML SSO.

  5. If you're using the Okta, OneLogin, or Azure AD app, you can skip this step. Under Provided by New Relic, we have some New Relic-specific information. You'll need to place these in the relevant fields in your identity provider service. If you're not sure where they go, consult your identity provider docs.

  6. Under Provided by you, input the Source of SAML metadata. This URL is supplied by your identity provider and may be called something else. It should conform to SAML V2.0 metadata standards. If your identity provider doesn't support dynamic configuration, you can do this by using Upload a certificate. This should be a PEM encoded x509 certificate.

  7. Under Provided by you, set the SSO target URL supplied by your identity provider. You can find this by going to the Source of SAML metadata and finding the POST binding URL. It looks like: https://newrelic.oktapreview.com/app/newreliclr/1234567890abcdefghij/sso/saml.

  8. If your identity provider has a redirect URL for logout, enter it in the Logout redirect URL; otherwise, leave it blank.

  9. If you’re using an identity provider app, you’ll need to input the authentication domain ID in the app. That ID is found at the top of New Relic’s authentication domain UI page.

  10. Optional: In New Relic’s authentication domain UI, you can adjust other settings, like browser session length and user upgrade method. You can adjust these settings at any time.

  11. If you're enabling SAML only, you'll need to create groups. (If you enabled SCIM, you've already completed this step.) Groups are what give your users access to New Relic accounts. Without being assigned to groups, your users are provisioned in New Relic but have no access to accounts or roles. To learn how to do this:

  1. Okta only: Return to Okta's New Relic app and, from the Add New Relic by organization page, uncheck the two Application visibility "Do not display..." checkboxes and click on Done.

To verify it's been set up correctly, see if your users can log in to New Relic via your identity provider and ensure they have access to their accounts.

Session duration and timeout

In the authentication domain UI, under Management, you can control some other settings for the users in that domain, including:

  • Length of time users can remain logged in.
  • Amount of idle time before a user's session expires.
  • User upgrade requests

Manage user type and upgrade requests

In the authentication domain UI, under Management, you can control how your users' user type is managed. This includes how the user type can be edited and how upgrade requests are handled.

There are two main settings:

  • Manage user type in New Relic: This is the default option. It allows you to manage your users' user type from New Relic.
  • Manage user type with SCIM: Enabling this means that you can no longer manage user type from New Relic. You'd only be able to change and manage it from your identity provider.

More on these two options:

For more about user type, see User type.

Note that if you're on our original user model, upgrades work differently.

Copyright © 2022 New Relic Inc.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.