To manage their users, New Relic organizations can configure one or more authentication domains, which control how users are added to a New Relic account, how they’re authenticated, and more.
To check if you have access to these features, you can go to the authentication domain settings UI and see if you can configure settings.
Requirements to configure these settings:
- These features are for managing users on the New Relic One user model. For users on our original user model, see Original account management.
- Configuring these settings requires Pro or Enterprise edition.
- To edit these settings, you must be in a group with the Authentication domain manager role.
- SCIM provisioning, also known as automated user management requires Pro or Enterprise edition.
- SAML SSO requires Pro or Enterprise edition. SAML support includes:
An "authentication domain" is a grouping of New Relic users governed by the same user management settings, like how they're provisioned (added and updated), how they're authenticated (logged in), session settings, and how user upgrades are managed.
When someone creates a New Relic account, the default authentication settings are:
- Users are manually added to New Relic
- Users manually log in using their email and password
Those default settings would be under one "authentication domain." Another authentication domain might be set up like this:
- Users are added and managed from an identity provider using SCIM provisioning
- Users are logged in using SAML single sign-on (SSO) from an identity provider
When you add users to New Relic, they’re added to a specific authentication domain. Typically organizations have either one or two authentication domains: one for the manual, default methods and one for the methods associated with an identity provider. Learn more in this short video (4:26 minutes):
If you meet the requirements, you can add and manage authentication domains.
To view and configure authentication domains: from the account dropdown, go to Administration > Organization and access > Authentication domains.
If you have existing domains, they'll be on the left. Note that most organizations will have, at most, two or three domains: one with the manual, default settings and one or two for the identity provider-associated settings.
To create a new domain from the authentication domain UI page, click Create new. For more about the configuration options, keep reading.
For an introduction to our SAML SSO and SCIM offerings, please read Get started with SSO and SCIM.
From the authentication domain UI, you can set one of two options for how users are added to New Relic:
- Manual: This means that your users are added manually to New Relic from the User management UI.
- SCIM: Our automated user management feature allows you to use SCIM provisioning to import and manage users from your identity provider.
Notes on these settings:
- You can't toggle Source of users. This means if you want to change this for an authentication domain that's already been set up, you'll need to create a new one.
- When you first enable SCIM, the bearer token is generated and only shown once. If you need to view a bearer token later, the only way to do this is to generate a new one, which will invalidate the old one and any integrations using the old token.
For how to set up SCIM, see Automated user management.
The authentication method is the way in which New Relic users log in to New Relic. All users in an authentication domain have a single authentication method. There are two authentication options:
- Username/password: Your users log in via email and password.
- SAML SSO: Your users log in via SAML single sign-on (SSO) via your identity provider. To learn how to set that up, keep reading.
Before enabling SAML SSO using the instructions below, here are some things to understand and consider:
- Consider reading an introduction to getting started with SSO and SCIM.
- Consider reviewing the SAML SSO requirements.
- Consider watching a video on how to set up SAML SSO.
- Note that your SSO-enabled users won't receive email verification notifications from New Relic because the login and password information is handled by your identity provider.
- Consult your identity provider service's docs because they may have New Relic-specific instructions.
If you're setting up SCIM provisioning:
If you only want to enable SAML SSO and not SCIM, and if you use Azure, Okta, or OneLogin, follow these instructions for configuring the relevant app:
- If you're implementing SAML using a different identity provider not mentioned above, you'll need to attempt to integrate using the SAML instructions below. Note that your identity provider must use the SAML 2.0 protocol, and must require signed SAML assertions.
Next, you'll go to our authentication domain UI. From the account dropdown, click Organization and access, and then click Authentication domains. If you don't already have one, create a new domain to be used for your SAML-authenticating users.
Under Authentication, click Configure. Under Method of authenticating users, select SAML SSO.
If you're using the Okta, OneLogin, or Azure AD app, you can skip this step. Under Provided by New Relic, we have some New Relic-specific information. You'll need to place these in the relevant fields in your identity provider service. If you're not sure where they go, consult your identity provider docs.
Under Provided by you, input the Source of SAML metadata. This URL is supplied by your identity provider and may be called something else. It should conform to SAML V2.0 metadata standards. If your identity provider doesn't support dynamic configuration, you can do this by using Upload a certificate. This should be a PEM encoded x509 certificate.
Under Provided by you, set the SSO target URL supplied by your identity provider. You can find this by going to the Source of SAML metadata and finding the POST binding URL. It looks like:
If your identity provider has a redirect URL for logout, enter it in the Logout redirect URL; otherwise, leave it blank.
If you’re using an identity provider app, you’ll need to input the authentication domain ID in the app. That ID is found at the top of New Relic’s authentication domain UI page.
Optional: In New Relic’s authentication domain UI, you can adjust other settings, like browser session length and user upgrade method. You can adjust these settings at any time.
If you're enabling SAML only, you need to create groups and assign access grants in New Relic. (If you enabled SCIM, you've already completed this step.) Access grants are what give your users access to New Relic accounts. Without access grants, your users are provisioned in New Relic but have no account access. To learn how to do this:
- Okta only: Return to Okta's New Relic app and, from the Add New Relic by organization page, uncheck the two Application visibility "Do not display..." checkboxes and click on Done.
To verify it's been set up correctly, see if your users can log in to New Relic via your identity provider and ensure they have access to their accounts.
In the authentication domain UI, under Management, you can control some other settings for the users in that domain, including:
- Length of time users can remain logged in.
- Amount of idle time before a user's session expires.
- User upgrade requests
There are two main settings:
- Manage user type in New Relic: This is the default option. It allows you to manage your users' user type from New Relic.
- Manage user type with SCIM: Enabling this means that you can no longer manage user type from New Relic. You'd only be able to change and manage it from your identity provider.
More on these two options:
For more about user type, see User type.
Note that if you're on our original user model, upgrades work differently.