Configure authentication domains and SSO

New Relic One user model

This doc is for managing users on the New Relic One user model. For managing users on our original user model, see Original users. Learn about user models.

New Relic organizations can configure authentication domain settings, which pertain to how users are added to your New Relic account and how they’re authenticated.

Requirements

To check if you have access to these features, you can go to the authentication domain settings UI and see if you can configure settings.

Requirements to configure authentication domains:

What is an authentication domain?

An "authentication domain" is a grouping of New Relic users governed by specific settings regarding how users are provisioned (added) and how they are authenticated (logged in).

When someone creates a New Relic account, the default authentication settings are:

  • Users are manually added to New Relic
  • Users manually log in using their username and password

Those default settings would be under one "authentication domain." Pro and Enterprise tier New Relic organizations are able to set up additional authentication domains. For example, another authentication domain might be set up like this:

  • Users are added and managed automatically from an identity provider (for example, Okta or Azure AD)
  • Users are logged in using SAML single sign-on (SSO) from an identity provider

When you add users to New Relic, they’re added within a specific authentication domain. Users in one authentication domain can't be managed from within another domain. Typically, organizations will have either one or two authentication domains: one for the manual, default methods and one for the methods tied to their identity provider.

Configurable elements of an authentication domain include:

  • Source of users (managed manually via the UI or managed automatically via identity provider)
  • Authentication method (using manual username/password login or using SSO)
  • Session management (how long a user can stay logged in, how long a browser session can be idle)

Configure authentication domain via UI

If you meet the requirements, you can add and manage authentication domains. To do this:

  • Go to the authentication domains UI. You can do this in one of two ways:
    • From the top navigation, select Apps, select My Organization, and then select Authentication domains.

      OR

    • From the account dropdown, select Organization and access and then select Authentication domains.
  • For information about available options, keep reading.

Source of users

From the authentication domain UI, you can set one of two options for how users are added to New Relic:

  • Manual: this means that your users are added manually to New Relic.
  • SCIM: using SCIM allows you to use our automated user management (AUM) to import users from your identity provider. To learn more about the process, see our AUM docs.

Authentication

There are two authentication options:

  • Username/password: your users log in via standard username and password.
  • SAML SSO: your users log in via SAML single sign-on (SSO) via your identity provider.

To set up SAML SSO from the authentication domain UI:

  1. Under Authentication, click Configure.
  2. Under Method of authenticating users, select SAML SSO.
  3. Under Provided by New Relic, review your New Relic SAML service provider details.
  4. Under Provided by you, set the source of SAML metadata with a URL pointing to your SAML metadata (recommended). This URL is supplied by your identity provider and should conform to SAML V2.0 metadata standards.

    Alternatively, set the source of SAML metadata by selecting Upload a certificate and selecting Choose file. This should be a PEM-encoded X.509 certificate. Upload a certificate only if your identity provider does not support dynamic configuration.

  5. Under Provided by you, set the SSO target URL supplied by your identity provider.
  6. If your organization's SAML integration provides a redirect URL for logout, enter the Logout redirect URL; otherwise, leave it blank.
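
A pre-flight check for the values entered in steps 4 to 6, as an added example that is not New Relic's code: it parses identity provider metadata, confirms it is a SAML V2.0 IdP descriptor, and extracts the SSO target URL, the optional logout URL, and the signing certificate. The `idp.example.com` URLs, the placeholder certificate body, the function names, and the choice of the HTTP-Redirect binding are assumptions made for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Constructed sample: idp.example.com and the certificate body are placeholders.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXI=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.com/slo"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def _endpoint(idp, tag):
    """Location of the first HTTP-Redirect <tag> endpoint, or None; must be https."""
    for el in idp.findall(f"{{{MD}}}{tag}"):
        if el.get("Binding") == REDIRECT:
            loc = el.get("Location", "")
            if urlparse(loc).scheme != "https":
                raise ValueError(f"{tag} Location is not https: {loc!r}")
            return loc
    return None

def check_idp_metadata(xml_text):
    """Pull out the values the SAML SSO form asks for, rejecting malformed input."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declarations are not expected in SAML metadata")
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if root.tag != f"{{{MD}}}EntityDescriptor" or idp is None:
        raise ValueError("not a SAML V2.0 IdP EntityDescriptor")
    sso = _endpoint(idp, "SingleSignOnService")
    if sso is None:
        raise ValueError("no HTTP-Redirect SingleSignOnService endpoint")
    certs = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") in (None, "signing"):  # no 'use' covers signing and encryption
            for c in kd.iter(f"{{{DS}}}X509Certificate"):
                certs.append(base64.b64decode("".join((c.text or "").split()), validate=True))
    if not certs or not all(certs):
        raise ValueError("missing or empty signing certificate")
    return {"sso_target_url": sso, "signing_certs_der": certs,
            "logout_redirect_url": _endpoint(idp, "SingleLogoutService")}
```

A `logout_redirect_url` of `None` corresponds to leaving the Logout redirect URL field blank in step 6.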

Session management

From the authentication domain UI, you can configure some session-related settings, including:

  • How long users remain logged in
  • The maximum amount of time the browser can remain idle before logout
