Automated user provisioning and single sign-on

New Relic lets you set up automated user provisioning, which allows you to create, update, and deactivate your New Relic users from your identity provider, without the separate step of having to use a New Relic UI or API. With this automated provisioning, users can log in to New Relic by simply clicking on the SCIM/SSO application from their identity provider home page.

You can configure a New Relic SCIM/SSO application to connect your organization's users to New Relic and allow single sign-on into New Relic with Azure AD, Okta or OneLogin.

Requirements

Requirements and compatibility:

  • Requires Enterprise tier.
  • User role that allows managing New Relic users.
  • Supports SCIM 2.0 standard.
  • Supports SAML 2.0 standard for single sign-on (SSO).

For accounts on original pricing plan

Our automated user management relies on a newer user model, the New Relic One user model, which is an improvement on our original user model. Learn more about what users are on which user model.

If your account is part of a New Relic organization (group of accounts) that existed before July 30, 2020, you likely have users on our original user model. These original users won't be affected by the SCIM/SSO applications and will sign in using their original login method. The user models are different, but users will have the same New Relic platform experience once logged in.

1. Getting started

Work with your account representative to configure SCIM and SSO for your organization. Provide your account representative with:

  • Your organization name
  • List of New Relic account IDs to associate with the organization

With this information, your account representative creates an organization record for you in our new system and associates your accounts to the organization.

Your account representative provides you with the following information, which you need to configure the New Relic SCIM/SSO application for your identity provider:

  • Authentication domain ID
  • SCIM bearer token

The SCIM bearer token authorizes the provisioning of your New Relic users, so treat it as a secret and keep the value secure. Your account representative will transfer the SCIM bearer token to you in a secure manner.

2. Configure SCIM/SSO application

Refer to the specific guide to see details about configuring the New Relic SCIM/SSO application for your identity provider:

If you don't use one of these providers, you can also set up SCIM using our APIs.

3. Configure SSO and group capabilities

After configuring the New Relic SCIM/SSO application for your identity provider, provide the following information to your account representative:

SSO issuer URL

The identity provider specific guide will tell you where to find the SSO issuer URL for your identity provider.

Group mapping

On the New Relic side, there are several roles that define New Relic user capabilities. For each of the user groups you send to New Relic, you need to specify the following:

  • Which of the New Relic roles to assign to the user group.
  • The list of account IDs for the accounts to which members of the user group should have access.

For example, if your identity provider has a group called "Normal User" that you use to group your normal users, and these users should have access to your accounts with IDs 1000001, 1000002, and 1000003, you might ask your account representative: "Can you please map our identity provider group 'Normal User' to the New Relic role 'standard_user'? Members of that group can access our New Relic accounts with IDs 1000001, 1000002, and 1000003."

4. Assign users

With the above configuration completed, the New Relic SCIM/SSO application is ready to use. Assigning the application to a user will cause the user to be provisioned at New Relic. After being provisioned, the user can click on the New Relic SCIM/SSO application tile on their identity provider home page to be logged into New Relic. Refer to the identity provider specific guide for more details about how to assign the application to a user:

Set a time zone for your users. If not specified, the New Relic UI will show date/times with the UTC time zone. Time zone is specified in IANA Time Zone database format, also known as the "Olson" time zone database format (e.g., "America/Los_Angeles"). For details about how to set a time zone for a user, refer to the identity provider's documentation.
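
As an added illustration (not New Relic code), the following pre-flight check flags SCIM 2.0 User records whose time zone is missing or is not an IANA zone name before they are provisioned. It assumes your identity provider sends the RFC 7643 core `timezone` attribute; the sample users and the function names are constructed for this example.

```python
# Added example, not New Relic code. Pre-flight check of SCIM 2.0 User
# resources (RFC 7643 core schema) before an identity provider sends them.
from zoneinfo import available_timezones

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def check_user(user, zones=None):
    """Return a list of findings for one SCIM User resource (a dict)."""
    # Default to the IANA database installed on this host.
    zones = available_timezones() if zones is None else zones
    findings = []
    if USER_SCHEMA not in user.get("schemas", []):
        findings.append("missing core User schema URN")
    if not user.get("userName"):
        findings.append("userName is required by RFC 7643")
    tz = user.get("timezone")
    if tz is None:
        findings.append("no timezone: UI will show dates in UTC")
    elif not isinstance(tz, str) or tz not in zones:
        # Offsets ("UTC-8") and most abbreviations ("PST") land here.
        findings.append(f"timezone {tz!r} is not an IANA zone name")
    return findings


def check_users(users, zones=None):
    """Map userName (or list index) to findings; clean users are omitted."""
    zones = available_timezones() if zones is None else zones
    report = {}
    for i, user in enumerate(users):
        findings = check_user(user, zones)
        if findings:
            report[user.get("userName") or f"#{i}"] = findings
    return report


# Constructed sample records; names and addresses are placeholders.
SAMPLE_USERS = [
    {"schemas": [USER_SCHEMA], "userName": "ana@example.com",
     "timezone": "America/Los_Angeles"},
    {"schemas": [USER_SCHEMA], "userName": "bo@example.com",
     "timezone": "UTC-8"},
    {"schemas": [USER_SCHEMA], "userName": "cy@example.com"},
    {"schemas": [USER_SCHEMA], "timezone": "Europe/Berlin"},
]

if __name__ == "__main__":
    for name, findings in check_users(SAMPLE_USERS).items():
        print(name, "->", "; ".join(findings))
```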
