Automated user provisioning and single sign-on

With automated user provisioning, New Relic users can be created, updated, and deactivated all from your identity provider, without the separate step of having to use a New Relic UI or API. With this automated provisioning, users can log in to New Relic by just clicking on the SCIM/SSO application from their identity provider home page.

You can configure a New Relic SCIM/SSO application to connect your organization's users to New Relic and allow single sign-on into New Relic with Azure AD, Okta or OneLogin.

SCIM/SSO, users, and your organization

New Relic supports the SCIM 2.0 standard for automatically provisioning users and the SAML 2.0 standard to allow single sign-on (SSO). By configuring the New Relic SCIM/SSO application for your identity provider, you can automatically send any user permissions changes you make within the identity provider to New Relic.

The New Relic SCIM/SSO applications work with a new type of user record (v2). Your existing New Relic users (v1) will not be affected by the applications. Your existing users will continue to function the same as before, using their current method of login. The users you add using the New Relic SCIM/SSO application will be created in a different place than the existing users. These new users will log in using a new SSO URL. The user and login mechanisms are entirely separate between the existing and new systems. While these systems are separate, users will see the same data once logged in.

In the new system, accounts and users are now tied to organizations. This differs from the prior system where users were directly tied to accounts. In the new system, the user's capabilities are determined by the groups to which the user belongs. A user may belong to multiple groups and the user's capabilities will be the union of all the capabilities from the user's groups.

1. Getting started

Work with your account representative to configure SCIM and SSO for your organization. Provide your account representative with:

  • Your organization name
  • List of New Relic account IDs to associate with the organization

With this information, your account representative creates an organization record for you in our new system and associates your accounts to the organization.

Your account representative provides you with the following information which you will need to configure the New Relic SCIM/SSO application for your identity provider:

  • Authentication domain ID
  • SCIM bearer token

The SCIM bearer token allows the provisioning of your users at New Relic, so please keep the value secured. Your account representative will transfer the SCIM bearer token to you in a secure manner.

2. Configure SCIM/SSO application

Refer to the specific guide to see details about configuring the New Relic SCIM/SSO application for your identity provider:

If you don't use one of these providers, you can also set up SCIM using our APIs.

3. Configure SSO and group capabilities

After configuring the New Relic SCIM/SSO application for your identity provider, provide the following information to your account representative:

SSO issuer URL

The identity provider specific guide will tell you where to find the SSO issuer URL for your identity provider.

Group mapping

On the New Relic side, there are five capability groups that define user capabilities. These are:

  1. read_only: Provides read only access to all New Relic products.
  2. standard_user: Provides standard access to all New Relic products. This includes the ability to use the product and change most monitoring configuration but not adjust account-level or more sensitive configuration.
  3. all_product_admin: Provides admin access to all New Relic Products. This includes all functionality with the exception of managing users or subscriptions and billing.
  4. billing_user: Provides access to manage subscriptions and billing.
  5. manage_v1_users: Provides access to manage the v1 users.

For each of the user groups you are sending to New Relic, you need to specify the following:

  • Which of the New Relic capability groups to assign to the user group.
  • The list of account IDs for the accounts to which members of the user group should have access.

For example, if your identity provider has a group called "Normal User" that you use to group your normal users, and these users should have access to your accounts with IDs 1000001, 1000002 and 1000003, you can tell your account representative:

Can you please map our identity provider group "Normal User" to New Relic group "standard_user". Members of the group can access our New Relic accounts with ids 1000001, 1000002 and 1000003.
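
Before sending a mapping request like the one above, you can model it and review what each user would end up with. The following is an added example, not New Relic code: it resolves a user's capability groups per account as the union across their identity provider groups and lists elevated grants for access review. Only "Normal User" and its account IDs come from this page; the other group names, the choice of which groups count as elevated, and the per-account resolution are assumptions.

```python
from collections import defaultdict

# The five New Relic capability groups listed on this page.
CAPABILITY_GROUPS = {"read_only", "standard_user", "all_product_admin",
                     "billing_user", "manage_v1_users"}
# Assumption for this review: groups treated as elevated.
ELEVATED = {"all_product_admin", "billing_user", "manage_v1_users"}

# Constructed mapping: identity provider group -> (capability group, account IDs).
# "Normal User" is the page's example; the other entries are hypothetical.
GROUP_MAPPING = {
    "Normal User": ("standard_user", [1000001, 1000002, 1000003]),
    "Platform Admins": ("all_product_admin", [1000001]),
    "Finance": ("billing_user", [1000001, 1000002, 1000003]),
    "Auditors": ("read_only", [1000002]),
}

def validate_mapping(mapping):
    """Return problems found: unknown capability groups or empty account lists."""
    problems = []
    for idp_group, (capability, accounts) in mapping.items():
        if capability not in CAPABILITY_GROUPS:
            problems.append(f"{idp_group}: unknown capability group {capability!r}")
        if not accounts:
            problems.append(f"{idp_group}: no account IDs listed")
    return problems

def effective_access(user_groups, mapping):
    """Union of capability groups per account across all of a user's groups.
    Assumption: a group with no mapping grants nothing; it is reported separately."""
    access = defaultdict(set)
    unmapped = []
    for group in user_groups:
        if group not in mapping:
            unmapped.append(group)
            continue
        capability, accounts = mapping[group]
        for account_id in accounts:
            access[account_id].add(capability)
    return dict(access), unmapped

def elevated_grants(user_groups, mapping):
    """Accounts where the user holds an elevated capability group."""
    access, _ = effective_access(user_groups, mapping)
    return {acct: sorted(caps & ELEVATED)
            for acct, caps in access.items() if caps & ELEVATED}
```

Running `elevated_grants` for every user's group list before assignment shows where a second group membership quietly adds admin or billing access on an account.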

4. Assign users

With the above configuration completed, the New Relic SCIM/SSO application is ready to use. Assigning the application to a user will cause the user to be provisioned at New Relic. After being provisioned, the user can click on the New Relic SCIM/SSO application tile on their identity provider home page to be logged into New Relic. Refer to the identity provider specific guide for more details about how to assign the application to a user:

Set a time zone for your users. If not specified, the New Relic UI will show date/times with the UTC time zone. Time zone is specified in IANA Time Zone database format, also known as the "Olson" time zone database format (e.g., "America/Los_Angeles"). Refer to the identity provider specific guide for more details about how to set time zone for a user.

For more help

At this time, only users not provisioned with automated user provisioning can file a ticket with New Relic Support. To file a ticket, make sure you are logged in as a V1 user. Please reach out to your account representative if you need assistance using the New Relic SCIM/SSO application.
