New Relic lets you set up automated user management (AUM), which allows you to import, update, and deactivate your New Relic users from an identity provider, like Azure AD, Okta, or OneLogin.
Before reading the benefits of automated user management, we recommend reading Get started with SAML SSO and SCIM.
Benefits of enabling automated user management include:
- Time and cost efficiency: When you make changes in your identity provider, such as creating, updating, and removing users, these changes are automatically reflected in New Relic. Managing a large set of users from your identity provider reduces the workload of your admins, who'd otherwise need to do a significant amount of work in New Relic to accomplish the same thing.
- Increased productivity: Because users and groups are set up more automatically, your users are enabled and ready to use New Relic more quickly.
- Enhanced security: SCIM is an industry-standard protocol for maintaining groups of users.
- Use of this feature requires SAML SSO, so once your users are added to New Relic, they can log in using your identity provider.
- Popular identity providers Azure AD, Okta, and OneLogin have dedicated New Relic apps, improving ease of enablement.
Requirements and recommendations:
- Requires Pro or Enterprise edition.
- Supports SAML 2.0 standard for single sign-on (SSO).
- Supports SCIM 2.0 standard.
- User model-related requirements:
  - This feature requires you to be on our New Relic One user model and creates users on that model. If you're on our original user model (or otherwise can't implement this feature), talk to your New Relic account representative.
- Configuration requires that a user have the Authentication domain manager and the Organization manager role (users in the default group Admin have these).
- There are three identity providers that have a New Relic app: Azure AD, Okta, and OneLogin. For other identity providers, you can use our SCIM API.
- Before enabling this, it helps to first set up user groups in your identity provider service and think about which New Relic roles and accounts those groups will have access to.
For an explanation of how your identity provider groups map over to New Relic groups, see Group and role mapping.
To use automated user management to import users from your identity provider:
- It's important to first review the requirements.
- In the authentication domain UI, create a new authentication domain.
- If you use Azure AD, Okta, or OneLogin, use the applicable guide: Azure AD | Okta | OneLogin.
- If you don't use one of the above services, you'll need to:
  - Use the authentication domain UI to enable SCIM as the source of users.
  - Use our SCIM API to integrate with your identity provider service. See the SCIM API tutorial for all the steps involved.
- Highly recommended: Set a time zone for your users in your identity provider. How you do this will vary by identity provider. If not set in your identity provider, our UI shows UTC time zone dates/times. Time zone is specified in IANA Time Zone database format, also known as the "Olson" time zone database format (for example, "America/Los_Angeles").
If you have issues, contact your account representative.
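For a custom SCIM integration, the time zone recommendation above can be checked before any user is sent. The following is an added example, not New Relic code: it builds a standard SCIM 2.0 core User resource (RFC 7643) and flags records whose time zone is missing or not an IANA name. The record field names (`email`, `first`, `last`, `tz`) and the sample users are assumptions made for illustration; the attributes New Relic actually consumes are listed in the SCIM API tutorial.

```python
import json
import re
from zoneinfo import available_timezones

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core User
KNOWN_ZONES = available_timezones()  # empty set if the host has no tz database
ZONE_SHAPE = re.compile(r"^[A-Za-z_]+(/[A-Za-z0-9_+-]+){1,2}$")  # fallback check


def timezone_problem(tz):
    """Return None if tz is a usable IANA zone name, else a short reason."""
    if not tz:
        return "missing (dates/times will display in UTC)"
    if KNOWN_ZONES:
        return None if tz in KNOWN_ZONES else "not an IANA zone name"
    return None if ZONE_SHAPE.match(tz) else "not Area/Location shaped"


def build_scim_user(record):
    """Map one directory record (hypothetical field names) to a SCIM 2.0 User."""
    user = {
        "schemas": [USER_SCHEMA],
        "userName": record["email"],
        "name": {"givenName": record["first"], "familyName": record["last"]},
        "emails": [{"value": record["email"], "primary": True}],
        "active": record.get("active", True),
    }
    if timezone_problem(record.get("tz")) is None:
        user["timezone"] = record["tz"]  # only send values that validated
    return user


def audit(records):
    """List (email, reason) for every record whose time zone needs fixing."""
    return [(r["email"], p) for r in records
            if (p := timezone_problem(r.get("tz")))]


# Constructed sample records, not real users.
SAMPLE = [
    {"email": "ana@example.com", "first": "Ana", "last": "Ruiz", "tz": "America/Los_Angeles"},
    {"email": "bo@example.com", "first": "Bo", "last": "Lind", "tz": "Pacific Standard Time"},
    {"email": "cy@example.com", "first": "Cy", "last": "Okoro"},
]

if __name__ == "__main__":
    for email, reason in audit(SAMPLE):
        print(f"{email}: time zone {reason}")
    print(json.dumps(build_scim_user(SAMPLE[0]), indent=2))
```

Running the audit against an export from your identity provider before enabling SCIM shows which users would otherwise see UTC dates and times.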
After being provisioned, your users can click on the New Relic SCIM/SSO application tile in their identity provider to be logged into New Relic.
To learn more about New Relic's roles and capabilities, see Standard roles.