Okta SCIM/SSO application configuration

This supplemental guide provides Okta specific details on how to configure the New Relic Okta SCIM/SSO application. This connects your organization's users to New Relic, and allows them to easily use single sign-on into New Relic. This supplemental guide is meant to be used along with the main automated provisioning guide.

Add SCIM/SSO application

Add the New Relic SCIM/SSO application to your Okta applications.

  1. Go to okta.com/ and sign in with an account that has administrator permissions.
  2. From the Okta home page, click on Admin.
  3. From the Okta admin Dashboard, choose the Applications page. Click Add Application.
  4. In the search field on the Okta Add Applications page, enter "New Relic by Organization" and then click on the application when it shows in the search results.
  5. From the New Relic by Organization page, click on Add.
  6. From the Add New Relic by Organization page, check the two Application Visibility "Do not display..." checkboxes and click on Done. We will make the application visible later after configuration is complete and provisioning has begun.

Configure provisioning

Configure the New Relic SCIM/SSO application to automatically provision your users to New Relic.

  1. From the New Relic SCIM/SSO application page, click on the Provisioning tab.
  2. From the Integration form, click on Configure API Integration.
  3. Check the Enable API integration checkbox.
  4. In the API Token field, enter the SCIM Bearer Token provided by your account representative.
  5. Optional: click on Test API Credentials to verify a SCIM connection can be established to New Relic. If a connection can be established, a success message is displayed. If a connection was not established, re-enter the API Token and try the test again.
  6. Click Save. Note that the save process does a test of the API credentials. If a connection is not established to New Relic, the save will fail.
  7. On the newly displayed To App form, click on Edit.
  8. Check the Enable checkbox in the Create Users, Update User Attributes, and Deactivate Users sections.
  9. Click Save.

Assign users and groups

After the New Relic SCIM/SSO application provisioning configuration and the New Relic side SSO configuration is finished, you can assign users to the application.

Assigning users is done using two different tabs on the the New Relic SCIM/SSO application page. We recommend having your New Relic users selected on the Assignments tab and their associated groups selected on the Push Groups tab.

Assignments Tab

  1. From the New Relic SCIM/SSO application page, click on the Assignments tab.
  2. From the Assignments form, click on Assign.
  3. From the pop up menu, click on Assign to Groups.
  4. From the Assign ... to Groups form, click on Assign for the group you wish to assign to the application.
  5. Optional: in the Time zone field, enter the default time zone for members of the group. Members without a time zone configured, will use the group time zone. Time zone affects how date/times are shown in New Relic. Time zone is specified in IANA Time Zone database format, also known as the "Olson" time zone database format (e.g., "America/Los_Angeles").
  6. Click on Save and Go Back.
  7. Repeat the steps to add a group until all desired groups have been assigned to the application.
  8. Click Done.

Push Groups Tab

  1. From the New Relic SCIM/SSO application page, click on the Push Groups tab.
  2. From the Push Groups form, click on Push Groups.
  3. From the pop up menu, click on Find groups by name.
  4. From the Push Groups to... form, in the search field enter the first few characters of the name of the group you want to send to New Relic. Leave the Push group memberships immediately checkbox checked.
  5. Click on your group in the pop up search results list.
  6. In the Match result & push action section, No Match found should be displayed, meaning that the group does not yet exist at New Relic. Leave the selector set to Create Group and leave the default name for the group. The intent here is to have a group of the same name created at New Relic.
  7. If this is the last group you wish to send to New Relic, click on Save. Otherwise, if you have more groups to configure, click on Save & Add Another and repeat the steps to add a group.

Additional considerations

In this section we discuss other important things to know when using the New Relic SCIM/SSO application. This section includes tips to work around potential issues that could cause undesired results when integrating between Okta and New Relic.

Moving users between groups

When moving a user between groups, you must manually synchronize the old group's membership with New Relic. This is because Okta does not send a SCIM request to remove a user from a group. So, the admin needs to push the old group's membership to New Relic manually to inform New Relic that the user is no longer a member of the old group.

Here are the steps to manually synchronize a group's membership:

  1. From the New Relic SCIM/SSO application page, click on the Push Groups tab.
  2. From the Push Groups form, open the pick list on the desired group's button under the Push Status column.
  3. From the displayed pick list on the button, click Push now. This causes an immediate synchronization of the group's membership with New Relic.

For more help

Recommendations for learning more: