OneLogin SCIM/SSO application configuration

This supplemental guide provides OneLogin specific details on how to configure the New Relic OneLogin SCIM/SSO application to connect your organization's users to New Relic and allow single sign-on into New Relic. This supplemental guide is meant to be used along with the main automated provisioning guide.

Add SCIM/SSO application

Add the New Relic SCIM/SSO application to your OneLogin applications.

  1. Go to the OneLogin web site and sign in with an account that has administrator permissions.
  2. From the OneLogin home page, click on Administration.
  3. From the OneLogin Administration page, choose the Applications menu.
  4. From the OneLogin Applications page, click on Add App.
  5. In the search field on the OneLogin Find Applications page, enter "New Relic by Organization" and then click on the application when it shows in the search results.
  6. From the Add New Relic by Organization page, click on Save.

Configure SCIM/SSO application

Configuration for the New Relic SCIM/SSO application is split across several forms. This section describes the different forms that need to be configured.

From the New Relic by Organization application page, fill in the following forms:

Step 1. Fill in the Configuration form

In the left pane, select Configuration and complete the following:

  1. Fill in the Authentication Domain ID and SCIM Bearer Token fields with the values provided by your account representative.
  2. Leave the API Connection disabled until all the configuration described in the following sections is completed. After completing all the configuration, enable the connection.

Step 2. Fill in the Rules form

Configure the user groups to send to New Relic using rules. OneLogin provides this documentation which describes how to use rules to provision groups for users.

Decide what type of groups to send along with your users to New Relic. If your organization is using Active Directory or LDAP, you might choose to use security groups to define your users capabilities at New Relic. Another reasonable group choice is OneLogin role.

On the New Relic side, your user's groups define their capabilities. The groups that are sent with users will be mapped to New Relic capability groups.

Note that at the moment, there is no way to delete a group from the OneLogin side. This is a known limitation from OneLogin. Removing or changing rules does not delete groups already sent to New Relic. If you wish to no longer use a group, removing all the users from the group will prevent it from being used at New Relic.

A rule that only uses actions

Here's an example rule configuration does not use any conditions. The conditions are left empty to avoid applying any filtering logic to the users. All users will be sent in this example. If you want to send only a subset of users, you need to specify conditions to select the subset.

Screen capture showing the OneLogin Rules detail page about conditions and actions.

The actions describe where to retrieve the value for the group name and how to parse the value. In this example, we retrieve the group name from the OneLogin role field.

The OneLogin role field only has a single value, but sometimes the source for the group name contains other fields besides group name. In other words, some sources give you a list of fields and values and only one of those fields has the value you want to use. In this case, you can insert a regular expression in with value that matches field to find and extract the value for the group name.

This example uses the entire value of the For each field for the group name.

Step 3. Fill in the Parameters form

In the left pane, select Parameters and complete the following:

  1. Click Groups field.
    Screenshot of the OneLogin Parameter form showing which fields to configure.
  2. Check Include in User Provisioning.
    Screenshot showing the OneLogin Parameter details page.
  3. Click Save.

Step 4. Fill in the Provisioning form

In the left pane, select Provisioning and complete the following:

Screen capture showing the OneLogin Provisioning page.
  1. Check Enable provisioning.
  2. Under Require admin approval before this action is performed, uncheck these options:
    • Create user
    • Delete user
    • Update user

    If you do not uncheck these options, SCIM provisioning requests will not be sent until an administrator approves them.

  3. Set When users are deleted in OneLogin, or the user's app access is removed, perform the below action to Delete.
  4. Set When user accounts are suspended in OneLogin, perform the following action to Suspend.

Step 5. Save your changes

After you complete the above forms, click Save. Then, return to the Configuration form and enable the API connection.

Assign users

After New Relic SCIM/SSO application configuration is finished and New Relic side configuration is finished, you can begin to assign users to the application.

Assign the New Relic SCIM/SSO application to a user.

  1. Go to the OneLogin web site and sign in with an account that has administrator permissions.
  2. From the OneLogin home page, click Administration.
  3. From the OneLogin Administration page, choose the Users menu Users item.
  4. From the OneLogin Users page, click the user you want to assign the application to.
  5. From the user's page, click Applications.
  6. From the user's application page, click the plus sign and select the "New Relic by Organization" application.
  7. From the Edit New Relic by Organization login for user page, enter the user's time zone in IANA Time Zone database format (also known as the Olson time zone database format) and click Save.
  8. If you're using Roles to define your New Relic capability groups, from the user's application page, click the proper role(s) for the user and then click Save User.

OneLogin provisions users in near real time so almost the moment you save the user in OneLogin, the user should be ready to use at New Relic.

For more help

If you need more help, check out these support and learning resources: