• /
  • Log in

OneLogin SCIM/SSO application configuration

Our automated user management (AUM) allows allows you to import and configure your New Relic users from your identity provider via SCIM. This guide provides OneLogin-specific details on how to configure the New Relic OneLogin SCIM/SSO application.


Before using this guide, read our AUM requirements.

Add SCIM/SSO application

Add the New Relic SCIM/SSO application to your OneLogin applications.

  1. Go to the OneLogin web site and sign in with an account that has administrator permissions.
  2. From the OneLogin home page, click on Administration.
  3. From the OneLogin Administration page, choose the Applications menu.
  4. From the OneLogin Applications page, click on Add App.
  5. In the search field on the OneLogin Find Applications page, enter "New Relic by Organization" and then click on the application when it shows in the search results.
  6. From the Add New Relic by Organization page, click on Save.

Set up authentication domain

In New Relic's authentication domain UI, set up a new domain with SCIM enabled. You will use values from this UI in later steps.

Configure SCIM/SSO application

Configuration for the New Relic SCIM/SSO application is split across several forms. This section describes the different forms that need to be configured.

From the New Relic by organization application page, fill in the following forms:

Step 1. Fill in the configuration form

In the left pane, select Configuration and complete the following:

  1. Take the authentication domain ID and SCIM bearer token values from New Relic's authentication domain UI and input them into the appropriate app fields.
  2. Leave the API Connection disabled until all the configuration described in the following sections is completed. After completing all the configuration, enable the connection.

Step 2. Fill in the rules form

Configure the user groups to send to New Relic using rules. OneLogin provides this documentation which describes how to use rules to provision groups for users.

Decide what type of groups to send along with your users to New Relic. If your organization is using Active Directory or LDAP, you might choose to use security groups to define your users capabilities at New Relic. Another reasonable group choice is OneLogin role.

On the New Relic side, your user's groups define their capabilities. The groups that are sent with users will be mapped to New Relic capability groups.

Note that at the moment, there is no way to delete a group from the OneLogin side. This is a known limitation from OneLogin. Removing or changing rules does not delete groups already sent to New Relic. If you wish to no longer use a group, removing all the users from the group will prevent it from being used at New Relic.

Step 3. Fill in the Parameters form

In the left pane, select Parameters and complete the following:

  1. Click Groups field.

    Screenshot of the OneLogin Parameter form showing which fields to configure.

  2. Check Include in User Provisioning.

    Screenshot showing the OneLogin Parameter details page.

  3. Click Save.

Step 4. Fill in the provisioning form

In the left pane, select Provisioning and complete the following:

Screen capture showing the OneLogin Provisioning page.

  1. Check Enable provisioning.

  2. Under Require admin approval before this action is performed, uncheck these options:

    • Create user
    • Delete user
    • Update user


    If you do not uncheck these options, SCIM provisioning requests will not be sent until an administrator approves them.

  3. Set When users are deleted in OneLogin, or the user's app access is removed, perform the below action to Delete.

  4. Set When user accounts are suspended in OneLogin, perform the following action to Suspend.

Step 5. Save your changes

After you complete the above forms, click Save. Then, return to the Configuration form and enable the API connection.

Assign users

After New Relic SCIM/SSO application configuration is finished and New Relic side configuration is finished, you can begin to assign users to the application.

Assign the New Relic SCIM/SSO application to a user.

  1. Go to the OneLogin web site and sign in with an account that has administrator permissions.
  2. From the OneLogin home page, click Administration.
  3. From the OneLogin Administration page, choose the Users menu Users item.
  4. From the OneLogin Users page, click the user you want to assign the application to.
  5. From the user's page, click Applications.
  6. From the user's application page, click the plus sign and select the "New Relic by Organization" application.
  7. From the Edit New Relic by Organization login for user page, enter the user's time zone in IANA Time Zone database format (also known as the Olson time zone database format) and click Save.
  8. If you're using Roles to define your New Relic capability groups, from the user's application page, click the proper role(s) for the user and then click Save User.

OneLogin provisions users in near real time so almost the moment you save the user in OneLogin, the user should be ready to use at New Relic.

What's next?

When you're done importing users, here are some potential next steps:

  • Users created via your identity provider start out as full users. If your organization is on New Relic One pricing, these users are billable. To convert users to free basic users, use the User management UI.
  • After adding users, you'll want to grant them access to specific New Relic accounts, specific groups, and specific roles. To learn how to do this, see Manage users.

For more help

If you need more help, check out these support and learning resources:

Create issueEdit page
Copyright © 2021 New Relic Inc.