SCIM support for automated user management

New Relic has a System for Cross-domain Identity Management (SCIM) service provider to easily manage the users in your New Relic account. If your identity provider supports SCIM, it can be configured to send SCIM requests to New Relic, automatically provisioning your groups and users. When you add a new user or remove a user from your identity provider, those same actions will be performed in your New Relic account.

SCIM service provider

New Relic’s SCIM service provider follows the SCIM 2.0 API as described in RFCs 7643 and 7644. You do not need to implement all aspects of the SCIM 2.0 specification to integrate your user information with New Relic. In fact, the New Relic service provider itself does not implement all aspects of the specification. This document describes the features from the specification available for an integration with New Relic.

Authentication

Authentication is done using a bearer token. Your New Relic account representative will give you the bearer token to use as part of the setup process, or can provide a new one if your existing token is lost.

The New Relic service provider supports the following SCIM resources: Group , User , Service provider config , Resource type and Schema. Bulk and Search are not supported. For more information on how the RFC describes the resource endpoints, see RFC 7644 SCIM Protocol Specification.

New Relic uses a subset of the available fields in the SCIM core schema. Other SCIM fields are ignored if they are included in incoming requests. The fields used by New Relic are:

Group:

SCIM Field Name Description

displayName

Required. ​Name of the group.

members

List of users in the group.

User:

SCIM Field Name Description

externalId

Unique identifier for the user used by your system.

userName

Required. Unique identifier for the user within New Relic’s system. Use the user’s email address.

name.familyName

Last name of the user.

name.givenName

First name of the user.

emails or emails.value

Required. Email address of the user.

timezone

Required. Time zone of the user in IANA Time Zone database format, also known as the "Olson" time zone database format (e.g., "America/Los_Angeles").

active

Required. Boolean indicating whether or not the user should be active or inactive within New Relic.

members

List of groups to which the user belongs.

Supported actions

SCIM provides several options for manipulating groups and users. The New Relic service provider supports the following options.

When configuring, be aware that:

  • Only simple filtering is supported. The eq operator may be used with a basic filter expression. For example, “displayName eq "Example Group 1”. Other operators are not supported.
  • PUT updates do not require that all fields be included. Fields that are not included will not be changed. When doing a PUT, if a required field already has the appropriate value, it is not necessary to include the field.

Supported actions are:

Create group

Example request:

POST /Groups

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:Group"
  ],
  "displayName": "Example Group 1",
  "members": []
}

Example response:

201 Created

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:Group"
  ],
  "id": "d0652232-b14f-434d-9c6f-36de7e1ab010",
  "displayName": "Example Group 1",
  "meta": {
    "resourceType": "Group",
    "created": "2019-11-08T21:33:13.055Z",
    "lastModified": "2019-11-08T21:33:13.055Z"
  },
  "members": []
}
Get group

Example request:

GET /Groups/YOUR_GROUP_ID

Example response:

200 OK

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:Group"
  ],
  "id": "d0652232-b14f-434d-9c6f-36de7e1ab010",
  "displayName": "Example Group 1",
  "meta": {
    "resourceType": "Group",
    "created": "2019-11-08T21:33:13.055Z",
    "lastModified": "2019-11-08T21:33:13.055Z"
  },
  "members": []
}
Get group by query

Example request:

GET /Groups?filter=displayName eq "Example Group 1"

Example response:

200 OK

{
  "totalResults": 1,
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "Resources": [{
    "schemas": [
      "urn:ietf:params:scim:schemas:core:2.0:Group"
    ],
    "id": "d0652232-b14f-434d-9c6f-36de7e1ab010",
    "displayName": "Example Group 1",
    "meta": {
      "resourceType": "Group",
      "created": "2019-11-08T21:33:13.055Z",
      "lastModified": "2019-11-08T21:33:13.055Z"
    },
    "members": []
  }]
}
Update group with PUT

In the request, include the fields that you want to change. If you include the members field, the group’s users will be adjusted to match the contents of the members field. Example request:

PUT /Groups/YOUR_GROUP_ID

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:Group"
  ],
  "displayName": "Example Group 1a"
}

Example response:

200 OK

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:Group"
  ],
  "id": "d0652232-b14f-434d-9c6f-36de7e1ab010",
  "displayName": "Example Group 1a",
  "meta": {
    "resourceType": "Group",
    "created": "2019-11-08T21:33:13.055Z",
    "lastModified": "2019-11-08T22:47:14.019Z"
  },
  "members": []
}
Update group with PATCH (Non-member fields)

Example request:

PATCH /Groups/YOUR_GROUP_ID

{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [{
    "op": "Replace",
    "path": "displayName",
    "value": "Example Group 1b"
  }]
}

Example response:

204 No Content
Update group with PATCH (Add members)

Example request:

PATCH /Groups/YOUR_GROUP_ID

{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [{
    "op": "Add",
    "path": "members",
    "value": [{
      "value": "f0cbc276-16c9-4d1a-abc0-1856b0c74224"
    }]
  }]
}

Example response:

204 No Content
Update group with PATCH (Remove members)

Example request:

PATCH /Groups/YOUR_GROUP_ID

{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [{
    "op": "Remove",
    "path": "members",
    "value": [{
      "value": "f0cbc276-16c9-4d1a-abc0-1856b0c74224"
    }]
  }]
}

Example response:

204 No Content
Delete group

Example request:

DELETE /Groups/YOUR_GROUP_ID

Example response:

204 No Content
Create user

Example request:

POST /Users

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "externalId": "external-id-1",
  "userName": "example-user-1@test.com",
  "name": {
    "familyName": "User 1",
    "givenName": "Example"
  },
  "emails": [{
    "value": "example-user-1@test.com",
    "primary": true
  }],
  "timezone": "America/Los_Angeles",
  "active": true,
  "members": []
}

Example response:

201 Created

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "f0cbc276-16c9-4d1a-abc0-1856b0c74224",
  "externalId": "external-id-1",
  "userName": "example-user-1@test.com",
  "name": {
    "familyName": "User 1",
    "givenName": "Example"
  },
  "emails": [{
    "value": "example-user-1@test.com",
    "primary": true
  }],
  "timezone": "America/Los_Angeles",
  "active": true,
  "meta": {
    "resourceType": "User",
    "created": "2019-11-08T22:07:12.477Z",
    "lastModified": "2019-11-08T22:07:12.477Z"
  },
  "members": []
}
Get user

Example request:

GET /Users/YOUR_USER_ID

Example response:

200 OK

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "f0cbc276-16c9-4d1a-abc0-1856b0c74224",
  "externalId": "external-id-1",
  "userName": "example-user-1@test.com",
  "name": {
    "familyName": "User 1",
    "givenName": "Example"
  },
  "emails": [{
    "value": "example-user-1@test.com",
    "primary": true
  }],
  "timezone": "America/Los_Angeles",
  "active": true,
  "meta": {
    "resourceType": "User",
    "created": "2019-11-08T22:07:12.477Z",
    "lastModified": "2019-11-08T22:07:12.477Z"
  },
  "members": []
}
Get user by query

Example request:

GET /Users?filter=externalId eq "external-id-1"

Example response:

200 OK

{
  "totalResults": 1,
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "Resources": [{
    "schemas": [
      "urn:ietf:params:scim:schemas:core:2.0:User"
    ],
    "id": "f0cbc276-16c9-4d1a-abc0-1856b0c74224",
    "externalId": "external-id-1",
    "userName": "example-user-1@test.com",
    "name": {
      "familyName": "User 1",
      "givenName": "Example"
    },
    "emails": [{
      "value": "example-user-1@test.com",
      "primary": true
    }],
    "timezone": "America/Los_Angeles",
    "active": true,
    "meta": {
      "resourceType": "User",
      "created": "2019-11-08T22:07:12.477Z",
      "lastModified": "2019-11-08T22:07:12.477Z"
    },
    "members": []
  }]
}
Update user with PUT

In the request, include the fields that you want to change. If you include the members field, the user’s groups will be adjusted to match the contents of the members field. Example request:

PUT /Users/YOUR_USER_ID

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "name": {
    "familyName": "User 1A",
    "givenName": "Example"
  }
}

Example response:

200 OK

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "f0cbc276-16c9-4d1a-abc0-1856b0c74224",
  "externalId": "external-id-1",
  "userName": "example-user-1@test.com",
  "name": {
    "familyName": "User 1A",
    "givenName": "Example"
  },
  "emails": [{
    "value": "example-user-1@test.com",
    "primary": true
  }],
  "timezone": "America/Los_Angeles",
  "active": true,
  "meta": {
    "resourceType": "User",
    "created": "2019-11-08T22:07:12.477Z",
    "lastModified": "2019-11-08T22:28:33.552Z"
  },
  "members": []
}
Update user with PATCH

Example request:

PATCH /Users/YOUR_USER_ID

{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [{
    "op": "Replace",
    "path": "active",
    "value": "false"
  }]
}

Example response:

204 No Content
Delete user

Example request:

DELETE /Users/YOUR_USER_ID

Example response:

204 No Content

Deviations from the RFC

This section describes areas where the New Relic SCIM service provider deviates from the SCIM protocol RFC 7644. Section numbers refer to RFC section numbers.

Items in this section could change as we work to bring our service provider into full compliance with the RFC.

RFC section name RFC section number Deviation description
Creating Resources 3.3.
  • The meta.location field is not set.
Filtering 3.4.2.2.
  • The only currently supported operator is eq.
  • Field names are case sensitive.
  • String attributes are compared in a case sensitive manner.
  • Prefixing the field name with the schema is not supported. For example, filter=urn:ietf:params:scim:schemas:core:2.0:User:userName eq "johnsmith" will not work.
/Me Authenticated Subject Alias 3.11.
  • GET with the /Me resource returns a 404 Not Found.
Service Provider Configuration Endpoints 4.
  • The service provider feature discovery endpoints do not support filtering.
Bearer Token and Cookie Considerations 7.4.
  • Bearer tokens do not have a set expiration date.

For more help

If you need more help, check out these support and learning resources: