Intro to SAML SSO


Single Sign On (SSO) allows a computer user to log in to multiple systems via a single portal. If you are a New Relic account Owner setting up SSO integration for your organization, you must obtain a SAML certificate that identifies the SSO login URL (and possibly logout URL) for your organization. The other types of information required for SSO integration will vary depending on the SAML service provider being used.


Requirements include:

  • These docs apply for managing users on our original user model. (Coming soon: SSO docs for users on the New Relic One user model.)
  • Access to this feature depends on your subscription level.
  • Owner user role required

Providers supported by New Relic

To see the list of SAML service providers that New Relic currently supports for SSO integration, go to the New Relic title bar and select (account dropdown) > Account settings > Security and authentication > Single sign on.

Providers include:

SAML information in New Relic account

To integrate with a SAML provider, the provider will need information from you about your New Relic account. Most of the information you will need is visible in your New Relic account on the Single Sign On page, such as:

  • Metadata URL: Contains multiple pieces of information in a single XML message
  • SAML version: 2.0
  • Assertion consumer URL: The endpoint to New Relic SSO (for example,
  • Consumer binding: Transmission method is HTTP-POST
  • NameID format: Email address
  • Attributes: None required
  • Entity ID: Account URL (default of

New Relic SAML requirements

For SAML providers and service providers like New Relic to be able to work together, their processes must align in certain ways. Here are some aspects of how New Relic implements SSO integration. This will be useful if you are verifying that a specific SAML provider will be able to work with New Relic or if you are troubleshooting implementation problems.

| SSO considerations | New Relic functions and preferences |
|---|---|
| Scope of user credentials (IdP) | Should be all users. |
| Type of connection | Must be both IdP initiated and SP initiated. |
| Expected SAML profile | New Relic uses a POST binding for SP-initiated requests. |
| Expected NameID value format | Must be email address. |
| Sensitive info exchanged in SAML assertion? | No, only the email address is sent. |
| Session management and logout | Does your organization use a redirect URL for logout? If not, New Relic can provide a logout landing page. |
| Plan for users who no longer need access | Typically manual deletion by the account Owner or Administrator. |
| Clock synchronization | Ensure the SAML identity provider clocks are maintained by NTP. |
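
A troubleshooting check for the requirements above, as an added example (not New Relic's code): it parses a constructed SAML response and reports mismatches in SAML version, NameID format, and the validity window that an unsynchronized IdP clock would break. The emailAddress format URN, the 60-second skew tolerance, and the function name `check_response` are assumptions; the check does not verify signatures.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed URN for the "Email address" NameID format named on this page.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def _ts(value):
    # SAML timestamps are UTC xs:dateTime values, e.g. 2024-01-01T12:00:00Z
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_response(xml_text, now, skew=timedelta(seconds=60)):
    """Return a list of mismatches (empty list means all checks passed).
    Diagnostic only: no signature validation, use on your own IdP's test output."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Version") != "2.0":
        problems.append("SAML version is not 2.0")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None:
        problems.append("no NameID in assertion")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append("NameID Format is not emailAddress")
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", (name_id.text or "").strip()):
            problems.append("NameID value is not an email address")
    cond = root.find(".//a:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < _ts(nb):
            problems.append("assertion not yet valid (check clock sync)")
        if noa and now - skew >= _ts(noa):
            problems.append("assertion expired (check clock sync)")
    return problems

# Constructed sample response, not captured from a real IdP.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Assertion Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE, datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)))
```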

For more help

Additional documentation resources include:

  • Security (disclosure and audit, data collection and transmission)
  • Setting up SSO (configuring, testing, and enabling your SAML certificate credentials with New Relic's Single Sign On feature)
  • Adding users to SAML accounts (using New Relic's SSO feature to require users to confirm their account)
  • New Relic Partners and SAML SSO (options available to New Relic Partners for their master and sub-account setups)
