For an overview of our SAML SSO and SCIM docs, first read Introduction to SAML SSO and SCIM.
These docs are for setting up SAML SSO for users on our original user model.
Single sign-on (SSO) allows a computer user to log in to multiple systems via a single portal. If you're a New Relic account Owner setting up SSO integration for your organization, you must obtain a SAML certificate that identifies the SSO login URL (and possibly logout URL) for your organization. The other types of information required for SSO integration will vary depending on the SAML service provider being used.
- These docs apply for managing users on our original user model. For enabling SSO for users on our newer user model, see Authentication domains.
- Requires Pro or Enterprise edition.
- You must have the Owner role.
To find the New Relic SSO settings page: from the account dropdown, click Account settings, then click Security and authentication, then click Single sign-on.
If you don't see this UI, review the requirements.
For how to optimally set up SAML SSO, see the instructions and tips below.
Users on our original user model can find a list of the SAML service providers that New Relic currently supports for SSO integration: From the New Relic title bar, select (account dropdown) > Account settings > Security and authentication > Single sign-on. If you don't see that UI, it may be because you're on our newer user model: in that case, you'll use a different method to set up SAML SSO.
SAML service providers that we support for users on our original user model include:
- Active Directory Federation Services (ADFS)
- Azure AD (Microsoft Azure Active Directory)
- Ping Identity
- Generic support for SSO systems that use SAML 2.0
To learn how to get Google SSO for your original user model users, watch this short video (approx. 3:10 minutes).
To integrate with an SAML provider, the provider will need information from you about your New Relic account. Most of the information you will need is visible on the New Relic SSO settings UI page:
- Metadata URL: Contains multiple pieces of information in a single XML message
- SAML version: 2.0
- Assertion consumer URL: The endpoint to New Relic SSO (for example,
- Consumer binding: Transmission method is HTTP-POST
- NameID format: Email address
- Attributes: None required
- Entity ID: Account URL (default of
For SAML providers and service providers (like New Relic) to be able to work together, their processes must align in certain ways. Here are some aspects of how New Relic implements SSO. This will be useful if you're verifying that a specific SAML provider will be able to work with New Relic or if you're troubleshooting implementation problems.
New Relic functions and preferences
Scope of user credentials (IdP)
Should be all users.
Type of connection
Must be both IdP initiated and SP initiated.
Expected SAML profile
New Relic uses a POST binding for SP-initiated requests.
Expected NameID value format
Must be email address.
Sensitive info exchanged in SAML assertion?
No, only the email address is sent.
Session management and logout
Does your organization use a redirect URL for logout? If not, New Relic can provide a logout landing page.
Plan for users who no longer need access
Typically manual deletion by the account Owner or Administrator.
Ensure the SAML identity provider clocks are maintained by NTP.
Here are some important procedures for managing SAML SSO for users on our original user model: