• EnglishEspañol日本語한국어Português
  • Log inStart now

SAML SSO for original user model

For an overview of our SAML SSO and SCIM docs, first read Introduction to SAML SSO and SCIM.

These docs are for setting up SAML SSO for users on our original user model.

Single sign-on (SSO) allows a computer user to log in to multiple systems via a single portal. If you're a New Relic account Owner setting up SSO integration for your organization, you must obtain a SAML certificate that identifies the SSO login URL (and possibly logout URL) for your organization. The other types of information required for SSO integration will vary depending on the SAML service provider being used.

Requirements

Requirements include:

SSO settings UI page

To find the New Relic SSO settings page: from the user menu, click Account settings, then click Security and authentication, then click Single sign-on.

If you don't see this UI, review the requirements.

For how to optimally set up SAML SSO, see the instructions and tips below.

Providers supported by New Relic

Users on our original user model can find a list of the SAML service providers that New Relic currently supports for SSO integration: From the New Relic user menu, select Account settings > Security and authentication > Single sign-on. If you don't see that UI, it may be because you're on our newer user model: in that case, you'll use a different method to set up SAML SSO.

SAML service providers that we support for users on our original user model include:

To learn how to get Google SSO for your original user model users, watch this short video (approx. 3:10 minutes).

SAML information in New Relic account

To integrate with an SAML provider, the provider will need information from you about your New Relic account. Most of the information you will need is visible on the New Relic SSO settings UI page:

  • Metadata URL: Contains multiple pieces of information in a single XML message
  • SAML version: 2.0
  • Assertion consumer URL: The endpoint to New Relic SSO (for example, https://rpm.newrelic.com/accounts/ACCOUNTID/sso/saml/finalize)
  • Consumer binding: Transmission method is HTTP-POST
  • NameID format: Email address
  • Attributes: None required
  • Entity ID: Account URL (default of rpm.newrelic.com)

New Relic SAML implementation

For SAML providers and service providers (like New Relic) to be able to work together, their processes must align in certain ways. Here are some aspects of how New Relic implements SSO. This will be useful if you're verifying that a specific SAML provider will be able to work with New Relic or if you're troubleshooting implementation problems.

SSO considerations

New Relic functions and preferences

Scope of user credentials (IdP)

Should be all users.

Type of connection

Must be both IdP initiated and SP initiated.

Expected SAML profile

New Relic uses a POST binding for SP-initiated requests.

Expected NameID value format

Must be email address.

Sensitive info exchanged in SAML assertion?

No, only the email address is sent.

Session management and logout

Does your organization use a redirect URL for logout? If not, New Relic can provide a logout landing page.

Plan for users who no longer need access

Typically manual deletion by the account Owner or Administrator.

Clock synchronization

Ensure the SAML identity provider clocks are maintained by NTP.

SAML SSO features and procedures

Here are some important procedures for managing SAML SSO for users on our original user model:

Copyright © 2024 New Relic Inc.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.