
SAML SSO for original user model

For an overview of our SAML SSO and SCIM docs, first read Introduction to SAML SSO and SCIM.

These docs are for setting up SSO for users on our original user model.

Single Sign On (SSO) allows a computer user to log in to multiple systems via a single portal. If you are a New Relic account Owner setting up SSO integration for your organization, you must obtain a SAML certificate that identifies the SSO login URL (and possibly logout URL) for your organization. The other types of information required for SSO integration will vary depending on the SAML service provider being used.


Requirements include:

  • These docs apply to managing users on our original user model. For SSO for users on the New Relic One user model, see Authentication domains.
  • Access to this feature requires Pro or Enterprise edition.
  • Owner role required

SSO settings UI page

To find the New Relic SSO settings page: from the account dropdown, click Account settings, then click Security and authentication, then click Single sign on.

If you don't see this UI, review the requirements.

Providers supported by New Relic

For a list of the SAML service providers that New Relic currently supports for SSO integration: From the New Relic title bar, select (account dropdown) > Account settings > Security and authentication > Single sign on.

Providers include:

To learn how to get Google SSO authentication connected to your New Relic account, watch this short video (approx. 3:10 minutes).

SAML information in New Relic account

To integrate with a SAML provider, the provider will need information from you about your New Relic account. Most of the information you will need is visible on the New Relic SSO settings UI page:

  • Metadata URL: Contains multiple pieces of information in a single XML message
  • SAML version: 2.0
  • Assertion consumer URL: The endpoint to New Relic SSO (for example, https://rpm.newrelic.com/accounts/ACCOUNTID/sso/saml/finalize)
  • Consumer binding: Transmission method is HTTP-POST
  • NameID format: Email address
  • Attributes: None required
  • Entity ID: Account URL (default of rpm.newrelic.com)

New Relic SAML requirements

For SAML providers and service providers like New Relic to be able to work together, their processes must align in certain ways. Here are some aspects of how New Relic implements SSO integration. This will be useful if you are verifying that a specific SAML provider will be able to work with New Relic or if you are troubleshooting implementation problems.

SSO considerations and the corresponding New Relic functions and preferences:

  • Scope of user credentials (IdP): Should be all users.
  • Type of connection: Must be both IdP initiated and SP initiated.
  • Expected SAML profile: New Relic uses a POST binding for SP-initiated requests.
  • Expected NameID value format: Must be email address.
  • Sensitive info exchanged in SAML assertion? No, only the email address is sent.
  • Session management and logout: Does your organization use a redirect URL for logout? If not, New Relic can provide a logout landing page.
  • Plan for users who no longer need access: Typically manual deletion by the account Owner or Administrator.
  • Clock synchronization: Ensure the SAML identity provider clocks are maintained by NTP.
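
A troubleshooting check built from the settings and requirements above, as an added example that is not New Relic's code: it compares an IdP-issued assertion against the email NameID format, the assertion consumer URL and the clock requirement, and lists any attributes released beyond the email address. The sample assertion, the `check_assertion` function, and the assumption that the IdP sets Recipient to the assertion consumer URL are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# ACCOUNTID is the page's placeholder, not a real account id.
ACS_URL = "https://rpm.newrelic.com/accounts/ACCOUNTID/sso/saml/finalize"

# Constructed, unsigned sample assertion for illustration only.
SAMPLE = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:Subject>
    <saml:NameID Format="{EMAIL_FORMAT}">user@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{ACS_URL}"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2021-01-01T12:00:00Z" NotOnOrAfter="2021-01-01T12:05:00Z"/>
</saml:Assertion>"""

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(xml_text, now, acs_url=ACS_URL, skew=timedelta(0)):
    """Return mismatches between an assertion and the settings listed above."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not email address")
    elif "@" not in (name_id.text or ""):
        problems.append("NameID value is not an email address")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient does not match the assertion consumer URL")
    cond = root.find("saml:Conditions", NS)
    not_before = cond.get("NotBefore") if cond is not None else None
    not_after = cond.get("NotOnOrAfter") if cond is not None else None
    if not_before and now + skew < _ts(not_before):
        problems.append("not yet valid: check IdP clock (NTP)")
    if not_after and now - skew >= _ts(not_after):
        problems.append("expired: check IdP clock (NTP)")
    # Only the email address is needed; report anything else being released.
    extra = [a.get("Name", "?") for a in root.iter("{%s}Attribute" % NS["saml"])]
    if extra:
        problems.append("unneeded attributes released: " + ", ".join(extra))
    return problems

if __name__ == "__main__":
    print(check_assertion(SAMPLE, datetime(2021, 1, 1, 12, 1, tzinfo=timezone.utc)))
```

It does not verify the assertion's signature and parses with the standard library, so run it only on assertions captured from your own IdP during setup.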

More SAML SSO procedures

Here are some important procedures for managing SAML SSO for users on our original user model:

Copyright © 2021 New Relic Inc.