After obtaining your SAML identity provider certificate, which should be a PEM encoded x509 certificate, and URL, the account Owner can set up, test, and enable the Single Sign-on (SSO) configuration in New Relic. No other role on the account may edit the SSO configuration on the account.
Access to this feature depends on your subscription level.
Master and sub-accounts
If your account has sub-accounts, typically you will set up the SSO configuration on the master level only. The sub-account users will still be able to log in through SSO because they will inherit the master account's SAML SSO configuration. If you need to configure multiple accounts with separate SAML identities (for example, with partnership accounts), use the custom entity ID feature.
To help ensure security and account for network time and clock skews, configure your SAML identity provider's validation responses to the shortest time period that is practical (for example, five minutes). New Relic allows a maximum of thirty minutes.
To set up your SSO configuration:
- Go to rpm.newrelic.com > (account dropdown) > Account settings > Security and authentication > Single sign on.
- From the SAML Single Sign On page, review your New Relic SAML service provider details.
- To upload your SAML identity provider certificate, select Choose file, then follow standard procedures to select and save the file.
- Specify the Remote login URL that your users will use for single sign on.
- If your organization's SAML integration provides a redirect URL for logout, copy and paste in (or type) the Logout landing URL; otherwise leave blank.
- Save your changes.
If your organization does not use a specific redirect URL, New Relic provides a logout landing page by default.
After you correctly configure and save your SSO settings, the Test page automatically appears. After each test, New Relic returns you to the SAML SSO page with diagnostic results.
To go back and change your configuration settings, select 1 CONFIGURE.
When testing successfully completes, a link appears that you can use on your company's landing page for easy Single Sign On with New Relic. As an additional security measure, users cannot sign in until they complete the email confirmation that New Relic sends automatically.
After your users select the link in their confirmation email, they can sign in securely with your organization's assigned user name and password. From there they can select any application they are authorized to use, including New Relic.
If you disable SAML SSO, New Relic automatically flags all of your Pending users as Active. If you decide to re-enable SAML SSO later, New Relic automatically flags all users except the Owner as Pending, and they will need to confirm their account access by email.
Add a logout URL for session timeouts
New Relic's Session configuration feature requires a logout URL for SAML SSO-enabled accounts. If you have already configured, tested, and enabled SAML SSO without a logout URL, New Relic automatically prompts the account Admin to notify the account Owner. In addition, if you are the account Owner, New Relic automatically provides a link from Session configuration to go directly to SAML Single Sign On and add a logout URL.
The logout URL cannot contain
newrelic.com anywhere in the URL.
The Session configuration feature also includes the option to select an automatic timeout for SAML-authenticated browser sessions to be re-authenticated.