New Relic lets you set up automated user management (AUM), which allows you to import, update, and deactivate your New Relic users via SCIM provisioning from your identity provider (for example, Azure AD, Okta, or OneLogin).
Benefits
Before reading the benefits of automated user management, we recommend reading Get started with SAML SSO and SCIM.
Benefits of enabling automated user management include:
- Time and cost efficiency: When you make changes in your identity provider, such as creating, updating, and removing users, these changes are automatically reflected in New Relic. By being able to manage a large set of users from your identity provider, it reduces the workload of your admins who'd otherwise need to do a significant amount of work in New Relic to accomplish the same thing.
- Increased productivity: By having a more automatic way to set up users and groups, your users are more quickly enabled and ready to use New Relic.
- Enhanced security: SCIM is an industry standard protocol for maintaining groups of users.
- Use of this feature requires SAML SSO, so once your users are added to New Relic, they can log in using your identity provider.
- Popular identity providers Azure AD, Okta, and OneLogin have dedicated New Relic apps, improving ease of enablement.
Requirements and limitations
Please review before enabling automated user management:
- Requires Pro or Enterprise edition.
- Once an authentication domain is set to SCIM, you must use SCIM to manage your groups and users, and you can't manage them via our UI. Once an authentication domain is set to SCIM, it can't be changed to a non-SCIM setting.
- We support the SCIM 2.0 standard. Three identity providers have a New Relic app: Azure AD, Okta, and OneLogin. If you have another identity provider, use our SCIM API.
- Ping Identity's PingOne is not supported because it doesn't allow provisioning of groups.
- Single sign-on (SSO): we support the SAML 2.0 standard.
- Permissions-related requirements:
- You must be on our newer user model. This feature creates users on that model.
- You must have a user type of core user or full platform user and be in a group with the Authentication domain admin setting.
- Before enabling, you should set up user groups in your identity provider service and think about which New Relic roles and accounts those groups will have access to.
- Some identity providers have a
suspended
state for users. We don't support that. A user in that state won't be visible or manageable from our UI, but will still be billable and will still have access to their user API key.
Set up automated user management
For an explanation of how your identity provider groups map over to New Relic groups, see How your groups map over.
To use automated user management to import users from your identity provider:
Recommended: first review the requirements.
In the authentication domain UI, create a new authentication domain. Assuming you want both SCIM and SAML SSO, enable both of those for the authentication domain. You'll do more configuring of those settings later but for now just create .
If you use Azure AD, Okta, or OneLogin, use the applicable guide: Azure AD | Okta | OneLogin.
If you don't use one of the above services, you'll need to:
- Use the authentication domain UI to enable SCIM as the source of users.
- Use our SCIM API to integrate with your identity provider service. See the SCIM API tutorial for all the steps involved.
Recommended: Set a time zone in your identity provider. How this is done depends on the service you use. If you don't set a time zone, our UI uses UTC time zone (specified in IANA format, also known as the "Olson" format: for example, "America/Los_Angeles"). Your users also have an option to override your settings and set their own time zone.
If you have issues, contact your account representative.
After being provisioned, your users can click on the New Relic SCIM/SSO application tile in their identity provider to be logged into New Relic.
To learn more about New Relic's roles and permissions, see Standard roles.