New Relic lets you set up automated user management (AUM), which allows you to import, update, and deactivate your New Relic users from an identity provider, like Azure AD, Okta, or OneLogin. Once this automated provisioning is complete, your users can log in to New Relic via their identity provider.
Before reading the benefits of automated user management, we recommend reading Get started with SAML SSO and SCIM.
Benefits of enabling automated user management include:
- Time and cost efficiency: When you make changes in your identity provider, such as creating, updating, and removing users, these changes are automatically reflected in New Relic. By being able to manage a large set of users from your identity provider, it reduces the workload of your admins who'd otherwise need to do a significant amount of work in New Relic to accomplish the same thing.
- Increased productivity: By having a more automatic way to set up users and groups, they're enabled and ready to use New Relic more quickly.
- Enhanced security: SCIM is an industry standard protocol for maintaining groups of users.
- Use of this feature requires SAML SSO, so once your users are added to New Relic, they can log in using your identity provider.
- Popular identity providers Azure AD, Okta, and OneLogin have dedicated New Relic apps, improving ease of enablement.
Requirements and impacts:
- Requires Enterprise edition.
- User model-related requirements:
- This feature requires you to be on our New Relic One user model and creates users on that model. If you're on our original user model (or otherwise can't seem to implement this feature), talk to your New Relic account representative.
- Configuring AUM requires that a user have the Authentication domain manager and the Organization manager role (users in the default group Admin have these).
- Supports SAML 2.0 standard for single sign on (SSO).
- Supports SCIM 2.0 standard.
- There are three identity providers that have a dedicated New Relic app: Azure AD, Okta, and OneLogin. For other identity providers, you can use our SCIM API.
- Notes on initial enabling of AUM:
- We don't currently support toggling SCIM on or off. If an authentication domain has already been set up with the source of users as Manual, you can't change it to SCIM.
- When first enabled, the bearer token is generated and only shown once. If you need to view a bearer token later, the only way to do this is to generate a new one, and that will invalidate the old one and any integrations using the old token.
For an explanation of how your identity provider groups map over to New Relic groups, see Group and role mapping.
To use automated user management to import users from your identity provider:
- It's important to first review the requirements.
- In the authentication domain UI, create a new authentication domain.
- If you use Azure AD, Okta, or OneLogin, use the applicable guide: Azure AD | Okta | OneLogin.
- If you don't use one of the above services, you'll need to:
- Use the authentication domain UI to enable SCIM as the source of users.
- Use our SCIM API to integrate with your identity provider service. See the SCIM API tutorial for all the steps involved.
- Highly recommended: Set a time zone for your users in your identity provider. How you do this will vary by identity provider. If not set in your identity provider, our UI shows UTC time zone dates/times. Time zone is specified in IANA Time Zone database format, also known as the "Olson" time zone database format (e.g., "America/Los_Angeles").
If you have issues, contact your account representative.
After being provisioned, your users can click on the New Relic SCIM/SSO application tile in their identity provider to be logged into New Relic.
To learn more about New Relic's roles and capabilities, see Standard roles.