New Relic lets you set up automated user provisioning (AUM), which allows you to import, update, and deactivate your New Relic users from your identity provider. Once this automated provisioning is complete, your users can log in to New Relic via their identity provider.
Requirements and impacts:
- Requires Enterprise tier.
- User model-related requirements:
- Supports SAML 2.0 standard for single sign on (SSO).
- Supports SCIM 2.0 standard. Supported identity providers: Okta, Azure AD, OneLogin. For unsupported identity providers, we have a SCIM API.
- Notes on initial enabling of AUM:
  - We don't currently support toggling SCIM on or off. If an authentication domain has already been set up with the source of users as Manual, you can't change it to SCIM.
  - When AUM is first enabled, the bearer token is generated and shown only once. The only way to view a bearer token later is to generate a new one, which invalidates the old token and any integrations using it.
For an explanation of how your identity provider groups map over to New Relic groups, see Group and role mapping.
To use automated user management to import users from your identity provider:
- It's important to first review the requirements.
- Use the Organization and access UI to enable SCIM and configure SAML SSO.
- Configure your identity provider using one of our relevant guides: Azure AD | Okta | OneLogin. If you don't use one of those, we also have a SCIM API.
- Note that your users are created in New Relic as full users. If your organization is on New Relic One pricing, these users are billable. To convert users to free basic users, use the User management UI.
- Recommended: Set a time zone in your identity provider. If not specified, our UI shows date/times with the UTC time zone. Time zone is specified in IANA Time Zone database format, also known as the "Olson" time zone database format (e.g., "America/Los_Angeles").
If you have issues, contact your account representative.
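For identity providers that use a SCIM API directly, the sketch below shows what the import and deactivate calls described above look like as generic SCIM 2.0 messages (RFC 7643/7644), including the bearer token header and the IANA time zone check. It is an added example, not New Relic's code: the endpoint URL, the token value and all function names are placeholders or hypothetical, and which attributes and operations a particular SCIM API accepts is an assumption to confirm against that API's reference.

```python
import json
import urllib.request
from zoneinfo import available_timezones

# Placeholder endpoint: the page does not give one; use your SCIM API's base URL.
SCIM_BASE = "https://scim.example.invalid/scim/v2"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
TZ_NAMES = available_timezones()  # empty set if the host has no tz database


def scim_user(email, given, family, timezone=None):
    """Build a SCIM 2.0 core User resource (RFC 7643)."""
    user = {
        "schemas": [USER_SCHEMA],
        "userName": email,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }
    if timezone is not None:
        # Reject names that are not IANA zone keys (skipped if no tz database).
        if TZ_NAMES and timezone not in TZ_NAMES:
            raise ValueError(f"not an IANA time zone: {timezone!r}")
        user["timezone"] = timezone
    return user


def scim_request(method, path, body, token):
    """Prepare (but do not send) an authenticated SCIM request."""
    req = urllib.request.Request(
        SCIM_BASE + path, data=json.dumps(body).encode(), method=method)
    # The bearer token is shown only once, so load it from a secret store
    # at call time instead of hard-coding it.
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/scim+json")
    return req


def import_user(user, token):
    return scim_request("POST", "/Users", user, token)


def deactivate_user(user_id, token):
    # Deactivation keeps the record and flips "active" via a PatchOp (RFC 7644).
    patch = {"schemas": [PATCH_SCHEMA],
             "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return scim_request("PATCH", f"/Users/{user_id}", patch, token)
```

Pass the prepared request to `urllib.request.urlopen()` to send it. A 401 response after a token was regenerated means the integration is still presenting the invalidated token.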
After being provisioned, your users can click on the New Relic SCIM/SSO application tile in their identity provider to be logged into New Relic.
To learn more about New Relic's roles and capabilities, see Standard roles.