Single Sign On (SSO) allows a computer user to log in to multiple systems via a single portal. If you are a New Relic account Owner setting up SSO integration for your organization, you must obtain a SAML certificate that identifies the SSO login URL (and possibly logout URL) for your organization. The other types of information required for SSO integration will vary depending on the SAML service provider being used.
- These docs apply for managing users on our original user model. For SSO for users on New Relic One user model, see Authentication domains.
- Access to this feature depends on your subscription level.
- Owner user role required
For a list of the SAML service providers that New Relic currently supports for SSO integration: From the New Relic title bar, select (account dropdown) > Account settings > Security and authentication > Single sign on.
- Active Directory Federation Services (ADFS)
- Azure AD (Microsoft Azure Active Directory)
- Ping Identity
- Generic support for SSO systems that use SAML 2.0
To integrate with an SAML provider, the provider will need information from you about your New Relic account. Most of the information you will need is visible in your New Relic account on the Single Sign On page, such as:
- Metadata URL: Contains multiple pieces of information in a single XML message
- SAML version: 2.0
- Assertion consumer URL: The endpoint to New Relic SSO (for example,
- Consumer binding: Transmission method is HTTP-POST
- NameID format: Email address
- Attributes: None required
- Entity ID: Account URL (default of
For SAML providers and service providers like New Relic to be able to work together, their processes must align in certain ways. Here are some aspects of how New Relic implements SSO integration. This will be useful if you are verifying that a specific SAML provider will be able to work with New Relic or if you are troubleshooting implementation problems.
New Relic functions and preferences
Scope of user credentials (IdP)
Should be all users.
Type of connection
Must be both IdP initiated and SP initiated.
Expected SAML profile
New Relic uses a POST binding for SP-initiated requests.
Expected NameID value format
Must be email address.
Sensitive info exchanged in SAML assertion?
No, only the email address is sent.
Session management and logout
Does your organization use a redirect URL for logout? If not, New Relic can provide a logout landing page.
Plan for users who no longer need access
Typically manual deletion by the account Owner or Administrator.
Ensure the SAML identity provider clocks are maintained by NTP.