Set up SSO (original user model)

After obtaining your SAML identity provider certificate, which should be a PEM encoded x509 certificate, and URL, the account Owner can set up, test, and enable the Single Sign-on (SSO) configuration in New Relic. No other role on the account may edit the SSO configuration on the account.

Requirements

For requirements, including which New Relic users this feature applies to, see Requirements.

Parent and child accounts

If your account has child accounts, typically you will set up the SSO configuration on the parent account level only. The child account users will still be able to log in through SSO because they will inherit the parent account's SAML SSO configuration. If you need to configure multiple accounts with separate SAML identities (for example, with partnership accounts), use the custom entity ID feature.

Configure SSO

To help ensure security and account for network time and clock skews, configure your SAML identity provider's validation responses to the shortest time period that is practical (for example, five minutes). New Relic allows a maximum of thirty minutes.

To set up your SSO configuration for users on our original user model:

1. Read about an option to have users bypass SAML SSO if they use domains you own.
2. Go to: account dropdown > Account settings > Security and authentication > Single sign on.
3. From the SAML Single Sign On page, review your New Relic SAML service provider details.
4. To upload your SAML identity provider certificate, select Choose file, then follow standard procedures to select and save the file.
5. Specify the Remote login URL that your users will use for single sign on.
6. If your organization's SAML integration provides a redirect URL for logout, copy and paste in (or type) the Logout landing URL; otherwise leave blank.
7. Save your changes.

Test SSO

After you correctly configure and save your SSO settings, the Test page automatically appears. After each test, New Relic returns you to the SAML SSO page with diagnostic results.

To go back and change your configuration settings, select 1 CONFIGURE.

Enable SSO

When testing successfully completes, a link appears that you can use on your company's landing page for easy Single Sign On with New Relic. As an additional security measure, users cannot sign in until they complete the email confirmation that New Relic sends automatically.

After your users select the link in their confirmation email, they can sign in securely with your organization's assigned user name and password. From there they can select any application they are authorized to use, including New Relic.

Add a logout URL for session timeouts

New Relic's Session configuration feature requires a logout URL for SAML SSO-enabled accounts. If you have already configured, tested, and enabled SAML SSO without a logout URL, New Relic automatically prompts the account Admin to notify the account Owner. In addition, if you are the account Owner, New Relic automatically provides a link from Session configuration to go directly to SAML Single Sign On and add a logout URL.

The Session configuration feature also includes the option to select an automatic timeout for SAML-authenticated browser sessions to be re-authenticated.