Authentication domain settings: SAML SSO, SCIM, and more

To manage their users, New Relic organizations can configure one or more authentication domains, which control how users are added to a New Relic account, how they’re authenticated, and more.

Requirements

To check if you have access to these features, you can go to the authentication domain settings UI and see if you can configure settings.

Requirements to configure these settings:

• These features are for managing users on the New Relic One user model. For users on our original user model, see Original account management.
• Configuring these settings requires Pro or Enterprise edition.
• To edit these settings, you must be in a group with the Authentication domain manager role.
• SCIM provisioning, also known as automated user management (AUM), requires Enterprise edition.
• SAML SSO requires Pro or Enterprise edition. SAML support includes:
  • Active Directory Federation Services (ADFS)
  • Auth0
  • Azure AD (Microsoft Azure Active Directory)
  • Okta
  • OneLogin
  • Ping Identity
  • Salesforce
  • Generic support for SSO systems that use SAML 2.0

What is an authentication domain?

An "authentication domain" is a grouping of New Relic users governed by the same user management settings, like how they're provisioned (added and updated), how they're authenticated (logged in), session settings, and how user upgrades are managed.

When someone creates a New Relic account, the default authentication settings are:

• Users are manually added to New Relic
• Users manually log in using their email and password

Those default settings would be under one "authentication domain." Another authentication domain might be set up like this:

• Users are added and managed from an identity provider using SCIM provisioning
• Users are logged in using SAML single sign-on (SSO) from an identity provider

When you add users to New Relic, they’re added to a specific authentication domain. Typically organizations have either one or two authentication domains: one for the manual, default methods and one for the methods associated with an identity provider.

Create and configure an authentication domain

If you meet the requirements, you can add and manage authentication domains.

To view and configure authentication domains: from the account dropdown, click Organization and access, and then click Authentication domains.

If you have existing domains, they'll be on the left. Note that most organizations will have, at most, two or three domains: one with the manual, default settings and one or two for the identity provider-associated settings.

To create a new domain from the authentication domain UI page, click Create new. For more about the configuration options, keep reading.

Source of users: Manual versus SCIM (AUM)

From the authentication domain UI, you can set one of two options for how users are added to New Relic:

• Manual: This means that your users are added manually to New Relic from the User management UI.
• SCIM: Our automated user management (AUM) feature allows you to use SCIM provisioning to import and manage users from your identity provider. For instructions, see Automated user management.

Note that once you enable SCIM for an authentication domain, you can't turn it off. This means that if you later want SCIM disabled for that domain, you must instead create a new one.

Authentication

The authentication method is the way in which New Relic users log in to New Relic. All users in an authentication domain have a single authentication method. There are two authentication options:

• Username/password: Your users log in via email and password.
• SAML SSO: Your users log in via SAML single sign-on (SSO) via your identity provider. To learn how to set that up, keep reading.

Set up SAML SSO authentication

Before enabling SAML SSO using the instructions below, here are some things to understand and consider:

• For an introduction to our SAML SSO and SCIM offerings, please read Get started with SSO and SCIM.
• We recommend reviewing the SAML SSO requirements.
• Note that your SSO-enabled users won't receive email verification notifications from New Relic because the login and password information is handled by your identity provider.
• Consult your identity provider docs because they may have New Relic-specific instructions.

1. If you're setting up SCIM provisioning:

   • If you use Azure, Okta, or OneLogin, follow these procedures first: Azure | OneLogin | Okta.
   • If you use a different identity provider, follow the SAML procedures below and use our SCIM API to enable SCIM.

2. If you only want to enable SAML SSO and not SCIM, and if you use Azure, Okta, or OneLogin, follow these instructions for configuring the relevant app:

   Azure app

   Azure AD provides an application gallery, which includes various integrations for Azure AD, including the ones that New Relic offers. Add the New Relic SCIM/SSO application to your list of applications.

   1. Go to the Azure Active Directory admin center, and sign in if necessary. aad.portal.azure.com/
   2. Click on All services in the left hand menu.
   3. In the main pane, click on Enterprise applications.
   4. Click on +New application.
   5. Find our SCIM/SSO application by entering New Relic in the name search box, and click on the application New Relic by organization (not New Relic by account).
   6. Click on Add.

   Okta app

   Add the New Relic SCIM/SSO application to your Okta applications.

   1. Go to okta.com/ and sign in with an account that has administrator permissions.
   2. From the Okta home page, click on Admin.
   3. From the Okta admin Dashboard, choose the Applications page. Click Add Application.
   4. In the search field on the Okta Add applications page, enter "New Relic by organization" (not "New Relic by account") and then click on the application when it shows in the search results.
   5. From the New Relic by Organization page, click on Add.
   6. From the Add New Relic by Organization page, check the two Application visibility "Do not display..." checkboxes and click on Done. We will make the application visible later after configuration is complete and provisioning has begun.

   OneLogin app

   Add the New Relic SCIM/SSO application to your OneLogin applications.

   1. Go to the OneLogin web site and sign in with an account that has administrator permissions.
   2. From the OneLogin home page, click on Administration.
   3. From the OneLogin Administration page, choose the Applications menu.
   4. From the OneLogin Applications page, click on Add app.
   5. In the search field on the OneLogin Find Applications page, enter "New Relic by organization" (not "New Relic by account") and then click on the application when it shows in the search results.
   6. From the Add New Relic by organization page, click on Save.
   • If you're implementing SAML using a different identity provider not mentioned above, you'll need to attempt to integrate using the SAML instructions below. Note that your identity provider must use the SAML 2.0 protocol, and must require signed SAML assertions.

3. Next, you'll go to our authentication domain UI. From the account dropdown, click Organization and access, and then click Authentication domains. If you don't already have one, create a new domain to be used for your SAML-authenticating users.

4. Under Authentication, click Configure. Under Method of authenticating users, select SAML SSO.

5. If you're using the Okta, OneLogin, or Azure AD app, you can skip this step. Under Provided by New Relic, we have some New Relic-specific information. You'll need to place these in the relevant fields in your identity provider service. If you're not sure where they go, consult your identity provider docs.

6. Under Provided by you, input the Source of SAML metadata. This URL is supplied by your identity provider and may be called something else. It should conform to SAML V2.0 metadata standards. If your identity provider doesn't support dynamic configuration, you can do this by using Upload a certificate. This should be a PEM encoded x509 certificate.

7. Under Provided by you, set the SSO target URL supplied by your identity provider. You can find this by going to the Source of SAML metadata and finding the POST binding URL. It looks like: https://newrelic.oktapreview.com/app/newreliclr/1234567890abcdefghij/sso/saml.

8. If your identity provider has a redirect URL for logout, enter it in the Logout redirect URL; otherwise, leave it blank.

9. If you’re using an identity provider app, you’ll need to input the authentication domain ID in the app. That ID is found at the top of New Relic’s authentication domain UI page.

10. Optional: In New Relic’s authentication domain UI, you can adjust other settings, like browser session length and user upgrade method. You can adjust these settings at any time.

11. If you're enabling SAML only, you need to create groups and assign access grants in New Relic. (If you enabled SCIM, you've already completed this step.) Access grants are what give your users access to New Relic accounts. Without access grants, your users are provisioned in New Relic but have no account access. To learn how to do this:

• Learn how access grants work
• Read the access grant tutorial.

12. Okta only: Return to Okta's New Relic app and, from the Add New Relic by organization page, uncheck the two Application visibility "Do not display..." checkboxes and click on Done.

To verify it's been set up correctly, see if your users can log in to New Relic via your identity provider and ensure they have access to their accounts.

Session duration and timeout

In the authentication domain UI, under Management, you can control some other settings for the users in that domain, including:

• Length of time users can remain logged in.
• Amount of idle time before a user's session expires.
• User upgrade requests

Manage user type

In the authentication domain UI, under Management, you can control how your users' user type is managed. This includes how the user type can be edited and how basic user requests to become full users are handled.

There are two main settings:

• Manage user type in New Relic: This is the default option. It allows you to manage your users' user type from New Relic.
• Manage user type with SCIM: Enabling this means that you can no longer manage user type from New Relic. You'd only be able to change and manage it from your identity provider.

More on these two options:

For more about basic users and full users, see User type.

Note that if you're on our original user model, upgrades work differently.