Authentication domain settings: SAML SSO, SCIM, and more

To manage their users, New Relic organizations can configure one or more authentication domains, which control how users are added to a New Relic account, how they’re authenticated, and more.

What is an authentication domain?

An "authentication domain" is a grouping of New Relic users governed by the same user management settings, like how they're provisioned (added and updated), how they're authenticated (logged in), session settings, and how user upgrades are managed.

When someone creates a New Relic account, the default authentication settings are:

• Users are manually added to New Relic
• Users manually log in using their email and password

Those default settings would be under one "authentication domain." Another authentication domain might be set up like this:

• Users are added and managed from an identity provider using SCIM provisioning
• Users are logged in using SAML single sign-on (SSO) from an identity provider

When you add users to New Relic, they’re added to a specific authentication domain. Typically organizations have either one or two authentication domains: one for the manual, default methods and one for the methods associated with an identity provider. Learn more in this short video (4:26 minutes):

Requirements

Authentication domains are for managing users on the New Relic One user model. If your users are on our original user model, see Original accounts.

Requirements to manage authentication domains:

• Your organization must be either Pro or Enterprise edition to have editable authentication domains.
• To view or edit authentication domains, a user must:
  • Have a user type of core user or full platform user.
  • Be in a group with the Authentication domain manager role.
• SCIM provisioning, also known as automated user management, requires Pro or Enterprise edition. Learn more about requirements.
• SAML SSO requires Pro or Enterprise edition. Our SAML SSO support includes:
  • Active Directory Federation Services (ADFS)
  • Auth0
  • Azure AD (Microsoft Azure Active Directory)
  • Okta
  • OneLogin
  • Ping Identity
  • Salesforce
  • Generic support for SSO systems that use SAML 2.0

Create and configure an authentication domain

If you meet the requirements, you can add and manage authentication domains.

To view and configure authentication domains: from the account dropdown, go to Administration > Organization and access > Authentication domains.

If you have existing domains, they'll be on the left. Note that most organizations will have, at most, two or three domains: one with the manual, default settings and one or two for the identity provider-associated settings.

To create a new domain from the authentication domain UI page, click Create new. For more about the configuration options, keep reading.

Source of users: manual provisioning versus SCIM provisioning

From the authentication domain UI, you can set one of two options for how users are added to New Relic:

• Manual: This means that your users are added manually to New Relic from the User management UI.
• SCIM: Our automated user management feature allows you to use SCIM provisioning to import and manage users from your identity provider.

Notes on these settings:

• You can't toggle Source of users. This means if you want to change this for an authentication domain that's already been set up, you'll need to create a new one.
• When you first enable SCIM, the bearer token is generated and only shown once. If you need to view a bearer token later, the only way to do this is to generate a new one, which will invalidate the old one and any integrations using the old token.

For how to set up SCIM, see Automated user management.

Authentication: username/password versus SAML SSO

The authentication method is the way in which New Relic users log in to New Relic. All users in an authentication domain have a single authentication method. There are two authentication options:

• Username/password: Your users log in via email and password.
• SAML SSO: Your users log in via SAML single sign-on (SSO) via your identity provider. To learn how to set that up, keep reading.

Set up SAML SSO authentication

Before enabling SAML SSO using the instructions below, here are some things to understand and consider:

• Consider reading an introduction to getting started with SSO and SCIM.
• Consider reviewing the SAML SSO requirements.
• Consider watching a video on how to set up SAML SSO.
• Note that your SSO-enabled users won't receive email verification notifications from New Relic because the login and password information is handled by your identity provider.
• Consult your identity provider service's docs because they may have New Relic-specific instructions.

1. If you're setting up SCIM provisioning:

   • If you use Azure, Okta, or OneLogin, follow these procedures first: Azure | OneLogin | Okta.
   • If you use a different identity provider, follow the SAML procedures below and use our SCIM API to enable SCIM.

2. If you only want to enable SAML SSO and not SCIM, and if you use Azure, Okta, or OneLogin, follow these instructions for configuring the relevant app:

   Azure app

   Azure AD provides an application gallery, which includes various integrations for Azure AD, including the ones that New Relic offers. Add the New Relic SCIM/SSO application to your list of applications.

   1. Go to the Azure Active Directory admin center, and sign in if necessary. aad.portal.azure.com/
   2. Click on All services in the left hand menu.
   3. In the main pane, click on Enterprise applications.
   4. Click on +New application.
   5. Find our SCIM/SSO application by entering New Relic in the name search box, and click on the application New Relic by organization (not New Relic by account).
   6. Click on Add.

   Okta app

   Add the New Relic SCIM/SSO application to your Okta applications.

   1. Go to okta.com/ and sign in with an account that has administrator permissions.
   2. From the Okta home page, click on Admin.
   3. From the Okta admin Dashboard, choose the Applications page. Click Add Application.
   4. In the search field on the Okta Add applications page, enter "New Relic by organization" (not "New Relic by account") and then click on the application when it shows in the search results.
   5. From the New Relic by Organization page, click on Add.
   6. From the Add New Relic by Organization page, check the two Application visibility "Do not display..." checkboxes and click on Done. We will make the application visible later after configuration is complete and provisioning has begun.

   OneLogin app

   Add the New Relic SCIM/SSO application to your OneLogin applications.

   1. Go to the OneLogin web site and sign in with an account that has administrator permissions.
   2. From the OneLogin home page, click on Administration.
   3. From the OneLogin Administration page, choose the Applications menu.
   4. From the OneLogin Applications page, click on Add app.
   5. In the search field on the OneLogin Find Applications page, enter "New Relic by organization" (not "New Relic by account") and then click on the application when it shows in the search results.
   6. From the Add New Relic by organization page, click on Save.
   • If you're implementing SAML using a different identity provider not mentioned above, you'll need to attempt to integrate using the SAML instructions below. Note that your identity provider must use the SAML 2.0 protocol, and must require signed SAML assertions.

3. Next, you'll go to our authentication domain UI. From the account dropdown, click Organization and access, and then click Authentication domains. If you don't already have one, create a new domain to be used for your SAML-authenticating users.

4. Under Authentication, click Configure. Under Method of authenticating users, select SAML SSO.

5. If you're using the Okta, OneLogin, or Azure AD app, you can skip this step. Under Provided by New Relic, we have some New Relic-specific information. You'll need to place these in the relevant fields in your identity provider service. If you're not sure where they go, consult your identity provider docs.

6. Under Provided by you, input the Source of SAML metadata. This URL is supplied by your identity provider and may be called something else. It should conform to SAML V2.0 metadata standards. If your identity provider doesn't support dynamic configuration, you can do this by using Upload a certificate. This should be a PEM encoded x509 certificate.

7. Under Provided by you, set the SSO target URL supplied by your identity provider. You can find this by going to the Source of SAML metadata and finding the POST binding URL. It looks like: https://newrelic.oktapreview.com/app/newreliclr/1234567890abcdefghij/sso/saml.

8. If your identity provider has a redirect URL for logout, enter it in the Logout redirect URL; otherwise, leave it blank.

9. If you’re using an identity provider app, you’ll need to input the authentication domain ID in the app. That ID is found at the top of New Relic’s authentication domain UI page.

10. Optional: In New Relic’s authentication domain UI, you can adjust other settings, like browser session length and user upgrade method. You can adjust these settings at any time.

11. If you're enabling SAML only, you need to create groups and assign access grants in New Relic. (If you enabled SCIM, you've already completed this step.) Access grants are what give your users access to New Relic accounts. Without access grants, your users are provisioned in New Relic but have no account access. To learn how to do this:

• Learn how access grants work
• Read the access grant tutorial.

12. Okta only: Return to Okta's New Relic app and, from the Add New Relic by organization page, uncheck the two Application visibility "Do not display..." checkboxes and click on Done.

To verify it's been set up correctly, see if your users can log in to New Relic via your identity provider and ensure they have access to their accounts.

Session duration and timeout

In the authentication domain UI, under Management, you can control some other settings for the users in that domain, including:

• Length of time users can remain logged in.
• Amount of idle time before a user's session expires.
• User upgrade requests

Manage user type and upgrade requests

In the authentication domain UI, under Management, you can control how your users' user type is managed. This includes how the user type can be edited and how upgrade requests are handled.

There are two main settings:

• Manage user type in New Relic: This is the default option. It allows you to manage your users' user type from New Relic.
• Manage user type with SCIM: Enabling this means that you can no longer manage user type from New Relic. You'd only be able to change and manage it from your identity provider.

More on these two options:

For more about user type, see User type.

Note that if you're on our original user model, upgrades work differently.