At New Relic, we try to make the lives of our users as easy as possible. And that’s why we’re excited to announce the release of our SSO (Single Sign On) integration feature for all our Pro and higher customers. SSO is a mechanism of access control for multiple related, but independent software systems. With it, a user can log in to a system once and gain access to all systems without having to log in again at each system.
SSO simplifies password management, reduces the number of passwords users have to remember, reduces the time spent on re-entering login details, and reduces IT help desk cost related to password management. This new integration is yet another example of how we’re making enterprise class features available to everyone through our easy-to-use SaaS offering.
Why We’ve Implemented SSO Integration
With SSO, New Relic is providing higher security control and seamless access to the New Relic site. New Relic account administrators will be able to better control security, such as by enforcing strong passwords and restricting login via a corporate authentication mechanism. It bypasses login prompts for New Relic users who have already authenticated using a corporate SSO system.
SSO Integration Via SAML
There are a variety of standards one can use to implement SSO. SAML, CAS, Open ID, OAuth, you name it. New Relic uses SAML 2.0 (Security Assertion Markup Language) to implement our SSO integration.
How it Works
There are several SAML profiles. The most popular one that New Relic supports is the Browser/POST profile. You can see a scenario below for an Identity Provider initiated SSO using the Browser/POST profile. The three roles specified in the SAML specification are: Principal (usually a user), Identity Provider (OneLogin in this example) and Service Provider (New Relic in this example).
In this scenario:
1. The user logs into the Identity Provider (such as OneLogin) and is authenticated.
2. The user requests access to a protected Service Provider resource (New Relic site http://rpm.newrelic.com). The Identity Provider’s SSO service returns an HTML form to the browser that contains two hidden parameters (digitally signed assertion and protected target resource URL).
3. The browser automatically posts the HTML form back to the Service Provider (New Relic). The Service Provider receives the assertion.
4. If the assertion is valid, the Service Provider forwards the user to the protected target URL (http://rpm.newrelic.com).
How to Enable SSO Integration
There are a few simple steps you need to do to set up and enable SSO integration for your New Relic account.
1. Login to New Relic as an Admin and go to the SSO configuration page. From the New Relic title bar, select (your account name) > Account Settings > Integrations > Single Sign On.
2. Use the information on the SSO Configuration page to add ‘New Relic’ as a service provider or application in your SSO federation system.
3. Upload the certificate that your Identity Provider signs with and enter the Identity Provider’s remote login URL.
4. Save, test and enable.
New Relic’s Partnership with SaaS Identity Providers
With the availability of SSO integration, we’re happy to announce our new partnerships with SaaS Identity Providers including OneLogin, Okta and Ping Identity. Our SSO integration feature has been tested and is proven to work with these partners’ SSO systems.
Through these partnerships, all OneLogin, Okta and Ping Identity customers get New Relic Standard free of charge to do things like Active Directory integration, multi-factor authentication and more! In addition, New Relic customers can sign up for a free OneLogin account. OneLogin’s Free Plan for New Relic includes SSO and directory sync for an unlimited number of users. Free trials for Okta and Ping Identity are also available.
Additional Support for Other SSO Systems
In addition to the support for the SSO systems mentioned above, New Relic also has generic support for SSO systems that implement the SAML 2.0 standard. Our SSO integration feature has been verified to work with CA SiteMinder® Federation. It should work with other Identity Providers who use SAML 2.0, but it is untested at this time.
The SSO integration is available to any of our New Relic Pro and up subscribers. Due to security reasons, the SSO Configuration UI is only visible to and administrated by the New Relic account owner and/or administrators.
If you’re a New Relic customer at any other level, upgrade to New Relic Pro today to take advantage of this incredibly useful feature.