So, you’re ready to enable SSO on your New Relic account? Have you tested your configuration in a sandbox and in the account itself? Have you added all users to the IdP side and the New Relic side? Is the account owner ready to click “enable”? In short, are you totally prepared to change the authentication pathway for all users on your account?
I forgot to ask you about one of the MOST important steps: domain whitelisting.
Now you’re probably wondering: why is whitelisting a domain on the account before enabling SSO so important? Let me count the ways…
If a domain is whitelisted on the account when SSO is enabled, users with that domain will remain in an “Active” state on the account, which means:
- Their Admin API keys remain intact.
- They do not need to confirm their email address via a SAML/SSO confirmation email.
- There is little to no interruption in their experience of using New Relic.
If a domain is not whitelisted, users are flipped to a “Pending” state, which means their account and its views are deleted and then recreated. Essentially, all users become brand new. API keys are deleted, which means everything in the account that’s linked to those API keys becomes “orphaned”.
Moreover, if no domain is whitelisted, all users will need to activate their email address by clicking the activation link in a SAML/SSO confirmation email. This link is only valid for two hours after the email is sent, so it can be difficult to get all users on an account to click the link within the specified time window.
You do have the option to whitelist a domain after enabling SSO on the account, and any “Pending” users will immediately flip to “Active”, but their former Admin API keys will be irrecoverable.
Have I convinced you yet?
If you’d like to move forward with whitelisting a domain on your account, we require the owner of the account in question to respond with “enable” to specified legal verbiage. This legalese verifies that you understand the security implications of bypassing the email verification process, and you approve the action.
Please open a support ticket if you’d like to move forward with adding a whitelisted domain to your New Relic account. Doing so helps make the switch to an SSO authentication pathway a smooth experience.