NetSuite

Before You Begin

Introduction

This document describes how to configure Oracle Identity Cloud Service to provide Single Sign-On (SSO) and user provisioning for NetSuite.

About NetSuite

NetSuite is an online service that enables companies to manage all key business processes in a single system. NetSuite is used to manage inventory, perform enterprise resource planning (ERP), track finances, host eCommerce stores, and maintain customer relationship management (CRM) systems. It is a flexible platform that can be applied to a wide variety of business applications.

After integrating NetSuite with Oracle Identity Cloud Service:

  • Users can access NetSuite using their Oracle Identity Cloud Service login credentials.
  • Users can start NetSuite using the Oracle Identity Cloud Service My Apps console.
  • Admins can assign and revoke user access to the NetSuite app using the Oracle Identity Cloud Service administration console.

What Do You Need?

  • An Oracle Identity Cloud Service account with authorization rights to manage apps and users (Identity Domain Administrator or Application Administrator).
  • A NetSuite account with authorization rights and a role to configure federated authentication and user provisioning.
  • Make sure that the User Name of each user in NetSuite matches the User Name of the Oracle Identity Cloud Service account.
  • NetSuite bundle ID to install the required integrations and to deploy the role script from a bundle. The integrations are used to manage users through web services and the role script is used to import all the roles from the NetSuite app. The required bundle ID can be obtained from the Oracle administrator.
  • SuiteCloud Plus License to run multiple scheduled scripts and create multiple users simultaneously. For more information, see Enabling Web Services Concurrent Users with SuiteCloud Plus.
  • Identity Provider metadata. You can use the following URL to access the metadata: https://<IDCS-Service-Instance>.identity.oraclecloud.com/fed/v1/metadata and save the metadata as a .xml file. Use this file later during the NetSuite SAML configuration in the "Configuring SAML in NetSuite" section.

Configuring SSO for NetSuite

Use this section to configure SAML, and to create a role in the NetSuite app.

Configuring SAML in NetSuite

  1. Access NetSuite as an administrator using the URL: https://system.netsuite.com. The NetSuite home page appears.

  2. In the header menu, hover over Setup, point to Integration, and then select SOAP Web Services Preferences. The SOAP Web Services Preferences page appears.

  3. Copy the value given under the ACCOUNT ID field. This is the NetSuite user's Account ID.

Image img1.png displays the Integration and Web Services Preferences options, and the user Account ID highlighted in the Setup Manager page.

Tip: Use this account ID value later while enabling provisioning in the "Enabling Provisioning" section.

  1. In the header menu, hover over Setup, point to Company, and then select Enable Features. The Enable Features page appears.

  2. In the submenu, click SuiteCloud, locate the SuiteBundler section, and then ensure that the CREATE BUNDLES WITH SUITEBUNDLER check box is selected.

  3. Locate the SuiteTalk (Web Services) section, and then ensure that the SOAP WEB SERVICES check box is selected to provide user provisioning rights to the administrator.

  4. Locate the Manage Authentication section, select the SAML SINGLE SIGN-ON check box, and then click Save. The Setup Manager page appears.

  5. In the header menu, hover over the home icon, and select Set Preferences. The Set Preferences page appears.

  6. In the General tab, under the Defaults section, select the SHOW INTERNAL IDS check box, and then click Save in the upper-left corner. The NetSuite home page appears.

  7. In the header menu, hover over Setup, point to Integration, and then select SAML Single Sign-on. The SAML Setup page appears.

  8. Under the NetSuite Configuration section, enter the following URL in the LOGOUT LANDING PAGE text box: https://system.netsuite.com.

  9. Locate the Set Up Identity Provider section, click the UPLOAD IDP METADATA FILE option, and then upload the identity provider metadata that you obtained earlier in the "What Do You Need?" section.

  10. Click Submit. The Setup Manager page appears.

Creating a role with SAML Single Sign-On permission

  1. On the Setup Manager page, in the header menu, hover over Setup, point to Users/Roles, Manage Roles, and then select New. The Role page appears.

  2. Under the General section, enter your role NAME.

  3. Locate the Permissions section, click the Setup tab, select SAML Single Sign-on from the PERMISSION drop-down list, and then click Add.

  4. Click Save. The Manage Roles page appears.

    Note: Use this role name in the Role attribute field while creating a user for the NetSuite app in Oracle Identity Cloud Service. See the "Enabling Provisioning" section. If the user already has a role with SAML Single Sign-on permission, the user can use the same role while creating a user.

Configuring SuiteBundler in NetSuite for User Provisioning

Use this section to set up the SuiteBundler to integrate NetSuite with Oracle Identity Cloud Service.

  1. In the header menu, hover over Customization, point to SuiteBundler, and then select Search & Install Bundles from the drop-down list. The Search & Install Bundles page appears.

  2. Enter the bundle ID obtained from the Oracle administrator in the KEYWORDS field, and then click Search. For more information on bundle ID, see the "What Do You Need?" section.

  3. Click the bundle Name from the search results. The Bundle Details page appears.

  4. On the Bundle Details page of the selected bundle, click Install. The Preview Bundle Install page appears.

  5. Click Install Bundle. The Installed Bundles page appears with the bundle ID installed for the user.

    Tip: The bundle is initially in pending status. Wait for some time for the bundle to be installed.

  6. In the header menu, hover over Customization, point to Scripting, and then select Scripts from the drop-down list. The Scripts page appears.

  7. Click View next to the installed bundle ID. The Script page appears with the script details.

  8. Click Deploy Script. The Script Deployment page appears.

  9. Click Save and then make note of the URL value.

    Image img2.png displays the Script Details, and the URL highlighted in the Script Deployment page.

    Tip: Use this URL value later while enabling provisioning in the "Enabling Provisioning" section.

Configuring the NetSuite App in Oracle Identity Cloud Service

Use this section to register and activate NetSuite, and to enable provisioning and synchronization for NetSuite.

Registering and Activating the NetSuite App

  1. Access the Oracle Identity Cloud Service administration console, select Applications, and then click Add.

  2. Click App Catalog.

  3. Search for NetSuite, click Add, and then click Next.

  4. Click Next. Oracle Identity Cloud Service displays the Provisioning page.

Enabling Provisioning and Synchronization for NetSuite

Use this section to enable provisioning and synchronization for managing user accounts in NetSuite through Oracle Identity Cloud Service.

Enabling Provisioning

  1. On the Provisioning page, select Enable Provisioning.

  2. Use the table to configure connectivity for establishing a connection with NetSuite through Oracle Identity Cloud Service:

    This table lists the parameters that Oracle Identity Cloud Service requires to connect to NetSuite.

    | Attribute  | Value |
    |------------|-------|
    | Account ID | Enter the Account ID that you obtained while performing the steps in the "Configuring SAML in NetSuite" section. |
    | Email      | Enter the NetSuite administrator's email address. |
    | Password   | Enter the NetSuite administrator's password. |
    | Role URL   | Enter the Role URL value in the following format: https://rest.netsuite.com<URL>. This is the URL value that you obtained while performing the steps in the "Configuring SuiteBundler in NetSuite for User Provisioning" section. |

  3. Click Test Connectivity to verify the connection with NetSuite. Oracle Identity Cloud Service displays a confirmation message.

  4. To view predefined attribute mappings between the user account fields defined in NetSuite and the corresponding fields defined in Oracle Identity Cloud Service, click Attribute Mapping, and then click OK.

    Note: To add a new attribute for provisioning, click Add Row, specify the attributes in the User and NetSuite Account columns, and then click OK. For example, if you want to add the External ID field, enter $(user.externalId) in the User column, and then select the corresponding field from the drop-down list in the NetSuite Account column.

  5. Specify the provisioning operations that you want to enable for NetSuite:

    Note: By default, the Create Account, Update Account, De-activate Account, and Delete Account check boxes are selected.

    Create Account: Automatically creates a NetSuite account when NetSuite access is granted to the corresponding user in Oracle Identity Cloud Service.

    Note: Make sure that you enter the same role name that you created in the "Creating a role with SAML Single Sign-On permission" section in the Role attribute field while creating a user for the NetSuite app in Oracle Identity Cloud Service.

    Update Account: Automatically updates a NetSuite account when the corresponding user account is edited in Oracle Identity Cloud Service.

    De-activate Account: Automatically deactivates or activates a NetSuite account when the NetSuite access is deactivated or activated for the corresponding user in Oracle Identity Cloud Service.

    Delete Account: Automatically removes an account from NetSuite when NetSuite access is revoked from the corresponding user in Oracle Identity Cloud Service.

Enabling Synchronization

  1. On the Provisioning page, select Enable Synchronization.

  2. From the User Identifier drop-down list, select the Oracle Identity Cloud Service user attribute that you want to match with the corresponding record fetched from NetSuite:

    Note: By default, the User Name option is selected from the drop-down list. It is recommended to leave this default attribute for accurate synchronization of user records.

    Primary Email Address: Primary email address of the Oracle Identity Cloud Service user.

    User Name: User name of the Oracle Identity Cloud Service user.

  3. To match a NetSuite account attribute with the existing Oracle Identity Cloud Service user, select an attribute from the Application Identifier drop-down list.

    Note: By default, the name option, which represents the username attribute of the NetSuite account, is selected. It is recommended not to change this default option.

  4. From the When exact match is found drop-down list, select one of the following actions to be performed when a matching Oracle Identity Cloud Service user is found for an account:

    Link and confirm: Automatically links and confirms the matched account to the corresponding Oracle Identity Cloud Service users based on the defined User Identifier and Application Identifier fields. 

    Link but do not confirm: Automatically links all the matched accounts to the corresponding Oracle Identity Cloud Service users based on the defined User Identifier and Application Identifier fields. You need to manually confirm the linked accounts. 

  5. In the Max. number of creates field, enter a number that is greater than or equal to 10. This value limits the number of accounts to be created during the synchronization run.

  6. In the Max. number of deletes field, enter a number that is greater than or equal to 10. This value limits the number of accounts to be deleted during the synchronization run.

    After enabling provisioning and synchronization for NetSuite, you can synchronize the existing account details from NetSuite and link them to the corresponding Oracle Identity Cloud Service users. For more information on performing synchronization tasks, see the Importing User Accounts from a Software as a Service Application section in Administering Oracle Identity Cloud Service.

    You can also manage NetSuite accounts through Oracle Identity Cloud Service. For more information on performing provisioning tasks, see the Managing Oracle Identity Cloud Service Users and Managing Oracle Identity Cloud Service Groups sections in Administering Oracle Identity Cloud Service.

  7. From the Synchronization schedule drop-down list, select an option to schedule the synchronization between NetSuite and Oracle Identity Cloud Service. Based on the selection, the synchronization is scheduled at the specified intervals in Oracle Identity Cloud Service. By default, the Never option is selected.

  8. Click Finish, click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.
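
A pre-flight check for the matching configured in this procedure, as an added example that is not Oracle's code and does not reproduce the service's own matching logic. It assumes user lists exported as dictionaries with hypothetical userName and email keys, treats "exact match" as plain string equality, and reports the identifier values that would link to one user, to more than one user, or to none.

```python
from collections import defaultdict

# Constructed sample data; the key names are assumptions about an export format.
IDCS_USERS = [
    {"userName": "asmith", "email": "asmith@example.com"},
    {"userName": "bjones", "email": "finance@example.com"},
    {"userName": "cwu", "email": "finance@example.com"},
]


def normalize(value):
    """Fold case and trim whitespace to spot values that differ only cosmetically."""
    return value.strip().casefold()


def preflight_match(idcs_users, netsuite_values, attr="userName"):
    """Classify NetSuite identifier values against one IDCS user attribute."""
    exact, loose = defaultdict(list), defaultdict(list)
    for user in idcs_users:
        exact[user[attr]].append(user["userName"])
        loose[normalize(user[attr])].append(user["userName"])
    report = {"link": {}, "ambiguous": {}, "near_miss": {}, "unmatched": []}
    for value in netsuite_values:
        hits = exact.get(value, [])
        if len(hits) == 1:
            report["link"][value] = hits[0]            # one exact match
        elif len(hits) > 1:
            report["ambiguous"][value] = sorted(hits)  # could link to the wrong user
        elif normalize(value) in loose:
            # Differs only in case or whitespace: correct the record before syncing.
            report["near_miss"][value] = sorted(loose[normalize(value)])
        else:
            report["unmatched"].append(value)          # no counterpart in IDCS
    return report


if __name__ == "__main__":
    print(preflight_match(IDCS_USERS, ["asmith", "BJones ", "evega"]))
    print(preflight_match(IDCS_USERS, ["finance@example.com"], attr="email"))
```

With the sample data, matching on email leaves a shared mailbox ambiguous between two users, while matching on User Name does not.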

Verifying the Integration

Use this section to verify that SSO works when initiated from Oracle Identity Cloud Service (IdP Initiated SSO).

Verifying Identity Provider Initiated SSO from Oracle Identity Cloud Service

  1. Access the Oracle Identity Cloud Service My Profile console using the URL: https://<IDCS-Service-Instance>.identity.oraclecloud.com/ui/v1/myconsole.

  2. Log in using credentials for a user that is assigned to the NetSuite app. Oracle Identity Cloud Service displays a shortcut to NetSuite under My Apps.

  3. Click NetSuite. The NetSuite home page appears.

  4. In the upper-right corner, confirm that the user that is logged in is the same for both NetSuite and Oracle Identity Cloud Service.

    This confirms that SSO that is initiated from Oracle Identity Cloud Service works.

Troubleshooting

Use this section to locate solutions to common integration issues.

Known Issues

NetSuite displays the message, "Invalid login attempt"

Cause 1: When the user accounts are synchronized, the user account imported from NetSuite is linked to an incorrect user account in Oracle Identity Cloud Service.

Solution 1: Ensure that the imported user account is linked to the correct user under the NetSuite app in Oracle Identity Cloud Service. For more information on activating the user account for NetSuite, see the "Enabling Synchronization" section.

Cause 2: The imported user that is initiating SSO is not assigned to a role that has Single Sign-On permission.

Solution 2: Ensure that the user account is assigned to a role that has Single Sign-on permission in NetSuite.

NetSuite displays the message, "User creation failed :Only one request may be made against a session at a time"

Cause: The number of users provisioned in the application exceeds the permissible number of users allowed to be provisioned as per the SuiteCloud Plus license.

Solution: Purchase the required number of SuiteCloud Plus licenses as per the user provisioning requirements.

Oracle Identity Cloud Service displays the message, "You are not authorized to access the app. Contact your system administrator."

Cause 1: The SAML 2.0 integration between the Oracle Identity Cloud Service NetSuite app and NetSuite is deactivated.

Solution 1:

  • Access the Oracle Identity Cloud Service administration console, select Applications, and then select NetSuite.
  • In the App Details section, click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Cause 2: The administrator revokes access for the user at the same time that the user tries to access the NetSuite app using Oracle Identity Cloud Service.

Solution 2:

  • Access the Oracle Identity Cloud Service administration console, select Applications, and then select NetSuite.
  • In the App Details section, select Users, and then click Assign to re-assign the user.

Unknown Issues

For unknown issues, contact Oracle Support:

  1. Go to https://support.oracle.com.

  2. Select Cloud Support, and then sign in with your support credentials.

  3. In the Cloud Dashboard, confirm that there are no planned outages in Oracle Identity Cloud Service, and then click Create Service Request.

  4. Select Oracle Identity Cloud Service as the service type.

  5. Complete your service request.