External Application HTTP Verify Call

Upon receipt of the NetSuite HTTP outbound call, the external application must issue an HTTP verify call. The following is an example of this call.

Note:

Use HMAC-SHA256; it is the strongest signature method offered. HMAC-SHA1 is also accepted. PLAINTEXT is supported, but with PLAINTEXT the oauth_signature value is the signing key itself (the percent-encoded shared secret followed by "&"), so the secret travels with every verify call and is protected only by the TLS connection. Avoid it.

    GET /app/common/integration/ssoapplistener.nl HTTP/1.0
    Host: <accountID>.app.netsuite.com
    Authorization: OAuth oauth_consumer_key="6OtBtQV4nmEOQKpw", oauth_token="05016d16126a7a6c554656421e242310060807051b17ee54e6d26986d8aa", oauth_nonce="kPeHzQpN6bZXsWu5w2nm", oauth_timestamp="1490706743", oauth_signature_method="HMAC-SHA256", oauth_version="1.0", oauth_signature="vh3C69af9EwXKGbmlDqeA4xiYbtaM1Mq9WH60it4e5Q%3D"

Be aware of the following, as shown in the example of the HTTP verify call:

The OAuth Authorization Header for Outbound SSO

The outbound HTTP Verify call should include the following parameters in the authorization header. The entire header, including all of the parameters, must be in a single line. The CRLF character indicates the end of the header.

Note:

For a description of the OAuth 1.0 protocol and signature validation, see the OAuth 1.0 Protocol, RFC 5849.

Field                    Description

oauth_token              The token generated and sent by NetSuite in its outbound call.

oauth_consumer_key       A globally unique identifier for the application provider, generated by
                         NetSuite when the integration is set up on the SuiteSignOn page.

oauth_signature_method   HMAC-SHA256 and HMAC-SHA1 are the supported HMAC signature methods for
                         ssoapplistener calls; PLAINTEXT is also accepted.

                           • Use HMAC-SHA256; it is the most secure signature option.
                           • HMAC-SHA1 is also accepted.
                           • PLAINTEXT is supported, but with PLAINTEXT the oauth_signature value
                             is the signing key itself (the percent-encoded shared secret followed
                             by "&"), so the secret is sent with every call and is protected only
                             by TLS. Avoid it.

oauth_signature          The signature, computed with the chosen signature method as described in
                         the OAuth specification, https://tools.ietf.org/html/rfc5849#section-3.4.
                         See Generate the Signature for the OAuth Header for Outbound SSO for more
                         information. The base64 signature is itself percent-encoded when it is
                         placed in the header, as in the example above ("/" becomes %2F and "="
                         becomes %3D).

                         The token secret mentioned in the OAuth 1.0 specification is an empty
                         string, so the signing key is the percent-encoded shared secret, followed
                         by an ampersand, followed by nothing:

                             percent_encode(shared_secret) + "&" + ""

                         For more information about percent-encoding, go to
                         https://tools.ietf.org/html/rfc5849#section-3.6.

                         The shared secret is a password used to establish ownership of the
                         consumer key generated by NetSuite. It is not a header parameter itself;
                         it is the key with which the signature in your HTTP header is computed,
                         so your application verification code needs access to it. For more
                         information about the shared secret, see Notes about Modifying the
                         Shared Secret.

oauth_timestamp          The number of seconds since January 1, 1970 00:00:00 GMT. The timestamp
                         value must be a positive integer and must be equal to or greater than the
                         timestamp used in previous verify calls.

oauth_nonce              A random string (the example uses a 20-character alphanumeric value) that
                         must be unique across verify calls with the same timestamp value. The
                         timestamp and nonce together let the receiver reject a replayed request.

oauth_version            "1.0", as in the example. Every oauth_* parameter in the header except
                         oauth_signature is part of the signature base string, so if you send
                         oauth_version it must also be included when you build the base string.

Generate the Signature for the OAuth Header for Outbound SSO

Constructing the signature for the authorization header used in the External Application HTTP Verify Call is the step integrators most often get wrong. This section walks through it with a concrete example.

For more information about generating the signature, see Troubleshooting SuiteSignOn (Outbound SSO).

The input parameters for this example are:

    $httpMethod = "GET"; // the verify call is an HTTP GET
    // replace <accountID> with your account ID: the host name is part of the signature base string
    $url = "https://<accountID>.app.netsuite.com/app/common/integration/ssoapplistener.nl";
    $oauth_consumer_key = "6OtBtQV4nmEOQKpw";
    $oauth_consumer_secret = "P@ssw0rd 123"; // shared secret
    $oauth_token = "030f6c1d1b6b106c6b445655477e72571343502efefc809d";
    $oauth_nonce = "kPeHzQpN6bZXsWu5w2nm";
    $oauth_timestamp = "1490706743";
    $oauth_signature_method = "HMAC-SHA256";
    $oauth_version = "1.0";

This example uses the PHP OAuth extension (PECL oauth), whose oauth_get_sbs() function builds the signature base string defined in https://tools.ietf.org/html/rfc5849#section-3.4.1.

To generate the oauth_signature:

  1. Construct a base string for the signature.

        $baseString = oauth_get_sbs($httpMethod, $url, array(
            'oauth_consumer_key' => $oauth_consumer_key,
            'oauth_nonce' => $oauth_nonce,
            'oauth_signature_method' => $oauth_signature_method,
            'oauth_timestamp' => $oauth_timestamp,
            'oauth_token' => $oauth_token,
            'oauth_version' => $oauth_version));

    For more information, see Create the Base String Manually in Troubleshooting SuiteSignOn (Outbound SSO).

  2. The signing key is the string used as the HMAC key when the base string is signed. It is the percent-encoded consumer secret (rawurlencode applies the RFC 3986 encoding that RFC 5849 section 3.6 requires), followed by an ampersand (&), followed by the token secret, which is empty for SuiteSignOn.

        $key = rawurlencode($oauth_consumer_secret) . "&" . ""; // encoded shared secret, "&", empty token secret

  3. The signature is the base64 encoding of the HMAC, where the message is the base string from step 1 and the key is the key from step 2. Use the hash that matches oauth_signature_method: 'sha256' for HMAC-SHA256 or 'sha1' for HMAC-SHA1. With PLAINTEXT there is no HMAC; the signature is $key itself.

        $signature = base64_encode(hash_hmac('sha256', $baseString, $key, true)); // 'sha1' for HMAC-SHA1
        // signature for this example: 1/3WKQsNRU4/EupyUWMciPRmEHaQEYCL7afJCLmMnd4=

     The signature is percent-encoded when it is placed in the Authorization header ("/" becomes %2F and "=" becomes %3D), giving the header the external application sends:

        Authorization: OAuth oauth_token="030f6c1d1b6b106c6b445655477e72571343502efefc809d", oauth_consumer_key="6OtBtQV4nmEOQKpw", oauth_nonce="kPeHzQpN6bZXsWu5w2nm", oauth_timestamp="1490706743", oauth_signature_method="HMAC-SHA256", oauth_version="1.0", oauth_signature="1%2F3WKQsNRU4%2FEupyUWMciPRmEHaQEYCL7afJCLmMnd4%3D"
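The three steps above, together with the timestamp and nonce rules from the parameter table, as an added example in Python rather than the page's PHP. This is not NetSuite's code and does not use the PECL OAuth extension: it builds the base string by hand as RFC 5849 describes, so it also shows what oauth_get_sbs() does internally. The consumer key, token, nonce, timestamp and shared secret are the page's sample values; the account ID 123456 is a constructed placeholder, and header_is_consistent() and ReplayGuard are illustration helpers, not NetSuite APIs.

```python
"""OAuth 1.0 signing for the SuiteSignOn HTTP verify call, done by hand.
Added example, not NetSuite's code: it does what the page's PHP oauth_get_sbs()
helper does internally (RFC 5849 sections 3.4.1, 3.4.2, 3.6), builds the
one-line Authorization header, and applies the timestamp/nonce rules from the
parameter table.  Account ID "123456" is a constructed placeholder; the other
values are the page's sample values; the listener path is the one on the page."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlsplit

SSO_URL = "https://123456.app.netsuite.com/app/common/integration/ssoapplistener.nl"
CONSUMER_KEY = "6OtBtQV4nmEOQKpw"
SHARED_SECRET = "P@ssw0rd 123"  # "@" and a space: percent-encoding matters
TOKEN = "030f6c1d1b6b106c6b445655477e72571343502efefc809d"
NONCE = "kPeHzQpN6bZXsWu5w2nm"
TIMESTAMP = "1490706743"
DIGESTS = {"HMAC-SHA256": hashlib.sha256, "HMAC-SHA1": hashlib.sha1}

def pct(value):
    """RFC 5849 section 3.6: encode everything except ALPHA, DIGIT, - . _ ~"""
    return quote(value, safe="-._~")

def signature_base_string(http_method, url, params):
    """RFC 5849 section 3.4.1: METHOD & base-URL & normalized-parameters."""
    u = urlsplit(url)
    scheme, host, port = u.scheme.lower(), u.hostname.lower(), u.port
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"
    base_url = f"{scheme}://{host}{u.path or '/'}"
    # query parameters (none on the verify call) plus every oauth_* parameter
    # except the signature, each percent-encoded, sorted by key then value
    pairs = list(parse_qsl(u.query, keep_blank_values=True))
    pairs += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([http_method.upper(), pct(base_url), pct(normalized)])

def signing_key(shared_secret, token_secret=""):
    """RFC 5849 section 3.4.2; SuiteSignOn has no token secret, so the key is
    percent_encode(shared_secret) + "&" + ""."""
    return pct(shared_secret) + "&" + pct(token_secret)

def sign(base_string, key, method="HMAC-SHA256"):
    """Return the oauth_signature value (base64, not yet percent-encoded)."""
    if method == "PLAINTEXT":
        return key  # the signing key itself goes on the wire: avoid
    if method not in DIGESTS:
        raise ValueError(f"unsupported oauth_signature_method: {method}")
    mac = hmac.new(key.encode("utf-8"), base_string.encode("utf-8"), DIGESTS[method])
    return base64.b64encode(mac.digest()).decode("ascii")

def build_authorization_header(url, consumer_key, shared_secret, token, nonce,
                               timestamp, method="HMAC-SHA256"):
    """Assemble the single-line Authorization header for the GET verify call."""
    params = {"oauth_consumer_key": consumer_key, "oauth_token": token,
              "oauth_nonce": nonce, "oauth_timestamp": str(timestamp),
              "oauth_signature_method": method, "oauth_version": "1.0"}
    base = signature_base_string("GET", url, params)
    params["oauth_signature"] = sign(base, signing_key(shared_secret), method)
    # values are percent-encoded again inside the header, which is why "/" and
    # "=" in the base64 signature appear as %2F and %3D
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in params.items())

def header_is_consistent(header, url, shared_secret):
    """Troubleshooting aid: parse a header back and recompute its signature
    with the same secret, the way the receiving side must."""
    if not header.startswith("OAuth "):
        return False
    fields = {}
    for item in header[len("OAuth "):].split(", "):
        k, _, v = item.partition("=")
        fields[k] = unquote(v.strip('"'))
    sent = fields.pop("oauth_signature", "")
    try:
        expected = sign(signature_base_string("GET", url, fields),
                        signing_key(shared_secret), fields.get("oauth_signature_method", ""))
    except ValueError:
        return False
    return hmac.compare_digest(sent, expected)

class ReplayGuard:
    """Freshness rules from the parameter table: the timestamp never goes
    backwards, and a nonce is unique among calls that share a timestamp."""

    def __init__(self):
        self.last_ts, self.nonces = 0, set()

    def accept(self, timestamp, nonce):
        ts = int(timestamp)
        if ts <= 0 or ts < self.last_ts or (ts == self.last_ts and nonce in self.nonces):
            return False
        if ts > self.last_ts:
            self.last_ts, self.nonces = ts, set()
        self.nonces.add(nonce)
        return True
```

Because the host name is part of the base string, the signature this code produces for account 123456 will not equal the page's example value, which was computed against the page's own host. When troubleshooting, compare your base string byte for byte with the one produced by oauth_get_sbs() (or by signature_base_string() here) before comparing signatures; a mismatch in percent-encoding of the secret, a missing oauth_version, or a wrong host is almost always the cause.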
    
                      

Related Topics

Outbound Single Sign-on (SuiteSignOn)
SuiteSignOn Overview
Understanding SuiteSignOn
SuiteSignOn Sequence Diagram and Connection Details
SuiteSignOn Required Features
Setting Up SuiteSignOn Integration
Creating SuiteSignOn Records
Creating SuiteSignOn Connection Points
Editing SuiteSignOn Records
Creating a SuiteSignOn Bundle
Making SuiteSignOn Integrations Available to Users
SuiteSignOn Definitions, Parameters, and Code Samples
Sample SuiteSignOn HTTP Calls

General Notices