SAML SSO Permission Limitations
SAML Single Sign-on roles and permissions have various limitations that are intended to prevent problems.
No user can log in using SAML single sign-on as an administrator. This limitation ensures that an administrator can always log in and resolve any problems that might occur with the third-party IdP setup or SAML access.
Administrators cannot add SAML Single Sign-on permission to a role that has SuiteAnalytics Connect permission. SAML access is not supported for SuiteAnalytics Connect.
Some limitations are intended to ensure that the administrator has absolute responsibility for explicitly deciding who is allowed to access their NetSuite account using SAML Single Sign-on. The administrator is deciding to trust the third-party IdP to authenticate and allow access to their NetSuite account. This is the reason for the following limitations:
-
A user who has accessed NetSuite with a role that does not have SAML Single Sign-on permission cannot access any roles that do have SAML Single Sign-on permission. This prevents users from switching from a SAML role to a non-SAML role with greater privileges.
-
As of 2018.1, it is up to an administrator to decide whether users should be locked in a single account. See Account Attribute for more information. (In previous releases, a user who accessed NetSuite through SAML Single Sign-on could not access any roles that belonged to a different NetSuite account. SAML Single Sign-on access was provided to only a single account.)
Some limitations are intended to ensure there are no conflicts resulting from having two different trust authorities (the third-party IdP and NetSuite) authenticating a single user. After SAML is enabled for certain roles in an account, NetSuite trusts the third-party identity provider. This is the reason behind the following limitations:
-
A user who has accessed NetSuite through SAML Single Sign-on cannot access any roles that do not have SAML Single Sign-on permission. This prevents users from switching from a SAML role to a non-SAML role with greater privileges.
-
Only one type of inbound single sign-on permission can be assigned to a specific role. If a role has SAML Single Sign-on permission, it cannot have OpenID Connect (OIDC) Single Sign-on permission.
Related Topics
- SAML Single Sign-on
- Configure NetSuite with Your Identity Provider
- Complete the SAML Setup Page
- Update Identity Provider Information in NetSuite
- IdP Metadata and SAML Attributes
- Interactions with NetSuite Using SAML
- SAML SSO in Multiple NetSuite Account Types
- NetSuite SAML Certificate References
- Remove SAML Access to NetSuite
- SAML SSO FAQ
- SAML SSO Permissions