SAML SSO Permission Limitations
SAML Single Sign-on roles and permissions have various limitations that are intended to prevent problems.
No one can log in as an administrator using SAML single sign-on. This limitation makes sure an admin can always log in and fix any issues with the third-party IdP setup or SAML access.
Administrators cannot add SAML Single Sign-on permission to a role that has SuiteAnalytics Connect permission; SAML access is not supported for SuiteAnalytics Connect.
Some limitations make sure the admin is fully responsible for deciding who can access their NetSuite account with SAML Single Sign-on. The admin is choosing to trust the third-party IdP to authenticate and let people into their NetSuite account. That's why these limitations exist:
- If someone logs in to NetSuite with a role that doesn't have SAML Single Sign-on permission, they can't access any roles that do have it. This stops users from switching between SAML and non-SAML roles with different privileges.
- As of 2018.1, it is up to an administrator to decide whether users should be locked in a single account. See Account Attribute for more information. (In previous releases, a user who accessed NetSuite through SAML Single Sign-on could not access any roles that belonged to a different NetSuite account. SAML Single Sign-on access was provided to only a single account.)
Some limitations are intended to ensure there are no conflicts resulting from having two different trust authorities (the third-party IdP and NetSuite) authenticating a single user. After SAML is enabled for certain roles in an account, NetSuite trusts the third-party identity provider. This is the reason behind the following limitations:
- A user who has accessed NetSuite through SAML Single Sign-on cannot access any roles that do not have SAML Single Sign-on permission. This prevents users from switching from a SAML role to a non-SAML role with greater privileges.
- Only one type of inbound single sign-on permission can be assigned to a specific role. If a role has SAML Single Sign-on permission, it cannot have OpenID Connect (OIDC) Single Sign-on permission.
Related Topics
- SAML Single Sign-on
- Configure NetSuite with Your Identity Provider
- Complete the SAML Setup Page
- Update Identity Provider Information in NetSuite
- IdP Metadata and SAML Attributes
- Interactions with NetSuite Using SAML
- SAML SSO in Multiple NetSuite Account Types
- NetSuite SAML Certificate References
- Remove SAML Access to NetSuite
- SAML SSO FAQ
- Add SAML Single Sign-on Permissions to Roles