Authentication Overview

NetSuite supports several authentication methods, both for logging in to the NetSuite User Interface (UI) and for API access to NetSuite. In this section, see:

Authentication in the NetSuite UI

Users authenticate to the NetSuite UI by entering an email address and a password. See Your User Credentials for information for users.

Topics for administrators include Password Requirements and Policies in NetSuite, NetSuite Login Pages, and Enabling and Creating IP Address Rules.

Two-Factor Authentication (2FA) protects your company from unauthorized access to your data. 2FA is a free solution that provides both online and offline methods for receiving verification codes.

Important:

NetSuite requires 2FA for all Administrator and other highly privileged roles in all NetSuite accounts. This includes access to production, sandbox, development, and Release Preview accounts.

The Administrator and other highly privileged roles are designated as requiring 2FA by default, and this requirement cannot be removed. Any standard or customized roles that include highly privileged permissions are indicated in the Mandatory 2FA column on the Two-Factor Authentication Roles page.

For more information, see the following topics:

Single Sign-on (SSO) Overview

SSO is a way to log in to multiple applications with only one account hosted in one place. This makes it easier to access all of your apps without having to remember more usernames and passwords. It also helps keep your information secure by controlling who can access each app.

NetSuite supports the following methods for inbound SSO access to the NetSuite UI:

NetSuite supports two outbound single sign-on methods:

Authentication for API Access to NetSuite

NetSuite offers Token-based Authentication (TBA) and OAuth 2.0, which let client applications present a token instead of a user's credentials when they access NetSuite through its APIs. With TBA or OAuth 2.0, RESTlets and web services integrations no longer need to store user credentials. You should not use user credentials as an authentication method for web services integrations or for RESTlets.

Note:

OAuth 2.0 cannot be used with SOAP web services. For more information, see Authentication Matrix.
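The following Python is an added example, not NetSuite's own code or documentation. It shows why a token-based scheme removes the need to store a password in an integration: TBA is built on OAuth 1.0 request signing, so the client keeps the integration's consumer key/secret and the token ID/secret locally and sends only a per-request HMAC-SHA256 signature, while the server recomputes that signature from the same inputs. The parameter names are those of OAuth 1.0 (RFC 5849); that TBA uses HMAC-SHA256 with the account ID as the realm is my understanding of the scheme, not something this page states. The account ID, keys, secrets and RESTlet URL are constructed placeholders, and the timestamp-skew and nonce-replay checks in the verifier are an assumed server-side policy included to show how a signed request resists replay.

```python
# Added example: OAuth 1.0-style request signing as used by NetSuite TBA.
# Every credential and URL below is a constructed placeholder.
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

ACCOUNT_ID = "123456_SB1"       # placeholder account ID, used as the realm
CONSUMER_KEY = "ck-placeholder"  # placeholder integration record key
CONSUMER_SECRET = "cs-placeholder"
TOKEN_ID = "tk-placeholder"      # placeholder access token ID
TOKEN_SECRET = "ts-placeholder"
# Constructed RESTlet URL; the host is a placeholder, not a real account domain.
RESTLET_URL = "https://example.invalid/app/site/hosting/restlet.nl?script=1&deploy=1"


def _pct(value: str) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0 requires ('/' and '+' are encoded)."""
    return quote(value, safe="-._~")


def signature_base_string(method: str, url: str, oauth_params: dict) -> str:
    """Join method, base URL and the sorted, encoded parameter set with '&'.
    Query parameters and every oauth_* field except oauth_signature take part,
    so changing the method, path, query or any header field breaks the signature."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    params = list(parse_qsl(parts.query, keep_blank_values=True))
    params += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    normalized = "&".join(
        f"{k}={v}" for k, v in sorted((_pct(k), _pct(v)) for k, v in params))
    return "&".join([method.upper(), _pct(base_url), _pct(normalized)])


def sign(base_string: str, consumer_secret: str, token_secret: str) -> str:
    """HMAC-SHA256 over the base string, keyed with both secrets, base64-encoded."""
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    return base64.b64encode(
        hmac.new(key, base_string.encode(), hashlib.sha256).digest()).decode()


def build_authorization_header(method: str, url: str,
                               nonce: str = None, timestamp: int = None) -> str:
    """Client side: build the Authorization header; only the signature travels."""
    oauth_params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": TOKEN_ID,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_signature_method": "HMAC-SHA256",
        "oauth_version": "1.0",
    }
    oauth_params["oauth_signature"] = sign(
        signature_base_string(method, url, oauth_params), CONSUMER_SECRET, TOKEN_SECRET)
    fields = ", ".join(f'{k}="{_pct(v)}"' for k, v in oauth_params.items())
    return f'OAuth realm="{_pct(ACCOUNT_ID)}", {fields}'


def parse_authorization_header(header: str) -> dict:
    """Split 'OAuth k="v", k="v"' back into a dict of decoded values."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth header")
    fields = {}
    for item in header[len("OAuth "):].split(", "):
        key, value = item.split("=", 1)
        fields[key] = unquote(value.strip('"'))
    return fields


def verify_request(method: str, url: str, header: str, consumer_secret: str,
                   token_secret: str, now: int = None, max_skew: int = 300,
                   seen_nonces: set = None) -> bool:
    """Server side (assumed policy): recompute the signature, compare it in
    constant time, reject stale timestamps and reject an already-seen nonce."""
    try:
        params = parse_authorization_header(header)
        params.pop("realm", None)  # realm is not part of the base string
        ts = int(params["oauth_timestamp"])
        nonce = params["oauth_nonce"]
    except (ValueError, KeyError):
        return False
    if params.get("oauth_signature_method") != "HMAC-SHA256":
        return False
    if abs((now if now is not None else int(time.time())) - ts) > max_skew:
        return False
    expected = sign(signature_base_string(method, url, params), consumer_secret, token_secret)
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return False
    # Record the nonce only after the signature checks out, so that
    # unauthenticated traffic cannot fill the replay cache.
    if seen_nonces is not None:
        if nonce in seen_nonces:
            return False
        seen_nonces.add(nonce)
    return True


if __name__ == "__main__":
    hdr = build_authorization_header("GET", RESTLET_URL)
    print(hdr)
    print("verifies:", verify_request("GET", RESTLET_URL, hdr, CONSUMER_SECRET, TOKEN_SECRET))
```

The verifier deliberately checks the signature before consulting the nonce cache: a tampered method, path, query string or header field changes the base string and fails the constant-time comparison, and only requests that pass get to consume a nonce.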

For more information, see the following topics:

NetSuite supports two outbound single sign-on authentication methods for integrations:

Device ID authentication is also available in NetSuite. It was developed for use with the SuiteCommerce InStore (SCIS) application, but you can also develop your own applications that use Device ID authentication in NetSuite. See Device ID Authentication. For more information about the SCIS application, see SuiteCommerce InStore (SCIS).

Authentication Matrix

The following table shows the authentication methods supported in NetSuite. Its columns are NetSuite Application, SuiteCommerce, SOAP web services, REST web services, and SuiteScript RESTlets; each row below lists only the columns that have an entry.

User Credentials
- NetSuite Application: Supported
- SuiteCommerce: Supported
- SOAP web services: You should not employ user credentials for SOAP web services. Use Token-based Authentication instead. Currently supported, with the exception of 2FA-required roles. Important: As of the 20.2 endpoint, user credentials are not supported for use with SOAP web services.
- SuiteScript RESTlets: Important: As of January 1, 2021, user credentials are not supported for use with RESTlets.

Token-based Authentication (TBA)
- SOAP web services: Supported. You should use TBA for SOAP web services authentication.
- REST web services: Supported. You should use TBA or OAuth 2.0 for REST web services authentication.
- SuiteScript RESTlets: Supported. You should use TBA or OAuth 2.0 for RESTlet authentication.

OAuth 2.0
- REST web services: Supported. You should use OAuth 2.0 or TBA for REST web services authentication.
- SuiteScript RESTlets: Supported. You should use OAuth 2.0 or TBA for RESTlet authentication.

Two-Factor Authentication (2FA)
- NetSuite Application: Supported. 2FA is required for highly privileged roles.

SAML 2.0
- NetSuite Application: Supported
- SuiteCommerce: Supported

OpenID Connect (OIDC) Single Sign-on
- NetSuite Application: Supported
- SuiteCommerce: Supported

Warning:

The NetSuite Inbound SSO feature is deprecated. Migrate your solutions to a different single sign-on feature:

As of 2021.1, any solutions still using the Inbound SSO do not work.
