Configure NetSuite with Your Identity Provider

It is not possible to provide detailed instructions for configuring NetSuite as a service provider (SP) with your identity provider (IdP). Refer to the documentation available from your IdP for configuring SAML access. However, see the following procedure for basic guidance on what must be accomplished to set up SAML access to NetSuite with your IdP. The exact steps will vary, depending on your IdP. The procedure will also vary depending on whether the NetSuite application is already configured by your IdP, or if you must create the NetSuite application yourself with your IdP.

Note:

Your IdP could be a web application or an on-premises solution. The NetSuite application could already be included in their list of SP applications. The IdP might have a setup wizard or a manual to guide you through the process.

To configure SAML with your IdP:

  1. Go to your IdP website or an on-premises administration console, and follow the application setup instructions from your IdP.

    Note:

    You must create a new SP application for NetSuite. Refer to your IdP’s documentation for directions on how to do this.

  2. Provide the NetSuite Service Provider Metadata to your IdP by one of the following methods:

    1. Upload the NetSuite SP metadata file, or:

    2. Paste the URL for the NetSuite SP metadata file in the appropriate field with your IdP, or:

    3. Manually configure SAML on the IdP side by copying information from specific fields in the NetSuite Service Provider Metadata file to the IdP.

      If you need instructions because you must manually upload a certificate file, see Extract an Encryption Certificate or Signing Certificate from the SP Metadata File.

      Your IdP (website or on-premises console)

      From the NetSuite Service Provider Metadata file

      SP Entity ID

      Always refer to the NetSuite Service Provider Metadata file in your account.

      Copy the SP entityID from the NetSuite Service Provider metadata file you downloaded from the SAML Setup page your account.

      The SP entityID is shown in the first line of the file.

      Assertion Consumer Service

      Always refer to the NetSuite Service Provider Metadata file in your account.

      Copy the URL from the NetSuite Service Provider metadata file you downloaded from the SAML Setup page in your account.

      Important:

      As of May 2020, the default Assertion Consumer Service refers to the NetSuite system domain: https://system.netsuite.com/saml2/acs. You do not have to change the configuration if we move your account to a different data center location, or if you configure SAML SSO in multiple accounts in various data center locations.

      Single Logout Service

      Always refer to the NetSuite Service Provider Metadata file in your account.

      Copy the URL from the NetSuite Service Provider metadata file you downloaded from the SAML Setup page in your account.

      Important:

      Use only the value on the first line of the list: https://system.netsuite.com/saml2/slopost

      Ensure you use a POST binding.

  3. Your IdP also has an IdP metadata configuration file. You must copy the URL for this file, or download the IdP metadata file. (Later, you must either enter the URL or upload the file into NetSuite on the SAML Setup page.)

  4. With your IdP, you must assign (or provision) the NetSuite application to the SAML users in your account.

In many cases, the previous steps take care of all the information you need to provide to the IdP. For more information about signing assertions, encryption, and SAML attributes, see IdP Metadata and SAML Attributes.

Related Topics

SAML Single Sign-on
Complete Preliminary Steps in NetSuite for SAML SSO
Complete the SAML Setup Page
Update Identity Provider Information in NetSuite
IdP Metadata and SAML Attributes
Interactions with NetSuite Using SAML
SAML SSO in Multiple NetSuite Account Types
NetSuite SAML Certificate References
Remove SAML Access to NetSuite
SAML SSO FAQ

General Notices