Configure NetSuite with Your Identity Provider

It is not possible to provide detailed instructions for configuring NetSuite as a service provider (SP) with your identity provider (IdP). However, see the following procedure for basic guidance on what must be accomplished to set up SAML access to NetSuite with your IdP. The exact steps will vary, depending on your IdP. The procedure will also vary depending on whether the NetSuite application is already configured by your IdP, or if you must create the NetSuite application yourself with your IdP.

Note:

Your IdP could be a web application or an on-premises solution. The NetSuite application could already be included in their list of SP applications. The IdP might have a setup wizard or a manual to guide you through the process.

To configure SAML with your IdP:

  1. Go to your IdP website or an on-premises administration console, and follow the application setup instructions from your IdP.

    Note:

    You must create a new SP application for NetSuite. Refer to your IdP’s documentation for directions on how to do this.

  2. Provide the NetSuite Service Provider Metadata to your IdP by one of the following methods:

    1. Upload the NetSuite SP metadata file, or:

    2. Paste the URL for the NetSuite SP metadata file in the appropriate field with your IdP, or:

    3. Manually configure SAML on the IdP side by copying information from specific fields in the NetSuite Service Provider Metadata file to the IdP.

      If you need instructions because you must manually upload a certificate file, see Extract an Encryption Certificate or Signing Certificate from the SP Metadata File.

      For each of the following fields in your IdP (website or on-premises console), copy the value from the NetSuite Service Provider Metadata file:

      SP Entity ID

      Always refer to the NetSuite Service Provider Metadata file in your account.

      Copy the SP entityID from the NetSuite Service Provider metadata file you downloaded from the SAML Setup page in your account.

      The SP entityID is shown in the first line of the file.

      Assertion Consumer Service

      Always refer to the NetSuite Service Provider Metadata file in your account.

      Copy the URL from the NetSuite Service Provider metadata file you downloaded from the SAML Setup page in your account.

      Important:

      As of May 2020, the default Assertion Consumer Service refers to the NetSuite system domain: https://system.netsuite.com/saml2/acs. You do not have to change the configuration if we move your account to a different data center location, or if you configure SAML SSO in multiple accounts in various data center locations.

      Single Logout Service

      Always refer to the NetSuite Service Provider Metadata file in your account.

      Copy the URL from the NetSuite Service Provider metadata file you downloaded from the SAML Setup page in your account.

      Important:

      Use only the value on the first line of the list: https://system.netsuite.com/saml2/slopost

      Ensure you use a POST binding.

  3. Your IdP also has an IdP metadata configuration file. You must copy the URL for this file, or download the IdP metadata file. (Later, you must either enter the URL or upload the file into NetSuite on the SAML Setup page.)

  4. With your IdP, you must assign (or provision) the NetSuite application to the SAML users in your account.

In many cases, the previous steps take care of all the information you need to provide to the IdP. For more information about signing assertions, encryption, and SAML attributes, see IdP Metadata and SAML Attributes.
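For the manual method in step 2, the following added example (not NetSuite's own code) reads the three values out of an SP metadata file and checks them against the notes above: https endpoints, and an HTTP-POST binding on the first Single Logout Service entry. The sample metadata is constructed; its entityID and second logout entry are placeholders, and the function name `sp_values_for_idp` is hypothetical.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like SAML 2.0 SP metadata. The entityID and the
# second SingleLogoutService entry are placeholders, not NetSuite values.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.invalid/placeholder-entity-id">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://system.netsuite.com/saml2/slopost"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sp.example.invalid/placeholder-slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://system.netsuite.com/saml2/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sp_values_for_idp(xml_text):
    """Return (values, problems) for the three fields copied into the IdP."""
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DTDs are not expected in SAML metadata; refusing to parse")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD:
        raise ValueError("expected a single md:EntityDescriptor root element")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    acs_all = sp.findall("md:AssertionConsumerService", NS)
    slo_all = sp.findall("md:SingleLogoutService", NS)
    # Default ACS: the endpoint flagged isDefault="true", otherwise the first listed.
    acs = next((a for a in acs_all if a.get("isDefault") == "true"), acs_all[0] if acs_all else None)
    slo = slo_all[0] if slo_all else None  # the page says to use only the first entry
    values = {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location") if acs is not None else None,
        "slo_url": slo.get("Location") if slo is not None else None,
    }
    problems = [f"{key} is missing" for key, value in values.items() if not value]
    for key in ("acs_url", "slo_url"):
        if values[key] and not values[key].startswith("https://"):
            problems.append(f"{key} is not an https URL")
    if slo is not None and slo.get("Binding") != HTTP_POST:
        problems.append("first SingleLogoutService entry is not an HTTP-POST binding")
    return values, problems


if __name__ == "__main__":
    print(*sp_values_for_idp(SAMPLE_SP_METADATA), sep="\n")
```

Run it against the metadata file downloaded from the SAML Setup page in your account, and resolve any reported problem before entering the values in the IdP.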
