Interactions with NetSuite Using SAML

See the following topics for more information about SAML SSO interactions with NetSuite:

SP-initiated and IdP-initiated Flows

There are two single sign-on flows in the SAML 2.0 standard: SP-initiated and IdP-initiated. NetSuite supports both types of flows.

For more information about SAML SSO use with web stores, see SAML Single Sign-on Access to Web Store.

The SP-initiated Flow

To trigger an SP-initiated flow:

  • SAML must be set as the primary authentication method, or

  • The user must have a browsing history using SAML, and a deep link must be used to trigger the flow.

For more information, see the Primary Authentication Method in Defining the NetSuite Configuration for SAML.

SAMLRequest and RelayState

In an SP-initiated flow, the SAMLRequest initiates the login protocol exchange. RelayState is an optional parameter, transferred together with the SAMLRequest message, that preserves and conveys state information. For detailed information, refer to the SAML 2.0 specification at https://www.oasis-open.org/standards#samlv2.0.

You can configure the value of the RelayState attribute on the IdP side. However, for security reasons, NetSuite does not support redirects to external (non-NetSuite) pages through the RelayState attribute in the SAML assertion.
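The SP-initiated exchange and the RelayState restriction described above, as an added example that is not NetSuite's code: an SP builds and encodes an AuthnRequest for the HTTP-Redirect binding, attaches RelayState, and on return accepts RelayState only as a relative in-application path rather than an external URL. The endpoint URLs and the `/home` landing path are constructed placeholders.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import urlencode, urlsplit

# Constructed placeholder endpoints; real deployments take these from SP/IdP metadata.
SP_ENTITY_ID = "https://sp.example.test/saml"
IDP_SSO_URL = "https://idp.example.test/sso"
ACS_URL = "https://sp.example.test/saml/acs"

def build_authn_request(request_id: str = "") -> str:
    """Minimal SAML 2.0 AuthnRequest: the XML carried in the SAMLRequest parameter."""
    req_id = request_id or "_" + uuid.uuid4().hex
    issued = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{req_id}" Version="2.0" IssueInstant="{issued}" '
        f'AssertionConsumerServiceURL="{ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )

def encode_redirect_request(xml: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw deflate
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def decode_redirect_request(encoded: str) -> str:
    """What the IdP does on receipt: base64-decode, then raw-inflate."""
    return zlib.decompress(base64.b64decode(encoded), -15).decode()

def sp_initiated_redirect_url(relay_state: str) -> str:
    """URL the SP sends the browser to; RelayState rides alongside SAMLRequest."""
    query = {"SAMLRequest": encode_redirect_request(build_authn_request()),
             "RelayState": relay_state}
    return f"{IDP_SSO_URL}?{urlencode(query)}"

def safe_relay_target(relay_state: str, default: str = "/home") -> str:
    """Accept RelayState only as an in-app relative path (what the text above says
    NetSuite does); absolute URLs, "//host", backslash forms and control characters
    fall back to the default landing page ("/home" is a constructed placeholder)."""
    rs = relay_state.strip()
    if not rs.startswith("/") or rs[1:2] in ("/", "\\") or any(ord(c) < 0x20 for c in rs):
        return default
    parts = urlsplit(rs)
    if parts.scheme or parts.netloc:  # defence in depth: must parse as path only
        return default
    return rs
```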

Single Logout (SLO)

NetSuite supports the Single Logout (SLO) feature. The following types of Single Logout (SLO) are supported:

  • IdP-initiated SLO is supported for the NetSuite UI and Commerce web stores.

  • SP-initiated SLO is supported for the NetSuite UI and Commerce web stores.
