Interactions with NetSuite Using SAML
See the following topics for more information about SAML SSO interactions with NetSuite:
SP-initiated and IdP-initiated Flows
There are two single sign-on flows in the SAML 2.0 standard: SP-initiated and IdP-initiated. NetSuite supports both types of flows.
For more information about SAML SSO use with web stores, see SAML Single Sign-on Access to Web Store.
The SP-initiated Flow
To trigger an SP-initiated flow:
-
SAML must be set as a primary authentication method, or:
-
A user should have a browsing history using SAML, and a deep link should be used to trigger the flow.
For more information, see the Primary Authentication Method in Defining the NetSuite Configuration for SAML.
SAMLRequest and RelayState
To initiate the login protocol exchange, the SAMLRequest must be in an SP-initiated flow. RelayState is an optional parameter to preserve and convey state information that is transferred with the SAMLRequest message. For detailed information, refer to the SAML 2.0 specification. Go to https://www.oasis-open.org/standards#samlv2.0.
You can configure the value of the RelayState attribute on the IdP side. However, for security reasons, NetSuite does not support redirects to external pages (other than NetSuite pages) through RelayState attribute in the SAML assertion.
Single Logout (SLO)
NetSuite supports Single Logout (SLO) feature. The following Single Logouts (SLO) are supported:
-
IdP-initiated SLO is supported for the NetSuite UI and Commerce web stores.
-
SP-initiated SLO is supported for the NetSuite UI and Commerce web stores.
Related Topics
- SAML Single Sign-on
- Complete Preliminary Steps in NetSuite for SAML SSO
- Configure NetSuite with Your Identity Provider
- Complete the SAML Setup Page
- Update Identity Provider Information in NetSuite
- IdP Metadata and SAML Attributes
- SAML SSO in Multiple NetSuite Account Types
- NetSuite SAML Certificate References
- Remove SAML Access to NetSuite
- SAML SSO FAQ