SAML SSO FAQ

The following section contains answers to questions about setting up and using SAML SSO with NetSuite. SAML SSO in NetSuite is based on the Security Assertion Markup Language (SAML) v2.0 specifications. See OASIS Security Services (SAML) TC for a link to the SAML specifications. The complete SAML v2.0 OASIS Standard set (PDF format) and schema files are available in a .zip file. See also SAML Single Sign-on for information about setting up SAML in NetSuite.

SAML SSO and Sandbox Accounts

When I access my NetSuite production account through SAML SSO, can I switch roles to access my SAML role in a sandbox account?

It depends on how your SAML is set up, and if the account ID is specified. See SAML SSO in Multiple NetSuite Account Types for more information.

When I access my NetSuite production account through SAML SSO, can I switch roles to access my non-SAML roles in my production or sandbox accounts?

No. It is not possible to access SAML roles and non-SAML roles in the same session.

When I log in to my NetSuite production account in a non-SAML role, can I switch roles to other non-SAML roles in my production or sandbox accounts?

Yes.

Technical Questions about SAML

Is encryption required?

As stated in the NetSuite Service Provider (SP) metadata, encryption is not required. At minimum, it is required only that assertions be signed (WantAssertionsSigned="true"). But an identity provider (IdP) can set a higher level of security using encryption. Refer to the SAML specifications to learn more about the encryption options SAML supports.

What Secure Hash Algorithm (SHA) is supported, SHA1 or SHA256?

The answer to this question is tied to the SAML 2.0 protocol. SAML relies on the XML-Signature Syntax and Processing specification (D. Eastlake and others, XML-Signature Syntax and Processing. World Wide Web Consortium, February 2002.) For more information, see http://www.w3.org/TR/xmldsig-core/. The only supported hashing function in this specification is SHA1. You should use the RSAwithSHA1 signature method.

What bindings are supported?

NetSuite does not support non-secure bindings. All of the bindings require TLS. Our Assertion Consumer Service only accepts the HTTP-POST binding. This is described in the Service Provider Metadata file. To view the NetSuite SP metadata file in your account, see Prepare to Provide NetSuite SP Metadata to Your IdP.

Do all SAML 2.0 messages have authenticity and integrity protection using a digital certificate?

The whole assertion message must be signed with the IdP's private key and sent over HTTPS. NetSuite only supports use of the TLS 1.2 protocol for secure communication.

Does the Response for any message that does not have authenticity and integrity protection always indicate failure?

Yes, it does. At a minimum, NetSuite requires that an assertion be signed.

If a message or elements of a message are digitally signed, does the relying party always validate the public key of the digital signature?

Yes, it does.

Are there any revocation checks done against the signature (such as CRL or OCSP)?

There are no automatic revocation checks. Revocation must be done manually by an administrator, by removing the IdP's metadata from the NetSuite account settings.

Are all SAML 2.0 messages sent through an HTTP binding using the Transport Layer Security (TLS) protocol?

NetSuite only accepts requests sent through HTTPS (TLS). NetSuite only supports use of the TLS 1.2 protocol for secure communication.

Does the Service Provider process the InResponseTo attribute of the Response to ensure the Response was intended for them and is still fresh?

For the SP-initiated flow, this check is included as per the SAML standard. Both IdP-initiated and SP-initiated flows are supported. See Interactions with NetSuite Using SAML for more information.

Does the Service Provider process the Destination attribute of the Response to ensure the Response was intended for them?

Yes, it does.

Does the Service Provider process the SubjectConfirmationData element to ensure the Assertion was intended for them?

Yes, it does.

Does the Service Provider validate the NotOnOrAfter attribute of the Conditions element to ensure the Assertion is still fresh?

Yes, it does.

Does the Service Provider process the AudienceRestrictions element to ensure the assertion was intended for them?

Yes, it does.

Does the Service Provider process the AuthnContext element to ensure the authentication context class?

Yes, it does.
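The SP-side checks asked about above (Destination, InResponseTo, SubjectConfirmationData, Conditions/NotOnOrAfter, AudienceRestriction and AuthnContext), collected into one validation routine as an added example; this is not NetSuite's code. The ACS URL, entity IDs and the Response itself are constructed placeholders, and XML-DSig signature verification (the first check the FAQ requires) is assumed to have already passed through a dedicated library, since it is not shown here.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://sp.example.test/acs"      # placeholder ACS URL, not NetSuite's
SP_ENTITY_ID = "https://sp.example.test"     # placeholder SP entity ID
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
# Constructed sample Response; the Signature element is omitted (see lead-in).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
 ID="_r1" InResponseTo="_req42" Destination="{ACS_URL}">
 <saml:Assertion ID="_a1"><saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="_req42"
     NotOnOrAfter="2024-01-01T12:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z"><saml:AuthnContext>
   <saml:AuthnContextClassRef>{PPT}</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>"""

def parse_ts(value, default):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z; default when absent."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return default if value is None else datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def validate_response(xml_text, now, outstanding_ids, required_class=PPT):
    """Run the SP-side checks listed in the FAQ; return failures (empty list = accept)."""
    fails, root = [], ET.fromstring(xml_text)
    if root.get("Destination") != ACS_URL:
        fails.append("Destination is not our ACS URL")
    if root.get("InResponseTo") not in outstanding_ids:       # SP-initiated flow
        fails.append("InResponseTo matches no outstanding AuthnRequest")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return fails + ["no Assertion"]
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL or now >= parse_ts(scd.get("NotOnOrAfter"), now):
        fails.append("SubjectConfirmationData not for this SP or expired")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (parse_ts(cond.get("NotBefore"), now) <= now < parse_ts(cond.get("NotOnOrAfter"), now)):
        fails.append("Conditions validity window does not contain now")
    auds = [x.text for x in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in auds:
        fails.append("AudienceRestriction does not name this SP")
    ref = a.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ref is None or ref.text != required_class:
        fails.append("AuthnContext class not acceptable")
    return fails
```

A missing NotOnOrAfter is treated as expired (defaulting to `now`), so an assertion without a freshness bound is rejected rather than accepted indefinitely.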

Related Topics

SAML Single Sign-on
Complete Preliminary Steps in NetSuite for SAML SSO
Configure NetSuite with Your Identity Provider
Complete the SAML Setup Page
Update Identity Provider Information in NetSuite
IdP Metadata and SAML Attributes
Interactions with NetSuite Using SAML
SAML SSO in Multiple NetSuite Account Types
NetSuite SAML Certificate References
Remove SAML Access to NetSuite
