OpenID Connect Permissions
When the OpenID Connect (OIDC) Single Sign-on feature is enabled, the following permissions are available:
- Set Up OpenID Connect (OIDC) Single Sign-on - permits users other than those with an Administrator role (NetSuite administrators) to view and edit the OpenID Connect (OIDC) Single Sign-on setup page. The Administrator role already has this permission.
  Important: This is a highly privileged permission, therefore two-factor authentication (2FA) is required. Roles with this permission are indicated in the Required 2FA column on the Two-Factor Authentication Roles page. For more information, see Two-Factor Authentication (2FA).
- OpenID Connect (OIDC) Single Sign-on - requires users to log in to the NetSuite UI using the OpenID Connect (OIDC) Single Sign-on feature. This permission must be explicitly assigned to a role.
  Important: Be aware of the following:
  - If a role is designated as Single Sign-on Only, users assigned this permission will not be able to log in to the NetSuite UI from the standard login page with their username and password.
  - Users will receive notifications from NetSuite regarding password expiration. For more information, see Password Expiration Notifications.
  See OpenID Connect Permission Limitations for more information.
- Both OIDC permissions are Setup type permissions that support only a Full permission level.
You can add the OpenID Connect (OIDC) Single Sign-on to an existing role, or you can create a new role.
Permissions are added to roles on the Role record page, available at Setup > Users/Roles > User Management > Manage Roles.
After you assign the OpenID Connect (OIDC) Single Sign-on permission to a role, there's a short delay before users can use that role to log in with OIDC. This delay happens because of caching—the new permission isn't available until the cache times out.
For more information about adding permissions to roles, see Customizing or Creating NetSuite Roles.
OpenID Connect Permission Limitations
OpenID Connect (OIDC) roles and permissions have various limitations that are intended to prevent problems.
No one can log in with an Administrator role using the OpenID Connect (OIDC) Single Sign-on feature. This limitation makes sure an admin can always log in and fix any issues with the OIDC provider (OP) setup or single sign-on access.
You can't add the OpenID Connect (OIDC) Single Sign-on permission to a role that already has SuiteAnalytics Connect permission. OpenID Connect (OIDC) Single Sign-on doesn't work with SuiteAnalytics Connect.
Some limitations ensure the admin is fully responsible for deciding who can access their NetSuite account with OpenID Connect (OIDC) Single Sign-on. The admin is choosing to trust the OP to authenticate users and let them into their NetSuite account.
- If a role is designated as Single Sign-on Only, users with a role that has OpenID Connect (OIDC) Single Sign-on permission cannot log in directly to the NetSuite user interface using the standard NetSuite login page.
- A user who has accessed NetSuite through the OpenID Connect (OIDC) Single Sign-on feature cannot access any roles that do not have OpenID Connect Single Sign-on permission.
- If a role has OpenID Connect (OIDC) Single Sign-on permission, it cannot also have SAML Single Sign-on permission.
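To make the rules on this page concrete, the following added Python model (not NetSuite code; the Role class, its fields and all sample roles are constructed for illustration) checks a role definition against the stated constraints and decides which login paths and role switches are allowed:

```python
from dataclasses import dataclass

# Permission names as they appear on this page; Role objects below are constructed samples.
OIDC_SSO = "OpenID Connect (OIDC) Single Sign-on"
OIDC_SETUP = "Set Up OpenID Connect (OIDC) Single Sign-on"
SAML_SSO = "SAML Single Sign-on"
SUITEANALYTICS = "SuiteAnalytics Connect"


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset
    is_administrator: bool = False  # the built-in Administrator role
    sso_only: bool = False          # role designated Single Sign-on Only
    requires_2fa: bool = False      # listed in the Required 2FA column


def role_config_issues(role: Role) -> list:
    """Return the rule violations in one role definition (empty list means clean)."""
    issues = []
    if OIDC_SSO in role.permissions:
        if SUITEANALYTICS in role.permissions:
            issues.append("OIDC SSO cannot be combined with SuiteAnalytics Connect")
        if SAML_SSO in role.permissions:
            issues.append("OIDC SSO cannot be combined with SAML Single Sign-on")
    if OIDC_SETUP in role.permissions and not role.requires_2fa:
        issues.append("Set Up OIDC SSO is highly privileged and requires 2FA")
    return issues


def login_allowed(role: Role, method: str) -> bool:
    """Decide whether a login with this role is permitted.

    method is "oidc" (via the OP) or "password" (standard NetSuite login page).
    """
    if method == "oidc":
        # Administrator is never reachable through OIDC, so an admin can always repair the OP setup.
        return OIDC_SSO in role.permissions and not role.is_administrator
    if method == "password":
        # A Single Sign-on Only role blocks the username/password path.
        return not role.sso_only
    raise ValueError(f"unknown login method: {method}")


def reachable_roles(session_method: str, roles) -> list:
    """Roles a user may switch to in the current session."""
    if session_method == "oidc":
        return [r for r in roles if OIDC_SSO in r.permissions and not r.is_administrator]
    return list(roles)
```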
Related Topics
- OpenID Connect (OIDC) Single Sign-on
- Register NetSuite with Your OpenID Connect Provider
- Enable the OpenID Connect (OIDC) Single Sign-on Feature in NetSuite
- Configure OpenID Connect (OIDC) in NetSuite
- Customize Roles for OpenID Connect
- Assign the OpenID Connect Single Sign-on Role to Users
- User Access to NetSuite with OpenID Connect
- Remove OpenID Connect Access to NetSuite
- Troubleshoot OIDC
- Authentication Overview