Setting Up Single Sign-on for NetSuite

Single Sign-on (SSO) is a session and user authentication service that lets users access multiple applications with one set of login credentials. To use SSO with the NetSuite Content and Experience SuiteApp, administrators must configure NetSuite in Oracle IDCS as a Security Assertion Markup Language (SAML) application. Perform the following to set up SSO for NetSuite:

  1. Enable the required feature, add the required permissions, and obtain the service provider metadata. See Prerequisites for Setting Up SSO.

  2. Create a SAML application using the Oracle IDCS console. See Creating a SAML Application in Oracle IDCS.

  3. Configure SAML Single Sign-on to use Oracle IDCS. See Configuring SAML Single Sign-on.

  4. Log in to NetSuite using SSO. See Logging In to NetSuite Using SSO.

For more information, see SAML Single Sign-on.

Prerequisites for Setting Up SSO

Required Feature

Using the Administrator role, enable the SAML Single Sign-on feature.

To enable SAML Single Sign-on, go to Setup > Company > Setup Tasks > Enable Features. Click the SuiteCloud subtab, then check the SAML Single Sign-on box. Agree to the SuiteCloud Terms of Service when prompted. Click Save.

Warning:

By enabling the SAML Single Sign-on feature, you allow users to access and use your NetSuite account directly from a third-party service that may not have the same authentication and security features as NetSuite. This feature also extends NetSuite administration of user access to the administrators of the identity management system. You need to ensure that NetSuite account use through SAML meets all of your security, regulatory, and other compliance obligations, including Payment Card Industry (PCI) Data Security Standards.

Required Permissions

The following table shows the permission levels required to set up or use SAML Single Sign-on.

Purpose | Permission | Subtab | Permission Level
For setting up SAML Single Sign-on | Set Up SAML Single Sign-on | Setup | Full
For using SAML Single Sign-on | SAML Single Sign-on | Setup | Full

Important:

Users with the Administrator role must also be assigned a custom role with the required permissions.

As needed, administrators can customize an existing role or create a new one, and then assign the permission to the user. See Customizing or Creating NetSuite Roles.

Obtaining Service Provider Metadata

Administrators, or any role with the Set Up SAML Single Sign-on permission assigned, must first obtain the entity ID and the assertion consumer service URL of NetSuite. These values are required when creating a new SAML application in the Oracle IDCS console.

To obtain the service provider metadata:

  1. Go to Setup > Integration > SAML Single Sign-on.

  2. Click the link in the NetSuite Service Provider Metadata field.

  3. Take note of the values of the elements shown in the table below.

    Note:

    The URLs provided are examples. You must refer to the NetSuite Service Provider Metadata file in your account for the values to be used in setting up SSO.

    Element | Attribute | Sample value
    EntityDescriptor | entityID | http://www.netsuite.com/sp
    SingleLogoutService | Location | https://system.na3.netsuite.com/saml2/slopost
    SingleLogoutService | ResponseLocation | https://system.na3.netsuite.com/saml2/slopost
    AssertionConsumerService (Default) | Location | https://system.netsuite.com/saml2/acs
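As an added example (not NetSuite's or Oracle's own code), the following Python reads a service provider metadata file laid out like the table above and returns the values that go into the Oracle IDCS SAML application fields. The metadata embedded here is constructed from the page's sample values; the script rejects a file that is not SP metadata (for example an identity provider file picked by mistake) and endpoints that are not served over HTTPS.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample mirroring the element/attribute layout of the NetSuite
# Service Provider Metadata file; the URLs are the page's sample values only.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.netsuite.com/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://system.na3.netsuite.com/saml2/slopost"
        ResponseLocation="https://system.na3.netsuite.com/saml2/slopost"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://system.netsuite.com/saml2/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def idcs_fields_from_sp_metadata(xml_text: str) -> dict:
    """Map SP metadata to the four IDCS field values; raise ValueError on bad input."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        # An IdP metadata file (IDPSSODescriptor only) lands here: wrong file.
        raise ValueError("no SPSSODescriptor: not service provider metadata")
    acs_list = sp.findall("md:AssertionConsumerService", NS)
    if not acs_list:
        raise ValueError("no AssertionConsumerService endpoint")
    # Use the endpoint marked isDefault="true"; fall back to the first one listed.
    acs = next((a for a in acs_list if a.get("isDefault") == "true"), acs_list[0])
    slo = sp.find("md:SingleLogoutService", NS)
    slo_loc = slo.get("Location") if slo is not None else None
    # ResponseLocation is optional in SAML metadata; when absent, logout
    # responses go to Location, so reuse it for the Logout Response URL.
    slo_resp = (slo.get("ResponseLocation") or slo_loc) if slo is not None else None
    fields = {
        "Entity ID": root.get("entityID"),
        "Assertion Consumer URL": acs.get("Location"),
        "Single Logout URL": slo_loc,
        "Logout Response URL": slo_resp,
    }
    # Assertions and logout messages carry session state: insist on TLS endpoints.
    for name in ("Assertion Consumer URL", "Single Logout URL", "Logout Response URL"):
        if fields[name] is not None and not fields[name].startswith("https://"):
            raise ValueError(f"{name} is not an https URL: {fields[name]}")
    return fields
```

Run it against the metadata file downloaded from your own account rather than the sample; the returned keys are named after the IDCS fields they fill.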

Creating a SAML Application in Oracle IDCS

A SAML application allows a user to use one set of login credentials to access applications that support SAML for SSO, such as NetSuite.

Before creating a new application, make sure that the administrator account used to log in to Oracle IDCS is assigned the Application Administrator role. For more information on setting up administrator roles, see the following:

To create a SAML application in Oracle IDCS:

  1. Log in to the Oracle IDCS console.

  2. Expand the Navigation Drawer, then click Applications.

  3. Click Add.

  4. On the Add Application page, click SAML Application.

  5. Under App Details, in the Name field, enter a name for your SAML application.

  6. Click Next.

  7. Under General:

    Note:

    Refer to Obtaining Service Provider Metadata for information on retrieving the values required for Entity ID and Assertion Consumer URL fields.

    • In the Entity ID field, enter the entity ID.

    • In the Assertion Consumer URL field, enter the assertion consumer service URL.

    • In the NameID Format field, select Email address.

    • In the NameID Value field, select Primary Email.

  8. Under Advanced Settings:

    Note:

    Refer to Obtaining Service Provider Metadata for information on retrieving the values required for Single Logout URL and Logout Response URL fields.

    • In the Single Logout URL field, enter the value of the Location attribute of the SingleLogoutService element.

    • In the Logout Response URL field, enter the value of the ResponseLocation attribute of the SingleLogoutService element.

  9. Click Finish.

  10. Click Activate to activate the SAML application.

  11. Go to the SSO Configuration subtab.

  12. Click Download Identity Provider Meta Data.

    Important:

    The XML file you download is required when configuring SAML Single Sign-on in NetSuite.

  13. Go to the Users subtab.

  14. Click Assign. Select the users that must have access to NetSuite.

    Note:

    Selected users must enter the same email address when logging in to NetSuite using SSO. Make sure that the users are assigned the required permissions. For more information, see the following:

  15. Click OK.

For more information on creating a new application, see Add a SAML Application.

Configuring SAML Single Sign-on

Administrators, or any role with the Set Up SAML Single Sign-on permission assigned, must configure SAML Single Sign-on in NetSuite so that users can enter their Oracle IDCS login credentials to access NetSuite. Have ready the Identity Provider Meta Data XML file you downloaded from the SAML application created in Oracle IDCS.

For guidelines on setting up SAML Single Sign-on, see Complete the SAML Setup Page.

To configure SAML Single Sign-on:

  1. Go to Setup > Integration > SAML Single Sign-on.

  2. In the Logout Landing Page field, enter https://system.netsuite.com.

    This field must contain the URL for a page that users should be redirected to when they log out of NetSuite.

  3. Check the Primary Authentication Method box.

    Warning:

    If this box is clear, users will not be redirected to Oracle IDCS for authentication.

    For more information about this field, see Primary Authentication Method.

  4. In the Update Identity Provider field group, choose Upload IDP Metadata File. Click Browse to upload the XML file you downloaded from your SAML application.

  5. Click Submit.

Logging In to NetSuite Using SSO

When you have completed the setup instructions, you can log in to NetSuite using Oracle IDCS credentials.

Important:

If you are using Apple Safari, you must first modify your browser's privacy settings before accessing Oracle Content documents using SSO. Refer to Change Privacy preferences in Safari on Mac for instructions.

The following boxes must be clear:

  • Prevent cross-site tracking

  • Block all cookies

To log in to NetSuite using SSO:

  1. Go to system.netsuite.com/app/center/card.nl?c=<accountID>.

    To retrieve your Account ID, go to Setup > Company > Setup Tasks > Company Information. Use the value in the Account ID field.

  2. Log in using your Oracle IDCS credentials.

    Your email address must be listed under the Users subtab of the SAML application created in Oracle IDCS. For more information, see Creating a SAML Application in Oracle IDCS.

    Logged-in users are automatically redirected to their NetSuite home page.

Additional Information

Customizing or Creating NetSuite Roles
SAML Single Sign-on
Complete the SAML Setup Page
Primary Authentication Method

Related Topics

NetSuite Content and Experience Setup Guide
Using Oracle Identity Cloud Service to Manage Users, Groups, and Access
Required Settings in Oracle Content
Prerequisites for Installing the NetSuite Content and Experience SuiteApp
Installing the NetSuite Content and Experience SuiteApp
Setting Up Authentication and Authorization
Configuring the NetSuite Content and Experience SuiteApp for a NetSuite Record