Setting Up Single Sign-on for NetSuite
Single Sign-on (SSO) is a session and user authentication service that allows users to use one set of login credentials to access multiple applications. To use SSO for the NetSuite Content and Experience, administrators must configure NetSuite in Oracle IDCS or IAM using a Security Assertion Markup Language (SAML) application. Perform the following to set up SSO for NetSuite:
|
Step |
Related Help Topic |
|---|---|
|
1. Enable the required feature, add the required permissions, and obtain the service provider metadata. |
|
|
2. Create a SAML application |
|
|
3. Configure SAML Single Sign-on. |
|
|
4. Log in to NetSuite using SSO. |
For more information, see SAML Single Sign-on.
Prerequisites for Setting Up SSO
Required Feature
Using the Administrator role, enable the SAML Single Sign-on feature.
To enable SAML Single Sign-on, go to Setup > Company > Setup Tasks > Enable Features. Click the SuiteCloud subtab, then check the SAML Single Sign-on box. Agree to the SuiteCloud Terms of Service when prompted. Click Save.
By enabling the SAML Single Sign-on feature, you allow users to access and use your NetSuite account directly from a third-party service that may not have the same authentication and security features as NetSuite. This feature also extends NetSuite administration of user access to the administrators of the identity management system. You need to ensure that NetSuite account use through SAML meets all of your security, regulatory, and other compliance obligations, including Payment Card Industry (PCI) Data Security Standards.
Required Permissions
The following table shows the permission levels required to set up or use SAML Single Sign-on.
|
Purpose |
Permission |
Subtab |
Permission Level |
|---|---|---|---|
|
For setting up SAML Single Sign-on |
Set Up SAML Single Sign-on |
Setup |
Full |
|
For using SAML Single Sign-on |
SAML Single Sign-on |
Setup |
Full |
Users with the Administrator role must also be assigned a custom role with the required permissions.
As needed, administrators can customize an existing role or create a new one and then assign permission to the user. See Customizing or Creating NetSuite Roles.
Obtaining Service Provider Metadata
Administrators, or any role with the Set Up SAML Single Sign-on permission assigned, must first obtain the entity ID and assertion consumer service URL of NetSuite. These values are required when creating a new SAML application in the Oracle IDCS console and IAM.
To obtain the service provider metadata:
-
Go to Setup > Integration > SAML Single Sign-on.
-
Click the link in the NetSuite Service Provider Metadata field.
-
Take note of the values of the elements shown in the table below.
Note:The URLs provided are examples. You must refer to the NetSuite Service Provider Metadata file in your account for the values to be used in setting up SSO.
Element
Attribute
Sample value
EntityDescriptor
entityID
http://www.netsuite.com/sp
SingleLogoutService
Location
https:
//system.na3.netsuite.com/saml2/slopost ResponseLocation
https:
//system.na3.netsuite.com/saml2/slopost AssertionConsumerService (Default)
Location
https://system.netsuite.com/saml2/acs
Creating a SAML Application in Oracle IDCS
A SAML application allows a user to use one set of login credentials to access applications that support SAML for SSO, such as NetSuite.
Before creating a new application, make sure that the administrator account used to log in to Oracle IDCS is assigned the Application Administrator role. For more information about setting up administrator roles, see the following:
To create a SAML application in Oracle IDCS:
-
Log in to the Oracle IDCS console.
-
Expand the Navigation Drawer then click Applications.
-
Click Add.
-
On the Add Application page, click SAML Application.
-
Under App Details, in the Name field, enter a name for your SAML application.
-
Click Next.
-
Under General:
Note:Refer to Obtaining Service Provider Metadata for information about retrieving the values required for Entity ID and Assertion Consumer URL fields.
-
In the Entity ID field, enter the entity ID.
-
In the Assertion Consumer URL field, enter the assertion consumer service URL.
-
In the NameID Format field, select Email address.
-
In the NameID Value field, select Primary Email.
-
-
Under Advanced Settings:
Note:Refer to Obtaining Service Provider Metadata for information about retrieving the values required for Single Logout URL and Logout Response URL fields.
-
In the Single Logout URL field, enter the value of the Location attribute of the SingleLogoutService element.
-
In the Logout Response URL field, enter the value of the ResponseLocation attribute of the SingleLogoutService element.
-
-
Click Finish.
-
Click Activate to activate the SAML application.
-
Go to the SSO Configuration subtab.
-
Click Download Identity Provider Meta Data.
Important:The XML file you download is required when configuring SAML Single Sign-on in NetSuite.
-
Go to the Users subtab.
-
Click Assign. Select the users that must have access to NetSuite.
Note:Selected users must enter the same email address when logging in to NetSuite using SSO. Make sure that the users are assigned the required permissions. For more information, see the following:
-
Click OK.
For more information about creating a new application, see Add a SAML Application.
Configuring SAML Single Sign-on
Administrators, or any role with the Set Up SAML Single Sign-on permission assigned, must configure the SAML Single Sign-on in NetSuite so users can enter their Oracle IDCS or IAM login credentials to access NetSuite. Ready the Identity Provider Meta Data XML file you downloaded from the SAML application created in Oracle IDCS.
For guidelines in setting up SAML Single Sign-on, see Complete the SAML Setup Page.
To configure SAML Single Sign-on:
-
Go to Setup > Integration > SAML Single Sign-on.
-
In the Logout Landing Page field, enter https://system.netsuite.com.
This field must contain the URL for a page that users should be redirected to when they log out of NetSuite.
-
Check the Primary Authentication Method box.
Warning:If this box is clear, users will not be redirected to Oracle IDCS for authentication.
For more information about this field, see Primary Authentication Method.
-
In the Update Identity Provider field group, choose Upload IDP Metadata File. Click Browse to upload the XML file you downloaded from your SAML application.
-
Click Submit.
Logging In to NetSuite Using SSO
When you have completed the setup instructions, you can log in to NetSuite using Oracle IDCS or IAM credentials.
If you are using Apple Safari, you must first modify your browser's privacy settings before accessing Oracle Content documents using SSO. Refer to Change Privacy preferences in Safari on Mac for instructions.
The following boxes must be clear:
-
Prevent cross-site tracking box
-
Block all cookies box
To log in to NetSuite using SSO:
-
Go to
system.netsuite.com/app/center/card.nl?c=<accountID>.To retrieve your Account ID, go to Setup > Company > Setup Tasks > Company Information. Use the value in the Account ID field.
-
Log in using your Oracle IDCS or IAM credentials.
Your email address must be listed under the Users subtab of the SAML application created in Oracle IDCS or IAM. For more information, see Creating a SAML Application in Oracle IDCS. For IAM users, see Adding a SAML Application under Adding Applications.
Logged in users are automatically redirected to their NetSuite home page.
Additional Information
Related Topics
- NetSuite Content and Experience Setup Guide
- Managing Users, Groups, and Access
- Required Settings in Oracle Content
- Prerequisites for Installing the NetSuite Content and Experience SuiteApp
- Installing the NetSuite Content and Experience SuiteApp
- Setting Up Authentication and Authorization
- Configuring the NetSuite Content and Experience SuiteApp for a NetSuite Record