SAML Single Sign-on Access to Web Store
With the SAML Single Sign-on (SSO) feature, you can set up SAML SSO website access so that users who have logged in to an external identity provider (IdP) can click a link to go directly to a NetSuite web store. Users do not need to log in separately to the web store, because authentication from the same third-party identity provider (IdP) is used for login to both the external application and the web store. A user who accesses a web store using SAML SSO is directed to a landing page that you specify as part of SAML setup in NetSuite. SAML SSO access is supported for SuiteCommerce and SiteBuilder web stores.
Before you attempt to set up SAML access to your web store, you should read the complete documentation for using SAML SSO in NetSuite. See SAML Single Sign-on.
Any SAML 2.0-compliant application can serve as the IdP for SAML access to NetSuite web stores. You can use the same IdP for both web site access and NetSuite application access, or you can define different IdPs for each purpose.
For more information about SAML SSO for web store, see the following:
SAML SSO Restrictions for Web Store
The following restrictions apply to the SAML SSO service provider-initiated flow (SP-initiated flow):
-
The SP-initiated flow is supported only for websites on custom domains, not on netsuite.com.
-
You cannot use both SAML Single Sign-on and OIDC Single Sign-on for the same website. You must choose one single sign-on method.
-
A website must be fully protected to use the SP-initiated flow. To protect your website, you must do the following:
-
On the Set Up Web Site form, on the Web Presence subtab, in the Web Site section, check the Advanced Site Customization box.
-
Go to Commerce > Websites > Website List and edit the web store record. On the Shopping subtab, in the Registration Page section, check the Password-Protect Entire Site box.
-
For more information about the SP-initiated flow, see Interactions with NetSuite Using SAML.
SAML does not have to be set as a primary authentication method for use with web stores. You should check the Primary Authentication Method box, if you want your users to be redirected to the external IdP login page.
SAML SSO Setup for Web Store
The first step for SAML SSO setup is to ensure that the SAML SSO feature is enabled in your NetSuite account. Go to Setup > Company > Enable Features, and click the SuiteCloud tab. In the Manage Authentication section, check the SAML Single Sign-on box to enable SAML SSO. For more information, see Complete Preliminary Steps in NetSuite for SAML SSO.
To set up SAML Single Sign-on for a web store, go to the SAML subtab of the SSO subtab of the Web Site Set Up page in your NetSuite account. Most fields on the SAML subtab of the SSO subtab of the Web Site Setup page are the same as those on the SAML Setup page for the NetSuite application. For more information, see Complete the SAML Setup Page.
You can set up SAML for different web stores by completing the SAML subtab of the Web Site Setup page for each web store. You can use the same IdP for multiple web sites. You also have the option of defining different IdPs for each web site if needed.
You must use a unique value for the entityID parameter in metadata file for each web site.
SAML SSO Configuration for Web Stores
In the NetSuite Configuration section on the SAML subtab:
-
Configure NetSuite for SAML SSO with your identity provider (IdP) and set up your IdP in NetSuite. You must provide information from the NetSuite Service Provider Metadata file in NetSuite to your IdP. Follow the instructions provided by your IdP. For more information, see Configure NetSuite with Your Identity Provider.
Note:The site ID (SAML attribute = site) and account ID (SAML attribute = account) parameters are required. See Site Attribute.
-
Enter the URL for a page that users should be redirected to when they log out of your web store to the Logout Landing Page field.
Note:Both IdP–initiated and SP-initiated SAML Single Logout (SLO) are supported for web stores.
-
The Landing Page After Login field is optional and specific to SAML setup for web stores. By default, your site home page is the landing page for SAML users, but you can specify the URL for a different landing page in this field.
If you decide to configure a value for the field and have the secure Single Domain for Web Store and Checkout domain configured, the value of the Landing Page After Login field must be a secured URL.
Important:The value of the Landing Page After Login field is not taken into account in the SP-initiated flow.
-
If you have previously used the SAML Single Sign-on feature for a web store before, the Primary Authentication Method box is checked by default. This box is not checked by default for new web stores. If the Primary Authentication Method box is cleared, SAML users click a link to access NetSuite. If no active NetSuite session exists, users are redirected to the NetSuite login page.
If the Primary Authentication Method box is checked, users can be redirected to the external IdP login page. The site must be password protected and located on the secure Single Domain.
Users will be redirected to the IdP login page upon session timeout.
Note:If the Primary Authentication box is checked, and a user clicks a link containing the c or compid URL parameter, or the account-specific domain URL, the user is redirected to the external IdP login page. The originally requested URL is passed as a RelayState parameter, in accordance with the SAML 2.0 specification. Then, the IdP can direct the user back to the correct NetSuite resource after authentication. If there is a live session for the IdP, the user is redirected back to the NetSuite resource without an additional request for their for credentials.
In the Set Up Identity Provider section on the SAML subtab, you must either upload your IdP’s metadata file into NetSuite, or provide the URL where that file is located. See Set Up Your Identity Provider (IdP) in NetSuite for more information.
After you have set up an identity provider, you can click the links to view the Current Identity Provider Metadata, or to Delete IDP Configuration, if necessary.