SuiteSignOn Sequence Diagram and Connection Details

Warning:

As of March 1, 2021, the dc and env parameters in the Outbound SSO HTTP call are no longer supported. You must use the systemDomain and webservicesDomain parameters instead. For more information, see step 3 in the SuiteSignOn Connection Details section.

The Outbound Single Sign-on (SuiteSignOn) feature is scheduled for end of support in 2025.1. You should update your integrations to use NetSuite as an OIDC Provider as soon as possible.

As of 2024.1, support for the SuiteSignOn feature ends for non-production accounts, such as sandbox accounts.

See the following sections for information about SuiteSignOn.

SuiteSignOn Sequence Diagram

The following sequence diagram illustrates the interaction between NetSuite and an external application during a SuiteSignOn connection.

  • Steps 1 and 2 occur in the NetSuite user interface.

  • Steps 3-6 represent the handshake, meaning the calls required to verify the user and display the application in the NetSuite user interface.

  • Steps 8-9 represent optional SOAP web services calls, used if the application provider wants to enable data transfer from the external application to NetSuite.

A detailed description of each step follows the sequence diagram.

[Sequence diagram image not reproduced here.]

SuiteSignOn Connection Details

See the following detailed steps for each action shown in the preceding SuiteSignOn connection sequence diagram.

  1. User logs in to NetSuite, initiating a NetSuite session.

  2. User clicks on one of the following in the NetSuite user interface:

    • A subtab that provides SuiteSignOn access

    • A page displaying a portlet that provides SuiteSignOn access

    • A link for a Suitelet that provides SuiteSignOn access

    • An action button that results in the execution of a user event script that provides SuiteSignOn access

  3. Outbound single sign-on request - NetSuite generates a token and sends it to the external application as the value of the oauth_token URL parameter. This outbound HTTP call also includes:

    • A systemDomain URL parameter. Send the verify request (step 4) to the domain specified by its value.

    • A webservicesDomain URL parameter for the optional web services calls. Send the SOAP web services request (step 8) to the domain specified by its value.

    If any data fields were previously defined as required context for the connection, NetSuite sends values for these fields in the same call.

    Warning:

    The outbound HTTP call still includes dc and env URL parameters, but you should not use them. A hard-coded mapping between the dc parameter and a URL breaks the connection when your account is moved to a data center that is missing from your mapping.

  4. Verify request - The external application sends the token, the consumer key, and the signature back to NetSuite, along with other information such as the timestamp and nonce, to verify the user.

    The consumer key is a unique identifier for the application provider, generated by NetSuite when the application provider sets up a SuiteSignOn connection. The signature is computed according to the OAuth 1.0 standard from the shared secret, which is the password defined by the application provider during this setup. For information about computing the signature, see Generate the Signature for the OAuth Header for Outbound SSO. See also The OAuth 1.0 Protocol, RFC 5849.

  5. Verify response - NetSuite responds to the verification, sending in XML format any user identification information that was previously defined as necessary for the connection. The external application uses this information to identify the NetSuite user. For details about the combinations of fields that should be used to identify users, see Choosing User Identification Fields for SuiteSignOn.

  6. Outbound single sign-on response - The external application sends the HTML for the landing page, and the page appears. Or, if there is a problem, an error is returned instead.

    Important:

    These steps may or may not occur, depending on the situation:

    • For user event script connection points, step 6 is omitted.

    • Steps 7 and 8 are optional. If a SOAP web services request is sent (step 8), NetSuite sends a SOAP web services response (step 9).

  7. The user makes changes in the external application page displayed in NetSuite, then saves them.

  8. SOAP web services request - The external application sends NetSuite a SOAP web services request that includes the token and shared secret, along with other verification data.

  9. SOAP web services response - NetSuite sends a SOAP web services response to the external application, and either the changes are saved to NetSuite or an error is returned. The SOAP web services call uses the same role that was used to log in to NetSuite.

Note:

Be aware of the following:

  • The token that NetSuite generates is good for the length of the UI session, or for 20 minutes of inactivity.

  • If a user repeats step 2 multiple times during a single session, steps 4-5 can be skipped (at the discretion of the third-party client) after the first time.

  • If the user logs out of NetSuite and logs back in, or switches roles, when the user clicks on the connection point, a new token is generated.
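The following is an added example of the external application's side of steps 3 and 4, written for this page; it is not NetSuite's code and not the code referenced under Generate the Signature for the OAuth Header for Outbound SSO. It parses the outbound call, refuses the deprecated dc and env parameters, checks that systemDomain and webservicesDomain are hosts the application is willing to send its consumer key and signature to, and builds the RFC 5849 verify request. A recomputation-and-compare routine of the kind the receiving side needs is included so the signing can be checked offline. Everything not on the page is an assumption: the verify endpoint path, HMAC-SHA1 as the signature method (the method RFC 5849 defines), an empty token secret, the .netsuite.com allowlist suffix, and all constant and sample values, which are constructed.

```python
# Added example, not NetSuite's code. Stdlib only.
# Assumptions (not on the page): VERIFY_PATH, HMAC-SHA1 per RFC 5849, empty token
# secret, the allowlisted domain suffix, and every constant below (constructed).
import base64
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import parse_qs, quote, unquote, urlsplit

CONSUMER_KEY = "ck_example"              # constructed; NetSuite issues the real one at setup
SHARED_SECRET = "ss_example_secret"      # constructed; defined by the application provider
ALLOWED_DOMAIN_SUFFIX = ".netsuite.com"  # assumption: only send signed calls to NetSuite hosts
VERIFY_PATH = "/app/sso/verify"          # hypothetical path; use the one NetSuite documents


def pct(s):
    """RFC 5849 section 3.6 encoding: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(s, safe="~")


def is_allowed_domain(host):
    """Accept only a bare hostname under the allowlisted suffix (no path, port or scheme)."""
    h = host.lower()
    return re.fullmatch(r"[a-z0-9.-]+", h) is not None and h.endswith(ALLOWED_DOMAIN_SUFFIX)


def parse_outbound_call(url):
    """Step 3: extract what NetSuite attached to the outbound SSO call.

    dc and env may still be present; they are deliberately ignored so that a stale
    data-center-to-URL mapping can neither break nor misdirect the connection.
    """
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    try:
        token, system_domain, ws_domain = (q[k][0] for k in ("oauth_token", "systemDomain", "webservicesDomain"))
    except KeyError as e:
        raise ValueError(f"outbound SSO call is missing {e.args[0]}")
    for d in (system_domain, ws_domain):
        if not is_allowed_domain(d):
            # The verify response (step 5) is what the application trusts to identify
            # the user, so the host it comes from must never be chosen by the caller.
            raise ValueError(f"refusing to contact non-allowlisted domain {d!r}")
    return token, system_domain, ws_domain


def signature_base_string(method, url, oauth_params):
    """RFC 5849 section 3.4.1: METHOD & base URI & normalized parameters."""
    p = urlsplit(url)
    default_port = {"http": 80, "https": 443}.get(p.scheme.lower())
    host = p.hostname.lower() if p.port in (None, default_port) else f"{p.hostname.lower()}:{p.port}"
    base_uri = f"{p.scheme.lower()}://{host}{p.path}"
    pairs = list(oauth_params.items())
    pairs += [(k, v) for k, vs in parse_qs(p.query, keep_blank_values=True).items() for v in vs]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])


def sign(base_string, shared_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed by secret&token_secret (RFC 5849 section 3.4.2)."""
    key = f"{pct(shared_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def build_verify_request(token, system_domain, timestamp=None, nonce=None):
    """Step 4: the signed verify request the application sends back over HTTPS."""
    url = f"https://{system_domain}{VERIFY_PATH}"
    params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_urlsafe(16),
        "oauth_version": "1.0",
    }
    # sign over every oauth_* parameter except the signature itself
    params["oauth_signature"] = sign(signature_base_string("GET", url, params), SHARED_SECRET)
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in params.items())
    return url, header


def verify_signature(method, url, authorization, shared_secret, now=None, max_skew=300):
    """Receiving-side check: recompute the signature and compare in constant time.

    A production verifier also records nonces so a captured request cannot be
    replayed inside the timestamp window.
    """
    if not authorization.startswith("OAuth "):
        return False
    params = {}
    for item in authorization[len("OAuth "):].split(", "):
        k, _, v = item.partition("=")
        params[unquote(k)] = unquote(v.strip('"'))
    presented = params.pop("oauth_signature", "")
    current = now if now is not None else time.time()
    if abs(current - int(params.get("oauth_timestamp", "0"))) > max_skew:
        return False
    expected = sign(signature_base_string(method, url, params), shared_secret)
    return hmac.compare_digest(presented.encode(), expected.encode())


if __name__ == "__main__":
    # constructed sample of the step-3 call; dc and env are present and ignored
    inbound = ("https://app.example.com/netsuite/sso?oauth_token=tok_example"
               "&systemDomain=system.na0.netsuite.com"
               "&webservicesDomain=webservices.na0.netsuite.com&dc=d1&env=e1")
    token, system_domain, _ = parse_outbound_call(inbound)
    url, auth = build_verify_request(token, system_domain)
    print("GET", url)
    print("Authorization:", auth)
    print("self-check:", verify_signature("GET", url, auth, SHARED_SECRET))
```

The domain check is the part worth keeping even if the rest is replaced by a library: the page instructs the application to send the verify request to whatever host systemDomain names, and since the answer to that request is what the application uses to decide who the user is, an application that follows the parameter without an allowlist would accept a user identity from any host a crafted link points it at.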
