When the SAML Single Sign-on feature is enabled, the SAML Setup page is available at Setup > Integration > SAML Single Sign-on, to administrators and to users with the Set Up SAML Single Sign-on permission. (For details about SAML Single Sign-on permissions, see Add SAML Single Sign-on Permissions to Roles.)
The URL link to the NetSuite Service Provider Metadata field in the following screenshot is obscured, because the URL varies depending on the account type and your data center location.
As of May 2020, the default value for the location is set to the NetSuite system domain. You do not have to change the configuration if we move your account to a different data center location, or if you configure SAML SSO in multiple accounts in various data center locations.
For details about completing the SAML Setup page, see:
To enable SAML access to a website (as opposed to the NetSuite application), you need to complete the SAML subtab of the Web Site Setup page. See SAML Single Sign-on Access to Web Store.
Defining the NetSuite Configuration for SAML
To support SAML single sign-on access to NetSuite, you must define the following on the SAML Setup page:
Logout Landing Page
Logout Landing Page: the URL of the page that users who logged in to NetSuite through SAML single sign-on are redirected to when they log out of NetSuite. An IdP Single Logout page can be specified for Single Logout to work.
This solution is not part of the SAML 2.0 standard. There is no guarantee that this will work.
Primary Authentication Method
The Primary Authentication Method is optional.
By default, the Primary Authentication Method box is not checked. If SAML users click a link to access NetSuite when no active NetSuite session exists, they are redirected to the NetSuite login page. This redirect might cause issues for users who do not know their NetSuite credentials.
If you check the Primary Authentication Method box, users can be redirected to the external IdP login page. This redirect is available if:
- the user has logged in before, in which case the redirect is based on the user's previous experience with NetSuite.
- the access link includes the NetSuite account ID, set as the c or compid URL parameter or as an account-specific domain, formatted like the following:
https://system.netsuite.com/app/center/card.nl?c=<ACCOUNTID> or https://<accountID>.app.netsuite.com/app/center/card.nl
Note:
If the Primary Authentication Method box is checked, and a user clicks a link containing the c or compid URL parameter or the account-specific domain URL, the user is redirected to the external IdP login page. The originally requested URL is passed as a RelayState parameter, in accordance with the SAML 2.0 specification. This means that the IdP can direct the user back to the correct NetSuite resource after authentication. If there is a live session for the IdP, the user is directed back to the NetSuite resource without being asked for credentials.
Users will be redirected to the IdP login page upon session timeouts.
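The following is an added example, not NetSuite's code: an IdP-side check that classifies an access link by the two account-identifying forms shown above (the c or compid parameter on system.netsuite.com, or an account-specific domain) and hands back a RelayState only when it points at the expected account. The function names, the character set accepted in an account-specific host label, and the rejection of other hosts, schemes and ports are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Host forms copied from the two example links on this page; the character
# set allowed in an account-specific host label is an assumption.
SYSTEM_HOST = "system.netsuite.com"
ACCOUNT_HOST = re.compile(r"([a-z0-9][a-z0-9-]*)\.app\.netsuite\.com")


def account_id_from_link(url):
    """Return the account ID an HTTPS NetSuite link carries, else None."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    host = (parts.hostname or "").lower()
    # Reject non-HTTPS links, userinfo tricks (https://netsuite.com@other/)
    # and non-default ports before looking at the host name.
    if parts.scheme != "https" or "@" in parts.netloc or port not in (None, 443):
        return None
    match = ACCOUNT_HOST.fullmatch(host)
    if match:
        return match.group(1)
    if host == SYSTEM_HOST:
        query = parse_qs(parts.query)
        # Require exactly one non-empty value across c and compid so the
        # link names a single account unambiguously.
        values = query.get("c", []) + query.get("compid", [])
        if len(values) == 1:
            return values[0]
    return None


def safe_relay_state(relay_state, expected_account):
    """Return relay_state only if it targets expected_account, else None."""
    found = account_id_from_link(relay_state)
    if found is not None and found.lower() == expected_account.lower():
        return relay_state
    return None  # caller falls back to its default landing page
```

A RelayState that fails this check should be discarded in favor of a fixed landing page rather than followed, which keeps the IdP from acting as an open redirector.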
Set Up Your Identity Provider (IdP) in NetSuite
SAML single sign-on access to NetSuite requires that you specify an XML file that defines the identity provider to be used for authentication and includes required metadata for this identity provider. The format of this file must be aligned with SAML v2.0 specifications.
On the SAML Setup page, the IdP metadata file can be specified by entering a URL or by uploading the metadata XML file. This is the information you gathered when you were setting up NetSuite with your IdP.
You must do one of the following:
Choose Indicate IDP metadata URL and enter the location URL of the metadata file.
Or, choose the Upload IDP metadata File option and browse to locate the file.
If you need to make changes to the IdP configuration, see Update Identity Provider Information in NetSuite.