Enable SAML in Multiple NetSuite Account Types

The following procedures do not contain all the details for setting up and configuring SAML. For more details on each step, see the following topics:

Share SAML IdP Metadata in Multiple NetSuite Accounts

You must complete a special procedure if you want to add a new account to the existing SAML configuration and share the same IdP metadata with this new account.

Important:

Completing this procedure is only required if you want to add a new account that shares the same configuration with your current accounts. Multiple accounts can share the same IdP if the metadata files are identical.

For example, perhaps you currently use the same SAML metadata for your production and sandbox accounts. You decide you want to purchase another sandbox account and want to use the same SAML metadata in that new account. Or perhaps you want to set up SAML in your Release Preview account. You have two options for setting up SAML and sharing SAML metadata with additional NetSuite accounts.

Important:

Ensure you are not sending the account attribute. Using the account attribute locks users into a single account, so they cannot switch between multiple accounts that trust the same IdP.

If you previously set up your IdP configuration with the account attribute, you must update your IdP configuration. For more information, see Configure NetSuite with Your Identity Provider.
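A quick way to confirm that your IdP is no longer sending the account attribute is to decode a SAML response from a test login and list the attributes in its assertion. The following script is an added example, not NetSuite's or any IdP's code; the SAML response it parses is constructed, and the attribute name it looks for ("account") is the one this page refers to.

```python
"""Check a SAML 2.0 response for the NetSuite 'account' attribute.

Added example (not NetSuite code). Assumes a SAML 2.0 Response as posted by
the IdP; the sample below is constructed and deliberately still carries the
'account' attribute so the check has something to flag.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response: an IdP configuration that still sends 'account'.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="account">
        <saml:AttributeValue>123456</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def attribute_names(response_xml: str) -> list[str]:
    """Return the Name of every saml:Attribute in every assertion of the response."""
    root = ET.fromstring(response_xml)
    return [
        attr.get("Name", "")
        for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)
    ]


def sends_account_attribute(response_xml: str) -> bool:
    """True if the IdP sends the 'account' attribute, which pins the user to one account."""
    return "account" in attribute_names(response_xml)


def check_saml_response_param(saml_response_b64: str) -> bool:
    """Same check, applied to the base64 SAMLResponse form parameter as posted to NetSuite."""
    return sends_account_attribute(base64.b64decode(saml_response_b64).decode("utf-8"))


if __name__ == "__main__":
    print("attributes:", attribute_names(SAMPLE_RESPONSE))
    print("account attribute present:", sends_account_attribute(SAMPLE_RESPONSE))
```

Run it against the SAMLResponse value captured from a test login (with `check_saml_response_param`) after updating the IdP configuration; an empty result for "account" means the attribute is gone and users can switch between the accounts that trust the IdP.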

If you do not follow one of the following procedures and simply attempt to upload and save a metadata configuration file obtained from your IdP, you will encounter an error message.

Redefine the IdP Configuration

This is the preferred approach for sharing the same SAML configuration in multiple NetSuite accounts.

To redefine the IdP configuration:

  1. In a role with the Setup SAML Single Sign-on permission, or in an Administrator role, log in to a NetSuite account where the IdP metadata is shared.

  2. Go to Setup > Integration > Manage Authentication > SAML Single Sign-on. Note the value in the read-only Entity ID field.

  3. On the SAML Setup page under Actions, click Delete IdP Configuration. For more information, see Remove the Current IdP Metadata.

    Note:

    Make a list of all accounts from which you delete the IdP configuration file, meaning accounts that share the same Entity ID value.

  4. Repeat steps 1-3 for each account that shares the same IdP configuration file.

  5. Log in to the website of your IdP.

  6. Locate the IdP metadata configuration file for the NetSuite application.

  7. Copy the URL for this file or download the IdP metadata file from your IdP.

    Important:

    You must use this same file in the future when you add new accounts to your SAML configuration. If anything changes in the IdP metadata file, the IdP configuration must be redefined. Uploading an IdP metadata file containing any differences will generate a SAML Metadata Warning error message in the UI.

  8. Refer to the list of accounts from which you deleted the IdP metadata. Log in to each account and go to Setup > Integration > Manage Authentication > SAML Single Sign-on. Either upload the IdP metadata file or point to the location (the URL) of the file from your IdP.

    Note:

    See Update the IdP Configuration File and Change Your IdP for NetSuite if you need more information about these options.

  9. Log in to any new accounts you want to configure with the same IdP metadata and go to Setup > Integration > Manage Authentication > SAML Single Sign-on. Either upload the IdP metadata file or point to the location (the URL) of the file from your IdP.
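Because NetSuite only lets accounts share an IdP when the metadata files are identical, it is worth comparing the file you are about to upload with the one already in use before touching each account. The following script is an added example, not NetSuite's code: it assumes SAML 2.0 IdP metadata as downloaded from the IdP or from the Current Identity Provider Metadata link, and the two metadata documents it compares are constructed (the second simulates a rotated signing certificate, the kind of difference that produces the SAML Metadata Warning).

```python
"""Compare IdP metadata files before sharing them across NetSuite accounts.

Added example (not NetSuite code). Assumes standard SAML 2.0 IdP metadata;
both sample documents below are constructed.
"""
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _constructed_metadata(cert_b64: str, sso_url: str) -> str:
    """Builds the constructed sample documents; not part of the check itself."""
    return f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{sso_url}"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


# Constructed: the file already shared by the existing accounts, and a copy
# downloaded later after the IdP rotated its signing certificate.
SHARED_METADATA = _constructed_metadata("CONSTRUCTED-CERT-A", "https://idp.example.com/sso")
ROTATED_METADATA = _constructed_metadata("CONSTRUCTED-CERT-B", "https://idp.example.com/sso")


def metadata_profile(metadata_xml: str) -> dict:
    """Extract the fields the trust relationship depends on: entityID, signing certs, SSO endpoints."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' means both signing and encryption
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            if cert.text:
                # Fingerprint of the base64 body, enough to tell two certificates apart
                certs.append(hashlib.sha256(cert.text.strip().encode()).hexdigest()[:16])
    endpoints = sorted(
        (e.get("Binding", ""), e.get("Location", ""))
        for e in root.iterfind(".//md:IDPSSODescriptor/md:SingleSignOnService", NS)
    )
    return {
        "entity_id": root.get("entityID", ""),
        "signing_certs": sorted(certs),
        "sso_endpoints": endpoints,
    }


def metadata_differences(shared_xml: str, candidate_xml: str) -> list[str]:
    """Fields where the candidate differs from the shared file; an empty list means they match."""
    a, b = metadata_profile(shared_xml), metadata_profile(candidate_xml)
    return [f"{key}: {a[key]!r} != {b[key]!r}" for key in a if a[key] != b[key]]


def file_digest(metadata_xml: str) -> str:
    """Byte-level digest: the strict test of 'identical', which is what NetSuite requires."""
    return hashlib.sha256(metadata_xml.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print("same file:   ", metadata_differences(SHARED_METADATA, SHARED_METADATA))
    print("rotated cert:", metadata_differences(SHARED_METADATA, ROTATED_METADATA))
    print("digests equal:", file_digest(SHARED_METADATA) == file_digest(ROTATED_METADATA))
```

Use `file_digest` on the actual files (for example, the file saved from the Current Identity Provider Metadata link and the file about to be uploaded to a new account): if the digests match, the upload will be accepted as the same configuration. If they differ, `metadata_differences` tells you which field changed, so you know whether the IdP metadata really changed (and the configuration must be redefined in every account) or the file was merely re-saved with different formatting.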

Upload an Existing IdP Metadata File to All New Accounts

If the preceding approach is not feasible in your situation, use the following option.

To upload an existing IdP metadata file (stored in NetSuite) to all new accounts:

  1. In a role with the Setup SAML Single Sign-on permission, or in an Administrator role, log in to a NetSuite account where SAML SSO is configured. (You should log in to your production account for this step.)

  2. Go to Setup > Integration > Manage Authentication > SAML Single Sign-on.

  3. Download the current IdP metadata file stored in NetSuite. In the Current Identity Provider section, right-click the Current Identity Provider Metadata link and select Save Link As.

  4. In a role with the Setup SAML Single Sign-on permission, or in an Administrator role, log in to the new account you want to configure for SAML access.

  5. Upload the IdP metadata file you downloaded in Step 3.

    Important:

    Repeat this procedure (starting with Step 4) for all of the new NetSuite accounts in which you want to share the same SAML configuration.
