SAML Attribute Statements

See the following sections for more information about SAML attributes.

Account Attribute

The account attribute is your NetSuite account ID. If you do not know your NetSuite account ID, a user with an Administrator role can go to Setup > Company > Company Information to view the Account ID field. The account attribute is optional, except in the following cases, where it is required:

  • You are sending the role attribute.

  • You are sending the site attribute.

  • Users need access to both their non-customer center and customer center SAML roles.

Important:

If you send the account attribute, users are locked into a single company account, and will not be able to switch between multiple accounts that trust the same IdP.

Role Attribute

Users can't switch roles when they're logged in to a website. With the role attribute, you can set which SAML role gets used for login. The role you set in the assertion acts as the default role for the account.

You can pass the role attribute with the SAML assertion as an extra attribute. If you send the role attribute, the assertion also needs to include the account attribute.

Site Attribute

Setting the site attribute (the site ID) is required for web store access. If you are sending the site attribute, you must also set the account attribute.

Note:

When the site attribute is provided, the user is directed to the web store with the corresponding site ID. It is not possible to route the SAML login to either the NetSuite account or to a web store based on the role in which the user logs in to the IdP.

The NetSuite system automatically generates and assigns IDs as the sites are created. If you do not know the site ID:

  • For a Site Builder site, an administrator or a user with the Set Up Company permission can go to Commerce > Websites > Preview Website. The site ID is the n parameter at the end of the URL.

    The URL is in the following format:

    http://shopping.<DataCenterID>.netsuite.com/s.nl?c=<accountID>&n=<siteID>.

    For example, if your account was hosted in the US East data center, and your account ID was 123456, the URL for a Site Builder site would be:

    http://shopping.na1.netsuite.com/s.nl?c=123456&n=1.

  • For a Suite Commerce Advanced site, an administrator or a user with the Set Up Company permission can go to Commerce > Websites > Website List. Click Edit for the required website. In the browser address bar, the site ID is the value of the ID parameter in the URL.

    The URL is in the following format:

    https://<accountID>.app.netsuite.com/app/site/setup/siteadmin.nl?id=<siteID>&sitetype=ADVANCED&e=T.

    For example, if your account ID was 123456, and the site ID was 3, the URL for a Suite Commerce Advanced site would be:

    https://123456.app.netsuite.com/app/site/setup/siteadmin.nl?id=3&sitetype=ADVANCED&e=T.

NameID and Email Attributes

The user email is required. It must be provided either as the value of the NameID attribute or as the value of the email attribute.

Note:

If you use both the NameID and email attributes, their values have to match—unless you're using the transient format. If NetSuite gets a SAML Assertion with a transient NameID, it also needs an email attribute statement with the user's email address. The values in the transient NameID tag and the email attribute statement do not have to match.

Supported NameID Formats

The following formats are supported for the NameID attribute:

  • emailAddress

  • transient

  • unspecified

Important:

No matter which of these formats you choose to use, the NameID value must contain an email address.

The SAML Response Example illustrates the use of the emailAddress format for NameID.

The following line indicates use of the unspecified format:

    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jsmith@example.com</saml2:NameID>
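The rules on this page (account required with role or site, a supported NameID format whose value carries an email address, an email attribute required with a transient NameID, and NameID and email values matching otherwise) are easy to get wrong on the IdP side, and a mismatch only shows up as a failed login. The following Python script is an added example, not NetSuite's code or part of its documentation: it parses a saml2:Assertion and reports which of the rules stated above it violates, so an IdP's attribute mapping can be checked before it is deployed. It assumes the IdP emits the attributes with Name values account, role, site and email (an assumption; confirm against the SAML Response Example for your account), and it builds small unsigned sample assertions inline for testing. It uses the standard library's ElementTree; on assertions from an untrusted source, substitute defusedxml.ElementTree.

```python
"""Consistency checks for the NetSuite SAML attribute rules described above.

Added example, not NetSuite code. Attribute Name values "account", "role",
"site" and "email" are assumed; verify them against your own SAML Response.
"""
import re
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The three NameID formats the page lists as supported.
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
SUPPORTED_FORMATS = {NAMEID_EMAIL, NAMEID_TRANSIENT, NAMEID_UNSPECIFIED}

# Coarse "looks like an email address" test; NetSuite's exact rule is not published.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_assertion(xml_text):
    """Return (nameid_format, nameid_value, {attr_name: [values]}) from an assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml2:Subject/saml2:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    value = (name_id.text or "").strip() if name_id is not None else None
    attrs = {}
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return fmt, value, attrs


def check_assertion(xml_text):
    """Return a list of rule violations; an empty list means the assertion is consistent."""
    fmt, nameid, attrs = parse_assertion(xml_text)
    problems = []

    # account is required whenever role or site is sent
    for dependent in ("role", "site"):
        if dependent in attrs and "account" not in attrs:
            problems.append(f"{dependent} attribute sent without account attribute")

    # NameID, when present, must use a supported format and must contain an email address
    if nameid is not None:
        if fmt not in SUPPORTED_FORMATS:
            problems.append(f"unsupported NameID format: {fmt}")
        if not EMAIL_RE.match(nameid):
            problems.append("NameID value is not an email address")

    # the user email must come from NameID or from the email attribute
    email_values = attrs.get("email") or []
    email = email_values[0] if email_values else None
    if nameid is None and not email:
        problems.append("no user email: neither NameID nor email attribute present")
    if fmt == NAMEID_TRANSIENT:
        if not email:
            problems.append("transient NameID requires an email attribute statement")
    elif nameid and email and email != nameid:
        # non-transient formats: the two values have to match exactly
        problems.append("NameID and email attribute values do not match")

    return problems


def build_assertion(nameid_format, nameid_value, attributes):
    """Construct a minimal unsigned saml2:Assertion for testing the rules (constructed sample;
    values are not XML-escaped, so pass only plain sample strings)."""
    attr_xml = "".join(
        f'<saml2:Attribute Name="{name}"><saml2:AttributeValue>{value}'
        f"</saml2:AttributeValue></saml2:Attribute>"
        for name, value in attributes.items()
    )
    return (
        '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
        f'<saml2:Subject><saml2:NameID Format="{nameid_format}">{nameid_value}'
        "</saml2:NameID></saml2:Subject>"
        f"<saml2:AttributeStatement>{attr_xml}</saml2:AttributeStatement>"
        "</saml2:Assertion>"
    )


if __name__ == "__main__":
    # Constructed samples: account 123456 and site 1 are the page's example values,
    # the role value 3 is a placeholder.
    samples = {
        "complete": build_assertion(NAMEID_EMAIL, "jsmith@example.com",
                                    {"account": "123456", "role": "3", "site": "1",
                                     "email": "jsmith@example.com"}),
        "role without account": build_assertion(NAMEID_EMAIL, "jsmith@example.com", {"role": "3"}),
        "transient without email": build_assertion(NAMEID_TRANSIENT, "jsmith@example.com",
                                                   {"account": "123456"}),
        "mismatched email": build_assertion(NAMEID_UNSPECIFIED, "jsmith@example.com",
                                            {"email": "other@example.com"}),
    }
    for label, xml_text in samples.items():
        print(f"{label}: {check_assertion(xml_text) or 'OK'}")
```

Run it against the assertion your IdP actually produces (captured from a test login, with the signature left in place; the parser ignores it) rather than only the built-in samples, and treat any non-empty result as a configuration error to fix on the IdP before users are pointed at it.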
