SAML Attribute Statements

See the following sections for more information about SAML attributes.

Account Attribute

The account attribute is your NetSuite account ID. If you do not know your NetSuite account ID, a user with an Administrator role can go to Setup > Company > Company Information to view the Account ID field. The account attribute is optional, except in the following cases, where it is required:

  • You are sending the role attribute.

  • You are sending the site attribute.

  • Users need access to both their non-customer center and customer center SAML roles.

Important:

If you send the account attribute, users are locked into a single company account, and will not be able to switch between multiple accounts that trust the same IdP.

Role Attribute

The ability to define a role ID is particularly useful if you have a SuiteCommerce website. It is not possible for a user to switch roles when logged in to a website. With the role attribute, you can define the SAML role to be used for login. The role defined in the assertion is treated as a default role for the account.

The role attribute can be passed along with the SAML assertion as an additional attribute. If the role attribute is sent, the assertion must also include the account attribute.

Site Attribute

Setting the site attribute (the site ID) is required for web store access. If you are sending the site attribute, you must also set the account attribute.

Note:

When the site attribute is provided, the user is directed to the web store with the corresponding site ID. It is not possible to route the SAML login to either the NetSuite account or to a web store based on the role with which the user logs in to the IdP: the presence of the site attribute alone decides the destination.

The NetSuite system automatically generates and assigns IDs as the sites are created. If you do not know the site ID:

  • For a Site Builder site, an administrator or a user with the Set Up Company permission can go to Commerce > Websites > Preview Website. The site ID is the n parameter at the end of the URL.

    The URL is in the following format:

    http://shopping.<DataCenterID>.netsuite.com/s.nl?c=<accountID>&n=<siteID>

    For example, if your account was hosted in the US East data center, and your account ID was 123456, the URL for a Site Builder site would be:

    http://shopping.na1.netsuite.com/s.nl?c=123456&n=1

  • For a Suite Commerce Advanced site, an administrator or a user with the Set Up Company permission can go to Commerce > Websites > Website List. Click Edit for the required website. In the browser address bar, the site ID is the value of the ID parameter in the URL.

    The URL is in the following format:

    https://<accountID>.app.netsuite.com/app/site/setup/siteadmin.nl?id=<siteID>&sitetype=ADVANCED&e=T

    For example, if your account ID was 123456, and the site ID was 3, the URL for a Suite Commerce Advanced site would be:

    https://123456.app.netsuite.com/app/site/setup/siteadmin.nl?id=3&sitetype=ADVANCED&e=T

NameID and Email Attributes

The user email is required. It must be provided either as the value of the NameID element in the assertion's Subject, or as the value of the email attribute in the attribute statement.

Note:

If you send both the NameID and the email attribute, the two values must be identical, unless you are using the transient format. If NetSuite receives a SAML assertion with a transient NameID, the assertion must also contain an email attribute statement carrying the user's email address. In that case the values in the transient NameID element and in the email attribute statement do not need to be identical.

Supported NameID Formats

The following formats are supported for the NameID attribute:

  • emailAddress

  • transient

  • unspecified

Important:

No matter which of these formats you choose to use, the NameID value must contain an email address.

The SAML Response Example illustrates the use of the emailAddress format for NameID.

The following line indicates use of the unspecified format:

    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jsmith@example.com</saml2:NameID>
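The rules above (account is required whenever role or site is sent; the NameID must be in one of the three supported formats and must contain an email address; a transient NameID must be accompanied by an email attribute, and otherwise NameID and email must match) are easy to get wrong in IdP attribute mappings, and a mismatch usually surfaces only as a failed login. The following Python script is an added example, not NetSuite's code or part of the original page: it builds a minimal assertion fragment with the standard library and runs a pre-flight check of those rules against it, and also extracts the site ID from the two URL shapes shown under the site attribute. It assumes the SAML attributes are named with the lowercase names the page uses (account, role, site, email), that the emailAddress and unspecified formats use the SAML 1.1 URIs (the page shows the unspecified one verbatim) while transient uses the SAML 2.0 URI, and it deliberately omits Issuer, Conditions and the XML Signature, which a real assertion must carry.

```python
"""Pre-flight checks for the NetSuite SAML attribute rules described on this page.

Added example (not NetSuite code). Attribute names and NameID format URIs are
assumptions stated in the lead-in; the assertion built here is a fragment only.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}

# NameID formats the page lists as supported (URIs are assumptions, see lead-in).
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
SUPPORTED_FORMATS = {FMT_EMAIL, FMT_TRANSIENT, FMT_UNSPECIFIED}

# Loose e-mail shape check (one '@', dotted domain); a sanity check, not RFC 5322.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def site_id_from_url(url):
    """Extract the site ID from either URL shape the page shows:
    Site Builder preview  s.nl?c=<accountID>&n=<siteID>   -> the 'n' parameter
    SCA website edit      siteadmin.nl?id=<siteID>&...    -> the 'id' parameter
    Returns None if neither parameter is present."""
    query = parse_qs(urlparse(url).query)
    for key in ("n", "id"):
        if key in query:
            return query[key][0]
    return None


def build_assertion(name_id, name_id_format, attributes):
    """Return a saml2:Assertion fragment with a Subject/NameID and one
    AttributeStatement holding the given name -> value pairs."""
    ET.register_namespace("saml2", SAML2)
    assertion = ET.Element(f"{{{SAML2}}}Assertion")
    subject = ET.SubElement(assertion, f"{{{SAML2}}}Subject")
    nid = ET.SubElement(subject, f"{{{SAML2}}}NameID", Format=name_id_format)
    nid.text = name_id
    stmt = ET.SubElement(assertion, f"{{{SAML2}}}AttributeStatement")
    for name, value in attributes.items():
        attr = ET.SubElement(stmt, f"{{{SAML2}}}Attribute", Name=name)
        ET.SubElement(attr, f"{{{SAML2}}}AttributeValue").text = str(value)
    return ET.tostring(assertion, encoding="unicode")


def check_assertion(xml_text):
    """Return a list of rule violations; an empty list means the attribute set
    is consistent with the rules on this page."""
    root = ET.fromstring(xml_text)
    problems = []

    nid = root.find("saml2:Subject/saml2:NameID", NS)
    fmt = nid.get("Format") if nid is not None else None
    nid_value = (nid.text or "").strip() if nid is not None else ""

    attrs = {}
    for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        value = attr.find("saml2:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    email_attr = attrs.get("email", "")

    # NameID: supported format, and the value must contain an email address
    # no matter which format is used (this also covers "user email is required").
    if nid is None:
        problems.append("NameID missing")
    else:
        if fmt not in SUPPORTED_FORMATS:
            problems.append(f"unsupported NameID Format: {fmt}")
        if not EMAIL_RE.match(nid_value):
            problems.append("NameID value must contain an email address")

    # email attribute: mandatory with transient; otherwise must equal NameID if present.
    if fmt == FMT_TRANSIENT:
        if not email_attr:
            problems.append("transient NameID requires an email attribute statement")
    elif email_attr and nid_value and email_attr != nid_value:
        problems.append("NameID and email attribute values must be identical")

    # account is required whenever role or site is sent.
    if "role" in attrs and "account" not in attrs:
        problems.append("role attribute sent without account attribute")
    if "site" in attrs and "account" not in attrs:
        problems.append("site attribute sent without account attribute")
    return problems


if __name__ == "__main__":
    # Constructed sample: web store login for a Site Builder site, IDs taken from the page.
    site = site_id_from_url("http://shopping.na1.netsuite.com/s.nl?c=123456&n=1")
    xml = build_assertion("jsmith@example.com", FMT_EMAIL,
                          {"account": "123456", "role": "3", "site": site})
    print(xml)
    print("problems:", check_assertion(xml))
```

Run it on the assertion your IdP actually emits (paste the decoded, unsigned fragment into `check_assertion`) before pointing the IdP at NetSuite; it will not tell you whether the signature or audience is right, only whether the attribute set can work at all.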
