Okta

How to Configure SAML 2.0 for NetSuite

Contents

Supported Features

The Okta/NetSuite SAML integration currently supports the following features:

For more information on the listed features, visit the Okta Glossary.

Configuration Steps

  1. Sign on to NetSuite with your user credentials.

  2. Go to Setup > Company > Enable Features:

    netsuite_newa.png

  3. Select SuiteCloud on the Enable Features menu:

    netsuite_newb.png

  4. Scroll down to the Manage Authentication section.

  5. Check SAML SINGLE SIGN-ON:

    netsuite_newc.png

  6. On the top menu, select Setup > Users/Roles, then click Manage Roles:

    netsuite_newd.png

  7. The Manage Roles section that contains a list of all the roles assigned in your organization opens. Select Edit for a role for which you want to enable SAML:

    netsuite_newe.png

  8. Scroll down to the Permissions section, then click Edit:

    netsuite_a.png

  9. Select Setup:

    netsuite_b.png

  10. Select the dropdown icon to display the list above the empty box. Select SAML Single Sign-on, then select Add:

    netsuite_c.png

  11. Only assign the following permission to roles that need the ability to configure the SAML SSO connection (for example, admin roles). Don't assign this permission to standard user roles.

    Select Set Up SAML Single Sign-on, and then select Add again:

    netsuite_d.png

    The granted permissions are listed with the level Full:

    netsuite_newi.png

  12. Select Save to return to the Manage Roles section.

  13. Repeat steps 7–12 for each role for which you want to enable SAML.

  14. On the main menu at the top of the page select Setup > Integration > SAML Single Sign-on:

    netsuite_newj.png

  15. The SAML Setup page opens. Enter the following:

    • LOGOUT LANDING PAGE: Copy and paste the following:

      Sign into the Okta Admin dashboard to generate this value.

    • UPLOAD IDP METADATA FILE: Save the following metadata in a file named metadata.xml. Select UPLOAD IDP METADATA FILE, then select Choose File to locate and upload the metadata.xml file you just created.

      Sign into the Okta Admin dashboard to generate this value.

    • Click Submit.

    netsuite_newk.png

  16. Go to Setup > Company > Company Information:

    netsuite_new_1.png

  17. Make a copy of your NetSuite ACCOUNT ID, marked in red below:

    netsuite_new_2.png

  18. In Okta, select the Sign On tab for the NetSuite SAML app, then click Edit:

    • email SAML attribute: Select the value that will be used as email SAML attribute (either Email or Username).

    • NetSuite Account ID: Enter your NetSuite Account ID you made a copy of in step 16.

    • Click Save:

    netsuite_new_3.png

  19. Done!

Notes

The following SAML attributes are supported:


SP-initiated SSO

Netsuite supports two methods of using SP-initiated SAML:

  1. By going to https://system.netsuite.com/app/center/card.nl?c=[ACCOUNTID].

  2. By using a deep link to start the SP-initiated flow. For example: https://system.netsuite.com/app/test/test.nl?whence=.

    Note: This second method only works if you are using a browser where you previously had a login session for Netsuite.


SAML SSO in Multiple NetSuite Account Types

The Shared IdP feature in NetSuite 2018.1 introduces the possibility to trust the same IdP from multiple NetSuite accounts.

To use the same IdP in multiple NetSuite account types, do the following:

  1. You need to add only one NetSuite application instance in Okta.

  2. During NetSuite application configuration in Okta, leave NetSuite Account ID empty:

    netsuite_new_4.png

  3. Configure SAML in all of the NetSuite accounts that you want to use.

  4. Upload the same IdP metadata file (Step 14) in all of the NetSuite accounts that you want to use with SAML.