How to Configure SAML 2.0 for NetSuite


Supported Features

The Okta/NetSuite SAML integration currently supports the following features:

For more information on the listed features, visit the Okta Glossary.

Configuration Steps

  1. Sign on to NetSuite with your user credentials.

  2. Select Setup > Company > Enable Features:


  3. Select SuiteCloud on the Enable Features menu:


  4. Scroll down to the Manage Authentication section.



  6. On the top menu, select Setup > Users/Roles, then click Manage Roles:


  7. The Manage Roles section that contains a list of all the roles assigned in your organization opens. Select Edit for a role for which you want to enable SAML:


  8. Scroll down to the Permissions section, then click Edit:


  9. Select Setup:


  10. Select the dropdown icon to display the list above the empty box. Select SAML Single Sign-on, then select Add:


  11. Select Set Up SAML Single Sign-on, and select Add again:


    You will see both selections listed with the level Full:


  12. Select Save to return to the Manage Roles section.

  13. Repeat steps 7–12 for each role for which you want to enable SAML.

  14. On the main menu at the top of the page select Setup > Integration > SAML Single Sign-on:


  15. The SAML Setup page opens. Enter the following information:

    • LOGOUT LANDING PAGE: Copy and paste the following:

      Sign into the Okta Admin dashboard to generate this value.

    • UPLOAD IDP METADATA FILE: Save the following metadata in a file named metadata.xml. Select UPLOAD IDP METADATA FILE, then select Choose File to locate and upload the metadata.xml file you just created.

      Sign into the Okta Admin dashboard to generate this value.
    • Select Submit.


  16. Navigate to Setup > Company > Company Information:


  17. Make a copy of your NetSuite Account ID, marked in red below:


  18. In Okta, select the Sign On tab for the NetSuite SAML app, then click Edit:

    • email SAML attribute: Select the value that will be used as email SAML attribute (either Email or Username).

    • NetSuite Account ID: Enter your NetSuite Account ID you made a copy of in step 16 into the corresponding field.

    • Click Save:


  19. Done!


Make sure that you selected the correct value in the Instance Type drop down list under the General application tab in Okta. Using the wrong value will prevent you from authenticating via SAML to NetSuite.

SAML Attributes

The following SAML attributes are supported:

SP-initiated SSO

Netsuite supports two methods of using SP-initiated SAML:

  1. By going to https://system.netsuite.com/app/center/card.nl?c=[ACCOUNTID].

  2. By using a deep link to start the SP-initiated flow. For example: https://system.netsuite.com/app/test/test.nl?whence=.

    Note: This second method only works if you are using a browser where you previously had a login session for Netsuite.

NetSuite SANDBOX Account Types

NOTE: According to the NetSuite 2019.1 Release Notes (note that you need to be logged into your Netsuite account to access the release notes) the sandbox domain (system.sandbox.netsuite.com) will no longer be accessible as of February 28, 2019. Therefore, they have been deprecated in the Okta Netsuite Integration.

There are 3 different SANDBOX account types available in Netsuite:

  1. Sandbox accounts accessed from the NetSuite domain (system.netsuite.com). In this case you’ll need to select Production/Sandbox/Development/Test drives/Release Preview Instance (system.netsuite.com) value from the Instance Type dropdown list.

  2. DEPRECATED Old sandbox accounts that are accessed from the sandbox domain (system.sandbox.netsuite.com).

    For example, if your ACS URL is https://system.sandbox.netsuite.com/saml2/acs, select Old Sandbox Instance value from the Instance Type dropdown list.

  3. DEPRECATED New sandbox accounts that are accessed from the sandbox domain (system.sandbox.netsuite.com).

    For example, if your ACS URL is https://system.sandbox.netsuite.com/saml2/acs/metaAlias/sp-SANDBOX, select New Sandbox Instance from the Instance Type dropdown list.

If you do not know your Netsuite ACS URL value, contact the Netsuite Support team.

SAML SSO in Multiple NetSuite Account Types

The Shared IdP feature in NetSuite 2018.1 introduces the possibility to trust the same IdP from multiple NetSuite accounts.

To use the same IdP in multiple NetSuite account types (for example, your production account and a sandbox that is accessed from the system.netsuite.com domain), complete the following procedure:

  1. You need to add only one NetSuite application instance in Okta.

  2. During NetSuite application configuration in Okta, leave NetSuite Account ID field with an empty value:


  3. Configure SAML in all of the NetSuite accounts that you want to use (production, sandbox, or Release Preview account) with SAML according to this guide.

  4. Upload the same IdP metadata file (Step 14) in all of the NetSuite accounts that you want to use with SAML.

Important: If your sandbox is still accessed from the sandbox domain (system.sandbox.netsuite.com), you cannot use a single SP configuration for all your accounts. A separate SP configuration for sandbox is required in this case.