How to Configure SAML 2.0 for NetSuite


Supported Features

The Okta/NetSuite SAML integration currently supports the following features:

For more information on the listed features, visit the Okta Glossary.

Configuration Steps

  1. Sign on to NetSuite with your user credentials.

  2. Go to Setup > Company > Enable Features:


  3. Select SuiteCloud on the Enable Features menu:


  4. Scroll down to the Manage Authentication section.



  6. On the top menu, select Setup > Users/Roles, then click Manage Roles:


  7. The Manage Roles section opens, listing all the roles assigned in your organization. Select Edit for a role for which you want to enable SAML:


  8. Scroll down to the Permissions section, then click Edit:


  9. Select Setup:


  10. Select the dropdown icon to display the list above the empty box. Select SAML Single Sign-on, then select Add:


  11. Select Set Up SAML Single Sign-on, and select Add again:


    You will see both selections listed with the level Full:


  12. Select Save to return to the Manage Roles section.

  13. Repeat steps 7–12 for each role for which you want to enable SAML.

  14. On the main menu at the top of the page select Setup > Integration > SAML Single Sign-on:


  15. The SAML Setup page opens. Enter the following:

    • LOGOUT LANDING PAGE: Copy and paste the following:

      Sign in to the Okta Admin dashboard to generate this value.

    • UPLOAD IDP METADATA FILE: Save the following metadata in a file named metadata.xml. Select UPLOAD IDP METADATA FILE, then select Choose File to locate and upload the metadata.xml file you just created.

      Sign in to the Okta Admin dashboard to generate this value.
    • Click Submit.


  16. Go to Setup > Company > Company Information:


  17. Make a copy of your NetSuite ACCOUNT ID, marked in red below:


  18. In Okta, select the Sign On tab for the NetSuite SAML app, then click Edit:

    • email SAML attribute: Select the value that will be used as the email SAML attribute (either Email or Username).

    • NetSuite Account ID: Enter the NetSuite Account ID you made a copy of in step 16 into the corresponding field.

    • Click Save:


  19. Done!


The following SAML attributes are supported:

SP-initiated SSO

NetSuite supports two methods of using SP-initiated SAML:

  1. By going to https://system.netsuite.com/app/center/card.nl?c=[ACCOUNTID].

  2. By using a deep link to start the SP-initiated flow. For example: https://system.netsuite.com/app/test/test.nl?whence=.

    Note: This second method only works if you are using a browser in which you previously had a login session for NetSuite.

SAML SSO in Multiple NetSuite Account Types

The Shared IdP feature in NetSuite 2018.1 makes it possible for multiple NetSuite accounts to trust the same IdP.

To use the same IdP in multiple NetSuite account types, do the following:

  1. Add only one NetSuite application instance in Okta.

  2. During NetSuite application configuration in Okta, leave the NetSuite Account ID field empty:


  3. Configure SAML in all of the NetSuite accounts that you want to use.

  4. Upload the same IdP metadata file (Step 14) in all of the NetSuite accounts that you want to use with SAML.