Single Sign-On (SSO) Overview
Enable users to access NetSuite using their corporate identity provider credentials.
What is SSO?
Single Sign-On allows users to authenticate once with their identity provider (IdP) and access NetSuite without entering separate credentials.
```
SSO AUTHENTICATION FLOW
═══════════════════════════════════════════════════════════════════════════════

USER                          IDENTITY PROVIDER                     NETSUITE
────                          ─────────────────                     ────────
  │                                   │                                 │
  │ 1. Access NetSuite                │                                 │
  │ ───────────────────────────────────────────────────────────────────▶│
  │                                   │                                 │
  │                                   │             2. Redirect to IdP  │
  │ ◀───────────────────────────────────────────────────────────────────│
  │                                   │                                 │
  │ 3. Authenticate                   │                                 │
  │ ─────────────────────────────────▶│                                 │
  │                                   │                                 │
  │ 4. SAML Assertion                 │                                 │
  │ ◀─────────────────────────────────│                                 │
  │                                   │                                 │
  │ 5. Submit Assertion               │                                 │
  │ ───────────────────────────────────────────────────────────────────▶│
  │                                   │                                 │
  │                                   │             6. Access Granted   │
  │ ◀───────────────────────────────────────────────────────────────────│
  │                                   │                                 │
```
Supported Identity Providers
| Provider | Protocol | Guide |
|---|---|---|
| Microsoft Entra ID (Azure AD) | SAML 2.0 | Setup Guide |
| Google Workspace | SAML 2.0 | Setup Guide |
| Okta | SAML 2.0 | Coming soon |
| OneLogin | SAML 2.0 | Coming soon |
Prerequisites
NetSuite Requirements
| Requirement | Details |
|---|---|
| NetSuite Edition | Any edition with SuiteCloud |
| Role | Administrator or Full Access |
| Feature | SAML Single Sign-on (enabled) |
| User Records | Must have matching email addresses |
Identity Provider Requirements
| Requirement | Details |
|---|---|
| Admin Access | Ability to create enterprise applications |
| User Accounts | Users must exist in IdP |
| Email Match | IdP email must match NetSuite email |
Enable SAML SSO Feature
Before configuring any SSO provider, enable the feature in NetSuite:
Step 1: Enable Feature
- Navigate to Setup > Company > Enable Features
- Go to SuiteCloud subtab
- Check SAML Single Sign-on
- Click Save
Step 2: Access SSO Configuration
- Navigate to Setup > Integration > SAML Single Sign-on
- This is where you'll configure your IdP settings
Key Concepts
SAML 2.0 Terminology
| Term | Description |
|---|---|
| Service Provider (SP) | NetSuite - the application users want to access |
| Identity Provider (IdP) | Entra ID/Google - authenticates the user |
| SAML Assertion | XML document proving user identity |
| Entity ID | Unique identifier for NetSuite instance |
| ACS URL | Where IdP sends the SAML response |
| Metadata | XML describing SP/IdP configuration |
NetSuite SAML Endpoints
| Endpoint | URL Pattern |
|---|---|
| Entity ID | https://system.netsuite.com/saml2/sp/{ACCOUNT_ID}/acs |
| ACS URL | https://system.netsuite.com/saml2/sp/{ACCOUNT_ID}/acs |
| Metadata | https://system.netsuite.com/saml2/sp/{ACCOUNT_ID}/metadata |
Replace {ACCOUNT_ID} with your NetSuite account ID (e.g., 1234567).
User Matching
How NetSuite Matches Users
```
USER MATCHING FLOW
═══════════════════════════════════════════════════════════════════════════════

IdP User                                          NetSuite User
────────                                          ─────────────
┌─────────────────────┐                           ┌─────────────────────┐
│                     │                           │                     │
│  Email:             │                           │  Email:             │
│  john@company.com   │ ────────MATCH────────▶    │  john@company.com   │
│                     │                           │                     │
│  Name ID Claim      │                           │  Employee/Contact   │
│                     │                           │  Record             │
└─────────────────────┘                           └─────────────────────┘
```
MATCHING RULES:
1. IdP sends email as Name ID claim
2. NetSuite searches for user with matching email
3. If found → user logs in with their NetSuite roles
4. If not found → login fails (user not provisioned)
Best Practices for User Matching
| Practice | Benefit |
|---|---|
| Use email as Name ID | Consistent matching |
| Sync email addresses | Prevent login failures |
| Provision users first | Users must exist in NetSuite |
| Don't rely on email case | NetSuite matches email addresses case-insensitively, so differences in capitalization between the IdP and NetSuite do not cause mismatches |
SSO vs Traditional Login
| Feature | Traditional Login | SSO |
|---|---|---|
| Password management | NetSuite passwords | Corporate IdP |
| Multi-factor auth | NetSuite MFA | IdP MFA |
| Password policies | NetSuite policies | IdP policies |
| Provisioning | Manual | Can automate with SCIM |
| Access revocation | Disable in NetSuite | Disable in IdP |
| User experience | Separate login | Single login |
Security Considerations
Certificate Management
| Aspect | Recommendation |
|---|---|
| Certificate rotation | Plan for annual renewal |
| Algorithm | Use SHA-256 minimum |
| Backup | Keep certificate backups |
| Expiry monitoring | Set reminders before expiry |
Access Control
| Control | Implementation |
|---|---|
| IP restrictions | NetSuite IP address rules still apply to SSO logins |
| Role assignment | Manual or via SCIM |
| Session timeout | Controlled by NetSuite |
| Logging | Audit SSO events |
Troubleshooting Overview
Common Issues
| Issue | Likely Cause | Solution |
|---|---|---|
| User not found | Email mismatch | Verify emails match |
| Invalid signature | Certificate issue | Re-upload IdP certificate |
| Clock skew | Time difference | Sync server clocks |
| ACS URL mismatch | Wrong URL in IdP | Verify ACS URL |
| Not authenticated | IdP session expired | Re-authenticate at IdP |
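The checks behind several rows of this table, written out as an added example that is not NetSuite's code or any vendor's: a service-provider-side validator that compares the Response's Destination with the ACS URL, the assertion's Audience with the Entity ID, and the Conditions window with the current time (with a small skew tolerance), then applies the case-insensitive Name ID to email match described under User Matching. The account ID, the user records, the 3-minute skew tolerance, the idp.example.com issuer and the unsigned sample Response are all constructed for the example; signature verification against the uploaded IdP certificate is deliberately left out.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

ACCOUNT_ID = "1234567"  # the page's example account ID; substitute your own
# Both URL patterns as given in the NetSuite SAML Endpoints table above
ENTITY_ID = f"https://system.netsuite.com/saml2/sp/{ACCOUNT_ID}/acs"
ACS_URL = f"https://system.netsuite.com/saml2/sp/{ACCOUNT_ID}/acs"
CLOCK_SKEW = timedelta(minutes=3)  # assumed tolerance; NetSuite's real value is not on the page

# Constructed NetSuite user records: email as stored in NetSuite -> assigned roles
NETSUITE_USERS = {
    "John.Doe@Company.com": ["Sales Rep", "Employee Center"],
    "jane@company.com": ["Administrator"],
}


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are xs:dateTime in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text: str, now: datetime) -> tuple[str | None, str | None]:
    """SP-side checks whose failures appear as rows of the Common Issues table.
    Returns (issue, name_id); issue is None when every check passes. Signature
    verification against the uploaded IdP certificate is out of scope here."""
    root = ET.fromstring(xml_text)
    # The Response must be addressed to our ACS URL.
    if root.get("Destination") != ACS_URL:
        return "ACS URL mismatch", None
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return "Not authenticated", None
    # The assertion must be intended for our Entity ID.
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != ENTITY_ID:
        return "Audience mismatch", None
    # Validity window, tolerating a little drift between IdP and SP clocks.
    conditions = assertion.find("saml:Conditions", NS)
    not_before = parse_saml_time(conditions.get("NotBefore"))
    not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter"))
    if now + CLOCK_SKEW < not_before or now - CLOCK_SKEW >= not_on_or_after:
        return "Clock skew", None
    # NameID carries the email address NetSuite matches on.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return "User not found", None
    return None, name_id.text.strip()


def match_user(name_id: str) -> list[str] | None:
    """Case-insensitive email match, as described under User Matching."""
    wanted = name_id.strip().lower()
    for email, roles in NETSUITE_USERS.items():
        if email.lower() == wanted:
            return roles
    return None


def login(xml_text: str, now: datetime) -> tuple[str, list[str]]:
    """End to end: ('Access granted', roles) or (issue from the table, [])."""
    issue, name_id = check_response(xml_text, now)
    if issue:
        return issue, []
    roles = match_user(name_id)
    if roles is None:
        return "User not found", []
    return "Access granted", roles


def sample_response(name_id: str, destination: str = ACS_URL, audience: str = ENTITY_ID,
                    not_before: str = "2024-06-01T12:00:00Z",
                    not_on_or_after: str = "2024-06-01T12:05:00Z") -> str:
    """Constructed, unsigned SAML Response used only for this example."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="{not_before}" Destination="{destination}">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before}">
    <saml:Issuer>https://idp.example.com/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{name_id}</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def at(hour: int, minute: int) -> datetime:
    """Clock value for the example, 2024-06-01 UTC (constructed)."""
    return datetime(2024, 6, 1, hour, minute, tzinfo=timezone.utc)


if __name__ == "__main__":
    print(login(sample_response("john.doe@company.com"), at(12, 1)))
    print(login(sample_response("nobody@company.com"), at(12, 1)))
    print(login(sample_response("jane@company.com"), at(12, 20)))
```

The order of the checks is the order a real SP follows: destination and audience first, because an assertion minted for a different SP or a different tenant must never reach the user-matching step. Run with the three sample calls, the first logs in with the stored roles even though the stored email differs in case, the second fails with "User not found", and the third fails with "Clock skew" because the assertion's five-minute window has passed.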
Where to Check
| Location | What to Look For |
|---|---|
| NetSuite Login Audit | SSO login attempts |
| IdP Audit Logs | Authentication events |
| Browser Developer Tools | SAML response |
| SAML Tracer (browser extension) | Full SAML flow |
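A small triage pass over a login audit export, as an added example that is not NetSuite's or any vendor's code: it groups SAML failures by the symptoms in the Common Issues table and attaches the table's likely cause and solution, lists users hitting repeated failures, and flags successful password logins by accounts that are expected to come through the IdP, since those logins never saw the IdP's MFA, policies or revocation. The CSV layout, the SSO_ONLY_USERS set and the sample lines are constructed assumptions; NetSuite's actual Login Audit Trail columns differ and need to be mapped onto these field names.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample export. The column layout is an assumption for this
# example, not NetSuite's Login Audit Trail format; map your export onto it.
SAMPLE_AUDIT = """\
timestamp,user,method,result,detail,ip
2024-06-01T08:00:12Z,john.doe@company.com,SAML,Success,,203.0.113.10
2024-06-01T08:01:03Z,new.hire@company.com,SAML,Failure,User not found,203.0.113.11
2024-06-01T08:01:20Z,new.hire@company.com,SAML,Failure,User not found,203.0.113.11
2024-06-01T08:02:45Z,jane@company.com,SAML,Failure,Invalid signature,203.0.113.12
2024-06-01T08:03:10Z,jane@company.com,SAML,Failure,Invalid signature,203.0.113.12
2024-06-01T08:03:55Z,jane@company.com,SAML,Failure,Invalid signature,203.0.113.12
2024-06-01T08:05:00Z,jane@company.com,Password,Success,,203.0.113.12
2024-06-01T08:06:30Z,former.staff@company.com,Password,Success,,198.51.100.7
"""

# Likely cause and solution per symptom, taken from the Common Issues table.
COMMON_ISSUES = {
    "User not found": ("Email mismatch", "Verify emails match"),
    "Invalid signature": ("Certificate issue", "Re-upload IdP certificate"),
    "Clock skew": ("Time difference", "Sync server clocks"),
    "ACS URL mismatch": ("Wrong URL in IdP", "Verify ACS URL"),
    "Not authenticated": ("IdP session expired", "Re-authenticate at IdP"),
}

# Accounts expected to sign in only through the IdP (constructed list).
SSO_ONLY_USERS = {"john.doe@company.com", "jane@company.com",
                  "new.hire@company.com", "former.staff@company.com"}


def parse_audit(text: str) -> list[dict]:
    """Read the export into one dict per login event."""
    return list(csv.DictReader(StringIO(text)))


def sso_failures(rows: list[dict]) -> dict[str, dict]:
    """Group SAML failures by symptom and attach the table's cause and solution
    plus the affected users, so each symptom can be worked as one ticket."""
    out: dict[str, dict] = {}
    for r in rows:
        if r["method"] != "SAML" or r["result"] != "Failure":
            continue
        cause, fix = COMMON_ISSUES.get(r["detail"], ("Unknown", "Check IdP audit logs and a SAML trace"))
        entry = out.setdefault(r["detail"], {"count": 0, "users": set(), "likely_cause": cause, "solution": fix})
        entry["count"] += 1
        entry["users"].add(r["user"])
    return out


def bypassed_sso(rows: list[dict]) -> list[tuple[str, str, str]]:
    """Successful non-SAML logins by accounts expected to use SSO. These never
    passed through the IdP, so IdP MFA, policies and revocation did not apply."""
    return [(r["timestamp"], r["user"], r["ip"]) for r in rows
            if r["user"] in SSO_ONLY_USERS and r["method"] != "SAML" and r["result"] == "Success"]


def repeated_failures(rows: list[dict], threshold: int = 3) -> dict[str, int]:
    """Users at or above the failure threshold within the export."""
    counts = Counter(r["user"] for r in rows if r["result"] == "Failure")
    return {u: n for u, n in counts.items() if n >= threshold}


def triage(text: str = SAMPLE_AUDIT) -> dict:
    """Run all three views over one export."""
    rows = parse_audit(text)
    return {"failures": sso_failures(rows), "bypassed_sso": bypassed_sso(rows),
            "repeated_failures": repeated_failures(rows)}


if __name__ == "__main__":
    report = triage()
    for symptom, info in report["failures"].items():
        print(f"{symptom}: {info['count']}x, users={sorted(info['users'])} -> {info['solution']}")
    for when, user, ip in report["bypassed_sso"]:
        print(f"password login bypassing SSO: {user} from {ip} at {when}")
```

On the sample data the "Invalid signature" group points at a single certificate problem rather than three separate user issues, and the two password logins are the rows worth escalating: one user fell back to a password after SSO failed, and one account still authenticates locally, which matters because the table above lists "Disable in IdP" as the revocation mechanism under SSO.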
Next Steps
Choose your identity provider guide:
- Microsoft Entra ID (Azure AD) - For Microsoft 365 organizations
- Google Workspace - For Google Workspace organizations