Configuring SAML SSO 2.0 within NetSuite

By - March 10, 2025

There are several reasons why an organization would want their NetSuite users to be protected through SAML SSO (Security Assertion Markup Language Single Sign-On). It gives users a more efficient experience, since they provide log-in information only once when signing into multiple systems, and it also improves security. The authentication process involves three parties:

  • Principal/Subject: Typically the user attempting to access the application, which is NetSuite in this case.
  • Identity Provider (IdP): The service that verifies who the user is and issues the SSO assertion. Examples include Microsoft Azure AD, OneLogin, and Okta.
  • Service Provider (SP): The cloud app or service the user wants to access, NetSuite in this case. The user logs into the IdP instead of logging into NetSuite directly, and SAML is used to grant access.

Now, how does this process get set up on the NetSuite end? The configuration itself is fairly straightforward. For this example, we will walk through the steps with Okta as the IdP.

  1. Enable Necessary Features 
    1. Using your Administrator role, log in to NetSuite. 
    2. Navigate to Setup > Company > Enable Features. 
    3. Select the SuiteCloud subtab.
    4. Scroll to the SuiteTalk (Web Services) section and check “SOAP WEB SERVICES”.
    5. Scroll to the Manage Authentication section and check “TOKEN-BASED AUTHENTICATION”.
      1. You may be prompted to read the SuiteCloud Terms of Service page; if so, choose “I Agree” to proceed.
  2. Assign Permissions
    1. Navigate to Setup > Users/Roles, then click Manage Roles.
    2. Choose the role that you want to be protected through SAML Single Sign On.
    3. Click “Edit” on the role.
    4. Navigate to the “Setup” subtab under Permissions.
    5. Add the permission “SAML Single-Sign On” and make the level “Full”.
    6. If you want to configure the role for someone who should have the ability to manage the SAML SSO connection (typically an administrator or manager role):
      1. Add the permission “Set Up SAML Single Sign On” and make the level “Full”.
    7. Click Save, and repeat for each role for which you want SAML SSO enabled.
  3. Gather Relevant NetSuite SP Metadata 
    1. Navigate to Setup > Integration > SAML Single Sign-On. 
      1. In the “Logout Landing Page” field, enter the value generated for this setting in the Okta Admin dashboard (sign into Okta to generate it).
      2. Save the IdP metadata generated in the Okta Admin dashboard to a file named “metadata.xml”.
      3. Navigate to “Upload IDP Metadata File” and upload the file you just created.
    2. Click Submit.
  4. Account ID
    1. Navigate to Setup > Company > Company Information.
    2. Copy the value for “Account ID”. 
  5. Okta Interface
    1. Navigate to your Okta portal.
    2. Select the “Sign On” tab for the NetSuite SAML App and click “Edit”.
    3. Under Advanced Sign-On Settings, make the following changes: 
      1. For “Email SAML attribute”: Select the option to be used as email SAML attribute (either Email or Username). 
        1. In this case, an attribute is the piece of information about a user that is processed during authentication, so choose if the user is going to be identified by their email or username.  
      2. For “NetSuite Account ID”: Enter the NetSuite Account ID you made a copy of. 

After these steps are completed, it’s worth mentioning some additional implementation notes that will help users become more knowledgeable about SAML SSO and NetSuite.  

  • Administrator Role: 
    1. When a user logs into NetSuite through SAML SSO, the Administrator role is not available for them to switch into. A user can only access the Administrator role through the NetSuite log-in screen. 
  • Testing Permissions: 
    1. Often during UAT, NetSuite consultants will duplicate roles and use these roles for testing to allow themselves to experiment with permissions without ramifications. 
    2. However, it’s worth noting that if this SAML Single Sign-On permission is not removed, this role will not be accessible via the NetSuite log-in screen.  
    3. Therefore, for a consultant to use a role for testing, this permission must be removed. 

In summary, SAML SSO can be a useful and advantageous tool when it comes to protecting the security of your NetSuite environment, and it can also make sign-in more streamlined and efficient for the users themselves. Furthermore, it offers an intuitive and concise setup process, ensuring that it can be implemented with minimal hassle.

Technology Consulting Associate in RSM US LLP's NetSuite practice
