With the SAML Single Sign-on (SSO) feature, you can set up SAML SSO access to a web store so that users who have logged in to an external identity provider (IdP) can click a link and go directly to a NetSuite web store. Users do not need to log in separately to the web store, because the same IdP authenticates them for both the external application and the web store. A user who accesses a web store using SAML SSO is directed to a landing page that you specify as part of SAML setup in NetSuite. SAML SSO access is supported for SuiteCommerce and SiteBuilder web stores.
SAML SSO Restrictions for Web Store
The following restrictions apply to the SAML SSO service provider-initiated (SP-initiated) flow:
- The SP-initiated flow is supported only for websites on custom domains, not on netsuite.com.
- You cannot use both SAML Single Sign-on and OIDC Single Sign-on for the same website. You must choose one single sign-on method.
- A website must be fully protected to use the SP-initiated flow. To protect your website, you must do the following:
  - On the Set Up Web Site form, on the Web Presence subtab, in the Web Site section, check the Advanced Site Customization box.
  - Go to Commerce > Websites > Website List and edit the web store record. On the Shopping subtab, in the Registration Page section, check the Password-Protect Entire Site box.
SAML SSO Setup for Web Store
The first step for SAML SSO setup is to ensure that the SAML SSO feature is enabled in your NetSuite account. Go to Setup > Company > Enable Features, and click the SuiteCloud tab. In the Manage Authentication section, check the SAML Single Sign-on box to enable SAML SSO.
To set up SAML Single Sign-on for a web store, go to the Web Site Setup page in your NetSuite account and open the SAML subtab of the SSO subtab. Most fields on that subtab are the same as those on the SAML Setup page for the NetSuite application.
You can set up SAML for different web stores by completing the SAML subtab of the Web Site Setup page for each web store. You can use the same IdP for multiple web sites. You also have the option of defining different IdPs for each web site if needed.
SAML SSO Configuration for Web Stores
In the NetSuite Configuration section on the SAML subtab:
Configure NetSuite for SAML SSO with your identity provider (IdP) and set up your IdP in NetSuite. You must provide information from the NetSuite Service Provider Metadata file to your IdP; follow the instructions provided by your IdP. For more information, see Configure NetSuite with Your Identity Provider.
Note
The site ID (SAML attribute = site) and account ID (SAML attribute = account) parameters are required. See Site Attribute.
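The following Python script is an added example, not NetSuite code, showing what the required attributes look like inside a SAML response and how to check for them before opening a ticket with your IdP team. The response XML is constructed for this example (unsigned and trimmed to the parts the check reads), the attribute names `site` and `account` follow the note above, and the values, issuer URL and NameID are assumptions. Signature validation is out of scope here and must still be done by the service provider.

```python
"""Check a SAML response for the attributes a NetSuite web store requires.

Added example (not NetSuite's own code). The sample response below is
constructed for illustration; attribute values, issuer and NameID are
assumptions. Signature validation is intentionally not covered.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attribute names the web store expects, per the setup note (site ID, account ID).
REQUIRED_ATTRIBUTES = ("site", "account")

# Constructed sample: an IdP response carrying both required attributes.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Issuer>https://idp.example.com/metadata</saml2:Issuer>
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml2:Issuer>https://idp.example.com/metadata</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">shopper@example.com</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="site">
        <saml2:AttributeValue>3</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="account">
        <saml2:AttributeValue>1234567</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
"""

# Constructed misconfiguration: the IdP emits the account ID under a misspelled name.
SAMPLE_MISNAMED_ACCOUNT = SAMPLE_RESPONSE.replace('Name="account"', 'Name="accnt"')


def saml_attributes(response_xml: str) -> dict:
    """Return {attribute name: [values]} from every AttributeStatement in the response."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        name = attr.get("Name")
        values = [(v.text or "").strip() for v in attr.iterfind("saml2:AttributeValue", NS)]
        attrs[name] = values
    return attrs


def missing_required(response_xml: str) -> list:
    """Names of required attributes that are absent or have no non-empty value."""
    attrs = saml_attributes(response_xml)
    return [name for name in REQUIRED_ATTRIBUTES if not any(attrs.get(name, []))]


if __name__ == "__main__":
    for label, xml in (("complete", SAMPLE_RESPONSE), ("misnamed", SAMPLE_MISNAMED_ACCOUNT)):
        missing = missing_required(xml)
        print(f"{label}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
```

Run the script against a response captured from your IdP (for example, the base64-decoded SAMLResponse from a browser trace) to confirm the attribute names match exactly; a near miss such as `accnt` or `Site` is reported as missing, which is the usual cause of a failed web store login after an otherwise successful IdP authentication.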
In the Logout Landing Page field, enter the URL of the page that users should be redirected to when they log out of your web store.
Note
Both IdP–initiated and SP-initiated SAML Single Logout (SLO) are supported for web stores.
The Landing Page After Login field is optional and specific to SAML setup for web stores. By default, your site home page is the landing page for SAML users, but you can specify the URL for a different landing page in this field.
If you configure a value for this field and the secure Single Domain for Web Store and Checkout domain is configured, the value of the Landing Page After Login field must be a secure (HTTPS) URL.
Important
The value of the Landing Page After Login field is not taken into account in the SP-initiated flow.
If you have previously used the SAML Single Sign-on feature for a web store, the Primary Authentication Method box is checked by default. It is not checked by default for new web stores. If the Primary Authentication Method box is cleared, SAML users click a link to access NetSuite; if no active NetSuite session exists, they are redirected to the NetSuite login page.
If the Primary Authentication Method box is checked, users are redirected to the external IdP login page instead. The site must be password protected and located on the secure Single Domain.
Users are also redirected to the IdP login page upon session timeout.