# administration
a
Anyone have any experience setting up SAML SSO with NetSuite? We currently have our users using normal username and password logins and want to move to SAML SSO using Azure. In the documentation it says to use a URL like "https://<accountid>.app.netsuite.com/app/center/card.nl" to get the SP-initiated login to work. However, NS remembers the user's last login method and only presents the username and password screen again. The only ways we have found around this right now are to clear the cookies and cache on your browser, or use IdP-initiated login. Does anyone know if there are any more URL parameters that can be added to force the SP-initiated SSO flow to start?
m
where are you seeing that documentation?
s
did you make sure that the SAML Only permission has been enabled in the Role permission table (Setup tab)?
a
As for the SAML Only permission, are you referring to the "Single Sign-On Only" checkbox on the role, or the "SAML Single Sign-on" permission? They can't be used together, and only the "SAML Single Sign-on" permission can be used to enforce SAML single sign-on through an IdP. Yes, we have that on a role. I can also log in via IdP-initiated login; however, all our current users are using username and password, so if we give them the account-specific URL, they are still prompted for username and password even after we select "Primary Authentication Method" for SAML single sign-on. We get into a conundrum where a user can't sign into NetSuite with SSO without having previously signed in via SSO...
So, I'm wondering if anyone has figured out if there is a URL parameter or any way to tell NS to always use SAML SSO if authentication is required.
m
A couple of things: 1. I'm not sure if NetSuite actually supports SP-initiated login, based on that SuiteAnswers post. 2. I tried logging into NetSuite via my IdP and just looked at what goes through in the Chrome Dev tools. Check out this URL:
<https://system.netsuite.com/app/login/secure/loginrouter.nl?c=${accountId}&lm=APP_ENTERPRISE_SAML&whence=>
(be sure to put in your NetSuite account id) If you are just looking for a URL you can give to everyone on your team, I bet the above will work.
did that work for you @abarylak?
a
Sorry, this doesn't seem to notify me of replies. That is interesting; it looks like it may work. I'll have to do some more in-depth testing. I tried dev tools but didn't see that URL, so it's great that you found something.
@Marc Reicher, it seems like the URL you found does force the login through the IdP, much in the same way as the IdP-initiated login. So this new URL is almost an identical way of logging in as using the full IdP-initiated login. The reason this is not ideal is when the user is already logged into NS (in another tab or window of the current browser) and they use the IdP-initiated login or that new URL: the browser still goes through the entire SAML assertion process, which delays the page load. Whereas in the same situation, if they use the https://<accountid>.app.netsuite.com/app/center/card.nl link, NS realizes there is an active session and doesn't redirect the user to the IdP or the password screen. This is why I'm looking to force the auth through the IdP only IF it is required. I have a case open with NS support on this as well, and they simply say it is working as designed. So, if there is no other way, that's fine, as it is mainly a nuisance during the initial switch to SSO for the users (and for administrators going forward).