The SAML Single Sign-on (SSO) feature lets you set up SAML SSO web site access so that users who have logged in to an external application using SAML can click a link to go directly to a NetSuite web store. Users do not need to log in separately to the web store, because authentication from the same third-party identity provider (IdP) is used for login to both the external application and the web store. A user who accesses a web store using SAML SSO is directed to a landing page that you specify as part of SAML setup in NetSuite. SAML SSO access is supported for Commerce and SiteBuilder web stores.
Before you attempt to set up SAML access to your web store, read and understand the complete documentation for using SAML SSO in NetSuite. See the help topic SAML Single Sign-on.
Any SAML 2.0-compliant application can serve as the IdP for SAML access to NetSuite web stores. You can use the same IdP for both web site access and NetSuite application access, or you can define different IdPs for each purpose.
For more information about SAML SSO for web store, see the following:
SAML SSO Restrictions for Web Store
The following restrictions apply to the SAML SSO Service Provider-Initiated Flow:
The SAML Single Sign-On Service Provider-Initiated Flow is supported only for websites on custom domains, not on netsuite.com.
You cannot use both SAML Single Sign-on and OIDC Single Sign-on for the same website. You must choose one single sign-on method.
All users must use the same type of credentials, either login in using the website login form or OP login form.
A website must be fully protected to use the SAML Single Sign-On Service Provider-Initiated Flow. To protect your website, you must do the following:
On the Set Up Web Site, on the Web Presence subtab, in the Web Site section, check the Advanced Site Customization box.
Go to Setup > Site Builder > Set Up Web Site. On the Shopping subtab, in the Registration Page section, check the Password-Protect Entire Site box.
For more information about SP-initiated flow, see the help topic Interactions with NetSuite Using SAML.
SAML does not have to be set as a primary authentication method for use with web stores.
SAML SSO Setup for Web Store
Before you begin with the setup, ensure that the SAML SSO feature is enabled in your NetSuite account. Go to Setup > Company > Enable Features, and click the SuiteCloud tab. Under the Manage Authentication section, check the SAML Single Sign-on box to enable SAML SSO. See the help topic Complete Preliminary Steps in NetSuite for SAML SSO for more information.
To set up SAML Single Sign-on for a web store, go to the SAML subtab of the SSO subtab of the Web Site Set Up page in your NetSuite account. Most fields on the SAML subtab of the SSO subtab of the Web Site Setup page are the same as those on the SAML Setup page for the NetSuite application. For more information, see the help topic Complete the SAML Setup Page.
If the Multiple Web Sites feature is enabled, you can set up SAML for different web stores by completing the SAML subtab of the Web Site Setup page for each web store. You can use the same IdP for multiple web sites. You also have the option of defining different IdPs for each web site if needed.
SAML SSO Configuration for Web Stores
In the NetSuite Configuration section on the SAML subtab:
Configure NetSuite for SAML SSO with your identity provider (IdP) and set up your IdP in NetSuite. You must provide information from the NetSuite Service Provider Metadata file in NetSuite to your IdP. Follow the instructions provided by your IdP. For more information, see the help topic Configure NetSuite with Your Identity Provider.
The parameters site ID (SAML attribute = site ) and account ID (SAML attribute = account) are required. See the help topic Site Attribute.
Logout Landing Page enter the URL for a page that users should be redirected to when they log out of your web store.
Neither IdP–initiated nor SP-initiated SAML Single Logout (SLO) functionality is supported for web stores.
The following solution is not part of the SAML 2.0 standard. If SP-initiated SLO is desired, and if your IdP supports this functionality, you could enter the Single Logout Service URL of your IdP in the Logout Landing Page field. There is no guarantee that this will work.
The Landing Page After Login field is specific to SAML setup for web stores. By default, your site home page is the landing page for SAML users, but you can specify the URL for a different landing page in this field. The field cannot be used with SP-initiated flow.
If you decide to configure the RelayState parameter, the value in the Landing Page After Login field is no longer taken into account.
Make sure that values of either RelayState parameter or the Landing Page After Login field are valid URLs.
In the Set Up Identity Provider section on the SAML subtab, you must either upload your IdP’s metadata file into NetSuite, or provide the URL where that file is located. See the help topic Set Up Your Identity Provider (IdP) in NetSuite for more information.
After you completed set up of an identity provider, you can click the links to view the Current Identity Provider Metadata, or to Delete IDP Configuration, if necessary.