SP-Initiated and IdP-Initiated Flows in NetSuite

Understanding SP-initiated and IdP-initiated flows in NetSuite's SAML SSO setup is crucial for secure access management.


TL;DR Opening

This article describes the two types of single sign-on (SSO) flows available in NetSuite using the SAML 2.0 standard: SP-initiated and IdP-initiated flows. Understanding these flows is essential for ensuring secure and efficient user authentication across your NetSuite environment.

What Are SP-Initiated and IdP-Initiated Flows?

NetSuite supports both SP-initiated and IdP-initiated SAML 2.0 flows. Both provide single sign-on (SSO), letting users reach NetSuite resources without logging in repeatedly.

The SP-Initiated Flow

An SP-initiated flow occurs when a user accesses a link or application that directly prompts for SAML authentication. For this flow to start, one of the following must hold:

  • SAML is configured as the primary authentication method.
  • The user has previous SAML browsing history, which allows access via a deep link.

For a deeper understanding of setting SAML as the primary authentication method, refer to the relevant documentation.

SAMLRequest and RelayState

When initiating the login protocol for SP-initiated flows, a SAMLRequest must be generated. An optional RelayState parameter can be included to carry state information alongside the SAMLRequest. Notably, for security reasons, NetSuite restricts redirects to external sites via the RelayState parameter. For comprehensive details, consult the SAML 2.0 specification.
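To make the SAMLRequest and RelayState concrete, here is an added example (not code from the article or from NetSuite) of what a service provider does when it starts an SP-initiated flow: it builds a minimal AuthnRequest, records its ID so the IdP's answer can later be matched to it, encodes the request for the HTTP-Redirect binding, and accepts a RelayState only when it points back into the site itself. All hostnames, entity IDs and URLs are constructed for the example, and the RelayState rules are this example's own policy in the spirit of the restriction described above, not NetSuite's implementation.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import urlencode, urlparse
from xml.sax.saxutils import quoteattr

# Constructed identifiers for a hypothetical service provider and IdP.
# They are this example's own values, not NetSuite's.
SP_ENTITY_ID = "https://shop.example.com/saml/metadata"
SP_ACS_URL = "https://shop.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.org/sso/redirect"


def build_authn_request(request_id=None, issue_instant=None):
    """Return (request_id, xml) for a minimal SAML 2.0 AuthnRequest.

    The SP keeps the ID so the IdP's response can be tied back to this
    request through the response's InResponseTo attribute.
    """
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID={quoteattr(request_id)} Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination={quoteattr(IDP_SSO_URL)} '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL={quoteattr(SP_ACS_URL)}>'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )
    return request_id, xml


def encode_for_redirect(xml):
    """HTTP-Redirect binding encoding: raw DEFLATE, then base64.
    URL-encoding is applied afterwards by urlencode()."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    raw = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(raw).decode("ascii")


def decode_from_redirect(value):
    """Inverse of encode_for_redirect, as the IdP would apply it."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def safe_relay_state(relay_state):
    """Return relay_state if it is a path on this site, otherwise None.

    Modelled on the restriction the article describes (no redirects to
    external sites through RelayState); the concrete rules here are this
    example's own and not NetSuite's implementation.
    """
    if relay_state is None:
        return None
    if len(relay_state.encode("utf-8")) > 80:  # SAML 2.0 Bindings: RelayState is at most 80 bytes
        return None
    parsed = urlparse(relay_state)
    if parsed.scheme or parsed.netloc:  # absolute URL or protocol-relative //host
        return None
    if not relay_state.startswith("/") or relay_state.startswith("//"):
        return None
    if "\\" in relay_state or "\r" in relay_state or "\n" in relay_state:
        return None
    return relay_state


def sp_initiated_login_url(relay_state=None):
    """Build the redirect that starts an SP-initiated flow.

    Returns (request_id, url). A RelayState that fails the check is dropped
    rather than forwarded, so the user still lands on the site's default page.
    """
    request_id, xml = build_authn_request()
    params = {"SAMLRequest": encode_for_redirect(xml)}
    checked = safe_relay_state(relay_state)
    if checked is not None:
        params["RelayState"] = checked
    return request_id, IDP_SSO_URL + "?" + urlencode(params)


if __name__ == "__main__":
    rid, url = sp_initiated_login_url("/orders/42")
    print("stored request id:", rid)
    print("redirect user to:", url)
```

The request ID returned by `sp_initiated_login_url` is the value the SP must store (for example in the session) until the IdP answers; an SP that does not keep it cannot tell a response to its own request from an unsolicited one.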

IdP-Initiated Flow

In contrast, in an IdP-initiated flow the user logs in at the IdP portal first. The IdP then sends the user on to NetSuite together with the SAML assertion, so no further login step is needed.
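The practical difference between the two flows shows up on the receiving side: a response to an SP-initiated flow carries an InResponseTo attribute that must match a request the SP actually issued, while an IdP-initiated response is unsolicited and has none. The checks below are an added example, not NetSuite code or Oracle documentation; they assume the XML signature has already been verified by a SAML library, use constructed identifiers, and include a constructed, unsigned sample response so they run offline.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed identifiers for a hypothetical SP and IdP (not NetSuite's).
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://shop.example.com/saml/metadata"
SP_ACS_URL = "https://shop.example.com/saml/acs"
TRUSTED_IDP = "https://idp.example.org/metadata"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


class SamlResponseError(Exception):
    pass


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, outstanding, seen_assertions, now, allow_idp_initiated=True):
    """Validate a (signature-verified) samlp:Response and return (flow, name_id).

    outstanding: set of AuthnRequest IDs this SP issued and has not yet consumed.
    seen_assertions: set of assertion IDs already accepted (replay protection).
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlResponseError("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlResponseError("IdP did not report success")
    if root.findtext("saml:Issuer", namespaces=NS) != TRUSTED_IDP:
        raise SamlResponseError("unexpected issuer")
    if root.get("Destination") not in (None, SP_ACS_URL):
        raise SamlResponseError("wrong Destination")

    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        if not allow_idp_initiated:
            raise SamlResponseError("unsolicited (IdP-initiated) response not allowed")
        flow = "idp-initiated"
    else:
        if in_response_to not in outstanding:
            raise SamlResponseError("InResponseTo matches no outstanding AuthnRequest")
        outstanding.remove(in_response_to)  # a request is answered at most once
        flow = "sp-initiated"

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlResponseError("no assertion")
    assertion_id = assertion.get("ID")
    if assertion_id in seen_assertions:
        raise SamlResponseError("assertion replayed")
    conds = assertion.find("saml:Conditions", NS)
    if conds is None or now < _ts(conds.get("NotBefore")) or now >= _ts(conds.get("NotOnOrAfter")):
        raise SamlResponseError("assertion outside its validity window")
    audiences = [a.text for a in conds.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise SamlResponseError("assertion not meant for this SP")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL or now >= _ts(scd.get("NotOnOrAfter")):
        raise SamlResponseError("bad subject confirmation")
    if scd.get("InResponseTo") != in_response_to:
        raise SamlResponseError("subject confirmation does not match the response")

    seen_assertions.add(assertion_id)
    return flow, assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


def sample_response(in_response_to=None, assertion_id="_a1", not_on_or_after="2024-06-01T12:05:00Z"):
    """Constructed, unsigned sample for this example; real responses are signed."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-06-01T12:00:00Z" Destination="{SP_ACS_URL}"{irt}>
  <saml:Issuer>{TRUSTED_IDP}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="2024-06-01T12:00:00Z">
    <saml:Issuer>{TRUSTED_IDP}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" NotOnOrAfter="{not_on_or_after}"{irt}/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-06-01T11:59:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    now = datetime(2024, 6, 1, 12, 0, 30, tzinfo=timezone.utc)
    print(check_response(sample_response("_req1"), {"_req1"}, set(), now))
    print(check_response(sample_response(None, "_a2"), set(), set(), now))
```

The `allow_idp_initiated` switch is the design choice worth noting: because an unsolicited response cannot be tied to anything the SP did, a deployment that only ever uses SP-initiated login can reject such responses outright, and one that relies on IdP-initiated access must lean on the assertion-ID and validity-window checks instead.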

SAML SSO Restrictions for Web Store

The SP-initiated flow for web stores is subject to the following restrictions:

  • This flow is applicable only for custom domain websites and is not available for netsuite.com.
  • You cannot simultaneously implement both SAML and OIDC for the same site.
  • Full protection of your website is mandatory for using the SP-initiated flow. Ensure proper configurations on the Web Presence subtab and check the password-protect settings.

Conclusion

Both SP-initiated and IdP-initiated flows offer flexible options for implementing SAML-based SSO in NetSuite. By understanding and configuring these flows correctly, organizations can optimize user experience while maintaining robust security measures.

Who This Affects

  • Administrators: Responsible for configuring the SSO settings in NetSuite.
  • Developers: Implementing custom solutions or integrations that rely on SSO.
  • eCommerce Managers: Ensuring a seamless purchasing experience for web store users.

Key Takeaways

  • NetSuite supports both SP-initiated and IdP-initiated SAML flows.
  • SP-initiated flows require SAML as the primary authentication method or prior browsing history.
  • RelayState should be used cautiously due to security restrictions.
  • Ensure your site is fully protected before implementing these SSO flows.

Source: This article is based on Oracle's official NetSuite documentation.

Frequently Asked Questions

Do I need to configure anything special for SP-initiated SAML flows in NetSuite?

Yes, you need to configure SAML as the primary authentication method or have previous SAML browsing history to initiate an SP-initiated flow. Additionally, ensure that your site is fully protected and check the Web Presence settings.

Can SP-initiated SAML flows be used on netsuite.com domains?

No, SP-initiated SAML flows are applicable only for custom domain websites and not available for netsuite.com.

Is it possible to use both SAML and OIDC on the same NetSuite site concurrently?

No, you cannot implement both SAML and OIDC simultaneously for the same site in NetSuite.

Are there any additional security considerations for using the RelayState parameter in SP-initiated flows?

Yes, for security reasons, NetSuite restricts redirects to external sites via the RelayState parameter when using SP-initiated flows. It's important to use this parameter cautiously.
Source: SP-initiated and IdP-initiated Flows Oracle NetSuite Help Center. This article was generated from official Oracle documentation and enriched with additional context and best practices.
