SP-Initiated and IdP-Initiated Flows in NetSuite
Understanding SP-initiated and IdP-initiated flows in NetSuite's SAML SSO setup is crucial for secure access management.
TL;DR
This article describes the two types of single sign-on (SSO) flows available in NetSuite using the SAML 2.0 standard: SP-initiated and IdP-initiated flows. Understanding these flows is essential for ensuring secure and efficient user authentication across your NetSuite environment.
What Are SP-Initiated and IdP-Initiated Flows?
NetSuite supports both SP-initiated and IdP-initiated SAML 2.0 flows. Both provide Single Sign-On (SSO), letting users reach NetSuite resources without logging in repeatedly.
The SP-Initiated Flow
An SP-initiated flow occurs when a user opens a link or application that directly prompts for SAML authentication. For this flow to start, one of the following must hold:
- SAML is configured as the primary authentication method.
- Alternatively, the user's browser has prior SAML login history, which allows access through a deep link.
For a deeper understanding of setting SAML as the primary authentication method, refer to the relevant documentation.
SAMLRequest and RelayState
To start the login protocol in an SP-initiated flow, a SAMLRequest must be generated. An optional RelayState parameter can be sent alongside the SAMLRequest to carry state information, such as the page the user should land on after authentication. For security reasons, NetSuite restricts redirects to external sites via the RelayState parameter. For comprehensive details, consult the SAML 2.0 specification.
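The following is an added illustration, not NetSuite's own code: it builds an HTTP-Redirect-binding SAMLRequest with a RelayState and applies a same-site check on RelayState of the kind the restriction above implies. The entity ID, ACS URL, IdP URL and allowed host are hypothetical placeholders.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import urlencode, urlsplit

# Hypothetical endpoints for illustration only; real values come from SP/IdP metadata.
SP_ENTITY_ID = "https://shop.example.com/saml/metadata"
SP_ACS_URL = "https://shop.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.com/sso/redirect"
ALLOWED_HOSTS = {"shop.example.com"}  # the SP's own host(s); RelayState may not leave them

def build_authn_request(request_id: str, issue_instant: str) -> str:
    """Minimal, unsigned SAML 2.0 AuthnRequest; request signing is out of scope here."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>'
    )

def encode_redirect_binding(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (wbits=-15, no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def decode_redirect_binding(value: str) -> str:
    return zlib.decompress(base64.b64decode(value), -15).decode()

def safe_relay_state(relay_state: str) -> bool:
    """Accept only this site's destinations: a relative path starting with a single '/'
    or an https URL whose host is allow-listed; everything else is rejected."""
    if not relay_state or len(relay_state.encode()) > 80:  # SAML bindings spec: max 80 bytes
        return False
    if relay_state.startswith("/") and relay_state[1:2] not in ("/", "\\"):
        return True
    parts = urlsplit(relay_state)
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS

def sso_redirect_url(relay_state: str) -> str:
    """URL the SP sends the browser to in order to start an SP-initiated login."""
    if not safe_relay_state(relay_state):
        raise ValueError("RelayState must point back to this site")
    request_id = "_" + uuid.uuid4().hex  # xs:ID must not start with a digit
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    saml_request = encode_redirect_binding(build_authn_request(request_id, issue_instant))
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": saml_request, "RelayState": relay_state})
```

A real deployment would also sign the request per the IdP's metadata requirements and verify the returned RelayState again at the ACS before redirecting.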
IdP-Initiated Flow
In contrast, in an IdP-initiated flow the user logs in at the IdP portal first. The IdP then sends the user to NetSuite with a SAML assertion, without NetSuite having issued a request.
SAML SSO Restrictions for Web Store
There are specific restrictions you should be aware of regarding the SP-initiated flow:
- This flow is applicable only for custom domain websites and is not available for netsuite.com.
- You cannot simultaneously implement both SAML and OIDC for the same site.
- Full protection of your website is mandatory for using the SP-initiated flow. Ensure proper configurations on the Web Presence subtab and check the password-protect settings.
Conclusion
Both SP-initiated and IdP-initiated flows offer flexible options for implementing SAML-based SSO in NetSuite. By understanding and configuring these flows correctly, organizations can optimize user experience while maintaining robust security measures.
Who This Affects
- Administrators: Responsible for configuring the SSO settings in NetSuite.
- Developers: Implementing custom solutions or integrations that rely on SSO.
- eCommerce Managers: Ensuring a seamless purchasing experience for web store users.
Key Takeaways
- NetSuite supports both SP-initiated and IdP-initiated SAML flows.
- SP-initiated flows require SAML as the primary authentication method or prior browsing history.
- RelayState should be used cautiously due to security restrictions.
- Ensure your site is fully protected before implementing these SSO flows.
Frequently Asked Questions
Do I need to configure anything special for SP-initiated SAML flows in NetSuite?
Can SP-initiated SAML flows be used on netsuite.com domains?
Is it possible to use both SAML and OIDC on the same NetSuite site concurrently?
Are there any additional security considerations for using the RelayState parameter in SP-initiated flows?