Tutorial: Integrate Azure AD single sign-on (SSO) with NetSuite
In this tutorial, you'll learn how to integrate NetSuite with Azure Active Directory (Azure AD). When you integrate NetSuite with Azure AD, you can:
- Control in Azure AD who has access to NetSuite.
- Enable your users to be automatically signed in to NetSuite with their Azure AD accounts.
- Manage your accounts in one central location, the Azure portal.
To get started, you need the following items:
- An Azure AD subscription. If you don't have a subscription, you can get a free account.
- A NetSuite single sign-on (SSO)-enabled subscription.
In this tutorial, you configure and test Azure AD SSO in a test environment.
- IDP-initiated SSO.
- JIT (just-in-time) user provisioning.
- NetSuite supports Automated user provisioning.
Because the identifier of this application is a fixed string value, only one instance can be configured in one tenant.
Add NetSuite from the gallery
To configure the integration of NetSuite into Azure AD, add NetSuite from the gallery to your list of managed SaaS apps by doing the following:
- Sign in to the Azure portal with either a work or school account, or a personal Microsoft account.
- In the left pane, select the Azure Active Directory service.
- Go to Enterprise Applications, and then select All Applications.
- To add a new application, select New application.
- In the Add from the gallery section, type NetSuite in the search box.
- In the results pane, select NetSuite, and then add the app. Wait a few seconds while the app is added to your tenant.
Configure and test Azure AD SSO for NetSuite
Configure and test Azure AD SSO with NetSuite by using a test user called B.Simon. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in NetSuite.
To configure and test Azure AD SSO with NetSuite, perform the following steps:
- Configure Azure AD SSO to enable your users to use this feature.
- Configure NetSuite SSO to configure the single sign-on settings on the application side.
- Create the NetSuite test user to have a counterpart of user B.Simon in NetSuite that's linked to the Azure AD representation of the user.
- Test SSO to verify that the configuration works.
Configure Azure AD SSO
To enable Azure AD SSO in the Azure portal, do the following:
In the Azure portal, on the NetSuite application integration page, look for the Manage section, and then select Single sign-on.
In the Select a single sign-on method pane, select SAML.
In the Set up Single Sign-On with SAML pane, select the Edit ("pencil") icon next to Basic SAML Configuration.
In the Basic SAML Configuration section, in the Reply URL text box, type the URL:
NetSuite application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
In addition to above, NetSuite application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.
Name Source attribute account
The value of the account attribute is not real. You'll update this value, as explained later in this tutorial.
On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find Federation Metadata XML and select Download to download the certificate and save it on your computer.
In the Set up NetSuite section, copy the appropriate URL or URLs, depending on your requirement.
Create an Azure AD test user
In this section, you create a test user in the Azure portal called B.Simon.
In the left pane of the Azure portal, select Azure Active Directory > Users > All users.
Select New user at the top of the screen.
In the User properties pane, follow these steps:
a. In the Name box, enter B.Simon.
b. In the User name box, enter the firstname.lastname@example.org (for example, B.Simon@contoso.com).
c. Select the Show password check box, and then write down the value that's displayed in the Password box.
d. Select Create.
Assign the Azure AD test user
In this section, you enable user B.Simon to use Azure single sign-on by granting access to NetSuite.
In the Azure portal, select Enterprise Applications, and then select All applications.
In the applications list, select NetSuite.
In the overview pane, look for the Manage section, and then select the Users and groups link.
Select Add user and then, in the Add Assignment pane, select Users and groups.
In the Users and groups pane, in the Users drop-down list, select B.Simon, and then select the Select button at the bottom of the screen.
If you're expecting any role value in the SAML assertion, do the following:
a. In the Select Role pane, in the drop-down list, select the appropriate role for the user.
b. At the bottom of the screen, select the Select button.
In the Add Assignment pane, select the Assign button.
Configure NetSuite SSO
Open a new tab in your browser, and sign in to your NetSuite company site as an administrator.
In the top navigation bar, select Setup, and then select Company > Enable Features.
In the toolbar at the middle of the page, select SuiteCloud.
Under Manage Authentication, select the SAML Single Sign-on check box to enable the SAML single sign-on option in NetSuite.
In the top navigation bar, select Setup.
In the Setup Tasks list, select Integration.
Under Manage Authentication, select SAML Single Sign-on.
In the SAML Setup pane, under NetSuite Configuration, do the following:
a. Select the Primary Authentication Method check box.
b. Under SAMLV2 Identity Provider Metadata, select Upload IDP Metadata File, and then select Browse to upload the metadata file that you downloaded from the Azure portal.
c. Select Submit.
In the NetSuite top navigation bar, select Setup, and then select Company > Company Information.
b. In the Company Information pane, in the right column, copy the Account ID value.
c. Paste the Account ID that you copied from the NetSuite account into the Attribute Value box in Azure AD.
Before users can perform single sign-on into NetSuite, they must first be assigned the appropriate permissions in NetSuite. To assign these permissions, do the following:
a. In the top navigation bar, select Setup.
b. In the left pane, select Users/Roles, then select Manage Roles.
c. Select New Role.
d. Enter a Name for the new role.
e. Select Save.
f. In the top navigation bar, select Permissions. Then select Setup.
g. Select SAML Single Sign-on, and then select Add.
h. Select Save.
i. In the top navigation bar, select Setup, and then select Setup Manager.
j. In the left pane, select Users/Roles, and then select Manage Users.
k. Select a test user, select Edit, and then select the Access tab.
l. In the Roles pane, assign the appropriate role that you have created.
m. Select Save.
Create the NetSuite test user
In this section, a user called B.Simon is created in NetSuite. NetSuite supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in NetSuite, a new one is created after authentication.
NetSuite also supports automatic user provisioning, you can find more details here on how to configure automatic user provisioning.
In this section, you test your Azure AD single sign-on configuration with following options.
Click on Test this application in Azure portal and you should be automatically signed in to the NetSuite for which you set up the SSO
You can use Microsoft My Apps. When you click the NetSuite tile in the My Apps, you should be automatically signed in to the NetSuite for which you set up the SSO. For more information about the My Apps, see Introduction to the My Apps.
Once you configure the NetSuite you can enforce session controls, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session controls extends from Conditional Access. Learn how to enforce session control with Microsoft Cloud App Security