This article applies to:
- organizations that have enabled SAML Single Sign On (SAML SSO) for accessing their NetSuite instance and use the following CloudExtend Apps:
- CloudExtend Excel for NetSuite
- CloudExtend Outlook for NetSuite
The CloudExtend Apps above use NetSuite's native login flow, available with NetSuite 2019.2. For more on the login flow see this article. CloudExtend Apps are designed to work seamlessly with SAML Single Sign On as long as NetSuite and the IDP are configured correctly. This troubleshooting article describes the issues we have run into when something is misconfigured and the steps required to fix them.
Before troubleshooting, ensure that the following permissions are enabled in the roles your users will use with CloudExtend.
- SOAP Web Services
- User Access Tokens
- SAML Single Sign On
Be sure that SAML Single Sign On is set as the primary authentication method (Setup > Integration > SAML Single Sign-on).
Your organization is using Microsoft Active Directory Federation Server (ADFS)
- NetSuite has additional settings that need to be configured as claim rules and has created this article. Please review this article and adjust your claim rules as needed.
- In some cases users may also have trouble loading the add-in and receive the message 'A problem occurred while trying to reach this add-in.' In such a case the user should ensure their firewall is allowing the add-in. If they are using ADFS they may also need to adjust their claim rules per the above article.
User is able to select role in NetSuite but will receive an error “Invalid Login Attempt”
- Check that the user role has the 'User Access Tokens' permission granted (see prerequisites at the top of this article)
- Check that the CloudExtend integrations are enabled (some admins block integrations from being enabled by default). Go to Setup > Integration > Manage Integrations, find the appropriate CloudExtend App and ensure the status is set to 'enabled'.
Admins are unable to log in via SAML
NetSuite does not allow an Admin role to log in with SAML.
- We recommend that you create a role that closely mirrors your admin role, enable the prerequisite permissions (at the top of this article), and use that role with CloudExtend.
Users are unable to authenticate
- User doesn’t have SAML Single Sign-on permission. (FULL permission level for SAML Single Sign-on permission is required, see prerequisites above).
- Check if the 'SuiteAnalytics Connect' permission is enabled for the role. Roles with this permission granted are restricted by NetSuite from logging in via SAML SSO.
- Your IDP may be sending an alias. It must send the email address that matches the user's NetSuite user account.
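To confirm which identifier the IDP actually sends, the following added example (not CloudExtend or NetSuite code) decodes a base64 SAMLResponse captured from the browser's login POST and compares it with the user's NetSuite email. It assumes the identifier is carried in the assertion's NameID; the sample response, the user and the `mail` attribute name are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an IdP that sends the alias "jdoe" as NameID.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

def sent_identifiers(saml_response_b64):
    """Return (NameID, {attribute name: [values]}) from a base64 SAMLResponse.

    Diagnostic only: the signature is not validated, so run this on
    responses from your own IdP, never to make an access decision.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    name_id = root.findtext(".//saml:Subject/saml:NameID",
                            default="", namespaces=NS).strip()
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name", "")] = values
    return name_id, attrs

def check_identity(saml_response_b64, netsuite_email):
    """Report whether the IdP sends the NetSuite email or an alias."""
    name_id, attrs = sent_identifiers(saml_response_b64)
    want = netsuite_email.strip().lower()
    if name_id.lower() == want:
        return "ok: NameID matches the NetSuite email"
    holders = [n for n, vals in attrs.items() if want in (v.lower() for v in vals)]
    if holders:
        return f"mismatch: NameID is {name_id!r}; the email is only in attribute(s) {holders}"
    return f"mismatch: NameID is {name_id!r}; the NetSuite email is not in the assertion"

if __name__ == "__main__":
    print(check_identity(SAMPLE_B64, "jane.doe@example.com"))
```

A "mismatch" result that names an attribute means the IDP knows the email but is not sending it as the subject, which is fixed in the IDP's claim or attribute mapping rather than in NetSuite.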
Users want to log in with non-SAML roles
Users that have both SAML and non-SAML roles can log in with a non-SAML role by choosing 'Login with your NetSuite password' during the login flow (see screenshot below). Note that non-SAML roles that require two-factor authentication (such as Admin) are not supported.
Your organization previously enabled SAML Single Sign On and subsequently disabled it and users receive an error stating SAML Single Sign On is not enabled in your account
Even if your org has disabled SAML Single Sign On, the NetSuite login flow may still attempt to use your previous SSO configuration to log you in because your IDP configuration still exists. Delete the IDP configuration by navigating to Setup > Integration > SAML Single Sign-on, clicking on Actions, and then Delete IDP Configuration.
Use the 'Troubleshoot SSO URL' (screenshot below) and enter the URL you would use to access NetSuite via your IDP, i.e. find the link you click on to log in to NetSuite via the UI.
- paste this link into the window that opens when you click on 'Troubleshoot SSO URL'
- This will log you in to the NetSuite UI. Once logged in, close the window that opened.
- After a few seconds you will be able to log in from CloudExtend again. The previous steps may have helped clear a NetSuite cache and you may be able to log in via SAML at this point.