This article applies to:
- organizations that have enabled SAML Single Sign On (SAML SSO) for accessing their NetSuite instance and use the following CloudExtend Apps
- CloudExtend Excel for NetSuite
- CloudExtend Outlook for NetSuite
The CloudExtend Apps above use NetSuite's native 3-Step Authorization login flow. For more on the login flow see this article. CloudExtend Apps are designed to work seamlessly with SAML Single Sign On as long as NetSuite and the IDP are configured correctly. This troubleshooting article lists the issues we have run into when something is misconfigured and the steps required to fix them.
Before troubleshooting, ensure that the following permissions are enabled in the roles your users will use with CloudExtend.
- SOAP Web Services
- User Access Tokens
- SAML Single Sign On
Be sure that SAML Single Sign On is set as the primary authentication method (Setup > Integration > SAML Single Sign On).
Unable to log in with a non-SAML role such as Admin
NetSuite does not allow an Admin role to log in via SAML. See this article for the steps to take to log in as an Admin.
When SSO is enabled and you are still prompted for your NetSuite credentials
If you have SAML enabled and are still being prompted to enter your credentials, see this article for the steps to take.
Your organization is using Microsoft Active Directory Federation Server (ADFS)
- NetSuite has additional settings that need to be configured as claim rules and has created this article. Please review this article and adjust your claim rules as needed.
- In some cases users may also have trouble loading the add-in and receive the message 'A problem occurred while trying to reach this add-in'. In such a case the user should ensure their firewall is allowing the add-in. If they are using ADFS they may also need to adjust their claim rules per the above article.
User is able to select role in NetSuite but will receive an error “Invalid Login Attempt”
- Check that the user role has the 'User Access Tokens' permission granted (see prerequisites at the top of this article)
- Check that the CloudExtend integrations are enabled (some admins block integrations from being enabled by default). Go to Setup > Integration > Manage Integrations, find the appropriate CloudExtend App and ensure the status is set to 'enabled'.
Users are unable to authenticate
- User doesn’t have SAML Single Sign-on permission. (FULL permission level for SAML Single Sign-on permission is required, see prerequisites above).
- Check if the 'SuiteAnalytics Connect' permission is enabled for the role. Roles with this permission granted are restricted by NetSuite from logging in via SAML SSO.
- Your IDP may be sending an alias. It must send the email address that matches the user's NetSuite user account.
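To confirm the alias problem described in the last item, compare the identity in a captured SAMLResponse with the email on the NetSuite user record. The sketch below is an added example, not CloudExtend or NetSuite code. It assumes the IDP carries the user identity in the assertion's Subject NameID; the function names, sample response and addresses are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_identity(saml_response_b64, netsuite_email):
    """Compare the Subject NameID in a captured SAMLResponse with the
    email on the user's NetSuite account. Diagnostic only: the signature
    is NOT verified, so never use this to make an access decision."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        return ("encrypted", None)      # NameID not readable without the SP key
    node = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    name_id = (node.text or "").strip() if node is not None else ""
    if not name_id:
        return ("no_name_id", None)
    # Assumption: addresses are compared case-insensitively.
    if name_id.lower() == netsuite_email.strip().lower():
        return ("match", name_id)
    return ("mismatch", name_id)        # e.g. the IDP sent an alias

def sample_response(name_id, encrypted=False):
    """Build a constructed, unsigned SAMLResponse for the demo below."""
    inner = ("<saml:EncryptedAssertion/>" if encrypted else
             "<saml:Assertion><saml:Subject>"
             f"<saml:NameID>{name_id}</saml:NameID>"
             "</saml:Subject></saml:Assertion>")
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
           f"{inner}</samlp:Response>")
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    account_email = "jane.doe@example.com"          # constructed value
    for sent in ("jane.doe@example.com", "jdoe@corp.example"):
        print(sent, "->", check_identity(sample_response(sent), account_email))
```

A "mismatch" result points at the IDP's outgoing claim configuration; an "encrypted" result means the assertion has to be inspected on the IDP side instead.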
Your organization previously enabled SAML Single Sign On and subsequently disabled it and users receive an error stating SAML Single Sign On is not enabled in your account
Even if your org has disabled SAML Single Sign On, the NetSuite login flow may still attempt to use your previous SSO configuration to log you in because your IDP configuration still exists. Delete the IDP configuration by navigating to Setup > Integration > SAML Single Sign-on, clicking Actions, and then Delete IDP Configuration.