This article applies to:
- organizations that have enabled SAML Single Sign On (SAML SSO) for accessing their NetSuite instance and use the following CloudExtend Apps
- CloudExtend Excel for NetSuite
- CloudExtend Outlook for NetSuite
The CloudExtend Apps above use NetSuite's native login flow available with NetSuite 2019.2. For more on the login flow see this article. CloudExtend Apps are designed to work seamlessly with SAML Single On as long as NetSuite and the IDP are configured correctly. We've created this troubleshooting article which can be used to ensure that your organization is aware of issues we have run into when something is misconfigured and the steps required to fix the issue(s).
Before troubleshooting ensure that the following permissions are enabled in the roles your users will use with CloudExtend.
- SOAP Web Services
- User Access Tokens
- SAML Single Sign On
Be sure that SAML Single Sign On is set as the primary authentication method (Setup->Integration-> SAML Single Sign On)
Your organization is using Microsoft Active Directory Federation Server (ADFS)
- NetSuite has additional settings that need to be configured as claim rules and has created this article. Please review this article and adjust your claim rules as needed.
- In some cases users may also have trouble loading the add-in and receive a message 'A problem occurred while trying to reach this add-in. In such a case the user should ensure their firewall is allowing the add-in. If they are using ADFS they may also need to adjust their claim rules per the above article.
- Last, an organization can see this if the Primary Authentication method is not set to SAML. Learn more in this NetSuite article.
User is able to select role in NetSuite but will receive an error “Invalid Login Attempt”
- Check that the user role has the 'User Access Tokens' permission granted (see prerequisites at the top of this article)
- Check that the CloudExtend integrations are enabled (some admins block integrations from being enabled by default). Setup->Integration-Manage Integrations. Find the appropriate CloudExtend App and ensure the status is set to 'enabled'.
Admins are unable to login to authenticate
The NetSuite login flow currently only shows roles that have SAML Single Sign On enabled. NetSuite's login flow only exposes these roles. If you truly need to login to CloudExtend as an Admin we recommend that you create a role that closely mirrors your admin role, enable the prerequisite permissions (at the top of this article), and use that role with CloudExtend.
Users other than Admins are unable to authenticate
- User doesn’t have SAML Single Sign-on permission. (FULL permission level for SAML Single Sign-on permission is required, see prerequisites above).
- Check if the 'SuiteAnalytics Connect' permission is enabled for the role. Roles with this permission granted are restricted by NetSuite from logging in via SAML SSO.
- Your IDP can be sending out an alias. It must send the email address that matches their NetSuite user account
User with multiple roles logs in with SAML SSO and is unable to switch to a different role
- The second role may not have SAML Single Sign-on permission. (A user who has accessed NetSuite through SAML Single Sign-on cannot access any roles that do not have SAML Single Sign-on permission.)
Your organization previously enabled SAML Single Sign On and subsequently disabled it and users receive an error stating SAML Single Sign On is not enabled in your account
Even if your org has disabled SAML Single Sign On the NetSuite login flow may still attempt to use your previous SSO configuration to login you in due to the fact the your IDP configuration still exists. Delete the IDP configuration by navigating to Setup > Integration > SAML Single Sign-on, click on Actions, and then Delete IDP Configuration.