This article applies to:
Organizations that have enabled SAML Single Sign On (SAML SSO) for accessing their NetSuite instance and use the following CloudExtend Apps:
ExtendInsights for Excel NetSuite
ExtendSync for Outlook NetSuite
The CloudExtend Apps above use NetSuite's native 3-Step Authorization login flow.
👉 For more detail on the CloudExtend Login Flow, see the login prerequisites article.
CloudExtend Apps are designed to work seamlessly with SAML Single Sign-On as long as NetSuite and the IdP are configured correctly.
This troubleshooting article lists the issues we have run into when something is misconfigured and the steps required to fix them.
Common Symptom
Users encountering SAML issues may also see:
“A problem occurred while trying to reach this add-in”
during login or while loading the app.
Prerequisites (Before Troubleshooting)
Ensure the NetSuite role used with CloudExtend has the following permissions:
SOAP Web Services
User Access Tokens
SAML Single Sign On
Additionally:
Confirm SAML Single Sign-On is configured as the Primary Authentication Method
Path: Setup → Integration → SAML Single Sign On
If any of the above is missing, CloudExtend authentication via SSO will fail.
Additional Troubleshooting Scenarios
1. Your organization disabled SAML SSO, but users still see SAML-related errors
Your organization previously enabled SAML Single Sign On and subsequently disabled it, and users now receive an error stating that SAML Single Sign On is not enabled in your account.
Even if SAML has been disabled in NetSuite, NetSuite may still attempt to use the old IDP configuration.
Fix
Delete the existing IdP configuration:
Setup → Integration → SAML Single Sign-On → Actions → Delete IDP Configuration
Once removed, NetSuite will no longer attempt to authenticate using previous SAML settings.
2. Unable to log in using a non-SAML role (e.g., Admin role)
NetSuite does not allow an Admin role to log in via SAML.
👉 See the NetSuite Admin login workaround article for steps on logging in without SSO.
3. SAML Enabled, but the user is still prompted for NetSuite credentials
This typically means there is an issue with IDP claim rules or SAML configuration.
👉 Refer to the Prompted for Credentials with SAML Enabled article for instructions.
4. Your organization is using Microsoft Active Directory Federation Server (ADFS)
If your Identity Provider is Active Directory Federation Server (ADFS), NetSuite requires additional claim rule configuration.
👉 Review NetSuite’s ADFS documentation and update your ADFS claim rules accordingly.
Additional note
If users receive “A problem occurred while trying to reach this add-in” when loading the app:
Ensure your firewall allows the ExtendSync add-in
If you use ADFS, confirm your claim rules are configured per NetSuite’s documentation
If you are not using ADFS, try restarting the computer
5. User can select a NetSuite role, but receives “Invalid Login Attempt”
This typically means the user’s role is missing required permissions or integrations are disabled.
Check:
Role has User Access Tokens enabled (see prerequisites)
CloudExtend Integrations are Enabled
6. Users are unable to authenticate via SAML
The user doesn’t have the SAML Single Sign-on permission. (The FULL permission level is required for the SAML Single Sign-on permission; see the prerequisites above.)
Check if the SuiteAnalytics Connect permission is enabled for the role. Roles with this permission granted are restricted by NetSuite from logging in via SAML SSO.
Your IdP may be sending an alias. It must send the email address that matches the user's NetSuite user account.
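To check the alias case above, you can decode a SAMLResponse captured from your own login attempt and compare the identifier it carries with the user's NetSuite email. The script below is an added example, not CloudExtend or NetSuite code; it assumes the identifier is sent in the Subject NameID or in an attribute named "email" (confirm against NetSuite's SAML documentation), and the sample response and function names are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def subject_identifiers(b64_response):
    """Return candidate login identifiers found in a base64 SAMLResponse."""
    xml_bytes = base64.b64decode(b64_response)
    # A SAML response never needs a DTD; refuse it rather than parse it.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations are not expected in SAML")
    root = ET.fromstring(xml_bytes)
    found = {}
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is not None and name_id.text:
        found["NameID"] = name_id.text.strip()
    # Assumption: the IdP may also send the address as an "email" attribute.
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name", "").lower() == "email":
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text:
                found["email attribute"] = value.text.strip()
    return found

def check_identifier(b64_response, netsuite_email):
    """Map each identifier source to True if it equals the NetSuite email."""
    expected = netsuite_email.strip().lower()  # case-insensitive (assumption)
    return {src: val.lower() == expected
            for src, val in subject_identifiers(b64_response).items()}

# Constructed sample: the IdP sends the alias "jdoe" as NameID.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    result = check_identifier(SAMPLE_B64, "jane.doe@example.com")
    for source, ok in result.items():
        print(f"{source}: {'matches' if ok else 'MISMATCH (alias?)'}")
```

If your IdP encrypts assertions, the result will be empty because the Subject is not readable without the decryption key.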
Need Help?
If troubleshooting does not resolve the issue:
💬 Start a chat with us (bottom-right of this page)
📧 Email cloudextend-support@celigo.com
Include:
Your NetSuite Account ID
The role you are logging in with
Your IdP provider (Okta, Azure AD, ADFS, etc.)
Screenshots of any error messages




