Authentication Overview
NetSuite supports many types of authentication, for use in the NetSuite User Interface (UI) as well as authentication methods for API access to NetSuite. In this section, see:
Authentication in the NetSuite UI
Users authenticate by entering an email address and a password to log in to the NetSuite UI. See Your User Credentials for user-facing information.
Topics for administrators include Password Requirements and Policies in NetSuite, NetSuite Login Pages, and Enabling and Creating IP Address Rules.
Two-Factor Authentication (2FA) protects your company from unauthorized access to your data. 2FA is a free solution that offers both online and offline methods for receiving verification codes.
NetSuite requires 2FA for all Administrator and other highly privileged roles in all NetSuite accounts. This includes access to production, sandbox, development, and Release Preview accounts.
The Administrator and other highly privileged roles are designated as 2FA authentication required by default, and this requirement cannot be removed. Any standard or customized roles that include highly privileged permissions are indicated in the Mandatory 2FA column on the Two-Factor Authentication Roles page.
For more information, see the following topics:
Single Sign-on (SSO) Overview
SSO is a way to log in to multiple applications with only one account hosted in one place. This makes it easier to access all of your apps without having to remember more usernames and passwords. It also helps keep your information secure by controlling who can access each app.
NetSuite supports the following methods for inbound SSO access to the NetSuite UI:
- See OpenID Connect (OIDC) Single Sign-on for inbound SSO from the OIDC Provider (OP) of your choice. See also OpenID Connect (OIDC) Access to Web Store.
- See SAML Single Sign-on for inbound SSO using authentication from a third-party identity provider compliant with SAML v2.0. See also SAML Single Sign-on Access to Web Store.
NetSuite supports two outbound single sign-on methods:
- See NetSuite as OIDC Provider. You should use NetSuite as OIDC Provider as the authentication method for outbound single sign-on.
- See Outbound Single Sign-on (SuiteSignOn). SuiteSignOn access to NetSuite from your web store is supported. For more information, see Outbound Single Sign-on (SuiteSignOn) Access from Your Web Store.
Authentication for API Access to NetSuite
NetSuite offers Token-based Authentication (TBA) and OAuth 2.0, enabling client applications to use a token to access NetSuite through APIs. TBA and OAuth 2.0 eliminate the need for RESTlets and web services integrations to store user credentials. You should not employ user credentials as an authentication method for web services integrations or for RESTlets.
OAuth 2.0 cannot be used with SOAP web services. For more information, see Authentication Matrix.
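To make the TBA paragraph above concrete, here is an added example (written for this page, not NetSuite's own code or SDK) of what a token-based request actually carries. NetSuite TBA is OAuth 1.0 (RFC 5849) with the HMAC-SHA256 signature method and the account ID as the realm, so no password travels with the request: the client proves possession of a consumer secret and a token secret by signing the method, URL and parameters. The example goes one step beyond the page by also showing the relying-party side, a verifier that recomputes the signature, checks the timestamp window and compares in constant time, which is what makes a stolen header useless for a different request. Every credential, the account ID `123456_SB1`, the hostname and the `demo_lookup` credential store are constructed placeholders; the function names are this example's own.

```python
"""Token-based Authentication (TBA) request signing and a reference verifier.

NetSuite TBA is OAuth 1.0 (RFC 5849) with HMAC-SHA256; the realm is the
account ID. All credentials, hostnames and account IDs here are constructed
placeholders, and the verifier is a defender's reference check, not NetSuite's.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit, urlunsplit

# Constructed demo credentials: the four TBA secrets plus the account ID (realm).
DEMO_CREDS = {
    "account": "123456_SB1",
    "consumer_key": "demo-consumer-key",
    "consumer_secret": "demo-consumer-secret",
    "token_id": "demo-token-id",
    "token_secret": "demo-token-secret",
}
# Constructed endpoint: a REST web services record query with one query parameter.
DEMO_URL = "https://123456-sb1.suitetalk.api.netsuite.com/services/rest/record/v1/customer?limit=5"


def _pct(value):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters survive."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """RFC 5849 section 3.4.1: METHOD & base-URL & normalized parameters.

    `params` holds the oauth_* protocol parameters; query-string parameters
    from `url` are merged in (duplicates kept, sorted by key then value).
    The realm is deliberately never part of the signed set.
    """
    parts = urlsplit(url)
    base_url = urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path, "", ""))
    pairs = list(parse_qsl(parts.query, keep_blank_values=True)) + list(params.items())
    encoded = sorted((_pct(k), _pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), _pct(base_url), _pct(normalized)])


def hmac_sha256_signature(base_string, consumer_secret, token_secret):
    """Signing key is consumer_secret '&' token_secret (both encoded); output is base64."""
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha256).digest()).decode()


def build_tba_header(creds, method, url, nonce=None, timestamp=None):
    """Client side: build the Authorization header value for one request."""
    oauth = {
        "oauth_consumer_key": creds["consumer_key"],
        "oauth_token": creds["token_id"],
        "oauth_signature_method": "HMAC-SHA256",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce if nonce is not None else secrets.token_hex(16),
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, oauth)
    oauth["oauth_signature"] = hmac_sha256_signature(base, creds["consumer_secret"], creds["token_secret"])
    fields = [f'realm="{_pct(creds["account"])}"'] + [f'{k}="{_pct(v)}"' for k, v in oauth.items()]
    return "OAuth " + ", ".join(fields)


def parse_oauth_header(header):
    """Split an 'OAuth k="v", ...' header value into a dict of decoded values."""
    if not header.startswith("OAuth "):
        return {}
    out = {}
    for field in header[len("OAuth "):].split(","):
        key, _, raw = field.strip().partition("=")
        out[key] = unquote(raw.strip('"'))
    return out


def verify_tba_header(header, method, url, lookup_secrets, now=None, max_skew=300):
    """Server side: recompute the signature over the request actually received.

    `lookup_secrets(consumer_key, token_id)` returns (consumer_secret,
    token_secret) or None. Rejects unknown keys, non-HMAC-SHA256 methods,
    stale timestamps and any mismatch between the signed and the real request.
    """
    p = parse_oauth_header(header)
    if p.get("oauth_signature_method") != "HMAC-SHA256":
        return False
    try:
        ts = int(p["oauth_timestamp"])
    except (KeyError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > max_skew:
        return False
    found = lookup_secrets(p.get("oauth_consumer_key"), p.get("oauth_token"))
    if found is None:
        return False
    consumer_secret, token_secret = found
    signed = {k: v for k, v in p.items() if k.startswith("oauth_") and k != "oauth_signature"}
    expected = hmac_sha256_signature(signature_base_string(method, url, signed), consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode(), p.get("oauth_signature", "").encode())


def demo_lookup(consumer_key, token_id):
    """Constructed credential store holding a single valid (consumer, token) pair."""
    if consumer_key == DEMO_CREDS["consumer_key"] and token_id == DEMO_CREDS["token_id"]:
        return DEMO_CREDS["consumer_secret"], DEMO_CREDS["token_secret"]
    return None


if __name__ == "__main__":
    header = build_tba_header(DEMO_CREDS, "GET", DEMO_URL)
    print(header)
    print("verifies:", verify_tba_header(header, "GET", DEMO_URL, demo_lookup))
```

Two design points worth noting. The secrets never appear in the header, only the consumer key and token ID do, which is why TBA lets an integration avoid storing a user's password; revoking the token invalidates every header ever signed with it. The verifier signs the method and URL it actually received, so a captured header replayed against a different endpoint, verb or query string fails, and the timestamp window bounds how long a capture stays usable at all; a production verifier would additionally record nonces seen inside that window to refuse exact replays.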
For more information, see the following topics:
NetSuite supports two outbound single sign-on authentication methods for integrations:
- See NetSuite as OIDC Provider. The NetSuite as OIDC Provider feature is only supported for RESTlets and REST web services.
- See Outbound Single Sign-on (SuiteSignOn). SuiteSignOn is only supported for SOAP web services.
Device ID authentication is also available in NetSuite. Device ID authentication was developed for use with the SuiteCommerce InStore (SCIS) application. However, you could develop your own applications to use Device ID authentication in NetSuite. See Device ID Authentication. For more information about the SCIS application, see SuiteCommerce InStore (SCIS).
Authentication Matrix
The following table shows the authentication methods supported in NetSuite.
| | NetSuite A | S | SOAP web services | REST web services | SuiteScript RESTlets |
|---|---|---|---|---|---|
| User C | S | S | You should not employ user credentials for SOAP web services. Use Token-based Authentication instead. Currently supported, with the exception of 2FA-required roles. Important: As of the 20.2 endpoint, user credentials are not supported for use with SOAP web services. | — | Important: As of January 1, 2021, user credentials are not supported for use with RESTlets. |
| Token-based A | — | — | Supported. You should use TBA for SOAP web services authentication. | Supported. You should use TBA or OAuth 2.0 for REST web services authentication. | Supported. You should use TBA or OAuth 2.0 for RESTlet authentication. |
| OAuth 2.0 | — | — | — | Supported. You should use OAuth 2.0 or TBA for REST web services authentication. | Supported. You should use OAuth 2.0 or TBA for RESTlet authentication. |
| Two-Factor A | S 2FA is r | — | — | — | — |
| SAML 2.0 | S | S | — | — | — |
| OpenID Connect (OIDC) Single Sign-on | S | S | — | — | — |
The NetSuite Inbound SSO feature is deprecated. Migrate your solutions to a different single sign-on feature:
- Use the OpenID Connect (OIDC) Single Sign-on feature released with 2019.2. For more information, see OpenID Connect (OIDC) Single Sign-on.
- Another alternative is to use the SAML Single Sign-on feature for access to NetSuite. For more information, see SAML Single Sign-on.
- You can use the Token-based Authentication feature for SOAP web services integrations. For more information, see Token-based Authentication (TBA).
As of 2021.1, solutions that still use Inbound SSO no longer work.
Related Topics
- Password Requirements and Policies in NetSuite
- Session Management in NetSuite
- NetSuite Login Pages
- Enabling and Creating IP Address Rules
- Token-based Authentication (TBA)
- OAuth 2.0
- Two-Factor Authentication (2FA)
- Device ID Authentication
- Outbound Single Sign-on (SuiteSignOn)
- NetSuite as OIDC Provider
- SAML Single Sign-on
- OpenID Connect (OIDC) Single Sign-on
- Digital Signing
- SSH Keys for SFTP
- Secrets Management
- RESTlet Authentication