OpenID Connect Permissions
When the OpenID Connect (OIDC) Single Sign-on feature is enabled, the following permissions are available:
- Set Up OpenID Connect (OIDC) Single Sign-on: permits users other than those with an Administrator role (NetSuite administrators) to view and edit the OpenID Connect (OIDC) Single Sign-on setup page. The Administrator role already has this permission.
  Important: This is a highly privileged permission, so two-factor authentication (2FA) is required. Roles with this permission are indicated in the Required 2FA column on the Two-Factor Authentication Roles page. For more information, see Two-Factor Authentication (2FA).
- OpenID Connect (OIDC) Single Sign-on: requires users to log in to the NetSuite UI using the OpenID Connect (OIDC) Single Sign-on feature. This permission must be explicitly assigned to a role.
  Important: Be aware of the following:
  - If a role is designated as Single Sign-on Only, users assigned this permission will not be able to log in to the NetSuite UI from the standard login page with their username and password.
  - Users will receive notifications from NetSuite regarding password expiration. For more information, see Password Expiration Notifications.
  See OpenID Connect Permission Limitations for more information.
- Both OIDC permissions are Setup type permissions that support only a Full permission level.
You can add the OpenID Connect (OIDC) Single Sign-on permission to an existing role, or you can create a new role.
Permissions are added to roles on the Role record page, available at Setup > Users/Roles > User Management > Manage Roles.
After the OpenID Connect (OIDC) Single Sign-on permission has been assigned to a role, there is a small delay before a user can use this role to log in using the OpenID Connect (OIDC) Single Sign-on feature. This delay is related to caching; the new permission is not available until the cache has timed out.
For more information about adding permissions to roles, see Customizing or Creating NetSuite Roles.
OpenID Connect Permission Limitations
OpenID Connect (OIDC) roles and permissions have various limitations that are intended to prevent problems.
No user can log in with an Administrator role using the OpenID Connect (OIDC) Single Sign-on feature. This limitation ensures that an administrator can always log in and resolve any problems that might occur with the OIDC provider (OP) setup or with single sign-on access.
The OpenID Connect (OIDC) Single Sign-on permission cannot be added to a role that has SuiteAnalytics Connect permission. OpenID Connect (OIDC) Single Sign-on access is not supported for SuiteAnalytics Connect.
Some limitations are intended to ensure that the administrator has absolute responsibility for explicitly deciding who is allowed to access their NetSuite account using OpenID Connect (OIDC) Single Sign-on. The administrator is deciding to trust the OP to authenticate users and allow access to their NetSuite account.
- If a role is designated as Single Sign-on Only, users with a role that has OpenID Connect (OIDC) Single Sign-on permission cannot log in directly to the NetSuite user interface using the standard NetSuite login page.
- A user who has accessed NetSuite through the OpenID Connect (OIDC) Single Sign-on feature cannot access any roles that do not have OpenID Connect Single Sign-on permission.
- If a role has OpenID Connect (OIDC) Single Sign-on permission, it cannot also have SAML Single Sign-on permission.
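The permission rules above (2FA on the setup permission, the SuiteAnalytics Connect and SAML exclusions, the Administrator restriction, and the Single Sign-on Only login rules) are easy to violate when roles are customized by hand. The script below is an added example, not NetSuite code or part of this help page: it audits a set of role definitions against those rules offline and decides which roles a session can reach depending on how it was started. The role records, the field names (`sso_only`, `requires_2fa`, `is_administrator`) and the `can_use_role` helper are assumptions made for the demonstration; the permission names are the ones used on this page.

```python
"""Offline audit of NetSuite role definitions against the OIDC permission
rules on this page. Role records are constructed sample data, not a real
NetSuite export; field names are assumptions for this example."""
from dataclasses import dataclass, field

# Permission names as they appear on the page.
SETUP_OIDC = "Set Up OpenID Connect (OIDC) Single Sign-on"
OIDC_SSO = "OpenID Connect (OIDC) Single Sign-on"
SAML_SSO = "SAML Single Sign-on"
SUITEANALYTICS = "SuiteAnalytics Connect"


@dataclass
class Role:
    name: str
    permissions: set = field(default_factory=set)
    sso_only: bool = False         # "Single Sign-on Only" designation (assumed field)
    requires_2fa: bool = False     # value of the Required 2FA column (assumed field)
    is_administrator: bool = False  # Administrator role (assumed field)


def audit_role(role: Role) -> list:
    """Return the rule violations for one role; an empty list means clean."""
    findings = []
    if OIDC_SSO in role.permissions and SAML_SSO in role.permissions:
        findings.append("OIDC SSO and SAML SSO permissions cannot coexist on one role")
    if OIDC_SSO in role.permissions and SUITEANALYTICS in role.permissions:
        findings.append("OIDC SSO cannot be added to a role with SuiteAnalytics Connect")
    if OIDC_SSO in role.permissions and role.is_administrator:
        findings.append("An Administrator role can never log in through OIDC SSO")
    if SETUP_OIDC in role.permissions and not role.requires_2fa:
        findings.append("Set Up OIDC is highly privileged; 2FA must be required")
    return findings


def can_use_role(role: Role, login_method: str) -> bool:
    """Decide whether a session started with login_method ("oidc" or
    "password") can use the role, following the page's access rules."""
    if login_method == "oidc":
        # An OIDC session can only reach roles carrying the OIDC SSO permission,
        # and never an Administrator role.
        return OIDC_SSO in role.permissions and not role.is_administrator
    if login_method == "password":
        # Single Sign-on Only roles are blocked from the standard login page.
        return not role.sso_only
    raise ValueError(f"unknown login method: {login_method}")


# Constructed sample roles covering the clean and the broken cases.
SAMPLE_ROLES = [
    Role("OIDC Employee", {OIDC_SSO}, sso_only=True),
    Role("OIDC Setup Operator", {SETUP_OIDC}, requires_2fa=True),
    Role("Broken Mixed SSO", {OIDC_SSO, SAML_SSO}),
    Role("Broken Analyst", {OIDC_SSO, SUITEANALYTICS}),
    Role("Setup Without 2FA", {SETUP_OIDC}),
    Role("Administrator", {OIDC_SSO}, is_administrator=True),
]


def audit_all(roles=SAMPLE_ROLES) -> dict:
    """Map each non-compliant role name to its list of findings."""
    return {r.name: audit_role(r) for r in roles if audit_role(r)}


if __name__ == "__main__":
    for name, problems in audit_all().items():
        print(name)
        for problem in problems:
            print("  -", problem)
```

Running the audit after each role change, and again after the caching delay mentioned above has passed, catches the conflicts before a user is locked out of a role; the `can_use_role` check is the same decision table a support engineer walks through when a user reports that a role is missing from their role list.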
Related Topics
- OpenID Connect (OIDC) Single Sign-on
- Register NetSuite with Your OpenID Connect Provider
- Enable the OpenID Connect (OIDC) Single Sign-on Feature in NetSuite
- Configure OpenID Connect (OIDC) in NetSuite
- Customize Roles for OpenID Connect
- Assign the OpenID Connect Single Sign-on Role to Users
- User Access to NetSuite with OpenID Connect
- Remove OpenID Connect Access to NetSuite
- Troubleshoot OIDC
- Authentication Overview