- OAuth 2.0 Proof Key for Code Exchange (PKCE) Available for Confidential Clients
- Deprecation of Google OpenID SSO and NetSuite Inbound SSO Features
- OpenID Connect (OIDC) Relying Party-Initiated Logout for NetSuite UI
- Embedding Sensitive Website Pages in an iFrame is Prohibited
- Addition of Logout Entries to Login Audit Trail
- New Design of Login Pages in NetSuite UI
- Recent Changes in NetSuite Service Provider Metadata
- View Unencrypted Credit Cards Permission Now Requires Two-Factor Authentication (2FA)
OAuth 2.0 Proof Key for Code Exchange (PKCE) Available for Confidential Clients
As of 2020.2, NetSuite supports the Proof Key for Code Exchange (PKCE) as an additional security measure for the OAuth 2.0 Authorization Code Grant flow. PKCE is recommended for use with confidential clients in OAuth 2.0.
New Parameters in OAuth 2.0 Authorization Code Grant Flow
With PKCE, NetSuite supports new optional parameters for use with the OAuth 2.0 Authorization Code Grant flow. The parameters are specified in step 1 and step 2 of the flow. For more information, see the help topic OAuth 2.0 Authorization Code Grant Flow.
The values of the code_challenge and code_challenge_method parameters are verified on the authorization server when the authorization code is generated. If the parameters are missing, malformed, or the authorization server cannot read them, the system sends an invalid_request error to the Redirect URI. The system creates the corresponding error entry in the Login Audit Trail.
When the application sends an access token request, the authorization server calculates the code_challenge based on the code_verifier provided. If the verification in step 2 fails, the system returns an HTTP 400 Bad Request response.
Note: In 2020.2, NetSuite does not support PKCE for public clients.
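The two checks described above (challenge validation when the code is issued in step 1, verifier recomputation when the code is redeemed in step 2), as an added illustration that is not NetSuite code: `authorize()` and `redeem()` are hypothetical stand-ins for the authorization and token endpoints, the model always requires PKCE, and it uses the S256 method from RFC 7636.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 code_verifier alphabet and length; a 43-char S256 challenge also matches.
PKCE_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_verifier() -> str:
    """Client, before step 1: random code_verifier, held back until the token request."""
    return b64url(secrets.token_bytes(32))  # 43 characters

def make_challenge(verifier: str, method: str = "S256") -> str:
    """Client, step 1: code_challenge derived from the verifier (S256 = base64url(sha256))."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method")

def authorize(params: dict, store: dict) -> dict:
    """Hypothetical authorization endpoint, step 1: validate the PKCE parameters before
    issuing a code; missing, malformed or unknown values yield invalid_request."""
    challenge = params.get("code_challenge")
    method = params.get("code_challenge_method")
    if method not in ("S256", "plain") or not challenge or not PKCE_RE.match(challenge):
        return {"error": "invalid_request"}
    code = b64url(secrets.token_bytes(16))
    store[code] = (challenge, method)  # bind the challenge to this one-time code
    return {"code": code}

def redeem(store: dict, code: str, verifier: str) -> dict:
    """Hypothetical token endpoint, step 2: recompute the challenge from code_verifier and
    compare in constant time. Any failure is HTTP 400; the code is consumed on first use."""
    entry = store.pop(code, None)
    if entry is None or not PKCE_RE.match(verifier or ""):
        return {"status": 400}
    challenge, method = entry
    if not hmac.compare_digest(make_challenge(verifier, method), challenge):
        return {"status": 400}
    return {"status": 200, "access_token": b64url(secrets.token_bytes(24))}
```

The last assertion a reader may want to try is the RFC 7636 Appendix B vector: the verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk must produce the challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM.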
Deprecation of Google OpenID SSO and NetSuite Inbound SSO Features
As of 2020.2, Google OpenID SSO is deprecated and you cannot use it anymore. As of 2021.1, the NetSuite proprietary Inbound SSO feature is targeted for deprecation. Partners and customers with solutions based on these features must update these solutions to use an alternative inbound single sign-on feature. OpenID Connect (OIDC) SSO and SAML SSO provide alternatives for inbound SSO access to NetSuite UI and Commerce websites.
- To use OpenID Connect (OIDC) SSO, see the help topics OpenID Connect (OIDC) Single Sign-on and OpenID Connect (OIDC) Access to Web Store.
- To use SAML SSO, see the help topics SAML Single Sign-on and SAML Single Sign-on Access to Web Store.
Important: Before the NetSuite proprietary Inbound SSO feature becomes deprecated, you can disable the feature for testing purposes. You can disable and re-enable the feature at any time. To temporarily disable the Inbound SSO feature, go to Setup > Company > Setup Tasks > Enable Features. On the SuiteCloud subtab, check the Disable Inbound Single Sign-on box.
The SOAP web services ssoLogin operation is part of the proprietary Inbound SSO feature. To avoid issues after this feature is deprecated, you must update your integrations that use the ssoLogin operation to use Token-based Authentication (TBA). For more information, see the help topics Token-based Authentication (TBA) and Token-based Authentication and Web Services.
OpenID Connect (OIDC) Relying Party-Initiated Logout for NetSuite UI
As of 2020.2, NetSuite supports Relying Party-initiated logout for OpenID Connect (OIDC) access to the UI. When you configure this feature, the system sends a request to a specified OIDC provider URL to trigger the logout. Consequently, the user is redirected to one of the following:
- The URL specified on the OIDC setup page
- The NetSuite visitor home page
If the OIDC provider does not support the post logout redirect URL functionality, the redirect can be based on the OIDC provider’s specific implementation.
New Fields on the OIDC Setup Page
There are two new fields that you can use to set up Relying Party-initiated logout on the OIDC setup page:
- End Session Endpoint – To automatically populate the end session endpoint, choose Set Configuration From URL. To manually configure the end session endpoint, select Set Configuration Manually and enter a valid URL.
- Post Logout Redirect URL – When a user explicitly logs out of NetSuite, the system redirects the user to the URL entered in this field. The value of the field must match the value on the OIDC provider’s side. If you leave the field empty, the user is redirected to the NetSuite visitor home page or to a different URL, depending on the OIDC provider’s specific implementation.
Note: We do not support the following:
- OpenID Connect Provider-initiated logout
- Relying Party-initiated logout for Commerce websites
Embedding Sensitive Website Pages in an iFrame is Prohibited
As of 2020.2, it is no longer possible to present the Change Password and Change Email Address pages in an iFrame.
NetSuite prohibits the presentation of sensitive pages in an iFrame (an inline frame embedded in a page with an HTML tag) on Commerce website pages. This prohibition was introduced in January 2015. As of that date, browsers no longer rendered login pages presented in iFrames for NetSuite Commerce websites. As of 2020.2, the ban on presenting NetSuite pages in an iFrame has been extended to the Change Password and Change Email Address pages. If you have a SiteBuilder, SuiteCommerce, or SuiteCommerce Advanced website, review your authentication logic to ensure your account complies with the security policy. For more information, see the help topics Secure Login Access to Your NetSuite Account and Displaying Login Fields on Your Web Page.
Addition of Logout Entries to Login Audit Trail
As of 2020.2, the Login Audit Trail additionally tracks explicit user logouts. There are new values for logout entries in the Detail field in the Login Audit trail:
- ExplicitLogout – When a user clicks the Log Out link.
- RoleSwitchLogout – When a user switches to another role.
In some cases, a user’s NetSuite session is ended even when the user has not explicitly logged out of NetSuite. For example, this situation occurs when a user’s NetSuite session times out. If the logout is not explicit, the system does not create a logout entry in the Login Audit Trail.
Important: If you use the data from the Login Audit Trail to count the number of successful logins, you should not include the successful logout entries. You can exclude them by filtering out the new Detail values for successful logouts. Currently, logout entries are not created for SAML SSO logouts initiated by an identity provider. For more information about the Login Audit Trail, see the help topic Login Audit Trail Overview.
New Design of Login Pages in NetSuite UI
As of 2020.2, the design of the NetSuite login pages is changing. The functionality of the login pages will not change. The change is relevant to the following login URLs:
- The customer center login page URL:
  https://
  .app.netsuite.com/app/login/secure/privatelogin.nl
- The following standard login page URLs:
  - https://
    .app.netsuite.com/app/login/secure/enterpriselogin.nl
  - https://system.netsuite.com/app/login/secure/enterpriselogin.nl?c=
    &whence=
The relevant NetSuite login forms are now in a frame in the middle of the login page. Your company logo will appear in the upper part of the customer center login form.
Note: The design of the standard login pages not mentioned above has not changed. For more information, see the help topic Types of Login Pages for Your NetSuite Account.
Recent Changes in NetSuite Service Provider Metadata
As of May 2020, the default Assertion Consumer Service in the NetSuite Service Provider Metadata file refers to the NetSuite system domain: https://system.netsuite.com/saml2/acs. Previously, when you configured SAML Single Sign-on access to NetSuite, the default Assertion Consumer Service referred to a data center domain where your account resided. You used this value to configure the Assertion Consumer Service for your Identity Provider (IdP).
We encourage you to change your SAML SSO configuration for the IdP to use the new default value for the Assertion Consumer Service. This action supports proper functioning of your SAML SSO configuration when your data center changes, or when you configure SAML SSO in multiple accounts. For more information about SAML SSO configuration, see the help topic Configure NetSuite with Your Identity Provider.
View Unencrypted Credit Cards Permission Now Requires Two-Factor Authentication (2FA)
As of 2020.2, the View Unencrypted Credit Cards permission requires Two-Factor Authentication (2FA). If a user logs in to NetSuite with a role that has this permission, the user is prompted to pass the 2FA challenge. If 2FA has not yet been set up for the user, the 2FA setup page shows instead. For more information, see the following topics:
- Two-Factor Authentication (2FA)
- Permissions Requiring Two-Factor Authentication (2FA)
- Complete Your 2FA Setup
Additionally, a user with the View Unencrypted Credit Cards permission cannot access NetSuite through integrations that use user credentials as an authentication method. User credentials are not compliant with the Mandatory 2FA policy. For more information, see the help topic Mandatory Two-Factor Authentication (2FA) for NetSuite Access. You can use other authentication methods to access NetSuite through integrations: OAuth 2.0 and Token-based Authentication (TBA).
- For more information about OAuth 2.0, see the help topic OAuth 2.0.
- For more information about TBA, see the help topic Token-based Authentication (TBA).