This release note was updated March 17, 2021.
NetSuite as OIDC Provider (OP)
A new outbound single sign-on solution is now available for the NetSuite application. The NetSuite as
OIDC Provider feature is based on OpenID Connect, with NetSuite acting as an OIDC Provider (OP). User
credentials and policies are managed by NetSuite. Users can delegate access to a third-party application (relying party, RP) without any further authentication.
OIDC is an identity layer on top of the OAuth 2.0 protocol. OIDC uses JavaScript Object Notation (JSON) as the data format, and uses JSON Web Tokens (JWT) to transfer claims between parties.
The NetSuite as OIDC Provider feature is the recommended solution to replace the Outbound SSO (SuiteSignOn) feature. The Outbound SSO (SuiteSignOn) feature is scheduled to be deprecated in NetSuite 2023.1. You should migrate your solutions to use the NetSuite as OIDC Provider feature before 2023.1.
To enable the NetSuite as OIDC Provider feature, go to Setup > Company > Enable Features. On the SuiteCloud tab, in the Manage Authentication section, check the NetSuite as OIDC Provider box. When this feature is enabled, you can create integration records that use the NetSuite as OIDC Provider feature.
Important: To ensure the NetSuite as OIDC Provider feature works correctly, you also must enable the OAuth 2.0 feature. For more information, see the help topic Enable the OAuth 2.0 Feature.
The NetSuite as OIDC Provider feature introduces a new permission called OIDC Provider Setup. Users who have this permission can allow other users to use the NetSuite as OIDC Provider integrations for outbound single sign-on.
Enhancements to NetSuite OAuth 2.0 Support
NetSuite 2021.1 enhances OAuth 2.0 authorization framework support for access to NetSuite through REST web services and RESTlets. These enhancements include new security measures and support for public clients.
Rotation of Certificates
The system uses certificates to validate access and refresh tokens during the OAuth 2.0 Code Grant flow. These certificates previously had an unlimited time validity and the public key was stable. As of 2021.1, the expiration date of the certificates is 90 days.
The system generates new certificates 30 days before the previous certificates expire. During this 30-day period, both the previous and new certificates are valid. NetSuite public keys used to validate the OAuth 2.0 tokens are available here: https://
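The 30-day overlap described above is what a token consumer has to handle on its side: a token may arrive signed with a key ID (kid) that the consumer has not cached yet, so the verifier should re-fetch the published keys on an unknown kid, but only at a bounded rate so that tokens with bogus kids cannot turn it into a fetch loop, and it must pin the algorithm rather than trust the token header. The following Python example is added here and is not NetSuite code. To run with the standard library alone it uses HS256 with constructed HMAC secrets as a stand-in for NetSuite's certificate-based (public-key) verification; the key IDs, clock values, claims and the fetch function are all constructed. The cache logic is the same for RSA/EC keys fetched from a real key endpoint.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example, not NetSuite code. NetSuite validates OAuth 2.0 tokens with
# certificates (public keys); here the keys are HMAC secrets so the example runs
# offline. Only the rotation handling (lookup by kid, rate-limited refresh on an
# unknown kid, pinned algorithm) is the point.


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class KeyCache:
    """Caches signing keys by kid. During the overlap window the provider publishes
    both the old and the new key, so an unknown kid triggers one re-fetch, but never
    more often than min_refresh_seconds."""

    def __init__(self, fetch_keys, min_refresh_seconds=60, now=time.time):
        self._fetch = fetch_keys            # callable returning {kid: key}
        self._min_refresh = min_refresh_seconds
        self._now = now
        self._keys = {}
        self._last_refresh = None
        self.refresh_count = 0

    def _refresh(self):
        self._keys = dict(self._fetch())
        self._last_refresh = self._now()
        self.refresh_count += 1

    def get(self, kid):
        if self._last_refresh is None:
            self._refresh()
        key = self._keys.get(kid)
        if key is None and self._now() - self._last_refresh >= self._min_refresh:
            self._refresh()
            key = self._keys.get(kid)
        return key


def make_token(kid, key: bytes, claims: dict) -> str:
    """Constructed HS256 token with a kid header (stand-in for the provider's signer)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_token(token: str, cache: KeyCache, now=time.time) -> dict:
    """Returns the claims if the signature and 'exp' check out, else raises ValueError."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust the token's choice
        raise ValueError("unexpected alg")
    key = cache.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("exp", 0) <= now():
        raise ValueError("expired")
    return claims


def rotation_demo():
    """Old key only, then the next key is published, then a token with a kid nobody published."""
    clock = [1_000_000.0]                                       # constructed fake clock
    published = {"cert-2021-01": b"constructed-old-key"}        # constructed key set
    cache = KeyCache(lambda: published, min_refresh_seconds=60, now=lambda: clock[0])
    claims = {"sub": "user@example.com", "exp": clock[0] + 300}

    old = verify_token(make_token("cert-2021-01", published["cert-2021-01"], claims),
                       cache, now=lambda: clock[0])
    # The provider adds the next key ahead of expiry; both keys are live from now on.
    published["cert-2021-03"] = b"constructed-new-key"
    clock[0] += 120
    new = verify_token(make_token("cert-2021-03", published["cert-2021-03"], claims),
                       cache, now=lambda: clock[0])
    # An unpublished kid must fail and, inside the cooldown, must not cause another fetch.
    clock[0] += 10
    try:
        verify_token(make_token("cert-9999", b"unpublished-key", claims), cache, now=lambda: clock[0])
        outcome = "accepted"
    except ValueError as err:
        outcome = str(err)
    return old["sub"], new["sub"], cache.refresh_count, outcome


if __name__ == "__main__":
    print(rotation_demo())
```

The refresh counter is what to watch in a real deployment: it should tick once per rotation, not once per rejected token.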
PKCE for Public Clients
As of 2021.1, the OAuth 2.0 Authorization Code Grant flow is extended to support the use of public clients with OAuth 2.0. Public clients have less strict authentication rules than confidential clients. To configure an integration for use with OAuth 2.0 public clients, check the Public Client box on the integration record. The following rules apply to OAuth 2.0 public clients:
- In the POST request to the token endpoint, the application only sends the client ID.
- The application sends the client ID as a parameter in the body of the request, instead of in the authorization header.
- The application must use PKCE, which is required for public clients.
- The application sends the PKCE parameters in Step 1 and Step 2 of the Authorization Code Grant Flow. For more information, see the help topic OAuth 2.0 Authorization Code Grant Flow.
- The refresh token for public clients is for one-time use only and expires after three hours. With every new refresh token request, the token endpoint generates a new pair of access and refresh tokens.
- The use of public clients is only available in the OAuth 2.0 Authorization Code Grant flow.
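The rules above, carried out in code: the client keeps a random code verifier, sends only its S256 challenge in Step 1, and in Step 2 posts the verifier together with the client ID in the request body, with no Authorization header; the token endpoint then recomputes the challenge and compares. The following Python example is added here and is not NetSuite code. The endpoint URLs, the client ID, the redirect URI and the scope name are placeholders to be taken from your integration record and the OAuth 2.0 Authorization Code Grant Flow help topic; the authorization code is constructed. The token-endpoint check is included to show what the server verifies.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Added example, not NetSuite code. All of the following are placeholders.
AUTHORIZE_URL = "https://account-placeholder.example.invalid/oauth2/authorize"
TOKEN_URL = "https://account-placeholder.example.invalid/oauth2/token"
CLIENT_ID = "PLACEHOLDER_PUBLIC_CLIENT_ID"
REDIRECT_URI = "https://app.example.invalid/callback"
SCOPE = "rest_webservices"            # assumed scope name; use the one your integration needs


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    # RFC 7636: 43..128 unreserved characters; 32 random bytes encode to 43.
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str) -> str:
    """Step 1: the browser redirect. Only the challenge leaves the client."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def build_token_request(code: str, verifier: str) -> dict:
    """Step 2: public clients put client_id in the body and send no Authorization header."""
    return {
        "url": TOKEN_URL,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID,
            "code_verifier": verifier,
        }),
    }


def build_refresh_request(refresh_token: str) -> dict:
    """Public-client refresh tokens are single-use: after this call, store the new
    access/refresh pair from the response and discard the token used here."""
    return {
        "url": TOKEN_URL,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({
            "grant_type": "refresh_token",
            "refresh_token": refresh_token,
            "client_id": CLIENT_ID,
        }),
    }


def token_endpoint_pkce_check(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorization server does in Step 2: recompute S256 over the presented
    verifier and compare it with the challenge remembered from Step 1."""
    return hmac.compare_digest(stored_challenge, code_challenge_s256(presented_verifier))


def public_client_flow_demo() -> dict:
    verifier = new_code_verifier()
    auth_url = build_authorize_url(verifier, state=secrets.token_urlsafe(16))
    query = parse_qs(urlparse(auth_url).query)
    stored_challenge = query["code_challenge"][0]       # what the server remembers
    req = build_token_request(code="constructed-auth-code", verifier=verifier)
    body = parse_qs(req["body"])
    return {
        "verifier_length_ok": 43 <= len(verifier) <= 128,
        "challenge_method_s256": query["code_challenge_method"] == ["S256"],
        "client_id_in_body": body.get("client_id") == [CLIENT_ID],
        "no_auth_header": "Authorization" not in req["headers"],
        "server_accepts": token_endpoint_pkce_check(stored_challenge, body["code_verifier"][0]),
        "server_rejects_other_verifier": not token_endpoint_pkce_check(stored_challenge, new_code_verifier()),
    }


if __name__ == "__main__":
    for name, ok in public_client_flow_demo().items():
        print(f"{name}: {ok}")
```

Because the verifier never leaves the client until Step 2, an authorization code intercepted on the redirect is useless to anyone who does not also hold the verifier; that is the whole reason PKCE is mandatory for public clients, which cannot keep a client secret.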
Deprecation of the NetSuite Inbound Single Sign-on Feature
As of 2021.1, the NetSuite proprietary Inbound SSO feature is deprecated and you cannot use it anymore. Partners and customers with solutions based on this feature must update these solutions to use an alternative inbound single sign-on feature. OpenID Connect (OIDC) SSO and SAML SSO provide alternatives for inbound SSO access to NetSuite UI and Commerce websites.
- To use OpenID Connect (OIDC) SSO, see the help topics OpenID Connect (OIDC) Single Sign-on and OpenID Connect (OIDC) Access to Web Store.
- To use SAML SSO, see the help topics SAML Single Sign-on and SAML Single Sign-on Access to Web Store.
The SOAP web services ssoLogin and mapSso operations are part of the proprietary Inbound SSO feature. To avoid issues after this feature is deprecated, you must update your integrations that use the ssoLogin operation to use Token-based Authentication (TBA) instead. For more information, see the help topics Token-based Authentication (TBA) and Token-based Authentication and Web Services.
Relying Party-initiated (RP) Logout for OpenID Connect Single Sign-on (OIDC) for Web Store
As of 2021.1, NetSuite supports Relying Party-initiated (RP) logout for OpenID Connect Single Sign-on (OIDC) for web store. If your OIDC provider (OP) supports the End Session Endpoint configuration, when a user logs out of NetSuite, they are consequently logged out of the OP. The user is then redirected to the OP login page. NetSuite does not support a logout landing page configuration for OIDC for web store.
Note: If you do not want to configure the End Session Endpoint field on the OIDC for web store setup page, you must do a manual configuration. To do so, choose the Set Configuration Manually option. For more information, see the help topic Configure OpenID Connect (OIDC) in NetSuite.
SAML Single Sign-on Logouts for the NetSuite UI and Web Store
As of 2021.1, NetSuite supports Service Provider-initiated (SP) logout for SAML Single Sign-on access to the UI and web store, and Identity Provider-initiated (IdP) logout for the web store.
Note: NetSuite currently supports only POST binding.
Service Provider-initiated (SP) Logout for the NetSuite UI and Web Store
If your identity provider (IdP) supports the SP-initiated logout, when a user logs out of NetSuite, they are consequently logged out of the IdP. The user is then redirected to the Logout Landing Page specified on the SAML SSO setup page. To ensure the SP-initiated logout for SAML SSO works correctly, check the following:
- Your IdP supports the functionality.
- There is a valid URL in the Logout Landing Page field on the SAML SSO setup page. For more information, see the help topic Logout Landing Page.
- The IdP metadata file used for SAML SSO setup includes the Single Logout Service (SLO) parameter. Note: If the SLO parameter is missing from the IdP metadata file, the SP-initiated logout does not initiate the IdP logout.
Identity Provider-initiated (IdP) Logout for Web Store
The IdP-initiated logout was previously only available for the NetSuite UI. As of 2021.1, this logout is also available for the web store. When NetSuite receives a logout request from the IdP, all related NetSuite sessions are ended.
Deprecation of HMAC-SHA1 for Token-based Authentication (TBA)
As of 2021.1, it is no longer possible to start using the HMAC-SHA1 signature method for Token-based Authentication (TBA). If you are actively using the HMAC-SHA1 signature method in your account, you can continue using it currently, but you must stop using it before your account is upgraded to NetSuite 2022.1. You should use the HMAC-SHA256 signature method to create new solutions for use with TBA. You also should update your existing solutions to use HMAC-SHA256 as soon as possible.
As of 2022.1, any solutions using the TBA feature with HMAC-SHA1 as a signature method will stop working. You must update your TBA integrations to use HMAC-SHA256 before your account is upgraded to 2022.1. This limitation also applies to any third-party integration.
Before 2022.1, you must update your authorization header to use HMAC-SHA256. To do so, change the value of the oauth_signature_method parameter to HMAC-SHA256. The value of the oauth_signature parameter should change accordingly. For more information, see the following help topics: Example OAuth Header, The Authorization Headers, and The Signature for Web Services and RESTlets.
Important: If you are using a library for signing, verify whether the library supports HMAC-SHA256, and if needed, update the library with HMAC-SHA256 support.
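Changing oauth_signature_method is only half of the update: the oauth_signature value must be computed with HMAC-SHA256 over the same OAuth 1.0a signature base string, and the realm (the account ID) is sent in the header but never enters that base string. The following Python example is added here and is not NetSuite code; it builds a complete TBA Authorization header with the standard library, refuses to emit HMAC-SHA1 so that no new request can be produced with the deprecated method, and includes a small header parser for inspecting the result. The host name, account ID, consumer key and secret, and token ID and secret are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlparse, urlunparse

# Added example, not NetSuite code. The TBA Authorization header is an OAuth 1.0a
# header whose realm is the NetSuite account ID. Every credential here is a
# constructed placeholder.


def pct(value: str) -> str:
    # OAuth 1.0a percent-encoding: only A-Z a-z 0-9 - . _ ~ stay unencoded.
    return quote(value, safe="~")


def signature_base_string(method: str, url: str, oauth_params: dict) -> str:
    """RFC 5849 section 3.4.1: method, base URL, and the sorted query + oauth parameters."""
    parts = urlparse(url)
    base_url = urlunparse((parts.scheme.lower(), parts.netloc.lower(), parts.path, "", "", ""))
    params = list(parse_qsl(parts.query, keep_blank_values=True)) + list(oauth_params.items())
    encoded = sorted((pct(k), pct(str(v))) for k, v in params)
    param_string = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(param_string)])


def signing_key(consumer_secret: str, token_secret: str) -> str:
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def build_tba_header(method, url, realm, consumer_key, consumer_secret, token_id, token_secret,
                     signature_method="HMAC-SHA256", nonce=None, timestamp=None) -> str:
    """Returns the full 'OAuth ...' header value. HMAC-SHA1 is refused on purpose."""
    if signature_method != "HMAC-SHA256":
        raise ValueError(f"unsupported oauth_signature_method: {signature_method}")
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token_id,
        "oauth_nonce": nonce or secrets.token_hex(10),
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_signature_method": signature_method,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, oauth_params)
    digest = hmac.new(signing_key(consumer_secret, token_secret).encode("ascii"),
                      base.encode("ascii"), hashlib.sha256).digest()
    oauth_params["oauth_signature"] = base64.b64encode(digest).decode("ascii")
    # realm is carried in the header but is not part of the signature base string.
    fields = [f'realm="{pct(realm)}"'] + [f'{k}="{pct(v)}"' for k, v in oauth_params.items()]
    return "OAuth " + ", ".join(fields)


def header_params(header_value: str) -> dict:
    """Parses an 'OAuth k="v", ...' header value back into a dict."""
    if not header_value.startswith("OAuth "):
        raise ValueError("not an OAuth header")
    pairs = [item.split("=", 1) for item in header_value[len("OAuth "):].split(", ")]
    return {k: v.strip('"') for k, v in pairs}


def demo_header() -> str:
    return build_tba_header(
        "GET",
        "https://account-placeholder.example.invalid/services/rest/record/v1/customer?limit=5",
        realm="ACCOUNT_ID_PLACEHOLDER",
        consumer_key="constructed-consumer-key",
        consumer_secret="constructed-consumer-secret",
        token_id="constructed-token-id",
        token_secret="constructed-token-secret",
    )


def deprecated_method_rejected() -> bool:
    """Confirms the builder refuses to produce an HMAC-SHA1 header."""
    try:
        build_tba_header("GET", "https://example.invalid/", "r", "ck", "cs", "t", "ts",
                         signature_method="HMAC-SHA1")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo_header())
```

Note that query parameters from the URL (limit=5 above) are part of the signed parameter set; a signature computed over the path alone will be rejected even with the correct method.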
Unsupported Cipher Suite for SuiteAnalytics Connect
As of February 2021, the following cipher suite is no longer supported for SuiteAnalytics Connect:
ECDHE-RSA-AES128-SHA256
Currently, you can use this cipher suite to access other NetSuite services. However, support for this cipher suite is scheduled to end soon, and you will not be able to use it to access any NetSuite services. You will receive a notification with the date of the upcoming end of support.
Additionally, the list of supported cipher suites has changed. If you are using a cipher suite that is not supported, you cannot access any NetSuite services that require the use of cipher suites. You should remove the unsupported cipher suite and include one of the supported cipher suites. For more information about the supported and unsupported cipher suites, see the help topic Supported TLS Protocol and Cipher Suites.
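On the client side, removing a suite means two things: the TLS library must stop offering it, and any driver or application configuration that lists suites by name must be cleaned up. The following Python example is added here and is not NetSuite code. It builds a TLS 1.2+ client context that excludes ECDHE-RSA-AES128-SHA256, lists what the context actually offers so the exclusion can be verified, and flags unsupported names in a configured list. The allow-list string is an assumed modern subset in OpenSSL cipher-string syntax; the authoritative list is the Supported TLS Protocol and Cipher Suites help topic.

```python
import ssl

# Added example, not NetSuite code. Only ECDHE-RSA-AES128-SHA256 is named as
# unsupported on this page; ASSUMED_ALLOWED is an assumption, not NetSuite's list.
UNSUPPORTED_SUITES = ("ECDHE-RSA-AES128-SHA256",)
ASSUMED_ALLOWED = "ECDHE+AESGCM:ECDHE+CHACHA20"       # OpenSSL cipher-string syntax


def build_client_context(unsupported=UNSUPPORTED_SUITES) -> ssl.SSLContext:
    """TLS 1.2+ client context that never offers the dropped suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # '!NAME' removes a suite from the list permanently, even if a later term re-adds it.
    ctx.set_ciphers(ASSUMED_ALLOWED + "".join(f":!{name}" for name in unsupported))
    return ctx


def offered_cipher_names(ctx: ssl.SSLContext) -> list:
    """Names the context would offer in a ClientHello (TLS 1.3 suites included)."""
    return [c["name"] for c in ctx.get_ciphers()]


def flag_unsupported(configured_names, unsupported=UNSUPPORTED_SUITES) -> list:
    """For configs that list suites by name (driver properties, app settings):
    returns the entries that must be removed."""
    return [name for name in configured_names if name in unsupported]


def context_is_clean(ctx: ssl.SSLContext) -> bool:
    return not flag_unsupported(offered_cipher_names(ctx))


if __name__ == "__main__":
    context = build_client_context()
    print("clean:", context_is_clean(context))
    for name in offered_cipher_names(context):
        print(" ", name)
```

Run the listing against the context your integration really uses (not a fresh default one): the offered set depends on the OpenSSL build and on any cipher string the application or driver applies.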
New Look for NetSuite Authentication Email Messages
NetSuite system-generated email messages related to authentication, including messages about password expirations, password resets, and security questions, have a new look. This new design is intended to provide better readability. The following image is an example of the header for redesigned authentication messages. Both users and administrators will see the new look in authentication-related email messages.
Create Your Own Test Window for HMAC-SHA1 in TBA Integrations
As of NetSuite 2022.1, the HMAC-SHA1 signature method for Token-based Authentication (TBA) integrations will no longer be supported, and any integrations still using it will stop working. To help you prepare for the end of support, you can temporarily disable the HMAC-SHA1 signature method for TBA in your production account. Disabling HMAC-SHA1 temporarily allows you to test your TBA integrations to verify that they are not using the HMAC-SHA1 signature method.
Note: Support ended on July 30, 2021 for the HMAC-SHA1 signature method for TBA integrations in all non-production accounts, such as sandbox, test drives, development accounts, and Release Preview accounts.
To temporarily disable HMAC-SHA1 for TBA in your NetSuite production account:
- Go to Setup > Company > Setup Tasks > Enable Features.
- Click the SuiteCloud tab, and scroll down to the Manage Authentication section.
- Check the Disable HMAC-SHA1 for Token-based Authentication box.
To re-enable HMAC-SHA1 for TBA, clear the Disable HMAC-SHA1 for Token-based Authentication box.
Important: You must update any TBA integrations to use HMAC-SHA256 for the signature method before the end of support in NetSuite 2022.1. Accounts will be upgraded to 2022.1 between February and April of 2022. For more information, see the help topic The Signature for Web Services and RESTlets.
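The test window shows what breaks once HMAC-SHA1 is switched off; knowing beforehand which integrations will break, and who owns them, makes the window short and predictable. If the outbound requests of your integrations pass through a gateway or proxy that logs the Authorization header, the oauth_signature_method of every TBA request is visible there. The following Python example is added here and is not NetSuite code: it parses constructed log lines (timestamp, integration name, then the header as sent, an assumed format) and reports, per integration, the consumer keys and the last request still signed with HMAC-SHA1. Account ID and signature values in the sample are placeholders.

```python
import re
from collections import defaultdict

# Added example, not NetSuite code. Constructed log lines in an assumed format:
# "<timestamp> <integration> Authorization: OAuth ...". Signatures and the realm
# are placeholders. One integration (erp-sync) is mid-migration and sends both methods.
SAMPLE_LOG = """\
2021-11-02T08:15:02Z erp-sync Authorization: OAuth realm="ACCOUNT_PLACEHOLDER", oauth_consumer_key="ck-erp", oauth_token="tk-erp", oauth_nonce="n1", oauth_timestamp="1635840902", oauth_signature_method="HMAC-SHA1", oauth_version="1.0", oauth_signature="placeholder"
2021-11-02T08:15:09Z billing-export Authorization: OAuth realm="ACCOUNT_PLACEHOLDER", oauth_consumer_key="ck-billing", oauth_token="tk-billing", oauth_nonce="n2", oauth_timestamp="1635840909", oauth_signature_method="HMAC-SHA256", oauth_version="1.0", oauth_signature="placeholder"
2021-11-02T08:16:41Z erp-sync Authorization: OAuth realm="ACCOUNT_PLACEHOLDER", oauth_consumer_key="ck-erp", oauth_token="tk-erp", oauth_nonce="n3", oauth_timestamp="1635841001", oauth_signature_method="HMAC-SHA256", oauth_version="1.0", oauth_signature="placeholder"
2021-11-02T08:17:05Z legacy-connector Authorization: OAuth realm="ACCOUNT_PLACEHOLDER", oauth_consumer_key="ck-legacy", oauth_token="tk-legacy", oauth_nonce="n4", oauth_timestamp="1635841025", oauth_signature_method="HMAC-SHA1", oauth_version="1.0", oauth_signature="placeholder"
2021-11-02T08:17:30Z health-check GET /services/rest/record/v1/metadata-catalog 200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<integration>\S+) Authorization: (?P<header>OAuth .*)$")
PARAM_RE = re.compile(r'(realm|oauth_[a-z_]+)="([^"]*)"')


def parse_oauth_header(value: str) -> dict:
    """Turns 'OAuth k="v", k2="v2"' into a dict; unknown fields are ignored."""
    return dict(PARAM_RE.findall(value))


def sha1_usage_report(log_text: str) -> dict:
    """Maps each integration still signing with HMAC-SHA1 to its consumer keys, the
    number of such requests, and the time of the last one."""
    report = defaultdict(lambda: {"consumer_keys": set(), "requests": 0, "last_seen": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                  # not a TBA request line
        params = parse_oauth_header(m["header"])
        if params.get("oauth_signature_method") != "HMAC-SHA1":
            continue
        entry = report[m["integration"]]
        entry["consumer_keys"].add(params.get("oauth_consumer_key", "?"))
        entry["requests"] += 1
        entry["last_seen"] = m["ts"]
    return {
        name: {"consumer_keys": sorted(v["consumer_keys"]),
               "requests": v["requests"],
               "last_seen": v["last_seen"]}
        for name, v in report.items()
    }


if __name__ == "__main__":
    for name, info in sorted(sha1_usage_report(SAMPLE_LOG).items()):
        print(f"{name}: {info['requests']} HMAC-SHA1 request(s), keys {info['consumer_keys']}, "
              f"last {info['last_seen']}")
```

An integration that appears in the report with only some of its requests on HMAC-SHA1 (erp-sync in the sample) is the case the test window catches best: it works most of the time and fails only on the code path that still uses the old library.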