
Authentication Updates in NetSuite 2021.2


Enhancements to NetSuite OAuth 2.0 Support

NetSuite 2021.2 introduces the client credentials flow, a new type of OAuth 2.0 flow, and updates the consent screen, which is now designed for better readability and easier use. The Allow/Continue button is now highlighted.

OAuth 2.0 Client Credentials Flow

As of NetSuite 2021.2, you can implement the OAuth 2.0 client credentials flow. The standard OAuth 2.0 client credentials flow has one step and does not require any user interaction. To use the OAuth 2.0 client credentials flow, the Administrator must check the Client Credentials Grant (Server-To-Server) box in the integration record. The Administrator must also register the public key with the integration and the account. Every integration-account pair must have its own public key.

Consent is granted automatically when the flow initiates. It is possible to manually revoke the consent to invalidate the access token for an integration.

A request to the token endpoint in the OAuth 2.0 client credentials flow consists of two steps:

  • The application sends the request parameters for authentication.
  • If the request is successfully authorized, the system issues an access token that is valid for 60 minutes. There is no refresh token, so the application must authenticate again after the access token expires.

Note: The use of public clients is not supported for the OAuth 2.0 client credentials flow.
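The two-step exchange above, as an added Go example that is not NetSuite's own code: the integration signs a JWT client assertion with the private key whose public half was registered on the integration record, sends the single token request, and re-authenticates once the 60-minute access token expires because no refresh token exists. The RFC 7523 claim set, the PS256 algorithm and the kid value are assumptions; the NetSuite help lists the exact claims the token endpoint expects.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"net/url"
	"time"
)

// JWT segments are base64url without padding.
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// ClientAssertion builds the signed JWT that identifies the integration to the
// token endpoint. The private key pairs with the public key registered on the
// integration record. The RFC 7523 claim set, PS256 and the kid value are
// assumptions here; the NetSuite help documents the exact claims it expects.
func ClientAssertion(key *rsa.PrivateKey, kid, clientID, tokenURL, scope string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "PS256", "typ": "JWT", "kid": kid})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": clientID, "scope": scope, "aud": tokenURL,
		"iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(), // keep the assertion short-lived
	})
	input := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest[:], nil)
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// TokenRequestBody is the single request of the flow: no user interaction.
func TokenRequestBody(assertion string) string {
	v := url.Values{}
	v.Set("grant_type", "client_credentials")
	v.Set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
	v.Set("client_assertion", assertion)
	return v.Encode()
}

// NeedsReauth: the access token is valid for 60 minutes and there is no
// refresh token, so an expired (or missing) token means running the flow again.
func NeedsReauth(token string, issued, now time.Time) bool {
	return token == "" || !now.Before(issued.Add(60*time.Minute))
}
```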

You can now choose how often a consent screen displays during the OAuth 2.0 authorization code grant flow. You can choose to always display the consent screen, never display it, or display it the first time only. See the following for more details about these options:

  • Ask always - This is the default option. The consent screen displays every time the OAuth 2.0 code grant flow is initiated.
  • Ask never - The consent screen does not display during the OAuth 2.0 code grant flow. The integration is auto-approved by the Administrator.
  • Ask for the first time - The consent screen only displays the first time the OAuth 2.0 code grant flow is initiated. The consent screen also displays if any of the following is true:
    • The consent was not given previously
    • The system does not know which role or account to choose for the user to log in with
    • The application requires a different set of scopes and needs a new consent

Integration developers can adjust the consent screen options using the prompt parameter in Step One of the OAuth 2.0 code grant flow.

Note: If there is no active NetSuite session, the user must authenticate even if the consent screen does not display. In that case, the user is redirected to the NetSuite login form or to an identity provider's login form.

End of Support for HMAC-SHA1 Signature Method for TBA Postponed

The end of support for the HMAC-SHA1 signature method for the Token-based Authentication (TBA) feature has been postponed until 2022.1. Originally, the end of support was targeted for 2021.2. Even though the end of support has been delayed, you should update your integrations to use HMAC-SHA256 as soon as possible. When your account is upgraded to NetSuite 2022.1, any integrations using the TBA feature with HMAC-SHA1 as the signature method will stop working. The end of support and the request to change the signature method to HMAC-SHA256 also apply to third-party integrations. You must use the HMAC-SHA256 signature method to create new integrations for use with TBA. Before 2022.1, you must update your authorization header to use HMAC-SHA256. To update the authorization header, change the values of the oauth_signature_method parameter and the oauth_signature parameter to HMAC-SHA256. For more information, see the help topics Example OAuth Header, The Authorization Headers, and The Signature for Web Services and RESTlets.

Important: If you are using a library for signing, verify that the library supports HMAC-SHA256, and if needed, update to a library with HMAC-SHA256 support.
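The header update described above, as an added Go example that is neither NetSuite's nor any signing library's code: it builds the OAuth 1.0a signature base string for a RESTlet call (script and deploy query parameters included), computes oauth_signature with HMAC-SHA256, and assembles the TBA Authorization header with oauth_signature_method set to HMAC-SHA256. The host example.invalid, the account ID used as realm and the credential values are constructed placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"net/url"
	"sort"
	"strings"
)

// encode is the RFC 3986 percent-encoding OAuth 1.0a requires (space is %20, never +).
func encode(s string) string { return strings.ReplaceAll(url.QueryEscape(s), "+", "%20") }

// SignatureBaseString (OAuth 1.0a): METHOD & url-without-query & sorted query and oauth_* params.
// realm is sent in the header but never signed; oauth_signature must not be in oauthParams yet.
func SignatureBaseString(method, rawURL string, oauthParams map[string]string) string {
	u, err := url.Parse(rawURL)
	if err != nil {
		return ""
	}
	var pairs []string
	for k, vs := range u.Query() {
		for _, v := range vs {
			pairs = append(pairs, encode(k)+"="+encode(v))
		}
	}
	for k, v := range oauthParams {
		pairs = append(pairs, encode(k)+"="+encode(v))
	}
	sort.Strings(pairs)
	base := u.Scheme + "://" + u.Host + u.Path
	return strings.ToUpper(method) + "&" + encode(base) + "&" + encode(strings.Join(pairs, "&"))
}

// SignHMACSHA256 yields oauth_signature for oauth_signature_method=HMAC-SHA256; the MAC key is
// "consumerSecret&tokenSecret" with each secret percent-encoded.
func SignHMACSHA256(baseString, consumerSecret, tokenSecret string) string {
	mac := hmac.New(sha256.New, []byte(encode(consumerSecret)+"&"+encode(tokenSecret)))
	mac.Write([]byte(baseString))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// AuthorizationHeader builds the TBA header: realm is the account ID, params already hold oauth_signature.
func AuthorizationHeader(realm string, params map[string]string) string {
	parts := []string{`realm="` + encode(realm) + `"`}
	for k, v := range params {
		parts = append(parts, k+`="`+encode(v)+`"`)
	}
	return "OAuth " + strings.Join(parts, ", ")
}
```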

Enhancements to the SAML Single Sign-on Service Provider-initiated (SP) Flow for Web Store

As of 2021.2, the SAML Single Sign-on feature for web store setup is enhanced. It is now possible to make SAML SSO the primary authentication method on the SAML SSO for Web Store setup page. To make SAML SSO the primary authentication method, check the Primary Authentication Method box on the setup page. By checking the box, you choose the service provider-initiated flow for your web store.

  • By default, the Primary Authentication Method box is not checked for a new web store setup. If you used the SAML Single Sign-on feature for web store before, the box is checked by default. If SAML users click a link to access NetSuite when no active NetSuite session exists, they are redirected to the NetSuite login page. This redirect might cause issues for users who do not know their NetSuite credentials.
  • If the Administrator checks the Primary Authentication Method box, users can be redirected to the external IdP login page. This redirect is available if:
    • The user has already logged in to NetSuite, and the redirect occurs based on previous experience with NetSuite
    • The access link identifies the web store by a web store-specific domain URL

Users are redirected to the IdP login page when the session times out.

Note: If the Primary Authentication Method box is checked, and a user clicks a link containing the c or compid URL parameter or the account-specific domain URL, the user is redirected to the external IdP login page. The originally requested URL is passed as a RelayState parameter, in accordance with the SAML 2.0 specification. As a result, the IdP can direct the user back to the correct NetSuite resource after authentication. If there is a live session for the IdP, the user is redirected back to the NetSuite resource without being asked for credentials. For more information, see the help topic SAML Single Sign-on Access to Web Store.