Demand planning SSO login stuck in authentication loop when MFA enabled

Our demand planning users are stuck in an endless authentication loop after we enabled MFA for SSO logins in NetSuite 2023.2. They authenticate successfully with our identity provider (Okta), complete the MFA challenge, get redirected back to NetSuite, but then immediately get sent back to the SSO login page again.

The loop continues indefinitely. Regular NetSuite users with SSO work fine - only demand planning module users are affected. We’ve verified the SAML assertion attributes look correct in the Okta logs, and the user roles include proper demand planning permissions.

SAML response shows:


<saml:Attribute Name="email">
  <!-- value omitted from the post -->
</saml:Attribute>
<saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue>Demand Planner</saml:AttributeValue>
</saml:Attribute>

Anyone encountered this specific issue with SSO and MFA integration in the demand planning module?

Check if your SAML assertion includes the NetSuite internal role ID rather than just the role name. Demand planning roles often have specific internal IDs that need to be mapped correctly in the SAML attribute statement. The role name “Demand Planner” might not be matching what NetSuite expects.

I’ve resolved this exact issue multiple times with demand planning SSO implementations. The problem stems from how NetSuite handles SSO and MFA integration specifically for module-specific roles.

Root Cause: The authentication loop occurs because the SAML assertion attributes don’t include the required module-specific session parameters that demand planning needs. When MFA is enabled, NetSuite validates not just the user credentials but also the module access context, and demand planning has stricter requirements than other modules.

SAML Assertion Attributes Configuration:

Your SAML response needs three specific attributes for demand planning with MFA:

<saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue>user@company.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="role">
  <saml:AttributeValue>3</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="subsidiary">
  <saml:AttributeValue>1</saml:AttributeValue>
</saml:Attribute>

The role value must be the internal NetSuite role ID (numeric), not the role name. To find this, go to Setup > Users/Roles > Manage Roles, open your Demand Planner role, and look at the URL - the ID is in the parameter role=X.

SSO and MFA Integration Fix:

In Okta (or your IdP), you need to configure the SAML assertion to handle the MFA session token properly:

  1. Increase the SAML assertion validity period:

// In Okta SAML settings:
Assertion Validity: 10 minutes (not default 5)
Single Logout: Enabled
Authn Context Class: PasswordProtectedTransport

  2. Add the NetSuite-specific attributes in your Okta application:
  • Go to Applications > [Your NetSuite App] > Sign On > SAML Settings
  • Add custom attribute statements:
    • Name: role, Value: user.netsuiteRoleId
    • Name: subsidiary, Value: user.netsuiteSubsidiary
    • Name: department, Value: user.netsuiteDepartment (if applicable)

Authentication Loop Troubleshooting Steps:

  1. Verify NetSuite SAML Configuration:

Setup > Company > Enable Features > SuiteCloud > Manage Authentication
SAML Single Sign-on Settings:
- Entity ID: Must match Okta exactly
- SSO URL: Must use HTTPS
- SLO URL: Must be configured (required for MFA)
- Certificate: Must be current and not expired
  2. Check Role Mapping: The critical piece most implementations miss is that demand planning roles require explicit module access mapping in the SAML configuration. In NetSuite:

// Pseudocode - SAML role mapping validation:
1. Navigate to Setup > Company > SAML Single Sign-on
2. Click "Manage Role Mappings"
3. For each demand planning role:
   a. Add role ID from SAML assertion
   b. Map to internal NetSuite role ID
   c. Enable "Allow Module-Specific Access"
   d. Check "Require Subsidiary Context"
4. Save and deploy configuration
// This ensures MFA session includes module context
  3. MFA Session Persistence: The authentication loop happens because the MFA token isn’t persisting across the SAML redirect. In NetSuite, enable these settings:
  • Setup > Company > General Preferences > Security
  • “Remember Device for MFA”: 30 days
  • “SSO Session Timeout”: 60 minutes
  • “Require MFA for Role Changes”: Disabled (this causes loops)
  4. Browser Cookie Configuration: Demand planning SSO with MFA requires SameSite=None cookies. Verify in your SAML response:

<samlp:Extensions>
  <cookiePolicy sameSite="None" secure="true"/>
</samlp:Extensions>

Testing Procedure:

  1. Clear all browser cookies and cache
  2. Navigate to your NetSuite SSO URL (not the direct login)
  3. Authenticate with Okta
  4. Complete MFA challenge
  5. Monitor the SAML POST in browser dev tools - verify the response includes all three attributes (email, role ID, subsidiary)
  6. Check NetSuite’s SAML verification log: Setup > Company > SAML SSO > View Authentication Logs

Common Pitfalls:

  • Using role name instead of role ID in SAML assertion
  • Not configuring Single Logout URL (required for MFA)
  • Certificate mismatch between Okta and NetSuite
  • Missing subsidiary context in SAML attributes
  • Browser blocking third-party cookies (especially Safari)

After implementing these changes, the authentication loop should resolve. The key is ensuring the SAML assertion includes the module-specific context that demand planning requires, and that the MFA session token persists through the entire redirect chain.

Authentication loop troubleshooting usually points to session cookie issues. When MFA is enabled, NetSuite creates an additional session token that needs to persist across the redirect. Check if your users have third-party cookies blocked in their browsers - this is critical for SSO with MFA. Also verify that the SAML response includes the SessionIndex attribute, as this is required for maintaining session state during MFA flows. I’ve seen Chrome’s enhanced privacy settings cause exactly this symptom.
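A small checker for the SAML response captured in the browser's dev tools, added here as an example and not code from any of the posts above: it tests for the three attributes the long answer lists (email, a numeric role ID, subsidiary) and for the SessionIndex this reply mentions. The attribute names, the check logic and the embedded sample response are assumptions drawn from this thread, not NetSuite documentation.

```python
# Added example: sanity-check a decoded SAML Response against what the thread says
# NetSuite demand planning SSO needs. Attribute names follow the answer above and
# are assumptions; the sample response at the bottom is constructed.
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def decode_saml_response(b64_response: str) -> str:
    """Decode the base64 SAMLResponse form field seen in the SAML POST."""
    return base64.b64decode(b64_response).decode("utf-8")

def check_saml_response(xml_text: str) -> list[str]:
    """Return the problems found; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    problems = []
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        vals = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = vals
    # The three attributes the answer says must be present (assumed names).
    for name in ("email", "role", "subsidiary"):
        if not attrs.get(name):
            problems.append(f"missing attribute: {name}")
    # Role must be the numeric internal ID, not the display name.
    role = attrs.get("role", [""])[0]
    if role and not role.isdigit():
        problems.append(f"role is a name ({role!r}), expected numeric internal ID")
    # SessionIndex on the AuthnStatement, as the last reply recommends.
    authn = root.find(".//saml:AuthnStatement", NS)
    if authn is None or not authn.get("SessionIndex"):
        problems.append("AuthnStatement lacks SessionIndex")
    return problems

# Constructed sample resembling the questioner's response: role by name, no subsidiary,
# no SessionIndex. Every check should report a problem.
SAMPLE_BAD = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>user@company.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="role"><saml:AttributeValue>Demand Planner</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for p in check_saml_response(SAMPLE_BAD):
        print("FAIL:", p)
```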