You’ve hit a common but poorly documented issue with SAML SSO and JIT provisioning in NetSuite 2024.1, particularly when migrating identity providers. Let me walk you through the complete solution that addresses all three aspects of your problem.
Understanding Why the SAML Assertion Is Missing the Role Attribute:
The core issue is that NetSuite’s SAML implementation requires role information to be passed in a very specific format during JIT provisioning. When you migrated to the new Okta tenant, the attribute format changed from ‘memberOf’ to ‘groups’, but more critically, the values themselves are probably in a different structure. NetSuite expects role mappings to use either:
- NetSuite internal role IDs (numeric)
- Role names that exactly match your NetSuite role records
- A custom attribute you’ve explicitly mapped in SAML configuration
Your SAML assertion is likely sending group names like ‘HR-Employees’ or ‘Onboarding-Team’, but NetSuite doesn’t know how to translate these to actual NetSuite roles.
Why Manual Role Assignment Works:
Manual assignment works because you’re directly selecting NetSuite role objects through the UI, bypassing the SAML attribute mapping entirely. This proves your role configuration is correct - the issue is purely in the SAML-to-NetSuite translation layer.
Complete Solution for Automated Provisioning:
Step 1: Configure Okta Attribute Mapping
In your Okta NetSuite application:
- Go to Applications > NetSuite > Sign On tab
- Click Edit under SAML 2.0 Settings
- Add a custom attribute statement:
  - Name: netsuiteRoles (this is what NetSuite will look for)
  - Name format: Unspecified
  - Value: Use Okta Expression Language to transform groups
Example expression:
String.replace(String.join(",", user.groups), "HR-Employees", "3")
Where “3” is your NetSuite HR Employee role internal ID.
Step 2: Configure NetSuite SAML Attribute Mapping
In NetSuite:
- Navigate to Setup > Company > Setup Tasks > Single Sign-On
- Click on your SAML SSO configuration
- Under the ‘Attribute Mappings’ section, add:
  - SAML Attribute: netsuiteRoles
  - NetSuite Field: Role
  - Mapping Type: Direct
Step 3: Set Up Role Mapping Table
Create a mapping document that correlates:
- Okta Group Name → NetSuite Role Name → NetSuite Role Internal ID
For example:
- HR-Employees → Employee: HR → 3
- HR-Managers → HR Manager → 15
- Onboarding-Coordinators → HR Onboarding → 22
You’ll need these internal IDs for your Okta expression.
Step 4: Handle Multi-Role Scenarios
If users can have multiple roles, configure Okta to send comma-separated role IDs:
String.join(",", Arrays.transform(user.groups, "groupToRoleID"))
And in NetSuite SAML settings, set ‘Multiple Roles’ to ‘Allowed’.
Resolving Onboarding SLA Breaches:
Immediate workaround while implementing the above:
- Create a ‘New Hire Default’ role with minimal permissions
- Set this as the ‘Default Role for JIT Users’ in SAML settings
- Implement a scheduled script that runs hourly to:
  - Identify users with only the default role
  - Check their Okta group membership via API
  - Assign appropriate roles programmatically
This gets new hires into the system immediately while proper role assignment happens within an hour.
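The following is an added example, not code from the original answer or from NetSuite/Okta: a pure-Python model of the group-to-role translation from Steps 3 and 4 and of the hourly reconciliation pass described in the workaround above. The role IDs, group names, environment table and user records are constructed sample data, the default-role ID 99 and the admin-group mapping are hypothetical, and the Okta/NetSuite API calls a real scheduled script would make are replaced with in-memory dictionaries.

```python
DEFAULT_ROLE_ID = 99                     # hypothetical 'New Hire Default' role ID
BLOCKED_ROLE_NAMES = {"Administrator"}   # roles NetSuite will not assign via JIT

# Okta group name -> (NetSuite role name, internal ID), one table per account,
# because internal IDs differ between sandbox and production (constructed IDs).
ROLE_MAP = {
    "production": {
        "HR-Employees": ("Employee: HR", 3),
        "HR-Managers": ("HR Manager", 15),
        "Onboarding-Coordinators": ("HR Onboarding", 22),
        "NetSuite-Admins": ("Administrator", 1),   # constructed; must never be JIT-assigned
    },
    "sandbox": {
        "HR-Employees": ("Employee: HR", 1003),
        "HR-Managers": ("HR Manager", 1015),
        "Onboarding-Coordinators": ("HR Onboarding", 1022),
    },
}

# Constructed NetSuite employee records (employee id -> current role IDs) and
# the Okta group memberships the scheduled script would fetch via the Okta API.
SAMPLE_USERS = {"emp-101": [99], "emp-102": [99, 15], "emp-103": [99]}
SAMPLE_OKTA_GROUPS = {
    "emp-101": ["HR-Employees", "Onboarding-Coordinators", "Everyone"],
    "emp-102": ["HR-Managers"],
    "emp-103": ["NetSuite-Admins", "Everyone"],
}

def groups_to_role_ids(groups, env):
    """Translate Okta group names into unique NetSuite role internal IDs.
    Unknown groups are ignored, blocked roles are never emitted, and an
    empty result falls back to the default JIT role."""
    table = ROLE_MAP[env]
    ids = set()
    for group in groups:
        role = table.get(group)
        if role is None or role[0] in BLOCKED_ROLE_NAMES:
            continue
        ids.add(role[1])
    return sorted(ids) or [DEFAULT_ROLE_ID]

def role_attribute_value(groups, env):
    """Comma-separated role IDs, the shape Step 4 sends in netsuiteRoles."""
    return ",".join(str(i) for i in groups_to_role_ids(groups, env))

def reconcile(users, okta_groups, env):
    """Hourly pass: users holding only the default role get roles derived from
    their Okta groups (the default role is replaced, an assumption here).
    Returns (changes applied, users that still need manual review)."""
    changes, needs_review = {}, []
    for user_id, roles in users.items():
        if set(roles) != {DEFAULT_ROLE_ID}:
            continue                        # already provisioned; leave untouched
        mapped = groups_to_role_ids(okta_groups.get(user_id, []), env)
        if mapped == [DEFAULT_ROLE_ID]:
            needs_review.append(user_id)    # nothing mapped, or only blocked roles
            continue
        users[user_id] = mapped
        changes[user_id] = mapped
    return changes, needs_review
```

Users that land in the review list are the ones whose Okta groups map to nothing assignable, which is exactly the case that would otherwise sit silently on the default role past the SLA.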
Testing the Solution:
- Create a test user in Okta with known group memberships
- Have them authenticate to NetSuite via SAML
- Verify their user record shows correct role assignments
- Check Setup > Company > System Notes to see the JIT provisioning activity
Common Gotchas:
- Role internal IDs can differ between NetSuite environments (sandbox vs production)
- Some role types (like ‘Administrator’) can’t be assigned via JIT for security reasons
- NetSuite caches SAML configurations for up to 15 minutes - wait after changes
After implementing this solution, your new employee onboarding should be fully automated again, and you’ll meet your SLA requirements without manual intervention.