How to configure SAML SSO for Sugar

Matthew Marum — February 14, 2017

Many customers want to configure Sugar for Single Sign On (SSO). Well, Sugar supports Security Assertion Markup Language (SAML), so this must be easy, right? But the devil is always in the details.

Each SAML identity provider behaves a little differently. Each of these systems has different terminology and methods for configuration and may use different default settings. Some of these important configuration settings can make the difference between a successful SSO implementation and a tire fire. For example, are users provisioned Just-In-Time or will they be provisioned manually? Did you know that Sugar uses the e-mail address as the SAML application username format?
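The two settings called out above (how users are identified and whether the assertion is addressed to the right Sugar instance) are exactly the ones worth checking in a captured SAML response before blaming the toolkit. The following diagnostic is an added example written for this post; it is not Sugar's code and not part of any identity provider's documentation. It assumes, from the statement above, that Sugar expects the NameID to carry the user's e-mail address (the standard SAML `emailAddress` NameID format), and the hostnames, audience value `sugar-prod` and sample response are all constructed. It only inspects an assertion; signature verification stays with Sugar's SAML toolkit and is not reimplemented here.

```python
"""Inspect a SAML 2.0 Response for the settings that most often break Sugar SSO:
the NameID format (Sugar keys users on e-mail address), the Audience (must
equal the SP entity ID / Relying Party Trust identifier of this Sugar instance)
and the Conditions validity window.

Diagnostic only: assumes the response was already signature-checked by the
SP's SAML toolkit. Sample data below is constructed, not captured from a real IdP.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Assumption from the post: Sugar uses the e-mail address as the SAML username.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample (hypothetical hosts, no signature) so the script runs offline.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2017-02-14T10:00:00Z"
    Destination="https://sugar.example.com/index.php?module=Users&amp;action=Authenticate">
  <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-02-14T10:00:00Z">
    <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-02-14T09:55:00Z" NotOnOrAfter="2017-02-14T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>sugar-prod</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_time(stamp):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, expected_audience, now):
    """Return {'nameid', 'nameid_format', 'problems'}; an empty problems list means
    the response carries what a Sugar instance identified by expected_audience needs."""
    root = ET.fromstring(xml_text)
    problems = []
    result = {"nameid": None, "nameid_format": None, "problems": problems}

    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("Status is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plain Assertion (EncryptedAssertion is not handled here)")
        return result

    # 1. NameID must be present and must be an e-mail address, not a UPN or SID.
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None or not (nameid.text or "").strip():
        problems.append("Subject has no NameID")
    else:
        result["nameid"] = nameid.text.strip()
        result["nameid_format"] = nameid.get("Format")
        if result["nameid_format"] != EMAIL_FORMAT or "@" not in result["nameid"]:
            problems.append("NameID %r is not an e-mail address (Format %r)"
                            % (result["nameid"], result["nameid_format"]))

    # 2. Audience must name this Sugar instance; two instances need two identifiers.
    audiences = [(a.text or "").strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("Audience %r does not match expected %r" % (audiences, expected_audience))

    # 3. Validity window; clock skew between IdP and Sugar shows up here.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < parse_time(not_before):
            problems.append("assertion not yet valid (NotBefore)")
        if not_on_or_after and now >= parse_time(not_on_or_after):
            problems.append("assertion expired (NotOnOrAfter)")
    return result


if __name__ == "__main__":
    report = check_response(SAMPLE_RESPONSE, "sugar-prod", parse_time("2017-02-14T10:00:00Z"))
    print("NameID:", report["nameid"], "problems:", report["problems"] or "none")
```

Run it against a decoded `SAMLResponse` taken from the browser's POST to Sugar; a NameID that turns out to be a UPN or a SID, or an Audience that still equals the identity provider's default identifier, explains most "the user is not found" failures. Pass `datetime.now(timezone.utc)` as `now` for a live response.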

Below are instructions for configuring SAML SSO with a couple of common identity providers.

Okta

One of our Solution Architects, Enrico Simonetti, wrote a good summary of how to configure SAML authentication for Sugar using Okta as the identity provider. Okta is convenient for trying out SSO because they have a developer program you can join. Enrico also covers a few tips and details that can trip up any SAML implementation.

Please visit Enrico’s post called SSO Authentication on SugarCRM with SAML for more details including screen shots and even code examples.

Active Directory Federation Service

The most common system that we get questions about is Microsoft’s Active Directory Federation Service (ADFS). ADFS is pretty complicated so there are several steps that you need to follow to get it done right.

We recently published a SugarCRM Knowledge Base article called Configuring SSO With Active Directory’s ADFS. It was written by Lars Blockken, one of our Senior Technical Account Managers, and in it he walks you through each of these steps in detail along with screenshots. It will have you up and running on ADFS in no time!

Matthew Marum

Matt is the Director of Developer Advocacy for SugarCRM. Previously he was an Engineer on Sugar 7 and a Solutions Architect for the OEM program. He is also an avid trail runner, Boston Marathon qualifier and a karaoke aficionado.

15 responses to How to configure SAML SSO for Sugar

  1. 

    Do you know if this will work if implemented on two separate Sugar instances, but using same Active Directory?
    In other words, one company
    one Active Directory
    Two Sugar instances

    • 

      Yes, this will work. You would just treat the 2 Sugar instances as separate applications from Active Directory perspective. It shouldn’t be any different than configuring any other app for single sign on. You would just repeat the steps for both instances. Though if you go through steps listed in that KB article, you will see in step 9 that you will need to make sure your Relying Party Trust Identifier is different for each Sugar instance that you integrate. So you will not be able to use the default.

  2. 

    SugarCRM uses a very old version of the Onelogin SAML toolkit.
    https://github.com/sugarcrm/sugarcrm_dev/tree/master/modules/Users/authentication/SAMLAuthenticate/lib/onelogin

    A review of this implementation is required.

    • 

      Sixto – you are looking at Community Edition which is no longer enhanced by SugarCRM. Our commercial editions of Sugar, such as Sugar 7 Professional, Enterprise, and Ultimate, use much newer versions of the OneLogin SAML toolkit. For example, Sugar 7.8 uses version 2.6.1.

  3. 

    Is there any way for a single Sugar instance to support more than one SSO provider? We use SAML login with our current employees. However, we are looking at adding external vendors to our instance as well so they can participate on sales opportunities. These users are stored in a separate directory and would need to authenticate against a different SAML provider.

    I assume you would have to use different entry points/URLs for the user categories. I’m betting this isn’t supported out of the box, but I’m wondering if it is a customization which has been done.

    • 

      Hi Aaron,

      No way that you could synchronize these identities into a single IdP? It might make it all easier to manage.

      Out of the box we only support one SSO provider. You can completely override Sugar’s authentication mechanism with any method of your choosing by creating a custom SugarAuthenticate class and setting $sugar_config['authenticationClass'] to this class name. You can see examples of different Sugar authentication classes under modules/Users/authentication.

      • 

        We are pushing to have the directories authenticate through a single provider so we could bypass the issue and simplify management. However, I don’t have a guarantee that is doable in our environment yet. I just wanted to verify the functionality wasn’t built in and get some idea of the customization effort.

        Thanks for your reply.

  4. 

    Will you also cover Multifactor Authentication soon?
    Ideally a Sugar built module rather than a 3rd party SaaS provider?

  5. 

    Hi Matthew, we tried to configure ADFS for SugarCRM but no success. I followed the article but nevertheless the request seems not even to be able to reach ADFS. Should I update only the onelogin saml2 module? We have Version 7.8.2 and Sugar Version 6.5.24 (Build 509).

    • 

      Are you using Community Edition or Professional/Enterprise? The KB article indicates that it should work for Sugar 6.x but this is likely just for commercial editions of Sugar.

  6. 

    Hi Matthew, I am looking for a solution to capture the IP address where Sugar is integrated with Okta. I have two challenges. First I am investigating how to capture the IP address in Okta, and then how to pass the IP address to Sugar, so Sugar can parse the IP (basically location) and produce the UI accordingly. Do you have any idea whether there is any way to pass an extra parameter from Okta to Sugar? My assumption is that capturing the IP address is possible in Okta.