Enhancing Security in Sugar with Single Sign-On using Azure Active Directory

by Paul Candela on August 17, 2015

One of the best things about Office 365 is its integration with Azure Active Directory (AAD). Simply put, AAD is a cloud-based directory and identity management system. This means that a single account, your Office 365 account, can be used to authenticate to any number of different cloud-based services, including SugarCRM. While AAD does have a paid subscription element, the parts we need for integrating with SugarCRM are free.

Getting Started

To get this working in SugarCRM, you’ll need to have the following items:

  1. An Office 365 Subscription with an administrator login.
  2. Two SugarCRM Accounts
    • One must be a system administrator
  3. A text editor application.  In this article, I’ll be using notepad.
  4. Optional (but helpful): access to two different computers when testing.  If something goes wrong, you should be able to use the ‘Admin’ account to log back in and disable SSO for troubleshooting.

Before Starting

  • The user’s Email Address in SugarCRM must match the username of their Office 365 Account.
  • While SugarCRM supports authentication using either LDAP or SAML, Azure AD requires Sugar On-Demand. 

Is Azure Enabled?

If it's not already enabled, you’ll need to activate your subscription to Azure Active Directory.  If this is already done, feel free to skip the next five steps and advance to ‘Setting up Sugar in Azure.'

The easiest way to do this is from the Office 365 Admin Center. 

  1. Log in at https://login.microsoftonline.com/
  2. On the right, scroll down until you find ‘Admin’ and click on ‘Azure AD’.
  3. Your browser will open a new tab and you’ll be prompted to ‘Purchase’.  Don’t worry, it’s free. You’ll be getting the ‘Free’ service detailed here:  http://azure.microsoft.com/en-us/pricing/details/active-directory/
  4. After you click the ‘Purchase’ button, your Azure AD subscription will be created.  This takes a few minutes.  The page will refresh once it’s completed.
  5. Once completed, click ‘Start managing my service’ to get started.

Setting up SugarCRM in Azure

  1. In your Azure subscription, click on your directory.
  2. Click on ‘Applications’

     
  3. Click the ‘Add’ button.  It’s tricky to find; it’s at the very bottom of the page.
  4. Select ‘Add an application from the gallery’

     
  5. Search for ‘SugarCRM’.   When it displays in the list, select it and then click the checkbox.

     
  6. Once the application is added, Azure will prompt you to begin set up.  Click ‘Configure single sign-on’.

     
  7. Click the Next arrow.

     
  8. Enter your SugarCRM Sign-on URL.  Click the Next arrow.

     
  9. Click the ‘Download certificate’ link.  Then open your downloads directory and locate the certificate file.

     
  10. In a new browser window, log into SugarCRM as an administrator.
  11. Once logged into SugarCRM, navigate to the Admin page and click on Password Management.
       

     
  12. Hidden at the bottom of the page is ‘SAML Authentication’.  Click the checkbox.

     
  13. On the browser with the ‘Configure Single Sign-On’ window, copy the ‘Remote Login URL’ and paste it into BOTH the Login URL and SLO URL.

     
  14. Restore your downloads folder, right-click on the certificate file and open it with notepad.
      

     
  15. Copy the contents of the notepad file into the X509 Certificate field.

     
  16. Click ‘Save’.

     
  17. Check the box next to ‘Confirm that you have configured …’ and click the Next arrow.

     
  18. Click the Finish button.

     
  19. Click on Assign accounts.

     
  20. Select all the users who will be using Single Sign-On (you can use Control + Click to select more than one).  Once you’ve got all the users selected, click ‘Assign’.
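
A pre-flight check for the values entered in steps 13 to 15, worth running before you click ‘Save’. This PowerShell is an added example, not part of the original article and not SugarCRM or Azure code; the function name Test-SamlSettings, the sample URL and the generated stand-in certificate are assumptions made for illustration.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper: reports problems with the SAML values before they are saved.
function Test-SamlSettings {
    param([string]$LoginUrl, [X509Certificate2]$Certificate, [int]$WarnDays = 30)
    $problems = @()
    $uri = $null
    # The same URL goes into both the Login URL and SLO URL fields, so check it once.
    if (-not [Uri]::TryCreate($LoginUrl, [UriKind]::Absolute, [ref]$uri) -or $uri.Scheme -ne 'https') {
        $problems += 'Login/SLO URL is not an absolute https:// URL'
    }
    $now = Get-Date
    if ($now -lt $Certificate.NotBefore) { $problems += 'certificate is not yet valid' }
    if ($now -gt $Certificate.NotAfter) { $problems += 'certificate has expired' }
    elseif ($Certificate.NotAfter -lt $now.AddDays($WarnDays)) {
        $problems += "certificate expires within $WarnDays days; plan the rollover"
    }
    # Only the public certificate belongs in the X509 Certificate field.
    if ($Certificate.HasPrivateKey) { $problems += 'input carries a private key' }
    $rsa = [RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    if ($rsa -and $rsa.KeySize -lt 2048) { $problems += "RSA key is only $($rsa.KeySize) bits" }
    if ($Certificate.SignatureAlgorithm.FriendlyName -match 'md5|sha1') {
        $problems += "weak signature algorithm: $($Certificate.SignatureAlgorithm.FriendlyName)"
    }
    $sha256 = [SHA256]::Create()
    [pscustomobject]@{
        Subject  = $Certificate.Subject
        NotAfter = $Certificate.NotAfter
        # Record this fingerprint so a later certificate change can be recognised.
        Sha256   = [BitConverter]::ToString($sha256.ComputeHash($Certificate.RawData)) -replace '-', ':'
        Problems = $problems
    }
}

# Constructed sample: a throwaway self-signed certificate valid for 10 more days,
# standing in for the file downloaded in step 9 (needs .NET Framework 4.7.2+ or PowerShell 7).
# For the real file use [X509Certificate2]::new('<path to the downloaded certificate>').
$key = [RSA]::Create(2048)
$req = [CertificateRequest]::new('CN=Constructed Sample', $key,
    [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$selfSigned = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(10))
$publicOnly = [X509Certificate2]::new($selfSigned.RawData)   # RawData holds the public part only

Test-SamlSettings -LoginUrl 'https://login.example.invalid/saml2' -Certificate $publicOnly | Format-List
```

An empty Problems list means the URL and certificate passed every check; the constructed sample is reported as expiring soon because it was generated with a 10-day lifetime.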

Logging into SugarCRM with SSO

Now that Azure and SugarCRM are both configured, it’s time to test.

  1. From another user’s computer, open a browser and navigate to your Sugar instance. 
  2. You’ll notice that the browser has blocked a pop-up window. 

     
  3. Click the box and select the option that will always allow the pop-ups.

     
  4. Refresh the page.

     
  5. Once the page refreshes, you’ll get a pop-up asking for the user’s Office 365 Login.  Provide the credentials and click Sign In.  Optionally, you can click ‘Keep me signed in’.  This has the benefit of simply logging you into SugarCRM whenever you browse to the page.

     
  6. Once you’ve signed in, it will take between 5 and 10 seconds for SugarCRM to complete the login process.

 



We hope you've enjoyed this tutorial on Enhancing Security with Sugar with Single Sign-On and Azure Active Directory. If you have any questions, reach out to our team here,  and we'll be happy to answer!


Paul Candela
Director of Technology at UpCurve Cloud