Single Sign On (SSO): Best Practices for Sugar

by Cristian Golopenta on October 17, 2017

Many websites and services require some form of authentication before their features or content can be accessed. As the number of such websites and services keeps growing, a centralized login system has become a necessity in web development.

SSO protocol integration is the response to this need. Different SSO protocols share session data in different ways, but the main concept is the same: there is a central domain through which authentication is performed, and the resulting session is then shared with other domains in some way.

Here is a general flow diagram that shows how SSO works:

SugarCRM supports Single Sign On, and it can be configured easily from the Administration Panel.

Sugar can use external authentication protocols (LDAP or SAML) to give users a seamless login process. The LDAP and SAML configuration options are located in the last two panels of the Password Management page:

How SSO works with Sugar

When users of your Sugar system try to log in, the application first attempts to authenticate their credentials against the LDAP directory or the SAML IdP. If that authentication succeeds, the user is granted access to Sugar. If it fails, Sugar will attempt to verify the provided user credentials against its own database.

Sugar can be integrated with different IdPs (Identity Providers).

Here is an example of how to integrate Sugar SSO authentication support with Okta IdP:

First, you need a valid Okta account and an Okta application linked to the Sugar system.

Then, in Sugar, open 'Password Management' from the Administration Panel and check 'Enable SAML Authentication.' Fill in the following information:

  1. Login URL: Sign in to the Okta Admin dashboard to generate this value
  2. SLO URL: Do not enter any value here; the field must be empty
  3. X.509 Certificate: Sign in to the Okta Admin dashboard to generate this value
  4. Check the 'Load login screen in the same window to avoid pop-up blocking' option

Save the settings and try to log in to Sugar. When the 'Login' button is pressed, you should be redirected to the login URL specified in the 'SAML Authentication' section.

Alternatively, Sugar can be integrated with any other available IdP using LDAP or SAML.

There is still one additional aspect to consider: configuring the SSO login flow on the mobile platform. Because the login URL differs between the two clients (one for the desktop browser, one for use in the mobile app), the mobile SSO settings are configured separately by adding the following to config.override.php:

$sugar_config['SAML_loginurl_mobile'] = '{SSO URL for the mobile IdP}';
$sugar_config['SAML_SLO_mobile'] = '{SLO URL for the mobile IdP}';
$sugar_config['SAML_x509Cert_mobile'] = '{certificate for the mobile IdP}';
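Misconfigured SAML settings (a plain-http login URL, an unparseable or expired IdP certificate) are a common source of the SSO failures the troubleshooting tools below are used for. The following is an added example, not code from the original post or from SugarCRM: a small sanity check run over the values before they go into config.override.php. The mobile keys are the ones listed above; the desktop keys SAML_loginurl, SAML_SLO and SAML_X509Cert, and the function name, are assumptions.

```php
<?php
// Added example (not from the post or SugarCRM): validate SAML settings before
// writing them to config.override.php. Desktop key names are assumed.

function samlConfigProblems(array $cfg): array
{
    $problems = [];

    // The browser is redirected to the login URL, so it must use TLS.
    foreach (['SAML_loginurl', 'SAML_loginurl_mobile'] as $key) {
        $url = (string) ($cfg[$key] ?? '');
        if ($url === '' || parse_url($url, PHP_URL_SCHEME) !== 'https') {
            $problems[] = "$key must be an https:// URL";
        }
    }

    // SLO may be left empty (as in the Okta walkthrough); if set, require TLS.
    foreach (['SAML_SLO', 'SAML_SLO_mobile'] as $key) {
        $url = (string) ($cfg[$key] ?? '');
        if ($url !== '' && parse_url($url, PHP_URL_SCHEME) !== 'https') {
            $problems[] = "$key is set but is not an https:// URL";
        }
    }

    // The IdP signing certificate must parse as X.509 and must not be expired;
    // an expired certificate makes every SAML response fail signature checks.
    foreach (['SAML_X509Cert', 'SAML_x509Cert_mobile'] as $key) {
        $pem  = (string) ($cfg[$key] ?? '');
        $info = $pem === '' ? false : @openssl_x509_parse($pem);
        if ($info === false) {
            $problems[] = "$key is not a parseable X.509 certificate";
        } elseif ($info['validTo_time_t'] < time()) {
            $problems[] = "$key expired on " . date('Y-m-d', $info['validTo_time_t']);
        }
    }
    return $problems;
}

// Constructed sample values (not a real deployment): the mobile login URL is
// plain http and the certificate is still the placeholder from the post, so
// both are reported; the desktop keys are simply missing.
$sugar_config = [
    'SAML_loginurl_mobile' => 'http://idp.example.com/sso/saml',
    'SAML_SLO_mobile'      => '',
    'SAML_x509Cert_mobile' => '{certificate for the mobile IdP}',
];
foreach (samlConfigProblems($sugar_config) as $problem) {
    echo $problem, PHP_EOL;
}
```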

The common tools for troubleshooting and debugging issues with SSO implementations are:

  • SAML tracer plugin
  • Network tab
  • sugarcrm.log
  • IdP logs
  • SSO flow diagram

Slide Deck Presentation from SugarCon 2017 Session


This post is part of our SugarCon 2017 Spotlight series. Take a look at all the articles from SugarCon 2017 here.
