
Configuring SSO With Google

Overview

Sugar® allows single sign-on authentication using Google and SAML so that Sugar can be integrated with a connected system using a single user ID and password. This article walks through configuring Google and Sugar to allow external authentication using SAML 2.0.

For more information about external authentication methods, please refer to the Password Management documentation as well as the Understanding Security Layers for User Authentication article. 

Note: This article pertains to Sugar versions 8.0.x and higher.

Prerequisites

  • Your organization must have an active G Suite account (Basic, Business, or Enterprise). 
  • Your Sugar users should be users in your organization's G Suite account.  
  • You must have access to a G Suite administrator account in order to complete the steps in this article. For more information on signing into the Admin console, please refer to the G Suite Administrator Help article.  
  • You must be familiar with G Suite and how to set up the SSO configurations that meet your organization's needs. 
  • You must be a Sugar administrator to configure the SAML settings for your instance via Admin > Password Management. For more information on configuring SAML in Sugar, please refer to the Password Management documentation.

Steps to Complete

The following sections explain how to add SugarCRM as a SAML application in Google, enable the SugarCRM app for users, and configure Sugar for SAML authentication.

Adding SAML Application in Google

Use the following steps to add a new SAML application for Sugar:

  1. Navigate to the Google Admin console in your web browser and log in with your G Suite administrator credentials.
  2. On the Admin console dashboard, select "Apps".
  3. On the Apps page, select "SAML apps".
  4. Next, click the plus (+) icon on the bottom right of the SAML apps page, then locate and select "Sugar".
  5. In the Option 2 section, click "Download", then save the metadata file. You will need this file later when you configure SAML authentication in Sugar. Click "Next".
  6. On the Basic Information step, enter an application name of your choice (e.g. SugarCRM). Optionally, you can enter a description (e.g. SugarCRM Application) and upload a logo. Click "Next". 
  7. On the Service Provider Details step, enter the following values into the corresponding fields:
    Note: Replace {your-sugar-url} with your Sugar instance's domain.
    • ACS URL :  https://{your-sugar-url}/index.php?module=Users&action=Authenticate
    • Entity ID : php-saml
    • Start URL : https://{your-sugar-url}/
    • Name ID Format : EMAIL
  8. Click "Finish".

Enabling the SugarCRM App for Users

To enable the SAML application for users, navigate to Apps > SAML apps in G Suite and select the SugarCRM app. Click the three-dot icon on the upper right and select one of the following options according to your organization's requirements:

  • On for everyone : Enables the SAML application for all users
  • On for some organizations : Enables the SAML application for certain groups and users assigned to those groups

Note: Please make sure that the email IDs for your Sugar users match those in your Google domain. For more information on enabling the new SAML app, please refer to the G Suite Administrator Help article.

Configuring Sugar for SAML Authentication

Use the following steps to configure Sugar to work with Google:

  1. Log into Sugar as an administrator and navigate to Admin > Password Management.
  2. Scroll down to the SAML Authentication section and place a checkmark in the box next to "Enable SAML Authentication".
  3. Click the "Import IdP Metadata File" button at the top of the page, locate the metadata file you saved in Step 5 of the Adding SAML Application in Google section, then click "Open".
  4. The Login URL, Entity ID, and X509 Certificate fields will be auto-populated with information from Google. Optionally, complete any other desired fields on the setup page. For more information regarding the fields that are available to configure on the SAML configuration page, please refer to the Password Management documentation.  
  5. Click "Save" to preserve the settings. 
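
A pre-import check for the metadata file from Step 3, as an added example that is not part of SugarCRM's or Google's documentation or code: it extracts the three values Sugar auto-populates (Login URL, Entity ID, X509 Certificate) and fingerprints the certificate so they can be compared with what the form shows after import. The sample metadata, the idp.example.test host, and the choice of the HTTP-Redirect endpoint as the Login URL are assumptions.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample input: hypothetical IdP host, placeholder bytes instead of a real certificate.
PLACEHOLDER_CERT = b"constructed placeholder, not a real certificate"
SAMPLE_METADATA = ("""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml?idpid=PLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="%s"
        Location="https://idp.example.test/saml/sso?idpid=PLACEHOLDER"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % (base64.b64encode(PLACEHOLDER_CERT).decode(), REDIRECT)).encode()


def inspect_idp_metadata(data):
    """Extract the three values Sugar auto-populates and list any problems."""
    # Refuse DTDs and entity declarations before parsing (entity-expansion hardening).
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("DTD or entity declarations do not belong in SAML metadata")
    root = ET.fromstring(data)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: not IdP metadata")
    urls = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
            if s.get("Binding") == REDIRECT]
    cert = idp.find(".//ds:X509Certificate", NS)
    # Metadata wraps the base64 certificate across lines; strip whitespace before decoding.
    der = base64.b64decode("".join((cert.text or "").split())) if cert is not None else b""
    result = {
        "entity_id": root.get("entityID"),
        "login_url": urls[0] if urls else None,
        "cert_sha256": hashlib.sha256(der).hexdigest() if der else None,
        "problems": [],
    }
    if not result["entity_id"]:
        result["problems"].append("Entity ID is missing")
    if not (result["login_url"] or "").startswith("https://"):
        result["problems"].append("Login URL is missing or not https")
    if not der:
        result["problems"].append("X509 certificate is missing")
    return result
```

To check a real download, read the saved file in binary mode and pass its bytes to inspect_idp_metadata(); recording the certificate fingerprint also makes a later certificate change on the Google side easy to spot.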

Application

Once you have completed the SAML configuration in Sugar, users who navigate to Sugar will be redirected to G Suite's login page to enter their login credentials. Once the user's login credentials are authenticated in G Suite, they will be directed back to their Sugar instance and be automatically logged in. The user can also launch their Sugar account from G Suite by clicking the Sugar app. Their Sugar instance will open in a new browser tab and the user will be logged in automatically.

Last modified: 2019-03-01 20:56:48