Configuring SSO With Azure Using OIDC
SugarIdentity allows single sign-on authentication using Microsoft Azure and OpenID Connect (OIDC) so that it can be integrated with a connected system using a single user ID and password. This article walks through configuring Microsoft Azure to allow external authentication using OpenID Connect for instances that use SugarIdentity. Please note that only some SugarCloud instances use SugarIdentity. Refer to the SugarIdentity Guide to determine if yours is configured to do so. Existing customers will be notified before their instances begin using the service.
For more information about external authentication methods, refer to the following pages:
Prerequisites
- Your organization must have an active Microsoft Azure account. For information on setting up an Azure account for your organization, please refer to their website at https://www.azure.com.
- Your SugarIdentity users should be users in your organization's Azure account.
- You must be familiar with Azure and how to set up the SSO configurations that meet your organization's needs.
- You must be a Sugar administrator to configure the OIDC settings in SugarIdentity via the SugarCloud Settings console.
Steps to Complete
Configuring Azure With SugarIdentity
Registering OIDC Application in Azure
Use the following steps to register the OIDC application in Azure and obtain the necessary credentials to configure OIDC in SugarIdentity:
1. Navigate to https://portal.azure.com/ in your web browser and log in.
2. Click "App registrations" on the home page.
3. On the App Registrations page, click the "+ New registration" button.
4. On the Register an Application page, enter an application name of your choice (e.g. SugarCRM OIDC).
Note: You will need to access the SugarCloud Settings console to obtain the Redirect URI value, as covered in step 5.
5. In a new browser tab, open the SugarCloud Settings console, click the Authentication tab, select "Setup OIDC support", then select the "Enable OIDC Authentication" option. Copy the Redirect URI value, as it is required to complete the next step.
6. Navigate back to Azure's Register an Application page and paste the Redirect URI value into the Redirect URI field. Click "Register".
7. Next, click "Certificates & secrets" in the left tree menu of your new application, then click "+ New client secret" in the Client Secrets section and populate the fields accordingly. Click "Add" to create the client secret.
8. Record the client secret value that appears under the Client Secrets section, as it is required when configuring OIDC in SugarIdentity via the SugarCloud Settings console.
9. Next, click "Overview" in the left tree menu and record the "Application (client) ID" value at the top of the page, as it is required when configuring OIDC in SugarIdentity.
10. Now, click "Endpoints" at the top of the application page and record the following endpoint values:
- OAuth 2.0 authorization endpoint (v2): For the "OIDC Server Authentication Endpoint" field in SugarIdentity.
- OAuth 2.0 token endpoint (v2): For the "OIDC Server Token Endpoint" field in SugarIdentity.
11. Finally, click "Token configuration" in the left tree menu and click the "+ Add optional claim" button. Select "ID" as the Token type, then select the "family_name" and "given_name" claims. In the dialog box that appears, enable the "Turn on the Microsoft Graph profile permission" checkbox, then click "Add".
Once you have obtained the necessary credentials (e.g. Client ID, Client Secret), navigate back to the SugarCloud Settings console to configure the OIDC authentication and complete the fields as follows:
- OIDC Server Authentication Endpoint: Enter the "OAuth 2.0 authorization endpoint (v2)" value from step 10 above.
- OIDC Server Token Endpoint: Enter the "OAuth 2.0 token endpoint (v2)" value from step 10 above.
- Client ID: Enter the "Application (client) ID" obtained in step 9 above.
- Client Secret: Enter the Client Secret obtained in step 8 above.
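As an added example (not part of the original article or of SugarIdentity), the following script sanity-checks the four values entered above before they go live: both endpoints must be Azure v2 endpoints from the same tenant, and an ID token returned by Azure must carry the expected issuer, audience, expiry, nonce and the "given_name"/"family_name" claims enabled under Token configuration. The sample configuration values (tenant and client GUIDs) are constructed placeholders.

```python
import re
import time

# Shape of the Azure AD v2 endpoints recorded from the "Endpoints" page.
_ENDPOINT_RE = re.compile(
    r"^https://login\.microsoftonline\.com/(?P<tenant>[^/]+)/oauth2/v2\.0/(?P<kind>authorize|token)$"
)

# Constructed sample configuration (placeholder GUIDs, not real identifiers).
SAMPLE_CFG = {
    "auth_endpoint": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/v2.0/token",
    "client_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "client_secret": "placeholder-secret-value",
}

def check_oidc_config(cfg):
    """Return a list of problems with the values entered in the SugarCloud Settings console."""
    problems, tenants = [], {}
    for key, kind in (("auth_endpoint", "authorize"), ("token_endpoint", "token")):
        m = _ENDPOINT_RE.match(cfg.get(key, ""))
        if not m or m.group("kind") != kind:
            problems.append(f"{key}: not an Azure v2 {kind} endpoint")
        else:
            tenants[key] = m.group("tenant")
    if len(set(tenants.values())) > 1:
        problems.append("endpoints belong to different tenants")
    if not re.fullmatch(r"[0-9a-f-]{36}", cfg.get("client_id", "")):
        problems.append("client_id: expected the Application (client) ID GUID")
    if not cfg.get("client_secret"):
        problems.append("client_secret: empty")
    return problems

def expected_issuer(cfg):
    """Issuer Azure puts in v2 ID tokens for the tenant named in the authorization endpoint."""
    m = _ENDPOINT_RE.match(cfg["auth_endpoint"])
    if not m:
        raise ValueError("auth_endpoint is not an Azure v2 endpoint")
    return f"https://login.microsoftonline.com/{m.group('tenant')}/v2.0"

def check_id_token_claims(payload, cfg, nonce, now=None):
    """Claim checks to run AFTER the token signature was verified against the tenant JWKS."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != expected_issuer(cfg):
        problems.append("iss mismatch")
    if payload.get("aud") != cfg["client_id"]:
        problems.append("aud is not our client_id")
    if payload.get("exp", 0) <= now:
        problems.append("token expired")
    if payload.get("nonce") != nonce:
        problems.append("nonce mismatch (possible replay)")
    for claim in ("given_name", "family_name"):
        if claim not in payload:
            problems.append(f"{claim} missing: add it under Token configuration")
    return problems
```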
Once you have configured Azure and completed the OIDC configuration in SugarIdentity via the SugarCloud Settings console, any user who is provisioned in SugarIdentity and navigates to Sugar will be redirected to Microsoft Azure's login page to enter their Azure credentials. Once Azure has authenticated the user's credentials, they will be directed back to their Sugar instance and automatically logged in. Please note that all of the organization's users in Microsoft Azure will be assigned to the SugarCRM OIDC application by default once it has been created for SugarIdentity. For best practices on creating users in SugarIdentity, please refer to the SugarIdentity Guide.
Last modified: 2022-05-16 21:11:27