
Configuring SSO With Okta Using OIDC

Overview

SugarIdentity allows single sign-on authentication using Okta and OpenID Connect (OIDC) so that it can be integrated with a connected system using a single user ID and password. This article walks through configuring Okta to allow external authentication using OpenID Connect for instances that use SugarIdentity. Please note that only some SugarCloud instances use SugarIdentity. Refer to the SugarIdentity Guide to determine if yours is configured to do so. Existing customers will be notified before their instances begin using the service.

For more information about external authentication methods, please refer to the following pages:

Prerequisites

  • Your organization must have an active Okta account. For information on setting up an Okta account for your organization, please refer to their website at https://www.okta.com/.
  • Your SugarIdentity users should be users in your organization's Okta account.
  • You must have access to an Okta administrator account in order to complete the steps in this article. For more information regarding the administrator role, please refer to the Okta documentation.
  • You must be familiar with Okta and how to set up the SSO configurations that meet your organization's needs.
  • You must be a Sugar administrator to configure the OIDC settings in SugarIdentity via the SugarCloud Settings console.

Steps to Complete

The following sections cover how to configure Okta to allow external authentication using OpenID Connect. 

Configuring Okta With SugarIdentity

Creating OIDC Application in Okta

Use the following steps to create a new OIDC application for SugarIdentity in Okta:

  1. Navigate to https://developer.okta.com/ in your web browser and log in with your admin credentials. 
  2. Click "Admin" on the upper right of the home page.
  3. Next, click the Applications tab in the navigation bar and then click the "Add Application" button.
  4. On the Create New Application page, select the "Web" application and click "Next".
  5. On the Application Settings page, enter an application name of your choice (e.g. SugarCRM OIDC).
    Note: You will need to access the SugarCloud Settings console to obtain the Login redirect URIs value, as covered in the next step.
  6. In a new browser tab, open the SugarCloud Settings console, click the Authentication tab, select "Setup OIDC support", and then select the "Enable OIDC Authentication" option. Copy the Redirect URI value, as it is required to complete the next step.
  7. Navigate back to Okta's Application Settings page and paste the Redirect URI value into the Login redirect URIs field.
  8. Click "Done" at the bottom of the page. 
  9. Record the "Client ID" and "Client Secret" values under the General tab of your new application, as these are required when configuring OIDC in SugarIdentity via the SugarCloud Settings console.
  10. Next, click the API tab on the navigation bar and select "Authorization Servers". Click the Default link to access the Default server settings.
  11. Record the Issuer URL under the Settings tab, as it is required when configuring OIDC in SugarIdentity via the SugarCloud Settings console.

Once you have obtained the Client ID, Client Secret, and Issuer URL, navigate back to the SugarCloud Settings console to configure the OIDC authentication and complete the fields as follows:
Note: Replace {Issuer URL} with the value obtained in step 11 above. 

  • OIDC Server Authentication Endpoint: Enter {Issuer URL}/v1/authorize. 
  • OIDC Server Token Endpoint: Enter {Issuer URL}/v1/token.
  • OIDC Server Userinfo Endpoint: Enter {Issuer URL}/v1/userinfo.
  • Client ID: Enter the Client ID obtained in step 9 above.
  • Client Secret: Enter the Client Secret obtained in step 9 above.
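To sanity-check the three endpoint values before saving them, the following added Python script (not SugarCRM's or Okta's code) derives them from the Issuer URL exactly as listed above and compares them with the authorization server's OIDC discovery document at {Issuer URL}/.well-known/openid-configuration. The issuer hostname and the discovery document embedded here are constructed sample values.

```python
import json
from urllib.parse import urlparse
from urllib.request import urlopen

# Paths the article tells you to append to the Okta Issuer URL.
ENDPOINT_PATHS = {
    "authorization_endpoint": "/v1/authorize",
    "token_endpoint": "/v1/token",
    "userinfo_endpoint": "/v1/userinfo",
}


def sugar_oidc_endpoints(issuer_url):
    """Build the three endpoint values to paste into SugarCloud Settings."""
    parsed = urlparse(issuer_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"Issuer URL must be an absolute https URL: {issuer_url!r}")
    issuer = issuer_url.rstrip("/")  # a trailing slash would produce '//v1/...'
    return {name: issuer + path for name, path in ENDPOINT_PATHS.items()}


def fetch_discovery(issuer_url):
    """Download the authorization server's OIDC discovery document (needs network)."""
    with urlopen(issuer_url.rstrip("/") + "/.well-known/openid-configuration") as resp:
        return json.load(resp)


def check_against_discovery(issuer_url, discovery):
    """Return mismatches between the article's values and the discovery document."""
    problems = []
    if discovery.get("issuer") != issuer_url.rstrip("/"):
        problems.append(f"issuer mismatch: discovery says {discovery.get('issuer')!r}")
    for name, url in sugar_oidc_endpoints(issuer_url).items():
        if discovery.get(name) != url:
            problems.append(f"{name}: expected {url}, discovery says {discovery.get(name)!r}")
    return problems


# Constructed sample discovery document (same shape as Okta's, values made up).
SAMPLE_ISSUER = "https://example.okta.com/oauth2/default"
SAMPLE_DISCOVERY = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/v1/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/v1/token",
    "userinfo_endpoint": SAMPLE_ISSUER + "/v1/userinfo",
}

if __name__ == "__main__":
    for name, url in sugar_oidc_endpoints(SAMPLE_ISSUER).items():
        print(f"{name}: {url}")
    print("mismatches:", check_against_discovery(SAMPLE_ISSUER, SAMPLE_DISCOVERY))
```

Against a live tenant, replace SAMPLE_DISCOVERY with fetch_discovery(your_issuer_url); an empty mismatch list means the values you are about to enter agree with what Okta actually serves.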

Mapping Attributes for Okta

If you wish to have the Title and Department attributes from Okta map to the SugarIdentity user fields, you will need to set up the attribute mapping in Okta. Please note that other attributes such as first name, last name, email, phone, and address will map automatically once you configure OIDC in SugarIdentity. 

Use the following steps to set up the attribute mapping for title and department:

  1. Follow steps 1-3 in the Configuring SAML Attribute Mapping for SugarIdentity article.
  2. Next, click "API" in the navigation bar, then select "Authorization Servers".
  3. Click the Default link for your application then click the Claims tab on the following page. 
  4. Click the "+ Add Claim" button and populate the fields as follows: 
    • Name: Enter the attribute name (e.g. title).
    • Include in token type: Select "ID Token" and "Userinfo / id_token request".
    • Value type: Leave as "Expression".
    • Value: Enter "appuser.{attribute name}" (e.g. appuser.title).
    • Include in: Select "The following scopes" then enter and select "profile" in the open text box.
  5. Click "Create" to add the claims for title and department. 

Once the attribute mapping is configured for title and department, any newly created Okta user, and any change to an existing user's title or department attributes in Okta, will sync to SugarIdentity the next time that user logs into Sugar.
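After the claims are created, a quick way to confirm that title and department actually arrive is to inspect an ID token returned by Okta. The following added Python snippet (not SugarCRM's or Okta's code) decodes the claims segment and checks it against the Issuer URL and Client ID configured in SugarCloud Settings; the issuer, Client ID, claims and token are constructed sample values, and the token carries no real signature, so this is an inspection aid and not a substitute for the signature verification Sugar performs.

```python
import base64
import json
import time

# Custom claims the article has you add to Okta's Default authorization server.
CUSTOM_CLAIMS = ("title", "department")


def decode_jwt_payload(token):
    """Decode the claims segment of an ID token for inspection (no signature check)."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("expected a compact JWT: header.payload.signature")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_id_token_claims(claims, issuer_url, client_id, now=None):
    """Return problems found in decoded claims; an empty list means all checks passed."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer_url.rstrip("/"):
        problems.append(f"iss {claims.get('iss')!r} differs from the configured Issuer URL")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not contain the configured Client ID")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("exp missing or token already expired")
    for name in CUSTOM_CLAIMS:
        if not claims.get(name):
            problems.append(f"claim {name!r} missing: check its Okta claim is in the "
                            "profile scope and included in the ID Token")
    return problems


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample values; the token is unsigned and exists only for this demo.
SAMPLE_ISSUER = "https://example.okta.com/oauth2/default"
SAMPLE_CLIENT_ID = "0oa-constructed-client-id"
SAMPLE_CLAIMS = {
    "iss": SAMPLE_ISSUER, "aud": SAMPLE_CLIENT_ID, "sub": "00u-constructed",
    "email": "jane.doe@example.com", "given_name": "Jane", "family_name": "Doe",
    "title": "Account Executive", "department": "Sales",
    "iat": 1_700_000_000, "exp": 1_700_003_600,
}
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256", "kid": "constructed"}),
                         _b64url(SAMPLE_CLAIMS), "signature-omitted"])
```

Run check_id_token_claims(decode_jwt_payload(token), issuer_url, client_id) on a token captured from your own test login; a "claim 'title' missing" entry usually means the claim was created without the profile scope or without "ID Token" in its token type.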

Assigning the SugarCRM App to Okta Users

In order for SugarIdentity users to leverage Okta's login capability with Sugar, you must assign the SugarCRM app from the section above to your organization's users in Okta. For information on assigning applications to users in Okta, please refer to the Using the Applications Page documentation in Okta.

Once you have assigned the SugarCRM app to Okta users, you can then configure OIDC authentication in SugarIdentity via the SugarCloud Settings console. 

Application

Once you have configured Okta and completed the OIDC configuration in SugarIdentity via the SugarCloud Settings console, any user who is provisioned in SugarIdentity and navigates to Sugar will be redirected to Okta's login page to enter their Okta credentials. Once the user's login credentials are authenticated in Okta, they will be directed back to their Sugar instance and automatically logged in. Please refer to the SugarIdentity Guide for best practices on creating users in SugarIdentity.

Last modified: 2022-05-16 21:11:56