
Configuring SSO With AWS Using SAML


SugarIdentity allows single sign-on (SSO) authentication using AWS and SAML so that Sugar can be integrated with a connected system using a single user ID and password. This article walks through configuring AWS Single Sign-On (SSO) to allow external authentication using SAML 2.0 for Sugar instances that use SugarIdentity.

If you are using SugarLive in Sugar Serve, you can also set up SSO in SugarLive using SAML 2.0. To do so, you will also need to configure AWS SSO as an identity provider for Amazon Web Services (AWS). Refer to this article on the AWS website for details on this setup.

Note: Only some SugarCloud instances use SugarIdentity. Refer to the SugarIdentity Guide to determine if yours is configured to do so. Existing customers will be notified before their instances begin using the service.

For more information about external authentication methods, refer to the following pages:

Prerequisites

  • Your organization must have an active AWS account.
  • Your SugarIdentity users should be users in AWS SSO.
  • You must have access to the AWS SSO console in order to complete the steps in this article.
  • You must be familiar with AWS SSO and how to set up the SSO configurations that meet your organization's needs. 
  • You must be a Sugar administrator to configure the SAML settings in SugarIdentity via the SugarCloud Settings console.

Steps to Complete

The following sections cover how to configure AWS SSO to allow external authentication using SAML 2.0 for Sugar instances that use SugarIdentity. 

Adding SAML 2.0 Application in AWS

  1. Navigate to in your web browser and log in to your AWS account.
  2. On the AWS Management Console page, click "All services" in the AWS Services panel then select "AWS Single Sign-On".
  3. Click "Enable AWS SSO" on the following page.
    Note: You may be prompted to create an AWS Organization for your AWS account to enable AWS SSO. If so, click the "Create AWS organization" button in the pop-up window. 
  4. On the AWS Single Sign-On page, select "Applications" from the menu on the left then click the "Add a new application" button.
  5. On the Add New Application page, select the "Add a custom SAML 2.0 application" option.
  6. On the Configure Custom SAML 2.0 Application page, click the Download link in the AWS SSO Metadata section to download the AWS SSO SAML metadata file. You will need to import this metadata file when configuring SAML in SugarIdentity via the SugarCloud Settings console.
  7. Once you have imported the IdP metadata file to the SugarCloud Settings console and have exported the XML metadata file containing the SAML settings (e.g., Assertion Consumer Service URL), upload the exported file under the Application Metadata section. 
  8. Click the Save Changes button on the Configure Custom SAML 2.0 Application page.
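
Steps 6 and 7 exchange two SAML metadata files, and both are worth inspecting before they are imported or uploaded. The following is an added example, not SugarCRM or AWS code: the function name `check_metadata`, the choice of checks, and the sample hosts and certificate text are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def check_metadata(xml_text):
    """Summarise one SAML 2.0 metadata file and list findings to review."""
    if "<!DOCTYPE" in xml_text:  # metadata never needs a DTD; refuse entity tricks
        raise ValueError("DOCTYPE not allowed in SAML metadata")
    root = ET.fromstring(xml_text)
    entity = root if root.tag == MD + "EntityDescriptor" else root.find(MD + "EntityDescriptor")
    if entity is None:
        raise ValueError("no EntityDescriptor element")
    idp = entity.find(MD + "IDPSSODescriptor")
    role = idp if idp is not None else entity.find(MD + "SPSSODescriptor")
    if role is None:
        raise ValueError("no IdP or SP role descriptor")
    kind = "idp" if idp is not None else "sp"
    tag = "SingleSignOnService" if kind == "idp" else "AssertionConsumerService"
    endpoints = [e.get("Location", "") for e in role.findall(MD + tag)]
    findings = [f"{tag} is not HTTPS: {u}" for u in endpoints if not u.startswith("https://")]
    if not endpoints:
        findings.append(f"no {tag} endpoint")
    # A KeyDescriptor without a "use" attribute applies to signing as well.
    certs = [c for k in role.findall(MD + "KeyDescriptor") if k.get("use") in (None, "signing")
             for c in k.iter(DS + "X509Certificate") if (c.text or "").strip()]
    if kind == "idp" and not certs:
        findings.append("IdP metadata has no signing certificate")
    if kind == "sp" and role.get("WantAssertionsSigned") != "true":
        findings.append("SP metadata does not set WantAssertionsSigned=true")
    summary = {"role": kind, "entity_id": entity.get("entityID"), "endpoints": endpoints, "signing_certs": len(certs)}
    return summary, findings

# Constructed sample files (placeholder hosts and certificate text, not real values).
NS = 'xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"'
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
IDP_XML = f"""<EntityDescriptor {NS} entityID="https://idp.example.invalid/saml">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>CONSTRUCTED
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="{POST}" Location="https://idp.example.invalid/saml/sso"/>
  </IDPSSODescriptor></EntityDescriptor>"""
SP_XML = f"""<EntityDescriptor {NS} entityID="https://sp.example.invalid">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="0" Binding="{POST}" Location="http://sp.example.invalid/acs"/>
  </SPSSODescriptor></EntityDescriptor>"""

if __name__ == "__main__":
    for name, doc in (("IdP download", IDP_XML), ("SP export", SP_XML)):
        print(name, *check_metadata(doc), sep="\n  ")
```

The entity ID and endpoint values it prints can be compared by eye against what the AWS SSO and SugarCloud Settings consoles display after the import.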

Mapping Attributes for AWS SSO

If you wish to have the attributes (e.g., First Name, Last Name) from AWS SSO map to the SugarIdentity user fields, you will need to set up the attribute mapping in AWS SSO. Once the attribute mapping is configured, going forward, when a new user is created in AWS SSO or the user's attributes are modified in AWS SSO, these changes will sync to SugarIdentity when the user logs in to Sugar. For more information on setting up the attribute mapping, please refer to the Configuring SAML Attribute Mapping for SugarIdentity article.

Assigning the SugarCRM App to AWS SSO Users

In order for SugarIdentity users to leverage the AWS SSO login capability with Sugar, you must assign the Custom SAML 2.0 app from the section above to your organization's users in AWS SSO. For information on assigning applications to users in AWS SSO, please refer to the Assign User Access article on the AWS website.


Once you have configured AWS SSO and completed the SAML configuration in SugarIdentity via the SugarCloud Settings console, going forward, when a user tries to access Sugar they will be redirected to the AWS SSO user portal to enter their user portal login credentials. Once the user's login credentials are authenticated in AWS, they will be directed back to their Sugar instance and be automatically logged in. The user can also launch their Sugar account from the AWS SSO user portal by choosing the Custom SAML 2.0 app that appears in their portal. Their Sugar instance will open in a new browser tab, and the user will be authenticated and automatically logged in.

Last modified: 2021-11-15 20:50:48