Reconfiguring SAML Authentication Using ACS URL for SugarIdentity

Overview

SugarIdentity can be configured to accept Security Assertion Markup Language (SAML) for single sign-on (SSO) if it is implemented at your organization. For more information on configuring SAML authentication in SugarIdentity, refer to the SugarIdentity Guide. When configuring the SAML authentication for SugarIdentity, you must enter the Assertion Consumer Service URL (ACS URL) in the identity provider. Please note that the URL, which includes your tenant ID, can be obtained from the SAML settings page in the SugarCloud Settings console.

Prior to December 1, 2020, the ACS URL that was used to configure the identity provider (e.g. Okta, OneLogin) did not include your tenant ID. For customers who previously configured SAML authentication using this ACS URL, the Assertion Consumer Service URL field on the SAML settings page will display the following URL: https://login-{your_region}.service.sugarcrm.com/saml/acs. 

If the identity provider was configured using this ACS URL, your SAML users will be able to log in from Sugar using SSO, but will not be able to initiate login to Sugar from their Okta, OneLogin, or G Suite dashboard. This article covers how to reconfigure the SAML authentication for SugarIdentity so that your users can initiate login to Sugar from their Okta, OneLogin, or G Suite dashboard.

Prerequisites

  • You must be a Sugar administrator to reconfigure the SAML settings in SugarIdentity via the SugarCloud Settings console.
  • You must have access to an administrator account in the identity provider (e.g. Okta, OneLogin) to update the existing SugarCRM application.

Steps to Complete

If you would like your users to be able to initiate login to Sugar from their Okta, OneLogin, or G Suite dashboard, you will need to reconfigure the SAML authentication in SugarIdentity using the following steps:

  1. Log in to Sugar and navigate to Admin > Password Management. You will be directed to SugarIdentity in the SugarCloud Settings console in a new browser tab.
    Note: For Sugar versions 11.0.0 and higher, navigate to Admin > SugarCloud Settings to access the SugarCloud Settings console.
  2. Click the Authentication tab in the SugarCloud Settings console and select "Setup SAML support".
    Note: The Assertion Consumer Service URL field on the SAML settings page will show the URL as follows: https://login-{your_region}.service.sugarcrm.com/saml/acs.
  3. Remove the checkmark from the "Enable SAML Authentication" option to disable SAML, then click "Save".
  4. Select the "Enable SAML Authentication" option again to re-enable SAML.
  5. The Assertion Consumer Service URL field will now display the URL as follows: https://login-{your_region}.service.sugarcrm.com/saml/acs/{your_tenant_ID}. Record this URL as it is required to update the identity provider (e.g. Okta, OneLogin). 
  6. Next, navigate to your organization's identity provider account to update the existing SugarCRM application with this ACS URL. Refer to the appropriate article below for information on updating the identity provider with the Assertion Consumer Service URL:
  7. Once you have updated the identity provider with the ACS URL and obtained the Identity Provider metadata file, import the file in SugarIdentity via the SugarCloud Settings console. For more information on importing the file, refer to the SugarIdentity Guide.
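
After step 6, it is worth confirming that the ACS URL saved in the identity provider is the tenant-scoped form and matches what SugarIdentity displays. The check below is an added example, not SugarCRM's own tooling; the function names, the allowed characters in the region label, and the sample region and tenant ID are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Host shape taken from the URLs in this article; the character set allowed
# in the region label is an assumption.
HOST_RE = re.compile(r"^login-[a-z0-9-]+\.service\.sugarcrm\.com$")


def classify_acs_url(url):
    """Return 'tenant', 'legacy' or 'invalid' for a SugarIdentity ACS URL."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or parts.query or parts.fragment:
        return "invalid"
    if parts.username or parts.password or parts.port not in (None, 443):
        return "invalid"
    if not HOST_RE.match(parts.hostname or ""):
        return "invalid"
    segments = [s for s in parts.path.split("/") if s]
    if segments == ["saml", "acs"]:
        return "legacy"  # pre-December 1, 2020 form without a tenant ID
    if len(segments) == 3 and segments[:2] == ["saml", "acs"]:
        # Reject a pasted, unfilled {your_tenant_ID} placeholder.
        return "invalid" if "{" in segments[2] or "}" in segments[2] else "tenant"
    return "invalid"


def check_idp_acs(sugar_url, idp_url):
    """Compare the URL shown in SugarIdentity with the one saved in the IdP."""
    problems = []
    kind = classify_acs_url(sugar_url)
    if kind == "legacy":
        problems.append("SugarIdentity still shows the legacy ACS URL; repeat steps 3-5")
    elif kind == "invalid":
        problems.append("SugarIdentity value is not a recognised ACS URL")
    if classify_acs_url(idp_url) != "tenant":
        problems.append("IdP ACS URL lacks the tenant ID segment")
    if sugar_url.strip().rstrip("/") != idp_url.strip().rstrip("/"):
        problems.append("IdP ACS URL does not match the SugarIdentity value")
    return problems


if __name__ == "__main__":
    # Constructed sample values: region "us-west" and tenant ID "1234567890".
    sugar = "https://login-us-west.service.sugarcrm.com/saml/acs/1234567890"
    idp = "https://login-us-west.service.sugarcrm.com/saml/acs"
    for line in check_idp_acs(sugar, idp) or ["ACS URLs are consistent"]:
        print(line)
```
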

Application

Once you have completed the SAML configuration in SugarIdentity, going forward, your SAML users will be able to launch their Sugar account from Okta, OneLogin, or G Suite by clicking the SugarCRM app from their dashboard. Their Sugar instance will open in a new browser tab, and the user will be authenticated and automatically logged in. Please note that they can also continue to log in to their Sugar account using single sign-on by navigating to Sugar and entering their SSO credentials. 

Last modified: 2021-11-09 17:21:00