External Authentication

Overview

The authentication management capabilities in SugarIdentity allow admin users to set up LDAP, SAML, or OIDC authentication for single sign-on as well as configure SCIM for real-time data sync between the identity provider (e.g., Okta) and SugarIdentity. This guide covers the basics of configuring LDAP, SAML, or OIDC authentication in SugarIdentity in addition to generating the SCIM client values (e.g., Server URL) required to configure SCIM.

LDAP Settings

SugarIdentity can be configured to accept Lightweight Directory Access Protocol (LDAP) authentication if your organization has implemented LDAP or Active Directory authentication. When users in your system attempt to log in to Sugar, the application will authenticate their credentials against your LDAP directory or Active Directory. If authentication is successful, the user is granted access to Sugar. If the authentication is unsuccessful, SugarIdentity will then attempt to verify the provided credentials against its own database of valid usernames and passwords. When a tenant is configured to use LDAP authentication, the user email must be defined in the LDAP server.

Note: If the Active Directory authentication server is behind a corporate firewall, please ensure that the appropriate IP range is open on your firewall to allow communication with the Active Directory server. For more information on the IP addresses to add to your allowlist, refer to the Configuring Your SMTP Server to Work With SugarCloud article.

Use the following steps to configure LDAP authentication in SugarIdentity:

1. Log in to Sugar and navigate to Admin > SugarIdentity.
   Note: For Sugar versions 13.2 and lower, navigate to Admin > SugarCloud Settings. 
2. Click "LDAP Settings" from the home page in SugarIdentity.
   
3. Place a check in the Enable LDAP Authentication box to enable LDAP and reveal the LDAP configuration fields.
   Note: Disable this checkbox if you would like to disable LDAP authentication.
   
4. Enter the appropriate values in the following fields, then click "Save" to commit the changes.
   

   Field	Description	Suggested Values
   Encryption	Select the appropriate option from the dropdown to use LDAPS, StartTLS, or no encryption when connecting to the LDAP server.	Select "LDAPS" or "StartTLS" if your LDAP server supports one of these encryption methods. For no encryption, select "none" (not recommended). Select "LDAPS" if the LDAP server supports it. Select "StartTLS" if the LDAP server supports it. Select "none" for no encryption.
   Server	Enter the FQDN of your Active Directory Server, which should be your Domain Controller.	MYSERVER.MYDOMAIN.com.
   Port	Enter the default port number.	Please refer to the Configuring IP Addresses, Ports, and Domains article for port numbers.
   User DN	Enter the user DN name.	ou=people, dc=openldap, dc=com
   User Filter	Enter any additional parameters to apply when authenticating users.	is_user_id=1
   Bind Attribute	Enter a case-sensitive value for the bind attribute.	For Active Directory, enter userPrincipalName.
   Login Attribute	Enter a case-sensitive value for the login attribute.	For Active Directory, enter sAMAccountName.
   Authentication	Place a check in this box to enable the Authentication User DN and Password fields. Note: You must add a service account user (read-only access) to your Active Directory to authenticate via Sugar.	Authentication User DN: Enter "username@MYSERVER.MYDOMAIN.com" or "domain\\userfirstname.userlastname". Note: The latter username format requires double backslashes after the domain. Sugar will automatically remove one backslash upon Save. Password: Enter the corresponding Password.
   Group Membership	Enable this checkbox if you wish to specify that the user is a member of a specific group.	Group DN: Enter the group DN name. ou=groups dc=example dc=com Group Name: Enter the group name. cn=sugarcrm Group Attribute: The attribute of the group that will be used to filter against the User Attribute. MemberUid User Attribute: A unique identifier used to check if the user is a member of the group. uid
   Auto Create Users	Enable this checkbox to automatically create a new Sugar user when an LDAP user logs in to Sugar for the first time. Note: The user will count against the number of licensed user accounts for your Sugar instance.	Typically, this checkbox remains disabled.

Once LDAP is configured, when creating new users in SugarIdentity, you will need to enter the user's username (e.g., john@example.com) defined in your LDAP server.

LDAP Attribute Mapping

By default, LDAP attributes map to the SugarIdentity user fields as described below. When an LDAP user is created in SugarIdentity or the LDAP attributes are modified, these changes will sync to SugarIdentity when the user logs in to Sugar. If you have configured SCIM for LDAP, the changes will automatically sync to SugarIdentity in real-time.

SAML Settings

SugarIdentity can be configured to accept Security Assertion Markup Language (SAML) for single sign-on (SSO) if it is implemented at your organization. When users in your system attempt to log in to Sugar, the application will authenticate them against SAML. If authentication is successful, the user is granted access to Sugar. If the authentication is unsuccessful, SugarIdentity will then attempt to verify the provided credentials against its own database of valid user names and passwords.

Note: The Name ID claim (e.g., john@example.com) gets mapped by default to the SAML User Name field in SugarIdentity.

To configure SAML authentication in SugarIdentity, you must first configure ADFS, AWS, Azure, Google, Okta, or OneLogin to allow external authentication, then obtain the identity provider metadata file to import some key data (e.g., Login URL, Entity ID, X509 Certificate) as covered in the section below. When configuring certain identity providers (e.g., Okta, Google), the Assertion Consumer Service URL must be entered. To obtain this information, click "SAML Settings" from the home page in SugarIdentity and locate the Assertion Consumer Service URL field, as shown in the image below.

Note: If you have configured SAML authentication for SugarIdentity before December 1, 2020, and would like your users to be able to initiate login to Sugar from their Okta, OneLogin, or G Suite dashboard, refer to the Reconfiguring SAML Authentication Using ACS URL for SugarIdentity article.

Importing IdP Metadata File

Once you have obtained the identity provider metadata file, use the following steps to import the file and configure SAML authentication:

1. Log in to Sugar and navigate to Admin > SugarIdentity.
   Note: For Sugar versions 13.2 and lower, navigate to Admin > SugarCloud Settings. 
2. Click "SAML Settings" from the home page in SugarIdentity.
   
3. Place a check in the Enable SAML Authentication box to enable SAML and reveal the SAML configuration fields.
4. Click the "Import IdP metadata file" link in the Quick Links menu.
   
5. Find and select the identity provider metadata file on your machine. The data (e.g., Login URL, Entity ID, X509 Certificate) it contains will instantly appear in the corresponding fields (e.g., Login URL) on the SAML Settings page in SugarIdentity.
6. Optionally, complete additional fields on the SAML Settings form based on your needs, then click "Save" to preserve the settings.
   Note: If using Okta with single logout enabled, you will need to complete the "Sign Logout Request", "Request Signing Private Key", and "Request Signing Certificate" fields to digitally sign the logout request.
   

   Field	Description
   Provider Name	Enter a custom name that you wish to display in the login button on Sugar's login screen. The login button will display "Log in with [Provider Name]". Note: If this field is left empty, then the login button will display "Log in with SAML" by default.
   Display Sugar Login as a Button	Enable this checkbox to have the Sugar Login displayed as a button on the login screen where users can enter their Sugar credentials. Note: By default, the Sugar Login displays as a text string on the login screen for users to click and enter their Sugar credentials.
   SLO URL	Enter the single logout endpoint to which SugarIdentity will send logout requests. When SugarIdentity sends a logout request to the identity provider (e.g., Okta), it will extend that request and terminate active sessions for all other service providers that are sharing the session established via SAML. Note: Single logout requests can be initiated from either the identity provider or SugarIdentity. This field will be auto-populated if single logout is enabled in Okta.
   SugarCRM Entity ID	Enter any ID to define your company.  Note: When configuring Microsoft Azure, enter your Sugar instance URL (e.g., https://mysugarinstance.sugarondemand.com) in this field.
   Auto Create Users	Enable this checkbox to automatically create a new Sugar user when a SAML user logs in to Sugar for the first time. Note: The user will count against the number of licensed user accounts for your Sugar instance.
   Request Signing Private Key	Add the Request Signing Private key to be used to sign the AuthN and Logout requests. Note: The private key must be added to sign the logout request, logout response, and/or AuthN request.
   Request Signing Certificate	Add the Request Signing certificate containing the X.509 certificate to be used to sign the AuthN and Logout requests. Note: The certificate should match the private key.
   Request Signing Method	Select the digital signing method for request and response to the identity provider. The recommended options are either "RSA-SHA256" or "RSA-SHA512".
   Sign AuthN Request	Enable this checkbox to sign the AuthN request using the private key and certificate.   Note: The "Request Signing Private Key", "Request Signing Certificate", and "Request Signing Method" fields must be completed to sign the AuthN request.
   Sign Logout Request	Enable this checkbox to sign the logout request using the private key and certificate. Note: The "Request Signing Private Key", "Request Signing Certificate", and "Request Signing Method" fields must be completed to sign the logout request.
   Sign Logout Response	Enable this checkbox to sign the logout response using the private key and certificate.  Note: The "Request Signing Private Key", "Request Signing Certificate", and "Request Signing Method" fields must be completed to sign the logout response.

When using ADFS, AWS, or Azure, please refer to the Exporting Metadata File section below as you will need to export an XML metadata file to configure a new trust relationship between SugarIdentity and the identity provider (e.g., ADFS). 

Exporting Metadata File

When using ADFS, AWS, or Azure, you will need to export the XML metadata file containing the SAML settings (e.g., Assertion Consumer Service URL), which you will need to configure a new trust relationship between SugarIdentity and the identity provider (e.g., ADFS) to allow communication between the two services. Simply click the "Export metadata file" link in the Quick Links menu to download the necessary file. Once you have the metadata file, follow the steps in one of the articles below to configure the new trust relationship between SugarIdentity and the identity provider:

• Configuring SSO With Active Directory's ADFS
• Configuring SSO With AWS Using SAML (step 1)
• Configuring SSO With Azure Using SAML

SAML Attribute Mapping

To have SAML attributes map to the SugarIdentity user fields, you will need to set up the attribute mapping in the identity provider (e.g., Okta) using the predefined SAML attribute values. For more information on setting up the attribute mapping, refer to the Configuring SAML Attribute Mapping for SugarIdentity article. Once the attribute mapping is configured, when a SAML user is created in the identity provider or the SAML attributes (e.g., email) are modified, these changes will sync to SugarIdentity when the user next logs in to Sugar. If you have configured SCIM for the identity provider (e.g., OneLogin), then the changes will automatically sync to SugarIdentity in real-time.

OIDC Settings

SugarIdentity can be configured to accept OpenID Connect (OIDC) for single sign-on if it is implemented at your organization. When users in your system attempt to log in to Sugar, the application will authenticate them against OIDC. If authentication is successful, the user is granted access to Sugar. If the authentication is unsuccessful, SugarIdentity will then attempt to verify the provided credentials against its own database of valid user names and passwords.

To configure OIDC authentication in SugarIdentity, you must first obtain some key information (e.g., OIDC Server Authentication Endpoint, Client ID, Client Secret). The instructions for doing so with Auth0, Azure, Google, and Okta are covered in the following help articles. Once you have obtained the necessary information, refer to the following steps below to configure OIDC authentication.

• Configuring SSO With Auth0 Using OIDC
• Configuring SSO With Azure Using OIDC
• Configuring SSO With Google Using OIDC
• Configuring SSO With Okta Using OIDC

Use the following steps to configure OIDC authentication in SugarIdentity:

1. Log in to Sugar and navigate to Admin > SugarIdentity.
   Note: For Sugar versions 13.2 and lower, navigate to Admin > SugarCloud Settings. 
2. Click "OIDC Settings" from the home page in SugarIdentity.
   
3. Place a check in the Enable OIDC Authentication box to enable OIDC and reveal the OIDC configuration fields.
4. Enter the appropriate values in the following fields, then click "Save" to commit the changes.
   

   Field	Description
   Provider Name	Enter a custom name that you wish to display in the login button on Sugar's login screen. The login button will display "Log in with [Provider Name]". Note: If this field is left empty, then the login button will display "Log in with OIDC" by default.
   Display Sugar Login as a Button	Enable this checkbox to have the Sugar Login displayed as a button on the login screen where users can enter their Sugar credentials. Note: By default, the Sugar Login displays as a text string on the login screen for users to click and enter their Sugar credentials.
   OIDC Server Authorization Endpoint	Enter the authorization endpoint which is used by the Login Service to obtain authorization from the resource owner via user-agent redirection.
   OIDC Server Token Endpoint	Enter the token endpoint which is used by the Login Service to obtain an access token by presenting its authorization grant or refresh token.
   OIDC Server Userinfo Endpoint	Enter the user info endpoint which is used to obtain the user information from the identity provider (e.g., Okta).
   ClientID	Enter the Client ID obtained from the identity provider (e.g., Okta).
   Client Secret	Enter the Client Secret obtained from the identity provider (e.g., Okta).
   Scopes	Choose the scopes to use during OIDC authentication:  OpenID: Used to obtain the ID token. Profile: Used to read the user's first and last name. Email: Used to read the user's email address. Address: Used to read the user's address. Phone: Used to read the user's phone number. Note: The OpenID, Email, and Profile options are required for OIDC and must be selected.
   Redirect URI	This field is pre-populated by default. The value is required to be entered when configuring the identity provider (e.g., Okta) for OpenID Connect.
   Auto Create Users	Enable this checkbox to automatically create a new Sugar user when a OIDC user logs in to Sugar for the first time. Note: The user will count against the number of licensed user accounts for your Sugar instance.

Once OIDC authentication is configured, when creating new users in SugarIdentity, you will need to enter the user's OIDC user name, which is a unique alphanumeric ID (e.g., User ID) that is defined in the identity provider (e.g., Okta). It is recommended that the Show Full Names option in Admin > System Settings be enabled in your Sugar instance to avoid having the alphanumeric IDs display in Sugar. 

OIDC Attribute Mapping

By default, certain attributes (e.g., first name, last name) from the identity provider (e.g., Okta) will map to the SugarIdentity user fields once you configure the OIDC authentication. Please note that when a new user is created in the identity provider or the OIDC attributes are modified, these changes will sync to SugarIdentity when the user next logs in to Sugar. If you have configured SCIM for the identity provider (e.g., Okta), then the changes will automatically sync to SugarIdentity in real-time.

The following table outlines the general attribute mapping between OIDC and SugarIdentity. Please note that the default attribute mapping varies between the identity providers.

The table below outlines the default attribute mapping between the supported identity providers and SugarIdentity.

Note: The user's address, phone, title, and department attributes do not map between Auth0, Azure, Google and SugarIdentity. You will need to manually enter/update this information when creating the users in SugarIdentity or when these OIDC attributes are modified in the identity provider, if you wish to maintain consistent data.   

SCIM Settings

SugarIdentity supports System for Cross-domain Identity Management (SCIM), which can be configured to allow user identity information (e.g., name, email, phone number) to automatically sync to SugarIdentity in real-time. Please note that the sync behavior will be different depending on whether you have SCIM configured or not as summarized in the table below:

To configure SCIM, you must first obtain the required SCIM credentials (e.g., Server URL, Bearer Token) as follows:

1. Click "SCIM Settings" on the home page in SugarIdentity.
   
2. On the SCIM Settings page, click the Create Client button to generate the "Server URL", "Username", "Password", and "Bearer Token" values.

If, for example, your organization uses SAML and has already configured SAML authentication in SugarIdentity, then you can configure SCIM for real-time data sync. For more information on configuring SCIM when using SAML, refer to the Configuring SCIM for SugarIdentity WIth Okta or Configuring SCIM for SugarIdentity With OneLogin articles. Please note that the SCIM credentials required for configuring SCIM will vary between identity providers (e.g., OneLogin, Okta). For example, when configuring SCIM for OneLogin, you will only need the "Server URL" and "Bearer Token" values.