Configuring SSO With Azure Using SAML
Overview
SugarIdentity allows single sign-on authentication using Microsoft Azure and SAML so that it can be integrated with a connected system using a single user ID and password. This article walks through configuring Microsoft Azure to allow external authentication using SAML 2.0 for instances that use SugarIdentity.
If you are using SugarLive in Sugar Serve, you can also set up SSO in SugarLive using SAML 2.0. To do so, you will also need to configure Microsoft Azure as an identity provider for Amazon Web Services (AWS). Refer to this article on the AWS website for details on this setup.
For more information about external authentication methods, refer to the following pages:
Prerequisites
- Your organization must have an active Microsoft Azure account. For information on setting up an Azure account for your organization, refer to their website at https://www.azure.com.
- Your SugarIdentity users should be users in your organization's Azure account.
- You must be familiar with Azure and how to set up the SSO configurations that meet your organization's needs.
- You must be a Sugar administrator to configure the SAML settings in SugarIdentity.
Steps to Complete
The following sections cover how to configure Azure to allow external authentication using SAML 2.0 for Sugar instances that use SugarIdentity.
Adding SAML 2.0 Application in Azure
1. First, log in to Sugar and navigate to Admin > SugarIdentity, then click "SAML Settings" from the home page. Export the XML metadata file from the SAML Settings page. You will need to import this metadata file in step 7 below.
Note: For Sugar versions 13.0 and lower, navigate to Admin > SugarCloud Settings.
2. Next, navigate to https://portal.azure.com/ in your web browser and log in.
3. Select "Enterprise applications" under Azure Services on the home page, then click the "+ New Application" button on the following page.
4. On the Browse Microsoft Entra Gallery page, search for "Microsoft Entra SAML Toolkit" or "SugarCRM" and select the option that appears in the results.
5. In the new pop-up window, enter an application name of your choice (e.g., SugarIdentity SAML), then click the Create button.
6. Next, click the "Single sign-on" option in the left tree menu and select "SAML" as the single sign-on method.
7. Click the "Upload metadata file" button at the top of your new SugarCRM SAML application page to upload the metadata file you exported from SugarIdentity in step 1. After uploading the file, the Basic SAML Configuration form will open.
8. On the Basic SAML Configuration form, enter your Sugar instance URL (e.g., https://mysugarinstance.sugarondemand.com) in the Sign on URL field. Then also update the Identifier (Entity ID) field with your Sugar instance URL. Click "Save".
9. Finally, on the SugarIdentity SAML screen, click the Download link to the right of the Federation Metadata XML field in the SAML Signing Certificate panel.
Note: You will need to import this metadata file when configuring SAML in SugarIdentity.
Importing IdP Metadata File in SugarIdentity
1. In a new browser tab, access SugarIdentity and follow the instructions in the SugarIdentity Guide to import the IdP metadata file you downloaded in step 9 of the section above.
2. Next, enter your Sugar instance URL (e.g., https://mysugarinstance.sugarondemand.com) in the SugarCRM Entity ID field so that it matches the Identifier (Entity ID) field in Azure (step 8 in the section above). Click "Save".
Assigning the SugarCRM App to Azure Users
In order for SugarIdentity users to leverage the Azure login capability with Sugar, you must assign the new SugarCRM SAML app created in the section above to your organization's users in Azure. For information on assigning applications to users in Azure, refer to this article on the Microsoft website.
Mapping Attributes for Azure
If you wish to have attributes from Azure (e.g., First Name, Last Name) map to the SugarIdentity user fields, you will need to set up the attribute mapping in Azure. Once the attribute mapping is configured, any user created in Azure or any change to a user's attributes in Azure is synced to SugarIdentity the next time that user logs in to Sugar. For more information on setting up the attribute mapping, please refer to the Configuring SAML Attribute Mapping for SugarIdentity article.
Application
Once you have configured Azure and completed the SAML configuration in SugarIdentity, any user who is provisioned in SugarIdentity and navigates to Sugar will be redirected to Microsoft Azure's login page to enter their Azure credentials. Once Azure has authenticated the user's credentials, they will be directed back to their Sugar instance and automatically logged in.