
Configuring SSO With OneLogin Using SAML

Overview

SugarIdentity allows single sign-on authentication using OneLogin and SAML so that it can be integrated with a connected system using a single user ID and password. This article walks through configuring OneLogin to allow external authentication using SAML 2.0 for Sugar instances that use SugarIdentity. Please note that you can also configure the SAML integration in OneLogin for Sugar instances that do not use SugarIdentity, but it is not covered in this article.

If you are using SugarLive in Sugar Serve, you can also set up SSO in SugarLive using SAML 2.0. To do so, you will also need to configure OneLogin as an identity provider for Amazon Web Services (AWS). Refer to this knowledge base article on OneLogin's website for details on this setup.

For more information about external authentication methods, refer to the following pages:

Prerequisites

  • Your organization must have an active OneLogin account. For information on setting up a OneLogin account for your organization, please refer to their website at https://www.onelogin.com/.
  • Your SugarIdentity users should be users in your organization's OneLogin account.
  • You must have access to an administrator account in OneLogin in order to complete the steps in this article. 
  • You must be familiar with OneLogin and how to set up the SSO configurations that meet your organization's needs. 
  • You must be a Sugar administrator to configure the SAML settings in SugarIdentity.

Configuring OneLogin With SugarIdentity

The following sections cover how to configure OneLogin to allow external authentication for Sugar instances that use SugarIdentity. 

Creating SAML Integration in OneLogin

Use the following steps to create a new SAML integration for SugarIdentity in OneLogin:

  1. Navigate to https://www.onelogin.com/ in your web browser and log in to your OneLogin administrator account.
  2. Follow the instructions in the Add the SAML Test Connector section of the Use the OneLogin SAML Test Connector article in OneLogin to add a SAML test connector app. For the purpose of this article, we will select "SAML Test Connector (Advanced)" then click "Save".  
    Note: On the SAML applications Info page, you can update the Display Name field to enter an app name of your choice (e.g., SugarCRM Application).
  3. From the new applications page, select "Configuration" from the menu on the left, then complete the following fields:
    Note: Replace {your region} in the URLs below with the Region value obtained from the Tenant Settings page in SugarIdentity. 
    • Relay State: Leave empty
    • Audience: https://login-{your region}.service.sugarcrm.com/saml/metadata
    • Recipient: https://login-{your region}.service.sugarcrm.com/saml/acs
    • ACS (Consumer) URL Validator: https://login-{your region}.service.sugarcrm.com/*
    • ACS (Consumer) URL: Enter the Assertion Consumer Service URL obtained from SugarIdentity.
      Note: If you configured SAML authentication for SugarIdentity before December 1, 2020, and would like your users to be able to initiate login to Sugar from their OneLogin dashboard, please update this field using the steps in the Reconfiguring SAML Authentication Using ACS URL for SugarIdentity article. You will then need to obtain the metadata file mentioned in Step 5 below, import the file, and reconfigure SAML Authentication in SugarIdentity.
    • Single Logout URL: https://login-{your region}.service.sugarcrm.com/saml/logout
      [Screenshot: OneLogin SAML Configuration settings]
  4. Click "Save". 
  5. Now, click the More Actions menu at the top of the page and select "SAML Metadata" to download and save the metadata file to your computer. This file will be needed later when configuring SAML in SugarIdentity. 
    [Screenshot: OneLogin More Actions menu with "SAML Metadata"]
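The values entered in Step 3 are the service-provider side of the trust: the Audience is SugarIdentity's SP entity ID, the Recipient and ACS URL are where OneLogin posts the assertion, and the metadata downloaded in Step 5 carries OneLogin's entity ID, SSO endpoint and signing certificate. The following script is an added example, not SugarCRM's or OneLogin's code: it derives the per-region SugarIdentity URLs from the Region value, pulls the fields SugarIdentity needs out of a OneLogin metadata file, and shows the Destination/Audience/Recipient checks an SP applies to an inbound SAML Response so that an assertion issued for a different tenant is rejected. The metadata and Response are constructed samples; the region name `example-region`, the OneLogin app ID and host names are placeholders, and XML signature verification (which a real SP performs before any of these checks) is out of scope.

```python
"""Added example (not SugarCRM's or OneLogin's code): build the SugarIdentity SP
values from Step 3, read a OneLogin IdP metadata download (Step 5), and check an
inbound SAML Response against them. All sample XML below is constructed."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def sugar_identity_endpoints(region: str) -> dict:
    """The SugarIdentity URLs entered on the OneLogin Configuration tab (Step 3)."""
    base = f"https://login-{region}.service.sugarcrm.com"
    return {
        "audience": f"{base}/saml/metadata",      # SP entity ID
        "recipient": f"{base}/saml/acs",          # Assertion Consumer Service
        "acs_validator": f"{base}/*",             # prefix pattern, not an exact URL
        "single_logout": f"{base}/saml/logout",
    }


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, SSO/SLO endpoints and signing certificate from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find(f"md:SingleSignOnService[@Binding='{HTTP_REDIRECT}']", NS)
    slo = idp.find(f"md:SingleLogoutService[@Binding='{HTTP_REDIRECT}']", NS)
    cert = idp.find(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso.get("Location"),
        "slo_url": slo.get("Location") if slo is not None else None,
        "signing_cert_b64": "".join(cert.text.split()),  # drop PEM line breaks
    }


def check_response(xml_text: str, idp: dict, sp: dict) -> list:
    """Return every mismatch between a Response and what this SP expects.
    Signature verification is out of scope; a real SP does it before any of this."""
    problems = []
    resp = ET.fromstring(xml_text)
    if resp.get("Destination") != sp["recipient"]:
        problems.append(f"Destination {resp.get('Destination')!r} is not the ACS URL")
    issuer = resp.findtext("saml:Issuer", namespaces=NS)
    if issuer != idp["entity_id"]:
        problems.append(f"Issuer {issuer!r} does not match the metadata entityID")
    assertion = resp.find("saml:Assertion", NS)
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != sp["audience"]:
        problems.append(f"Audience {audience!r} is not this SP's entity ID")
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != sp["recipient"]:
        problems.append("SubjectConfirmationData Recipient is not the ACS URL")
    return problems


SP = sugar_identity_endpoints("example-region")  # placeholder region value
# Constructed OneLogin-style metadata; the app ID, host and certificate are fake.
SAMPLE_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="https://app.onelogin.com/saml/metadata/EXAMPLE-APP-ID">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC-CONSTRUCTED-NOT-A-REAL-CERT</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://example-org.onelogin.com/trust/saml2/http-redirect/sso/EXAMPLE"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""
# Constructed, unsigned Response addressed to the placeholder region's SP.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-01-01T00:00:00Z"
  Destination="https://login-example-region.service.sugarcrm.com/saml/acs">
 <saml:Issuer>https://app.onelogin.com/saml/metadata/EXAMPLE-APP-ID</saml:Issuer>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Subject><saml:NameID>user@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData
     Recipient="https://login-example-region.service.sugarcrm.com/saml/acs"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>https://login-example-region.service.sugarcrm.com/saml/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("OneLogin SSO URL:", idp["sso_url"])
    print("matching response problems:", check_response(SAMPLE_RESPONSE, idp, SP))
    # An assertion minted for another tenant's region must be rejected on every check.
    other = SAMPLE_RESPONSE.replace("login-example-region", "login-other-region")
    print("other-tenant response problems:", check_response(other, idp, SP))
```

Run it as-is to see the matching Response pass and the other-tenant Response fail on Destination, Audience and Recipient. Against a real OneLogin metadata download, `parse_idp_metadata` gives you the entity ID and signing certificate to compare with what SugarIdentity shows after the import, which is a quick way to confirm the right app's metadata was uploaded.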

Mapping Attributes for OneLogin

If you wish to have the attributes (e.g., phone) from OneLogin map to the SugarIdentity user fields, you will need to set up the attribute mapping in OneLogin. Once the attribute mapping is configured, going forward, when a new OneLogin user is created or the user's attributes are modified in OneLogin, these changes will sync to SugarIdentity when the user logs in to Sugar. If you have configured SCIM for OneLogin, then the changes will automatically sync to SugarIdentity in real-time. For more information on setting up the attribute mapping, please refer to the Configuring SAML Attribute Mapping for SugarIdentity article.

Assigning the SugarCRM App to OneLogin Users

In order for SugarIdentity users to leverage OneLogin's login capability with Sugar, you must assign the SugarCRM app from the section above to your organization's users in OneLogin. For information on assigning applications to users in OneLogin, please refer to the Assigning Apps to Users article in OneLogin.

Once you have assigned the app to OneLogin users, you can then configure SAML authentication in SugarIdentity.

Application

Once you have configured OneLogin and completed the SAML configuration in SugarIdentity, going forward, when a user navigates to Sugar they will be redirected to OneLogin's login page to enter their OneLogin credentials. Once the user's login credentials are authenticated in OneLogin, they will be directed back to their Sugar instance and be automatically logged in. The user can also launch their Sugar account from OneLogin by clicking the SugarCRM app from their dashboard. Their Sugar instance will open in a new browser tab, and the user will be authenticated and automatically logged in.