
Reconfiguring SAML Authentication Using ACS URL for SugarIdentity

Overview

SugarIdentity can be configured to accept Security Assertion Markup Language (SAML) for single sign-on (SSO) if it is implemented at your organization. For more information on configuring SAML authentication in SugarIdentity, refer to the SugarIdentity Guide. When configuring the SAML authentication for SugarIdentity, you must enter the Assertion Consumer Service URL (ACS URL) in the identity provider. Please note that the URL, which includes your tenant ID, can be obtained from the SAML settings page in SugarIdentity.

Prior to December 1, 2020, the ACS URL that was used to configure the identity provider (e.g., Okta, OneLogin) did not include your tenant ID. For customers who previously configured SAML authentication using this ACS URL, the Assertion Consumer Service URL field on the SAML settings page will display the following URL: https://login-{your_region}.service.sugarcrm.com/saml/acs. 

If the identity provider was configured using this ACS URL, your SAML users will be able to log in from Sugar using SSO, but will not be able to initiate login to Sugar from their Okta, OneLogin, or G Suite dashboard. This article covers how to reconfigure the SAML authentication for SugarIdentity so that your users can initiate login to Sugar from their Okta, OneLogin, or G Suite dashboard.

Prerequisites

  • You must be a Sugar administrator to reconfigure the SAML settings in SugarIdentity.
  • You must have access to an administrator account in the identity provider (e.g., Okta, OneLogin) to update the existing SugarCRM application.

Steps to Complete

If you would like your users to be able to initiate login to Sugar from their Okta, OneLogin, or G Suite dashboard, you will need to reconfigure the SAML authentication in SugarIdentity using the following steps:

  1. Log in to Sugar and navigate to Admin > SugarIdentity.
    Note: For Sugar versions 13.2 and lower, navigate to Admin > SugarCloud Settings.  
  2. Click "SAML Settings" from the home page in SugarIdentity.
    Note: The Assertion Consumer Service URL field on the SAML settings page will show the URL as follows: https://login-{your_region}.service.sugarcrm.com/saml/acs.
  3. Remove the checkmark from the "Enable SAML Authentication" option to disable SAML, then click "Save".
  4. Select the "Enable SAML Authentication" option again to re-enable SAML.
  5. The Assertion Consumer Service URL field will now display the URL as follows: https://login-{your_region}.service.sugarcrm.com/saml/acs/{your_tenant_ID}. Record this URL as it is required to update the identity provider (e.g., Okta, OneLogin). 
  6. Next, navigate to your organization's identity provider account to update the existing SugarCRM application with this ACS URL. Refer to the appropriate article below for information on updating the identity provider with the Assertion Consumer Service URL:
  7. Once you have updated the identity provider with the ACS URL and obtained the Identity Provider metadata file, import the file in SugarIdentity. For more information on importing the file, refer to the SugarIdentity Guide.
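
Before saving the ACS URL in the identity provider in step 6, it can be checked against the two URL shapes shown in this article. The following is an added example, not SugarCRM code; the function name `classify_acs_url`, the characters allowed in the region and tenant ID, and the sample values are assumptions.

```python
import re
from urllib.parse import urlsplit

# Host and path shapes come from the two ACS URLs shown in this article.
# The characters allowed in the region and tenant ID are assumptions.
HOST_RE = re.compile(r"login-[a-z0-9-]+\.service\.sugarcrm\.com")
PATH_RE = re.compile(r"/saml/acs(?:/(?P<tenant>[A-Za-z0-9_-]+))?")


def classify_acs_url(url, expected_tenant=None):
    """Classify the ACS URL entered in the identity provider.

    Returns (status, detail); status is "tenant-scoped", "legacy" or "invalid".
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return "invalid", "scheme must be https"
    # fullmatch on the whole netloc rejects userinfo, ports and look-alike
    # hosts that merely contain or start with the expected name.
    if not HOST_RE.fullmatch(parts.netloc.lower()):
        return "invalid", "host is not login-{region}.service.sugarcrm.com"
    if parts.query or parts.fragment:
        return "invalid", "query string or fragment not expected"
    path = PATH_RE.fullmatch(parts.path)
    if not path:
        return "invalid", "path is not /saml/acs or /saml/acs/{tenant_ID}"
    tenant = path.group("tenant")
    if tenant is None:
        return "legacy", "no tenant ID: dashboard-initiated login will not work"
    if expected_tenant is not None and tenant != expected_tenant:
        return "invalid", "tenant ID differs from the one shown in SugarIdentity"
    return "tenant-scoped", "dashboard-initiated login supported"


if __name__ == "__main__":
    # Constructed sample values; the region and tenant ID are placeholders.
    base = "https://login-example-region.service.sugarcrm.com/saml/acs"
    for candidate in (base, base + "/1234567890", "http" + base[5:],
                      base.replace(".com/", ".com.idp.example/") + "/1234567890"):
        print(candidate, "->", classify_acs_url(candidate, "1234567890"))
```

A "legacy" result corresponds to the pre-December 1, 2020 URL described in the Overview, which still needs the disable and re-enable steps above.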

Application

Once you have completed the SAML configuration in SugarIdentity, going forward, your SAML users will be able to launch their Sugar account from Okta, OneLogin, or G Suite by clicking the SugarCRM app from their dashboard. Their Sugar instance will open in a new browser tab, and the user will be authenticated and automatically logged in. Please note that they can also continue to log in to their Sugar account using single sign-on by navigating to Sugar and entering their SSO credentials.