Menu
Welcome, Guest
Username: Password: Remember me

TOPIC: SuiteCRM SAML configuration

SuiteCRM SAML configuration 3 months 3 weeks ago #84666

  • hakkih1
  • hakkih1's Avatar
  • Offline
  • New Member
  • Posts: 3
  • Thank you received: 1
  • Karma: 0
We are trying to have the SAML configured to our SuiteCRM application. The support team requested us with the below URLs for the Azure configuration.

Login URL: https://*******.com/index.php?action=Login&module=Users
Reply URL: https://*******.com/index.php?module=Home&action=index

After setting up in Azure, Login URL, SLO URL and X509 certificate was setup in the SuiteCRM application.

When we are trying to login the page just goes blank, If anyone here can help us understand where we are going wrong or any detailed document would be helpful.

SuiteCRM Version: 7.10.7
The administrator has disabled public write access.

SuiteCRM SAML configuration 3 months 3 weeks ago #84792

  • pgr
  • pgr's Avatar
  • Offline
  • Administrator
  • Posts: 10932
  • Thank you received: 1635
  • Karma: 371
Blank pages are usually accompanied by PHP FATAL errors on one of your logs.

I would also recommend an upgrade to the latest 7.10.x, there are many bugs fixed since your version.

My SuiteCRM In-depth blog.
Thank you for always stating your SuiteCRM version, checking your logs, reading the Docs, and searching before you ask!
The administrator has disabled public write access.

SuiteCRM SAML configuration 3 months 2 weeks ago #85235

  • hakkih1
  • hakkih1's Avatar
  • Offline
  • New Member
  • Posts: 3
  • Thank you received: 1
  • Karma: 0
We tried to setup in our test environment which is on version 7.10.11. Its connecting to the Microsoft Signon page, once the Sign in is done the below error is showing.

AADSTS700016: Application with identifier 'https://********/suitecrm/index.php?action=Login&module=Users' was not found in the directory '34ddb339-7fd0-4f00-*****************'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.

I do not see any errors on the suitecrm.log. I will post here if I see any errors in php_error.log.

Please let us know if I need to verify something. Do you see any issue with the Login and Reply URL which was posted above.
The administrator has disabled public write access.

SuiteCRM SAML configuration 3 months 2 weeks ago #85273

  • pgr
  • pgr's Avatar
  • Offline
  • Administrator
  • Posts: 10932
  • Thank you received: 1635
  • Karma: 371
This looks like something peculiar to your web server / security configurations... I am afraid I never saw a problem like this, I am a bit lost on how to help you... :unsure:

My SuiteCRM In-depth blog.
Thank you for always stating your SuiteCRM version, checking your logs, reading the Docs, and searching before you ask!
The administrator has disabled public write access.

SuiteCRM SAML configuration 3 months 1 week ago #85660

  • TLi
  • TLi's Avatar
  • Offline
  • New Member
  • Posts: 8
  • Thank you received: 1
  • Karma: 0
I've spent a while now trying to get this to work and encountered the same error message. For us, it was a result of a small difference between Azure's Entity ID and the identifier sent by SuiteCRM (crm.example.com:443/... in config.php vs. crm.example.com/... in Azure AD). Since SuiteCRM seems to create and send identifier based on the configured site_url and Azure AD is sensitive with the input, I got rid of this error by omiting port from site_url in SuiteCRM's config.php.

I'm still stuck on an eternal login loop though, so I assume some data on Azure's end is still incomplete.
Using and tweaking SuiteCRM since 2015.
Last Edit: 3 months 1 week ago by TLi. Reason: Fixed a typo
The administrator has disabled public write access.

SuiteCRM SAML configuration 3 months 1 week ago #85662

  • hakkih1
  • hakkih1's Avatar
  • Offline
  • New Member
  • Posts: 3
  • Thank you received: 1
  • Karma: 0
We have made the ACS URL and entity ID the same in Azure configurations and it started working there are no other changes done.

ACS URL: https://********/suitecrm/index.php?action=Login&module=Users
Entity ID: https://********/suitecrm/index.php?action=Login&module=Users
The administrator has disabled public write access.
The following user(s) said Thank You: pgr

SuiteCRM SAML configuration 1 month 17 hours ago #88393

  • griemser
  • griemser's Avatar
  • Offline
  • Junior Member
  • Posts: 24
  • Thank you received: 1
  • Karma: 0
hi hakkih1,
could you please describe how you set up azure/ad/suitecrm?

I'm trying to get it work for a while now and I'm stuck. We're getting the microsoft login-page, but are redirected to the regular login or get trapped in a never ending loading screen.

your help would be much appreciated!
The administrator has disabled public write access.

SuiteCRM SAML configuration 1 week 2 days ago #89233

  • boris.yakimov
  • boris.yakimov's Avatar
  • Offline
  • New Member
  • Posts: 2
  • Karma: 0
Hello,

I am hitting the same issue with the latest version that has a Docker image - 7.11.8. I am running SuiteCRM in Kubernetes using the Helm chart and Docker images from Bitnami. SuiteCRM runs fine until I enable SAML and put login/logout URLs and Certificate generate from a Keycloak SAML client.

When I re-open SuiteCRM I get a blank page(see the screenshot attached). In the suitecrm.log file I get these errors showing every few seconds when SAML is enabled :
Wed Sep 11 07:17:32 2019 [149][-none-][FATAL] Exception handling in /bitnami/suitecrm/include/MVC/Controller/SugarController.php:400
Wed Sep 11 07:17:32 2019 [149][-none-][FATAL] Exception in Controller: Invalid array settings: sp_acs_url_invalid, sp_sls_url_invalid
Wed Sep 11 07:17:32 2019 [149][-none-][FATAL] backtrace:
#0 /bitnami/suitecrm/vendor/onelogin/php-saml/src/Saml2/Auth.php(177): OneLogin\Saml2\Settings->__construct(Array)
#1 /bitnami/suitecrm/modules/Users/authentication/SAML2Authenticate/SAML2Authenticate.php(74): OneLogin\Saml2\Auth->__construct(Array)
#2 /bitnami/suitecrm/modules/Users/Login.php(46): SAML2Authenticate->pre_login()
#3 /bitnami/suitecrm/include/MVC/View/SugarView.php(834): include_once('/bitnami/suitec...')
#4 /bitnami/suitecrm/include/MVC/View/views/view.classic.php(72): SugarView->includeClassicFile('modules/Users/L...')
#5 /bitnami/suitecrm/include/MVC/View/SugarView.php(226): ViewClassic->display()
#6 /bitnami/suitecrm/include/MVC/Controller/SugarController.php(435): SugarView->process()
#7 /bitnami/suitecrm/include/MVC/Controller/SugarController.php(375): SugarController->processView()
#8 /bitnami/suitecrm/include/MVC/SugarApplication.php(113): SugarController->execute()
#9 /bitnami/suitecrm/index.php(52): SugarApplication->execute()
#10 {main}

Nothing shows in Keycloak logs, so I don't think it reaches it at all.
Attachments:
The administrator has disabled public write access.

SuiteCRM SAML configuration 2 days 18 hours ago #89478

  • MadMart
  • MadMart's Avatar
  • Offline
  • Senior Member
  • Posts: 49
  • Thank you received: 18
  • Karma: 2
from what I understand the SAML2Authentication code in SuiteCRM depends on a non-working version of onelogin or it is just broken

I have updated onelogin and made some changes in my companies instance and SAML works for us via G-Suite

please find attached a zip file with the aforementioned changes.

replace the SAML2Authenticate folder which can be found at
<suitecrm_dir>/modules/Users/authentication/SAML2Authenticate

known to work on SuiteCRM versions
7.10.*
7.11.*
Attachments:
The administrator has disabled public write access.

SuiteCRM SAML configuration 2 days 17 hours ago #89483

  • pgr
  • pgr's Avatar
  • Offline
  • Administrator
  • Posts: 10932
  • Thank you received: 1635
  • Karma: 371
@madmart could you please provide those changes on Github? Or at least an Issue, explaining what is necessary.

Thanks

My SuiteCRM In-depth blog.
Thank you for always stating your SuiteCRM version, checking your logs, reading the Docs, and searching before you ask!
The administrator has disabled public write access.

SuiteCRM SAML configuration 2 days 16 hours ago #89485

  • MadMart
  • MadMart's Avatar
  • Offline
  • Senior Member
  • Posts: 49
  • Thank you received: 18
  • Karma: 2
@pgr it was sometime last year when I worked on it so I don't remember the exact nature of the issue but
we recently upgraded our instance to 7.11.5 which reverted my changes and caused SSO to keep looping back to the login prompt for google so I assume there is a problem still.

I'll have a look at my code and the differences to a fresh install and write something up
Last Edit: 2 days 16 hours ago by MadMart. Reason: missed out a word
The administrator has disabled public write access.
The following user(s) said Thank You: pgr

SuiteCRM SAML configuration 2 days 16 hours ago #89487

  • TLi
  • TLi's Avatar
  • Offline
  • New Member
  • Posts: 8
  • Thank you received: 1
  • Karma: 0
We got SAML authentication using Azure AD working some time after my last post. I can't remember what exactly was the problem and how did I get it working (I think in the end it was some stupid mistake on my part). It did require a fair bit of trial-and-error, but I didn't need to change any line of the code.
Using and tweaking SuiteCRM since 2015.
The administrator has disabled public write access.

SuiteCRM SAML configuration 2 days 15 hours ago #89493

  • MadMart
  • MadMart's Avatar
  • Offline
  • Senior Member
  • Posts: 49
  • Thank you received: 18
  • Karma: 2
Just finished reviewing the two folders. and it turns out that onelogin has been updated since last year to the same version I am using
not sure what happened during the upgrade the other day but at this point the folder I sent in isn't necessary
The administrator has disabled public write access.

SuiteCRM SAML configuration 2 days 13 hours ago #89506

  • pgr
  • pgr's Avatar
  • Offline
  • Administrator
  • Posts: 10932
  • Thank you received: 1635
  • Karma: 371
Maybe what happened was this

github.com/salesagility/SuiteCRM/pull/7574

or that you ran a "composer install --no-dev" and it updated the software for you...

anyway I'm glad it's up to date now.

My SuiteCRM In-depth blog.
Thank you for always stating your SuiteCRM version, checking your logs, reading the Docs, and searching before you ask!
The administrator has disabled public write access.
Time to create page: 0.047 seconds
Powered by Kunena Forum