Auth0 on SuiteCRM 7.14

Trying to get SuiteCRM to work with Auth0. Just want to do a simple login/signup. I created an external OAuth Provider and updated the client ID, client secret, callback URL and endpoints. What is the next step to get this to work?

Where are you at in the documentation?

Hi, thanks for getting back to me. I have looked at these sections in the documentation. It's a little different from what I'm doing. My authentication provider is Auth0 by Okta. This link is more or less what I set up on my provider for SuiteCRM instead of SugarCRM: Configuring SSO With Auth0 Using OIDC - Sugar Support

So if I follow the Microsoft doc I kind of skip down to this part:

*Click on the “External OAuth Providers”, that should take you to the module list view

    • The connector type is Generic instead of Microsoft, but the rest is the same: client ID, secret, callback and endpoints I get from Auth0. Save. Is there anything else that I need to configure for the login to use Auth0 instead? Shouldn't there be a setting that says use this provider instead of standard login?

So I got a little closer but still no go. I set up SAML authentication on my provider and tried to configure it under passwords. I finally got the correct screen to log in, and once I select my email it gives me this funky error:

Possible Cross Site Request Forgery (XSRF) Attack Detected

If you think this is a mistake please ask your administrator to add the following site to the acceptable referer list

You can set the SuiteCRM acceptable referer list by modifying a configuration file.

It’s recommended to involve your SuiteCRM administrator for this change.

Here’s how to set the acceptable referer list:

  1. Your administrator will need to access the base directory of your SuiteCRM installation on the server. This can be done through FTP, SSH, or a control panel file manager.

  2. Locate the file named config_override.php. If it doesn’t exist, you’ll need to create a new blank file with that name.

  3. Open the config_override.php file in a text editor.
    Add the following line to the file:

$sugar_config['http_referer']['list'][] = '';


Make sure this line starts at the beginning of a new line and there are no spaces before or after it.

  4. Save the config_override.php file.

  5. You might need to restart your SuiteCRM instance for the new configuration to take effect. The specific way to restart SuiteCRM will depend on your hosting environment. Your admin should be familiar with this process.

1 Like
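
As an added illustration for the steps above (not part of the original posts and not SuiteCRM's own code): a simplified model of a host-based referer allowlist check, assuming list entries are compared exactly against the host part of the Referer header. The function `refererAllowed` and the hostnames `crm.example.com` and `idp.example.com` are placeholders made up for this example.

```php
<?php
// Added example, not SuiteCRM source: a simplified model of a host-based
// referer allowlist check. All hostnames are constructed placeholders.

/**
 * Returns true when the request's Referer is acceptable.
 * Assumption: entries in $allowList are compared exactly against the
 * host component of the Referer, never against the full URL.
 */
function refererAllowed(?string $referer, string $serverName, array $allowList): bool
{
    if ($referer === null || $referer === '') {
        return true; // assumption: a request without a Referer is not checked
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false; // Referer present but no host could be parsed from it
    }
    if ($host === $serverName) {
        return true; // same-site navigation
    }
    return in_array($host, $allowList, true);
}

// Constructed request: the browser arrives at the CRM from the identity provider.
$serverName = 'crm.example.com';
$referer    = 'https://idp.example.com/login/callback?state=constructed';

// Candidate values for $sugar_config['http_referer']['list'][].
$candidates = [
    'empty string'  => [''],
    'full URL'      => ['https://idp.example.com/'],
    'bare hostname' => ['idp.example.com'],
];

foreach ($candidates as $label => $list) {
    $verdict = refererAllowed($referer, $serverName, $list) ? 'accepted' : 'rejected';
    printf("%-14s %s\n", $label, $verdict);
}
```

Under this model only the bare-hostname entry is accepted, so the value added to the list should be the identity provider's hostname alone and nothing broader.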

Hi Chris, yes I tried that but it logs me out after selecting the email - it's possible I have something misconfigured on Okta. I did set this up on EspoCRM without any issues, but they have OIDC support in the Admin panel - it's similar to SuiteCRM but with a few different params - seems like Suite only supports SAML and not OIDC - am I wrong? The authentication redirect does work but I just can't log in. Wanted to see if SuiteCRM supports OIDC. I have to look at this in more detail - because I have multiple apps set up in Auth0, maybe the crosscripting kicks in - not sure, I'm just guessing at this point. If anybody has had success with Okta - Auth0, please let me know.

Directly, no, there is currently no built-in support for OpenID Connect (OIDC) authentication in SuiteCRM. This means you cannot today directly log in to SuiteCRM using Auth0’s OIDC flow.

However, there are 2 workarounds possibly:

  1. Implement a similar OIDC user interface to SugarCRM, the commercial offering based on the open source SugarCRM 6.5 CE which SuiteCRM is based on. It offers OIDC authentication through its SugarIdentity feature. Configuring SugarIdentity with Auth0’s OIDC allows for Single Sign-On (SSO) functionality. While the specific steps might differ slightly, the general process for SugarCRM might be applicable to SuiteCRM.

Here’s a high-level overview:
a. Create an OIDC application in Auth0 and obtain the necessary credentials like Client ID, Client Secret, and Domain.
b. Configure SugarIdentity (or the equivalent functionality in SuiteCRM) to use these credentials and define the allowed callback URLs.

  2. The EspoCRM implementation of OIDC authentication is open source!

    a. The code for OIDC functionality is included within the main EspoCRM codebase.
    b. There’s an active GitHub issue specifically discussing OIDC authentication in EspoCRM: OIDC authentication · Issue #2455 · espocrm/espocrm · GitHub.
    c. This OpenID Connect login code should be simple to bring over to SuiteCRM.

Thanks Chris for the insights. These are good suggestions. Sugar only supported OIDC later on, I think v12, so I don’t think that code is available as open source (but I could be wrong about that - I haven't looked, just noticed that OIDC is supported in v12+). As for Espo - I just did a quick comparison of the two codebases (Espo and Suite); they are structured very differently, so it would take a bit of work I think. I am going to do a deeper dive into each code base to see which is worth customizing. It looks like Suite 8 has shifted their tech stack significantly but I will take a look.

Suite 8 has a shiny new Angular front end, with back end APIs the same as Suite 7.