Best way to authenticate a user without showing the login page

Good morning,

I have this need:
In our external application we would like to integrate an iframe that opens our SuiteCRM at a particular URL (for example a contact detail or account detail), but we would like to log the user into the CRM before showing the iframe, without the user having to enter a username and password manually on the login page.

Our users log in to SuiteCRM using LDAP access.

How can I implement this flow?
Has anyone already had this need?

Thank you in advance,
B.

Any suggestions? :confused:

B.

Have you tried emulating the SuiteCRM login page POST request programmatically? Passing the variables for user and password, and getting the session started without user intervention.

Thank you for the answer. Unfortunately, we don’t have the SuiteCRM password available in our application; we know only the username.
Is it possible to use, for example, an access key or similar and make the login request programmatically (as you suggest, but without username and password parameters)?
I saw in the users table that there is an “authenticate_id” column (but with a null value for all users). Can this column help?

Thank you so much,
B.

How complicated is what you want to show inside the iframe?

Because the correct way to do this would be to access via the API, and get only the data from SuiteCRM, and render the page yourself in your own site…

You’re fighting against the (correct) architecture…

I don’t know about the authenticate_id, I guess you could go look inside the code for this. Other than that, you could use a standard (always the same) user_id/password pair, but I doubt you could make that secure…

In the first instance, I would like to show the detail of a contact/account, but then the user can edit the record and navigate to other instances: for example, if the user is in the account detail, he can visit the contacts of the account, add contacts, etc… Potentially the user can work with the CRM in the iframe as he would with the CRM open in a browser tab.

B.

You can always emulate what the SuiteCRM login process is doing, with your own custom code, your own entrypoint… but I don’t know this process to help you with this task, you’ll have to step through the code and see how it works…

Thank you for your reply.
Thus, the only way to programmatically authenticate a user is through a login request with a plaintext username and password; otherwise build a custom authentication process.
Is that right?

B.

I think so, but I haven’t studied this in depth.

Note that your case is a bit special, wanting a user to navigate the site inside an iframe, instead of using the API…

The “login request with plaintext username and password” can happen with POST parameters (not in the URL) or in an Authorization header, and with HTTPS to encrypt traffic to the server. So that “plaintext” might not be a problem if you take the necessary care.

With some luck, even “building a custom authentication process” won’t be too hard, because you’ll be able to quickly call into the existing functions and reuse all existing code.

Is it possible to use OAuth also outside of API requests?

From what I understand, no, correct?
Thank you
B.

You’re asking beyond my knowledge, I’m afraid I can’t help you very much… I guess the best thing (unless somebody else answers here) is to search the code.

I know there are other ways to login as sometimes I see mentions of terms like SAML, LDAP, etc., but not having any experience with this I am not the best person to advise…

Thank you for your support and your tips.
Hope someone can help me. At the moment, the only way that I see is to create a custom login.
B.

Good morning,
I made my custom Entry Point, which invokes my custom Authentication.
If I call my entry point directly in a browser tab, and then go to SuiteCRM in another tab, everything works correctly.
If I call my entry point from my application, when I open the iframe, it shows me the login page with the message “You have been logged out because your session has expired.” In my application’s console, I have this error: “Blocked autofocusing on a form control in a cross-origin subframe.”
How can I check what is wrong?
I tried to open our SuiteCRM in a new tab from our application, which performed the custom authentication, but I get the same result: it shows me the login page with the message “You have been logged out because your session has expired.”

Thank you for your advice,
B.

Hhmm this is uncharted territory for me.

How did you set up your entry-point, did you register it, and start your code with this?

if (!defined('sugarEntry') || !sugarEntry) {
    die('Not A Valid Entry Point');
}

I am not sure you should do that, I am just asking.

I think you need to see how the SuiteCRM authentication occurs, and which signs of it happen - a php session file in the server, a cookie in the client, perhaps? You should try to emulate that so that SuiteCRM is convinced that you are already authenticated.

Yes, my entry point starts with the code that you wrote.

Have you tried removing that part?

Yes, I did that just now, but I have the same result :frowning_face:

In my entry point, I invoke my custom Authentication and set the variables needed (I follow the sugar authenticate to set the correct variables).

B.

Are you using an IDE like PHPStorm or Eclipse, and have you set up XDEBUG so you can step through the process?

No, I haven’t… I found something:
In network --> request for authentication --> cookies tab, I found that the Request Cookies section is empty and Response Cookies has 2 entries with “PHPSESSID” with different values, and sugar_user_theme. So I think that this is my problem, but I don’t know how to solve this.
B.
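
One way to check the cookie observation above, as an added example that is not code from this thread or from SuiteCRM: it audits a response's Set-Cookie headers for the two conditions that matter when the session must survive inside an iframe. It assumes the external application and SuiteCRM are on different sites; the header values are constructed to mirror the post, and the function names are hypothetical.

```python
# Added example: audit Set-Cookie headers for use inside a cross-site iframe.
# SAMPLE_HEADERS is constructed to mirror the observation in the post above.
SAMPLE_HEADERS = [
    "PHPSESSID=aaa111; path=/",
    "PHPSESSID=bbb222; path=/; HttpOnly",
    "sugar_user_theme=SuiteP; expires=Thu, 01 Jan 2099 00:00:00 GMT; path=/",
]
# Constructed header with the attributes a cross-site iframe session needs.
HARDENED_HEADERS = [
    "PHPSESSID=ccc333; path=/; HttpOnly; Secure; SameSite=None",
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs with lowercase keys)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def audit_for_cross_site_iframe(headers):
    """Return (cookie_name, finding) tuples for one response's Set-Cookie headers."""
    findings, last_value = [], {}
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        # Two different values for one name in a single response: the browser
        # keeps the last, so the session the login populated may be discarded.
        if name in last_value and last_value[name] != value:
            findings.append((name, "duplicate-different-value"))
        last_value[name] = value
        samesite = attrs.get("samesite", "").lower()
        if samesite == "none":
            # Browsers reject SameSite=None cookies that lack Secure.
            if "secure" not in attrs:
                findings.append((name, "samesite-none-without-secure"))
        else:
            # Strict, Lax, or unset (treated as Lax by Chromium-based browsers):
            # the cookie is not sent on requests made from a cross-site iframe.
            findings.append((name, "not-sent-in-cross-site-iframe"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_for_cross_site_iframe(SAMPLE_HEADERS):
        print(f"{name}: {finding}")
```

A session cookie marked SameSite=None is sent on every cross-site request, so the CSRF protections and the list of sites allowed to frame the CRM carry more weight once it is set. Browsers that block third-party cookies outright may still withhold it regardless of these attributes.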

Somebody mentioned a ck_login_id_20 login cookie the other day, have a look around that code:

–> https://github.com/salesagility/SuiteCRM/search?q=ck_login_id_20&unscoped_q=ck_login_id_20

I’m just speculating here, not sure if this is relevant or not