Entra ID integration with SuiteCRM 8

Good Day,

I would like to integrate MS Entra ID with SuiteCRM for SSO. Please provide some links / documentation on how to do this.

Thanks!

Hello @jomelp

While a direct integration between Entra ID (formerly Azure AD) and SuiteCRM 8 for Single Sign-On (SSO) isn’t available, here are two effective approaches to achieve similar functionality:

1. SAML 2.0 Integration:

  • SuiteCRM 8 supports SAML 2.0 for SSO, and Entra ID also offers SAML connectivity. Follow these steps:

SuiteCRM Configuration:

  • Refer to the module’s documentation for SAML setup, including defining Identity Provider (IdP) details like Entity ID and Single Sign-On URL (obtain these from your Entra ID tenant settings).

Entra ID Configuration:

  • In your Entra ID tenant, navigate to “Enterprise Applications” and create a new application for SuiteCRM.

  • Select “SAML 2.0” as the sign-on method and configure settings based on SuiteCRM’s SAML configuration (Entity ID, SSO URL, etc.).

  • Provide SuiteCRM with the necessary SAML attributes (e.g., username) for user identification.

2. Third-Party Integration Tool:

  • Several tools simplify integrating applications with SSO providers like Entra ID. These tools often offer pre-built connectors for both SuiteCRM and Entra ID:
  • OneLogin: Easy configuration and SSO setup with pre-built connectors.
  • Ping Identity: Integrates various applications, including SuiteCRM and Entra ID, with SSO capabilities.
  • Okta: Streamlined integration with pre-built connectors for SuiteCRM and Entra ID.

Resources:

  1. SuiteCRM SAML Authentication Module Documentation
  2. Entra ID SAML 2.0 Documentation
  3. OneLogin SuiteCRM Connector
  4. Ping Identity SuiteCRM Integration
  5. Okta SuiteCRM Integration

I hope this comprehensive response assists you in achieving SSO between Entra ID and SuiteCRM 8!

Thank you.

Hi @chirag_biz309 ,

I can’t find the “SAML Authentication” module in the official SuiteCRM store.

Hello @jomelp

Please check How to enable SAML authentication, no need to install or find SAML Authentication in the official SuiteCRM store.

I hope this helps!

Thanks.

Hi. I also have the same issue. I looked at the documentation you provided, but it seems I’m missing some configuration.

Would anyone know what this error log means? Somehow I’m confused as to where the YAML files should be located or how to configure the IdP and SP settings.

[2024-02-05 07:00:42] request.CRITICAL: Uncaught PHP Exception OneLogin\Saml2\Error: "Invalid array settings: sp_acs_url_invalid, sp_sls_url_invalid, idp_sso_url_invalid, idp_slo_url_invalid, idp_cert_or_fingerprint_not_found_and_required" at /bitnami/suitecrm/vendor/onelogin/php-saml/src/Saml2/Settings.php line 149 {"exception":"[object] (OneLogin\\Saml2\\Error(code: 2): Invalid array settings: sp_acs_url_invalid, sp_sls_url_invalid, idp_sso_url_invalid, idp_slo_url_invalid, idp_cert_or_fingerprint_not_found_and_required at /bitnami/suitecrm/vendor/onelogin/php-saml/src/Saml2/Settings.php:149)"} []

Hello @Aftershow76,

Perhaps this topic will be helpful for your issue.

Let me know, if you’ve any concerns.

Thanks.

Thank you. That helped a lot. Would you know what might be missing? When I try to clear the cache, it displays an error regarding security.firewalls.

In PrototypedArrayNode.php line 288:

You are not allowed to define new elements for path “security.firewalls”. Please define all elements for this path in one config file.

Here are the contents of security.yaml based on the topic you provided.

security:
    # …

    providers:
        saml_provider:
            # Basic provider instantiates a user with default roles
            saml:
                user_class: 'AppBundle\Entity\User'
                default_roles: ['ROLE_USER']

    firewalls:
        app:
            pattern: ^/
            saml:
                # Match SAML attribute 'uid' with username.
                # Uses getNameId() method by default.
                username_attribute: uid
                # Use the attribute's friendlyName instead of the name
                use_attribute_friendly_name: true
                check_path: saml_acs
                login_path: saml_login
            logout:
                path: saml_logout

    access_control:
        - { path: ^/saml/login, roles: PUBLIC_ACCESS }
        - { path: ^/saml/metadata, roles: PUBLIC_ACCESS }
        - { path: ^/, roles: ROLE_USER }

Hello @Aftershow76

Let’s break down the issues and provide comprehensive solutions:

Understanding the “Invalid array settings” Error:

  • This error indicates missing or incorrect values in your SAML configuration, specifically related to Entra ID integration. Key missing settings include:
  1. sp_acs_url: URL for Entra ID to send authentication responses (Assertion Consumer Service).
  2. sp_sls_url: URL for Single Logout Service in SuiteCRM (typically /saml/logout ).
  3. idp_sso_url: URL for Entra ID’s Single Sign-On endpoint.
  4. idp_slo_url: URL for Entra ID’s Single Logout endpoint.
  5. idp_cert_or_fingerprint: Entra ID’s signing certificate (entire certificate or its SHA-256 fingerprint).

Resolving the “security.firewalls” Conflict:

  • The separate “security.firewalls” error you mentioned suggests a conflict in defining firewall configurations. To address this:

1. Consolidate Firewall Configuration:

  • Locate all configuration files containing definitions for “security.firewalls.”
  • Merge those definitions into a single file, typically config/packages/security.yaml .
  • Ensure no duplicate definitions exist.

2. Clear Cache and Regenerate Configurations:

  • After consolidation, clear the cache using:
  • bin/console cache:clear --no-warmup
  • If applicable, regenerate security-related configurations according to SuiteCRM or Symfony directives.

By following these steps and carefully verifying your configuration, you should be able to successfully resolve the errors and establish a seamless Entra ID integration for your SuiteCRM 8 users.

I hope this helps!

Thanks.
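Editor's note with a worked example (added here; not code from SuiteCRM, Symfony, OneLogin or any poster in this thread). It ties together the SAML setup steps in the first answer and the five error codes explained in the answer just above. Two practical points the thread leaves implicit: first, every one of those values can be read out of the tenant's federation metadata document (the "App Federation Metadata Url" shown under the SAML certificates section of the Entra ID enterprise app) rather than typed by hand, which is also how you pick up a rotated signing certificate; second, php-saml validates the SP and IdP URLs with PHP's FILTER_VALIDATE_URL, which rejects relative route paths, so a value like /saml/acs produces exactly the "*_url_invalid" codes seen in the log, and the values must be absolute https URLs. The script parses a constructed metadata sample (tenant id zeroed, certificate replaced by placeholder bytes), reproduces php-saml's checks, computes the certificate fingerprint the way php-saml does, and renders the idp/sp keys in the format of hslavich/OneloginSamlBundle, the bundle whose security.yaml keys appear earlier in this thread. The crm.example.com SP URLs are assumptions; where SuiteCRM 8 expects that YAML is covered by the "How to enable SAML authentication" doc mentioned above, not decided here.

```python
"""Extract the IdP values php-saml needs from an Entra ID federation-metadata
document, validate them like php-saml's Settings class, and render the
hslavich/OneloginSamlBundle idp:/sp: keys.  Added example for this thread,
not SuiteCRM / OneLogin code.  Hostnames, tenant id and cert are placeholders.
"""
import base64
import hashlib
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like Entra ID's federationmetadata.xml.  The
# X509Certificate content is NOT a real certificate, only placeholder bytes.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          MIIBcGxhY2Vob2xkZXI=
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# SP side: assumed host; the paths are the bundle routes behind saml_acs /
# saml_logout / saml_metadata in the security.yaml posted earlier in the thread.
SAMPLE_SP = {
    "entityId": "https://crm.example.com/saml/metadata",
    "acs_url": "https://crm.example.com/saml/acs",
    "sls_url": "https://crm.example.com/saml/logout",
}


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entityId, Redirect-binding SSO/SLO URLs and the signing cert (base64 DER)."""
    root = ET.fromstring(xml_text)
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def endpoint(tag: str, binding: str):
        for el in idp.findall(MD + tag):
            if el.get("Binding") == binding:
                return el.get("Location")
        return None

    cert = None
    for kd in idp.findall(MD + "KeyDescriptor"):
        # A KeyDescriptor with no 'use' attribute is valid for signing too.
        if kd.get("use", "signing") != "signing":
            continue
        el = kd.find(DS + "KeyInfo/" + DS + "X509Data/" + DS + "X509Certificate")
        if el is not None and el.text:
            cert = "".join(el.text.split())  # drop PEM-style line wrapping
            break
    return {"entityId": root.get("entityID"),
            "sso_url": endpoint("SingleSignOnService", HTTP_REDIRECT),
            "slo_url": endpoint("SingleLogoutService", HTTP_REDIRECT),
            "x509cert": cert}


def cert_fingerprint(cert_b64: str, alg: str = "sha256") -> str:
    """Digest of the DER bytes as lowercase hex, the form php-saml compares
    against idp.certFingerprint (set certFingerprintAlgorithm to match)."""
    return hashlib.new(alg, base64.b64decode(cert_b64)).hexdigest()


def _absolute_url(value) -> bool:
    # Approximates PHP's FILTER_VALIDATE_URL: scheme and host are mandatory,
    # so a bare route path such as '/saml/acs' fails here as it does in php-saml.
    if not value:
        return False
    p = urlparse(value)
    return p.scheme in ("http", "https") and bool(p.netloc)


def check_settings(idp: dict, sp: dict) -> list:
    """Reproduce the codes in the thread's 'Invalid array settings' message.
    php-saml reports *_not_found for an empty value and *_url_invalid for a
    value that is present but not an absolute URL; SLO endpoints are optional
    and only checked when supplied."""
    errors = []
    if not sp.get("entityId"):
        errors.append("sp_entityId_not_found")
    if not sp.get("acs_url"):
        errors.append("sp_acs_not_found")
    elif not _absolute_url(sp["acs_url"]):
        errors.append("sp_acs_url_invalid")
    if sp.get("sls_url") and not _absolute_url(sp["sls_url"]):
        errors.append("sp_sls_url_invalid")
    if not idp.get("sso_url"):
        errors.append("idp_sso_not_found")
    elif not _absolute_url(idp["sso_url"]):
        errors.append("idp_sso_url_invalid")
    if idp.get("slo_url") and not _absolute_url(idp["slo_url"]):
        errors.append("idp_slo_url_invalid")
    if not (idp.get("x509cert") or idp.get("certFingerprint")):
        errors.append("idp_cert_or_fingerprint_not_found_and_required")
    return errors


def render_bundle_yaml(idp: dict, sp: dict) -> str:
    """hslavich/OneloginSamlBundle key layout (the bundle behind the thread's
    'saml:' firewall); strict mode and signed assertions kept on."""
    return "\n".join([
        "hslavich_onelogin_saml:",
        "  idp:",
        f"    entityId: '{idp['entityId']}'",
        "    singleSignOnService:",
        f"      url: '{idp['sso_url']}'",
        f"      binding: '{HTTP_REDIRECT}'",
        "    singleLogoutService:",
        f"      url: '{idp.get('slo_url') or ''}'",
        f"      binding: '{HTTP_REDIRECT}'",
        f"    x509cert: '{idp['x509cert']}'",
        "  sp:",
        f"    entityId: '{sp['entityId']}'",
        "    assertionConsumerService:",
        f"      url: '{sp['acs_url']}'",
        f"      binding: '{HTTP_POST}'",
        "    singleLogoutService:",
        f"      url: '{sp.get('sls_url') or ''}'",
        f"      binding: '{HTTP_REDIRECT}'",
        "  strict: true          # reject responses with bad Destination/Audience/signature",
        "  security:",
        "    wantAssertionsSigned: true   # Entra ID signs the assertion by default",
    ])


def build_config(xml_text: str = SAMPLE_IDP_METADATA, sp: dict = SAMPLE_SP) -> tuple:
    """Parse, validate, render.  Raises the same wording php-saml uses on failure."""
    idp = parse_idp_metadata(xml_text)
    errors = check_settings(idp, sp)
    if errors:
        raise ValueError("Invalid array settings: " + ", ".join(errors))
    return idp, render_bundle_yaml(idp, sp)


if __name__ == "__main__":
    idp_values, yaml_text = build_config()
    print(yaml_text)
    print("# sha256 fingerprint of idp cert:", cert_fingerprint(idp_values["x509cert"]))
```

Run it against the real metadata document of your tenant (download it, pass its text to build_config) and compare the rendered idp values with what is in your YAML; if check_settings on your own sp values returns anything, that list is the same one the exception in the log will print. The x509cert from metadata is the IdP signing certificate, so keep wantAssertionsSigned true; a certificate rotation in Entra ID changes this value and must be re-applied here.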

Every time I do the bin/console cache:clear --no-warmup, the CRM server login page is inaccessible and throws a server error 500.

When I copy back the backup of the cache folder, the page loads properly.

Is there any other way to load Symfony changes aside from clearing the cache?

SAML still doesn’t work. I do not see any logs on saml on prod.log or crm.log

Hello @pgr and @rsp,

Could you kindly assist with this matter?

Sorry, I don’t have any idea about it

Me neither… :man_shrugging:

I never used SAML