Keycloak Integration with New SuiteCRM 8.8.0 Install

Currently set up a fresh new install on Alma Linux 9.5 with apache 2.4, mariadb 11.x, and php-fpm 8.3.x. I’ve been trying to piece together how to get the SAML authentication working with my Keycloak server. Everything works otherwise. Here are the values I’ve put together:

.env.local:

# SAML
AUTH_TYPE=saml
SAML_AUTO_CREATE=enabled

## Mapping direction: SAML => SuiteCRM User
SAML_AUTOCREATE_ATTRIBUTES_MAP='
    {
        "email": "email1",
        "family name": "last_name",
        "given name": "first_name"
    }
'

###> SAML CONFIG ###
SAML_USERNAME_ATTRIBUTE=username
SAML_USE_ATTRIBUTE_FRIENDLY_NAME=true

# Connection options
SAML_IDP_ENTITY_ID='https://sso.domain.com/realms/realm'
SAML_IDP_SSO_URL='https://sso.domain.com/realms/realm/protocol/saml'
SAML_IDP_SLO_URL='https://sso.domain.com/realms/realm/protocol/saml'
SAML_IDP_X509CERT='MIIC...'

SAML_SP_PRIVATE_KEY='MHcC...=='
SAML_SP_CERT='/etc/ssl/certs/cert.crt'

# Request options
SAML_AUTHN_REQUESTS_SIGNED=true
SAML_LOGOUT_REQUEST_SIGNED=true
SAML_WANT_ASSERTIONS_SIGNED=true

# Compression
SAML_COMPRESS_REQUESTS=true
SAML_COMPRESS_RESPONSES=true

###< SAML CONFIG ###

Domain and realm are, of course, obfuscated. I’ve chopped out the certs as well.

Keycloak config:

All URLs: https://crm.domain.com/
Standard Flow and Direct Access Grants checked.

When I go to run this config, I get a SuiteCRM HTTP 500 error page. I don’t see any errors in the httpd, php-fpm, main SuiteCRM and public/legacy logs. I even enabled php.ini display_error=on. I’m really not sure where to go from here. Can anyone give me some direction? Thanks in advance!

I’m just adding more as I find things out. I’m actively debugging what I can right now. I’ve looked at my ./logs/prod/prod.log and I’m seeing this error now with the HTTP 500 screen:

request.CRITICAL: Uncaught PHP Exception Exception: “Failure Signing Data: error:1E08010C:DECODER routines::unsupported - SHA256” at XMLSecurityKey.php line 564 {“exception”:“[object] (Exception(code: 0): Failure Signing Data: error:1E08010C:DECODER routines::unsupported - SHA256 at /var/www/html/suitecrm/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php:564)”}

Perhaps it’s because I’m using my SSL cert from Apache for the site, per my comment above? It looks like the private key isn’t RSA - hence why it doesn’t start with “MIIE”.

I recreated my SSL cert for Apache using RSA-2048 and it looks like progress? I am now getting an error on my Keycloak:

“Invalid Request”

No error log entries on the SuiteCRM side yet.

I should ask this question for clarity as well:

Where should I be getting these values from? There is nothing in the documentation on SuiteCRM that says the SAML_SP_PRIVATE_KEY and SAML_SP_CERT are just the valid SSL cert I use with Apache. Is there another source I should be managing these from? Could someone provide some documentation?

In this day and age, you’d think SuiteCRM would have proper and well-documented SAML and OIDC support. A bit disappointing…

I have no idea, but the info below may be useful:

If you’re using Apache’s SSL cert, you can extract the public part (the certificate) and use that as the SAML_SP_CERT. However, typically the SAML cert should be a separate cert generated specifically for SAML exchanges, not your web server’s SSL cert.
To generate a new SAML certificate for SuiteCRM:

openssl req -newkey rsa:2048 -nodes -keyout saml-key.pem -out saml-csr.pem
openssl x509 -req -days 3650 -in saml-csr.pem -signkey saml-key.pem -out saml-cert.pem
  • The saml-cert.pem will be used as the SAML_SP_CERT.
  • The saml-key.pem will be used as SAML_SP_PRIVATE_KEY.

“Invalid Request” on Keycloak Side
Ensure that the SAML_IDP_ENTITY_ID and SAML_IDP_SSO_URL in your .env.local file match the correct URLs from Keycloak. It will be something like:

https://sso.domain.com/realms/realm

The SAML_IDP_SSO_URL would be:

https://sso.domain.com/realms/realm/protocol/saml
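The "Failure Signing Data" error and the "MHcC" vs "MIIE" observation earlier in the thread both come down to what kind of key sits in SAML_SP_PRIVATE_KEY. As an added example (not code from SuiteCRM, xmlseclibs or either poster), this script classifies a key from its DER structure alone, so the check runs offline without openssl; it assumes the value is base64 DER as the thread's 'MHcC...==' suggests, with or without PEM armour.

```python
import base64

# Added example, not SuiteCRM code: classify the key behind SAML_SP_PRIVATE_KEY
# from its DER layout (PKCS#8, SEC1 EC or PKCS#1 RSA) without calling openssl.
OID_NAMES = {"1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.10045.2.1": "id-ecPublicKey"}

def tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def oid_str(value):
    """Decode OID content bytes to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def key_kind(value):
    """Classify a SAML_SP_PRIVATE_KEY value (base64 DER; PEM armour optional)."""
    body = "".join(l.strip() for l in value.splitlines() if not l.startswith("-----"))
    tag, seq, _ = tlv(base64.b64decode(body), 0)
    if tag != 0x30:
        return "not a DER SEQUENCE"
    vtag, version, pos = tlv(seq, 0)
    ntag, nval, _ = tlv(seq, pos)
    if ntag == 0x30:  # PKCS#8: version, AlgorithmIdentifier, OCTET STRING
        return "PKCS#8 " + OID_NAMES.get(oid_str(tlv(nval, 0)[1]), "unknown algorithm")
    if version == b"\x01" and ntag == 0x04:  # SEC1 ECPrivateKey: version 1, then scalar
        return "SEC1 EC"
    if version == b"\x00" and ntag == 0x02:  # PKCS#1 RSAPrivateKey: version 0, then modulus
        return "PKCS#1 RSA"
    return "unrecognised"

def der(tag, content):
    """Tiny DER encoder (short or 2-byte long length), only for the samples below."""
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + content

# Constructed samples with zeroed key material (not usable keys). The P-256 SEC1
# layout is 119 bytes, so it starts 0x30 0x77 0x02 -> base64 "MHcC", as in the thread.
SAMPLE_EC = base64.b64encode(der(0x30, der(0x02, b"\x01") + der(0x04, bytes(32))
    + der(0xA0, der(0x06, bytes.fromhex("2a8648ce3d030107")))
    + der(0xA1, der(0x03, bytes(66))))).decode()
SAMPLE_PKCS8_RSA = base64.b64encode(der(0x30, der(0x02, b"\x00") + der(0x04, bytes(8))
    + der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b"")))).decode()
```

A result of "SEC1 EC" or "PKCS#8 id-ecPublicKey" means the key is not RSA, which is the case the thread ran into; an RSA-2048 key encodes to roughly 1.2 kB, which is why it starts with "MIIE".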