Hi Community,
I have been investigating SSO with Azure AD from SuiteCRM 7.10.29.
I use the Enterprise Application from SugarCRM which creates the login & logout URLs along with the certificate in Base64.
I can only get the SSO process to work if, within the settings.php file in /modules/Users/authentication/SAML2Authenticate/lib/onelogin, I set the following:
'strict' => false
I stumbled across an older post that recommends setting this value to false:
However, on further investigation, the onelogin README.md file in /vendor/onelogin/php-saml says this:
Security warning
----------------
In production, the strict parameter MUST be set as "true" and the signatureAlgorithm and digestAlgorithm under security must be set to something other than SHA1 (see https://shattered.io/). Otherwise your environment is not secure and will be exposed to attacks.
My question is, what does strict mode enforce, and why does Azure accept the SSO connection when it is disabled?
Many thanks,
Steve.
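For readers who want to see the two configurations side by side, the following is an added example and is not code from Steve's post, from SuiteCRM, or from the php-saml project. It assumes the php-saml settings array format (the 'strict', 'sp', 'idp' and 'security' keys) and uses the standard XML Signature algorithm URIs; every entity ID, URL and certificate is a constructed placeholder and must be replaced with the values from your own Azure AD enterprise application.

```php
<?php
// Added example (not from the post, SuiteCRM or php-saml): the relaxed
// php-saml settings next to the hardened settings the README asks for.
// All entity IDs, URLs and the certificate are constructed placeholders.

$sp = array(
    // Must match the Identifier (Entity ID) configured in the Azure AD app (placeholder)
    'entityId' => 'https://crm.example.com/index.php?module=Users&action=Authenticate',
    // Must match the Reply URL (Assertion Consumer Service) in the Azure AD app (placeholder)
    'assertionConsumerService' => array(
        'url' => 'https://crm.example.com/index.php?module=Users&action=Authenticate',
    ),
);

$idp = array(
    'entityId'            => 'https://idp.example.com/PLACEHOLDER-ENTITY-ID',           // placeholder
    'singleSignOnService' => array('url' => 'https://idp.example.com/PLACEHOLDER/sso'),  // placeholder
    'singleLogoutService' => array('url' => 'https://idp.example.com/PLACEHOLDER/slo'),  // placeholder
    // Base64 signing certificate exported from the IdP (placeholder, not a real cert)
    'x509cert'            => 'MIIC...PLACEHOLDER...',
);

// --- Relaxed configuration: the one that "just works" ---------------------
// With strict disabled, php-saml does not insist on signatures it expects,
// and skips strict checks of Destination, Audience and time conditions, so
// a mismatch between the SP settings and the IdP app goes unnoticed.
$settingsWeak = array(
    'strict'   => false,
    'debug'    => false,
    'sp'       => $sp,
    'idp'      => $idp,
    'security' => array(
        'signatureAlgorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', // SHA-1, flagged by the README
        'digestAlgorithm'    => 'http://www.w3.org/2000/09/xmldsig#sha1',     // SHA-1, flagged by the README
    ),
);

// --- Hardened configuration: what the README security warning asks for ---
$settingsHardened = array(
    'strict'   => true,   // reject messages that violate the SAML rules php-saml enforces
    'debug'    => false,  // keep stack traces out of production responses
    'sp'       => $sp,
    'idp'      => $idp,
    'security' => array(
        // Require the assertion itself to be signed by the IdP's certificate above.
        'wantAssertionsSigned' => true,
        // SHA-256 for both the signature and the digest, as the README requires.
        'signatureAlgorithm'   => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
        'digestAlgorithm'      => 'http://www.w3.org/2001/04/xmlenc#sha256',
    ),
);

// Pick the hardened settings; $settingsWeak is kept only for comparison.
$settings = $settingsHardened;
```

When strict mode is switched on and logins start failing, the usual causes are an SP entityId or ACS URL that does not match, byte for byte, the Identifier and Reply URL configured on the IdP side (the Destination and Audience checks now reject the response), an expired or wrong IdP certificate, or clock skew between the two systems; running with 'debug' => true temporarily, on a non-production host, shows which check failed.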