I have been investigating SSO with Azure AD from SuiteCRM 7.10.29.
I use the Enterprise Application from SugarCRM which creates the login & logout URLs along with the certificate in Base64.
I can only get the SSO process to work if, within the settings.php file in /modules/Users/authentication/SAML2Authenticate/lib/onelogin, I set the following:
‘strict’ => false
I stumbled across an older post which recommends setting this value to false:
However, on further investigation, the onelogin README.md file in /vendor/onelogin/php-saml says this:
"In production, the strict parameter MUST be set as "true" and the security must be set to something other than SHA1 (see https://shattered.io/ ). Otherwise your environment is not secure and will be exposed to attacks."
My question is, what does strict mode enforce, and why does Azure accept the SSO connection when it's disabled?
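As an added example (not from the original post, SuiteCRM or the php-saml project), the two php-saml settings arrays side by side, the weak one described above and the hardened one the README asks for, plus a small audit function that flags the README's two requirements before a settings file is deployed. The tenant id, certificate and URLs are placeholders.

```php
<?php
// Added example, not from the original post or from the SuiteCRM / php-saml projects.
// Two php-saml settings arrays for one Azure AD tenant: the weak one that makes SSO
// "work" in the post above, and the hardened one the php-saml README requires.
$tenant = 'TENANT-ID-PLACEHOLDER';                         // placeholder
$idp = [
    'entityId'            => "https://sts.windows.net/$tenant/",
    'singleSignOnService' => ['url' => "https://login.microsoftonline.com/$tenant/saml2"],
    'x509cert'            => 'BASE64-CERT-FROM-AZURE-ENTERPRISE-APP-PLACEHOLDER',
];
$sp = [
    'entityId'                 => 'https://crm.example.com/',   // placeholder SP entity id
    'assertionConsumerService' => ['url' => 'https://crm.example.com/index.php?module=Users&action=Authenticate'],
];
// Weak: strict off and no security block, so library defaults (SHA1 in older php-saml) apply.
$weakSettings = ['strict' => false, 'sp' => $sp, 'idp' => $idp, 'security' => []];
// Hardened: strict on, SHA-256 signature and digest, signed messages and assertions required.
$hardenedSettings = [
    'strict'   => true,
    'sp'       => $sp,
    'idp'      => $idp,
    'security' => [
        'wantMessagesSigned'   => true,
        'wantAssertionsSigned' => true,
        'signatureAlgorithm'   => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
        'digestAlgorithm'      => 'http://www.w3.org/2001/04/xmlenc#sha256',
    ],
];
// Lists the README-level problems in a settings array (hypothetical helper, not php-saml API).
function auditSamlSettings(array $s): array {
    $findings = [];
    if (empty($s['strict'])) {
        $findings[] = 'strict is false: non-conformant or unsigned SAML messages are tolerated';
    }
    $sec = $s['security'] ?? [];
    foreach (['signatureAlgorithm', 'digestAlgorithm'] as $key) {
        // Unset counts as a finding: older php-saml releases default these to SHA1.
        if (!isset($sec[$key]) || stripos($sec[$key], 'sha1') !== false) {
            $findings[] = "$key is SHA1 or unset; use SHA-256 or stronger";
        }
    }
    if (empty($sec['wantAssertionsSigned'])) {
        $findings[] = 'wantAssertionsSigned is false: assertion signatures are not required';
    }
    return $findings;
}
print_r(auditSamlSettings($weakSettings));
print_r(auditSamlSettings($hardenedSettings));
```

Run with the PHP CLI: the weak array produces four findings, the hardened array none.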