Problems configuring authentication with SAML

Dear all,

I am trying to set up authentication with SAML in my SuiteCRM installation, using an external IDP (DAASI/didmos).

It works so far that when I enter the URL of my SuiteCRM instance, I am forwarded to the IDP’s service dialog page, which, after entering the proper institution, opens the SSO page of my host institution. There I complete the 2FA, but then I am immediately forwarded to the page

[suitecrm-instance]/auth#/logged-out

and see the message

“You have been logged out
To login again Click here”

SuiteCRM is built and deployed as part of a docker container setup:

SuiteCRM v8.9.0
OS: Debian GNU/Linux 13 (trixie)
Webserver: Apache/2.4.65 (Debian)
PHP: v8.3.26

I am the admin of that system and it is a new installation.

I enabled SAML authentication with the following configuration in my .env.local file:

AUTH_TYPE=saml

SAML_SP_PRIVATE_KEY=[path to my ssl key]
SAML_SP_CERT=[path to ssl certificate]

SAML_IDP_ENTITY_ID='https://auth.didmos.nfdi-aai.de/Saml2Frontend/saml2_frontend.xml'
SAML_IDP_SSO_URL='https://auth.didmos.nfdi-aai.de/Saml2/sso/post'
SAML_IDP_X509CERT=[Certificate]
SAML_ORGANIZATION_NAME=[Org]
SAML_ORGANIZATION_DISPLAY_NAME=[Org]
SAML_ORGANIZATION_URL=[Org URL]

SAML_CONTACT_TECHNICAL_GIVEN_NAME=[Example Contact Name]
SAML_CONTACT_TECHNICAL_EMAIL_ADDRESS=[Example E-Mail]

# User mapping options
SAML_USERNAME_ATTRIBUTE=urn:oid:0.9.2342.19200300.100.1.3
SAML_USE_ATTRIBUTE_FRIENDLY_NAME=false

SAML_AUTO_CREATE=enabled

SAML_DEBUG=true

SAML_AUTOCREATE_ATTRIBUTES_MAP='
    {
        "urn:oid:0.9.2342.19200300.100.1.3": "user_name",
        "urn:oid:2.5.4.4": "last_name",
        "urn:oid:2.5.4.42": "first_name"
    }'

Is there anything I need to configure besides these variables in the .env.local file? Should I rather try to create separate certificates instead of using the ones from my HTTPS/SSL setup?

I was not able to configure a separate log for authentication yet, and I did not find anything helpful in the system settings log file in the admin panel when I searched for “auth”.

I believe I very briefly saw the message “unable to extract public key” in the browser before I was logged out when I just tried it again.

Any help is much appreciated.

Thanks,
Antje

https://docs.suitecrm.com/8.x/admin/configuration/saml/8.7.0-saml-configuration/

Thanks for pointing me to the documentation page, which I checked. I did not find all the answers to my questions there, but with the help of this post

I was able to resolve my issues. Mainly it helped to create an SP certificate and key file for SAML only, instead of using my webserver’s SSL cert and key files. Also, setting up the logs as described in the post above helps to get meaningful logs with authentication errors.

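The two things that went wrong in this thread (an SP key/certificate borrowed from the web server's TLS setup, and no way to see why the login bounced) can both be caught before the first login attempt. The following checker is an added example, not SuiteCRM code and not from the documentation page linked above: it parses the SAML block of a `.env.local` file the way a shell-style dotenv reader would (including the single-quoted `SAML_AUTOCREATE_ATTRIBUTES_MAP` value that spans several lines), then verifies that the attribute map is valid JSON and maps `SAML_USERNAME_ATTRIBUTE` to `user_name`, that OID-style attribute names go together with `SAML_USE_ATTRIBUTE_FRIENDLY_NAME=false`, and that `SAML_SP_PRIVATE_KEY` / `SAML_SP_CERT` point at readable PEM files of the right type that are not the web server's own TLS files. Those rules are taken from the configuration shown in the thread, not from a documented SuiteCRM requirement; the env text and PEM contents in the block are constructed placeholders.

```python
"""Pre-flight checks for a SuiteCRM 8 SAML block in .env.local (added example)."""
import json
import os
import re
import tempfile


def parse_dotenv(text):
    """Minimal dotenv parser: KEY=value, '#' comments, and single-quoted
    values that may span several lines (as the attribute map does)."""
    env, pending_key, buf = {}, None, []
    for line in text.splitlines():
        if pending_key is not None:          # inside a multi-line quoted value
            buf.append(line)
            if line.rstrip().endswith("'"):
                env[pending_key] = "\n".join(buf).rstrip()[:-1]
                pending_key, buf = None, []
            continue
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key, _, value = stripped.partition("=")
        key, value = key.strip(), value.strip()
        if value.startswith("'") and not (len(value) > 1 and value.endswith("'")):
            pending_key, buf = key, [value[1:]]
        elif value.startswith("'"):
            env[key] = value[1:-1]
        else:
            env[key] = value
    return env


def pem_label(path):
    """Return the label of the first PEM block in the file, or None if unreadable."""
    try:
        with open(path) as fh:
            match = re.search(r"-----BEGIN ([A-Z ]+)-----", fh.read())
    except OSError:
        return None
    return match.group(1) if match else None


def check_saml_env(env, webserver_tls_files=()):
    """Return a list of problems found; an empty list means all checks passed."""
    problems = []
    if env.get("AUTH_TYPE") != "saml":
        problems.append("AUTH_TYPE is not 'saml'")
    try:  # 1. the attribute map must parse and must map the username attribute
        amap = json.loads(env.get("SAML_AUTOCREATE_ATTRIBUTES_MAP", ""))
    except json.JSONDecodeError as exc:
        problems.append(f"SAML_AUTOCREATE_ATTRIBUTES_MAP is not valid JSON: {exc}")
        amap = {}
    uname = env.get("SAML_USERNAME_ATTRIBUTE", "")
    if not uname:
        problems.append("SAML_USERNAME_ATTRIBUTE is not set")
    elif env.get("SAML_AUTO_CREATE") == "enabled" and amap.get(uname) != "user_name":
        problems.append(f"attribute map does not map {uname!r} to 'user_name'")
    # 2. OID attribute names (urn:oid:...) only work with the friendly-name switch off
    if any(k.startswith("urn:oid:") for k in [*amap, uname]) and \
            env.get("SAML_USE_ATTRIBUTE_FRIENDLY_NAME", "false").lower() != "false":
        problems.append("attribute names are OIDs but SAML_USE_ATTRIBUTE_FRIENDLY_NAME is not false")
    # 3. SP key/cert: readable PEM of the right type, and not the web server's TLS files
    tls = {os.path.realpath(p) for p in webserver_tls_files}
    for var, want in (("SAML_SP_PRIVATE_KEY", "PRIVATE KEY"), ("SAML_SP_CERT", "CERTIFICATE")):
        path, label = env.get(var, ""), pem_label(env.get(var, ""))
        if label is None:
            problems.append(f"{var} does not point to a readable PEM file: {path!r}")
        elif not label.endswith(want):
            problems.append(f"{var} is a {label} block, expected {want}")
        if path and os.path.realpath(path) in tls:
            problems.append(f"{var} reuses the web server's TLS file {path}; use a dedicated SP key pair")
    return problems


# Constructed sample config; {key}/{cert} are filled in by demo().
SAMPLE_ENV = """\
AUTH_TYPE=saml
SAML_SP_PRIVATE_KEY={key}
SAML_SP_CERT={cert}
# User mapping options
SAML_USERNAME_ATTRIBUTE=urn:oid:0.9.2342.19200300.100.1.3
SAML_USE_ATTRIBUTE_FRIENDLY_NAME=false
SAML_AUTO_CREATE=enabled
SAML_AUTOCREATE_ATTRIBUTES_MAP='
    {{
        "urn:oid:0.9.2342.19200300.100.1.3": "user_name",
        "urn:oid:2.5.4.4": "last_name",
        "urn:oid:2.5.4.42": "first_name"
    }}'
"""
# Constructed placeholder PEM bodies: only the labels matter for this check.
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n"
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n"


def demo():
    """Check a config that reuses the web server's TLS files and one with a
    dedicated SP key pair; return (problems_reused, problems_dedicated)."""
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name, body in (("tls.key", FAKE_KEY), ("tls.crt", FAKE_CERT),
                           ("saml-sp.key", FAKE_KEY), ("saml-sp.crt", FAKE_CERT)):
            paths[name] = os.path.join(d, name)
            with open(paths[name], "w") as fh:
                fh.write(body)
        tls = (paths["tls.key"], paths["tls.crt"])
        reused = parse_dotenv(SAMPLE_ENV.format(key=paths["tls.key"], cert=paths["tls.crt"]))
        dedicated = parse_dotenv(SAMPLE_ENV.format(key=paths["saml-sp.key"], cert=paths["saml-sp.crt"]))
        return check_saml_env(reused, tls), check_saml_env(dedicated, tls)


if __name__ == "__main__":
    for title, probs in zip(("shared TLS files", "dedicated SP key pair"), demo()):
        print(f"{title}: {'OK' if not probs else ''}")
        for p in probs:
            print("  -", p)
```

To use it against a real installation, read the `.env.local` file, call `parse_dotenv` on its contents, and pass the paths of the Apache `SSLCertificateFile` / `SSLCertificateKeyFile` as `webserver_tls_files`; an empty list back means the SAML block is at least internally consistent before you start reading the authentication log.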