SAML config for SuiteCRM 8.9 with FusionAuth as IdP

Hi there,

I am new to the forum and have a running self-hosted instance of version 8.9. I am having issues getting SAML working to use FusionAuth as the IdP.

My .env.local is:

AUTH_TYPE=saml
SAML_USERNAME_ATTRIBUTE='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
SAML_USE_ATTRIBUTE_FRIENDLY_NAME=false
SAML_IDP_ENTITY_ID='http://localhost:9013/samlv2/ee0d98b5-0d7c-11f1-8200-364d3bfc89af'
SAML_IDP_SSO_URL='http://localhost:9013/samlv2/login/ee0d98b5-0d7c-11f1-8200-364d3bfc89af'
SAML_IDP_SLO_URL='http://localhost:9013/samlv2/logout/ee0d98b5-0d7c-11f1-8200-364d3bfc89af'
SAML_IDP_X509CERT='MII.......<SHORTENED FOR POST>'
SAML_SP_ENTITY_ID='http://localhost/saml/login'

I am being redirected to the IdP but FusionAuth is throwing an error that the AuthnRequest is invalid:

If I use the OneLogin validation tool the request seems to be valid though.

It is worth pointing out that I have tried numerous versions of FusionAuth, and we have a SAML integration working with Adobe Commerce from FusionAuth, so I am pretty confident that this is OK.

The AuthnRequest XML is:

<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ONELOGIN_9b5743f10f44e4ec43dce285674b5caef1a4ea3e"
    Version="2.0"
    ProviderName="Example"
    IssueInstant="2026-02-19T14:07:51Z"
    Destination="http://localhost:9013/samlv2/login/ee0d98b5-0d7c-11f1-8200-364d3bfc89af"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://localhost/saml/acs">
    <saml:Issuer>http://localhost/saml/login</saml:Issuer>
    <samlp:NameIDPolicy
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
        AllowCreate="true" />
</samlp:AuthnRequest>

and the SAML metadata from FusionAuth is:

<ns2:EntityDescriptor xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ns3="http://www.w3.org/2001/04/xmlenc#" xmlns:ns4="urn:oasis:names:tc:SAML:2.0:assertion" entityID="http://localhost:9013/samlv2/ee0d98b5-0d7c-11f1-8200-364d3bfc89af" ID="_ee0d98b5-0d7c-11f1-8200-364d3bfc89af">
<ns2:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<ns2:KeyDescriptor use="signing">
<KeyInfo>
<X509Data>
<X509Certificate>MIIC........SHORTENED_FOR_POST</X509Certificate>
</X509Data>
</KeyInfo>
</ns2:KeyDescriptor>
<ns2:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:9013/samlv2/logout/ee0d98b5-0d7c-11f1-8200-364d3bfc89af"/>
<ns2:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9013/samlv2/logout/ee0d98b5-0d7c-11f1-8200-364d3bfc89af"/>
<ns2:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:9013/samlv2/login/ee0d98b5-0d7c-11f1-8200-364d3bfc89af"/>
<ns2:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9013/samlv2/login/ee0d98b5-0d7c-11f1-8200-364d3bfc89af"/>
</ns2:IDPSSODescriptor>
</ns2:EntityDescriptor>

Any help would be appreciated or suggestions on what I am doing wrong.

Has anyone else done an implementation using FusionAuth as the Identity Provider?


Thanks, this set me off in the correct direction eventually, and I never had any error that mentioned compression or certificate errors. It was the compression configs that were causing my issue.

So, here is the .env.local setup for a FusionAuth IdP that got it going for me (I did not need the auto create & user mapping for it to work but have added these since). No other changes were required.

Thanks.

###> SAML CONFIG ###

# User mapping options
SAML_USERNAME_ATTRIBUTE='http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
SAML_USE_ATTRIBUTE_FRIENDLY_NAME=false

# Auto create options
SAML_AUTO_CREATE=enabled
SAML_AUTOCREATE_ATTRIBUTES_MAP='{
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email1",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "first_name",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "last_name"
}'

# Connection options
SAML_IDP_ENTITY_ID='http://localhost:9013/samlv2/ee0d98b5-0d7c-11f1-8200-364d3bfc89af'
SAML_IDP_SSO_URL='http://localhost:9013/samlv2/login/ee0d98b5-0d7c-11f1-8200-364d3bfc89af'
SAML_IDP_SLO_URL='http://localhost:9013/samlv2/logout/ee0d98b5-0d7c-11f1-8200-364d3bfc89af'
SAML_IDP_X509CERT='<SHORTENED FOR POST>'
SAML_SP_ENTITY_ID='http://localhost/index.php?action=Login&module=Users'
SAML_SP_PRIVATE_KEY='../extensions/defaultExt/config/packages/key.pem'
SAML_SP_CERT='../extensions/defaultExt/config/packages/cert.pem'
SAML_STRICT=false
SAML_DEBUG=true

# Compression
SAML_COMPRESS_REQUESTS=true
SAML_COMPRESS_RESPONSES=true
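Two things in this thread are worth checking mechanically before touching the IdP: the first post's .env.local against the FusionAuth metadata (which advertises WantAuthnRequestsSigned="true", so the SP needs a signing key and certificate), and the compression setting the reply identifies as the actual fix (the HTTP-Redirect binding expects the AuthnRequest raw-DEFLATEd and then base64-encoded, not plain base64 XML). The script below is an added example, not code from the thread, SuiteCRM or FusionAuth. The metadata, .env and AuthnRequest it embeds are constructed samples in the shape of the ones quoted above, with placeholder certificate text; the function names and the findings it reports are my own.

```python
import base64
import xml.etree.ElementTree as ET
import zlib

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
IDP_BASE = "http://localhost:9013/samlv2"
IDP_ID = "ee0d98b5-0d7c-11f1-8200-364d3bfc89af"

# Constructed sample in the shape of the FusionAuth metadata quoted in the
# thread; the certificate body is a placeholder, not a real key.
SAMPLE_METADATA = f"""<ns2:EntityDescriptor xmlns="http://www.w3.org/2000/09/xmldsig#"
    xmlns:ns2="urn:oasis:names:tc:SAML:2.0:metadata" entityID="{IDP_BASE}/{IDP_ID}">
  <ns2:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ns2:KeyDescriptor use="signing"><KeyInfo><X509Data>
      <X509Certificate>MIIC-PLACEHOLDER-CERT</X509Certificate>
    </X509Data></KeyInfo></ns2:KeyDescriptor>
    <ns2:SingleLogoutService Binding="{REDIRECT}" Location="{IDP_BASE}/logout/{IDP_ID}"/>
    <ns2:SingleSignOnService Binding="{REDIRECT}" Location="{IDP_BASE}/login/{IDP_ID}"/>
  </ns2:IDPSSODescriptor>
</ns2:EntityDescriptor>"""

# Constructed .env.local in the shape of the first post: no SP key/cert yet.
SAMPLE_ENV = f"""AUTH_TYPE=saml
SAML_IDP_ENTITY_ID='{IDP_BASE}/{IDP_ID}'
SAML_IDP_SSO_URL='{IDP_BASE}/login/{IDP_ID}'
SAML_IDP_SLO_URL='{IDP_BASE}/logout/{IDP_ID}'
SAML_IDP_X509CERT='MIIC-PLACEHOLDER-CERT'
SAML_SP_ENTITY_ID='http://localhost/saml/login'
"""

# Constructed AuthnRequest (same structure as the one posted, shortened).
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-id" Version="2.0"
    IssueInstant="2026-02-19T14:07:51Z" Destination="{IDP_BASE}/login/{IDP_ID}"
    AssertionConsumerServiceURL="http://localhost/saml/acs">
  <saml:Issuer>http://localhost/saml/login</saml:Issuer>
</samlp:AuthnRequest>"""

def parse_env(text):
    """Minimal KEY=VALUE parser; strips one layer of straight or curly quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip("'\"\u2018\u2019")
    return env

def parse_idp_metadata(xml_text):
    """Pull the values the SAML_IDP_* settings must match out of IdP metadata."""
    root = ET.fromstring(xml_text)
    desc = root.find("md:IDPSSODescriptor", NS)

    def endpoint(tag):  # prefer the HTTP-Redirect location, as the SP uses it
        for svc in desc.findall(f"md:{tag}", NS):
            if svc.get("Binding") == REDIRECT:
                return svc.get("Location")
        return None

    cert = desc.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/"
                     "ds:X509Certificate", NS)
    return {
        "SAML_IDP_ENTITY_ID": root.get("entityID"),
        "SAML_IDP_SSO_URL": endpoint("SingleSignOnService"),
        "SAML_IDP_SLO_URL": endpoint("SingleLogoutService"),
        "SAML_IDP_X509CERT": "".join(cert.text.split()) if cert is not None else None,
        "want_signed": desc.get("WantAuthnRequestsSigned") == "true",
    }

def check_env(env, idp):
    """Return findings: metadata mismatches, missing SP signing material, weak flags."""
    findings = []
    for key in ("SAML_IDP_ENTITY_ID", "SAML_IDP_SSO_URL",
                "SAML_IDP_SLO_URL", "SAML_IDP_X509CERT"):
        if env.get(key) != idp[key]:
            findings.append(f"{key} does not match IdP metadata")
    if idp["want_signed"] and not (env.get("SAML_SP_PRIVATE_KEY") and env.get("SAML_SP_CERT")):
        findings.append("IdP requires signed AuthnRequests but "
                        "SAML_SP_PRIVATE_KEY/SAML_SP_CERT are not set")
    if env.get("SAML_STRICT", "").lower() != "true":
        findings.append("SAML_STRICT is not true: response validation is relaxed")
    if env.get("SAML_DEBUG", "").lower() == "true":
        findings.append("SAML_DEBUG is enabled: disable it once troubleshooting is over")
    return findings

def redirect_encode(xml_text):
    """HTTP-Redirect binding payload: raw DEFLATE (no zlib header), then base64."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(co.compress(xml_text.encode()) + co.flush()).decode()

def redirect_decode(payload):
    """Inverse of redirect_encode; raises zlib.error for a non-deflated payload."""
    return zlib.decompress(base64.b64decode(payload), -15).decode()

def is_deflate_encoded(payload):
    """True when a SAMLRequest value inflates to XML; False for plain base64 XML."""
    try:
        ET.fromstring(redirect_decode(payload))
        return True
    except (zlib.error, UnicodeDecodeError, ET.ParseError):
        return False

# The mistake behind "SAML message was not properly DEFLATE-encoded":
# base64 of the bare XML, with no DEFLATE step.
WRONG_PAYLOAD = base64.b64encode(SAMPLE_AUTHN_REQUEST.encode()).decode()

if __name__ == "__main__":
    for finding in check_env(parse_env(SAMPLE_ENV), parse_idp_metadata(SAMPLE_METADATA)):
        print("finding:", finding)
    print("deflated payload ok:", is_deflate_encoded(redirect_encode(SAMPLE_AUTHN_REQUEST)))
    print("plain base64 payload ok:", is_deflate_encoded(WRONG_PAYLOAD))
```

Run against the first post's configuration, the check reports two findings: the IdP wants signed requests but no SP key/cert is configured, and SAML_STRICT is not enabled. The reply's working config adds the key and certificate; it also sets SAML_STRICT=false and SAML_DEBUG=true, which is a reasonable state while debugging and one to reverse once the flow works, because strict mode is what makes the SP reject responses whose signatures, audiences or timestamps do not check out.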