I am using bitnami docker version of SuiteCRM 8.2.1 with MariaDB 10.6 and I have followed the official documentation on how to configure SAML without success. No matter what I do, the login page does not redirect to the SAML provider and always shows the native SuiteCRM login.
This is my `.env.local` file:

```
SUITECRM_DATABASE_HOST=mariadb
SUITECRM_DATABASE_PORT_NUMBER=3306
SUITECRM_DATABASE_USER=******
SUITECRM_DATABASE_NAME=suitecrm
SUITECRM_DATABASE_PASSWORD=******
ALLOW_EMPTY_PASSWORD=no
SUITECRM_USERNAME=******
SUITECRM_PASSWORD=******
AUTH_TYPE=saml
SAML_USERNAME_ATTRIBUTE=username
SAML_USE_ATTRIBUTE_FRIENDLY_NAME=false
SAML_SP_CERT=MII******
SAML_SP_PRIVATE_KEY=MIIE******
SAML_AUTO_CREATE=enabled
```
And this is my `hslavich_onelogin_saml.yaml` file, located at `/bitnami/suitecrm/extensions/custom/config/packages/`:

```yaml
hslavich_onelogin_saml:
  # Basic settings
  idp:
    # entity id of your idp
    entityId: 'https://<KEYCLOAK URL>/auth/realms/master' # e.g.: 'http://saml-idp-host/realms/master'
    singleSignOnService:
      # single sign on url of your IDP
      url: 'https://<KEYCLOAK URL>/auth/realms/master/protocol/saml' # e.g.: 'http://saml-idp-host/realms/master/protocol/saml'
      binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
    singleLogoutService:
      # single logout service url of your IDP
      url: 'https://<KEYCLOAK URL>/auth/realms/master/protocol/saml' # e.g.: 'http://saml-idp-host/realms/master/protocol/saml'
      binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
    # IDP certificate
    x509cert: 'MIICmzCCA*************************************' # e.g. 'MIICmzCCAYMCBgGC1LTnr ... ='
  # The SP in this case is your SuiteCRM instance
  sp:
    # SP entity id. Use your SuiteCRM instance url
    entityId: 'https://<SUITECRM URL>' # e.g. 'https://<your-suitecrm-instance>'
    assertionConsumerService:
      # The path to SuiteCRM's acs service
      url: 'https://<SUITECRM URL>/saml/acs'
      binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
    singleLogoutService:
      # The path to SuiteCRM's SAML logout service
      url: 'https://<SUITECRM URL>/saml/logout'
      binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
    # SuiteCRM's private key for SAML (sp)
    privateKey: '%env(SAML_SP_PRIVATE_KEY)%' # e.g. 'MIIEoAIBAAKCAQEAx ...'
    # SuiteCRM's certificate for SAML (sp)
    x509cert: '%env(SAML_SP_CERT)%' # e.g. 'MIIC1zCCAb8CBgGC1awPM ... ='
  # Optional settings
  # SuiteCRM's base url for SAML
  baseurl: 'https://<SUITECRM URL>/saml'
  ######
  # NOTE : The values for the following settings will depend on how the IDP is setup
  ######
  strict: true
  debug: true
  security:
    nameIdEncrypted: false
    authnRequestsSigned: true
    logoutRequestSigned: true
    logoutResponseSigned: false
    wantMessagesSigned: false
    wantAssertionsSigned: false
    wantNameIdEncrypted: false
    requestedAuthnContext: false
    signMetadata: false
    wantXMLValidation: true
    signatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
    digestAlgorithm: 'http://www.w3.org/2001/04/xmlenc#sha256'
  contactPerson:
    technical:
      givenName: 'Tech User'
      emailAddress: 'techuser@example.com'
    support:
      givenName: 'Support User'
      emailAddress: 'supportuser@example.com'
  organization:
    en:
      name: 'Example'
      displayname: 'Example'
      url: 'http://example.com'
```
I am using Keycloak v20.0 as my SAML provider. Am I doing something wrong?
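As an added sanity check (example code, not part of the post above and not SuiteCRM's or the bundle's own code), the following script walks a copy of the two files from the post and reports the things most likely to keep SAML from working or to leave it weakly configured: `AUTH_TYPE` not set to `saml`, `<...>` placeholders never replaced, `%env(...)%` references with no matching variable, unknown binding URNs, no signature requirement on the IdP side, and `debug` left on. The config dict and the `.env.local` text are constructed from the post, with placeholders kept as-is.

```python
import re

# Constructed from the post: the relevant .env.local lines and the YAML as a dict.
ENV_LOCAL = "AUTH_TYPE=saml\nSAML_SP_CERT=MII******\nSAML_SP_PRIVATE_KEY=MIIE******\n"
SAML_CFG = {
    "idp": {
        "entityId": "https://<KEYCLOAK URL>/auth/realms/master",
        "singleSignOnService": {"url": "https://<KEYCLOAK URL>/auth/realms/master/protocol/saml",
                                "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"},
        "x509cert": "MIICmzCCA***"},
    "sp": {
        "entityId": "https://<SUITECRM URL>",
        "assertionConsumerService": {"url": "https://<SUITECRM URL>/saml/acs",
                                     "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"},
        "privateKey": "%env(SAML_SP_PRIVATE_KEY)%", "x509cert": "%env(SAML_SP_CERT)%"},
    "strict": True, "debug": True,
    "security": {"authnRequestsSigned": True, "wantMessagesSigned": False, "wantAssertionsSigned": False},
}
KNOWN_BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
                  "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"}

def parse_env(text):
    """Minimal KEY=VALUE parser for a .env file (comments and blank lines skipped)."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def leaves(node, path=""):
    """Yield (dotted.path, value) for every scalar in the nested config."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from leaves(v, f"{path}.{k}" if path else k)
    else:
        yield path, node

def check_saml_config(cfg, env):
    """Return findings explaining why SAML login may not start or is weakly configured."""
    findings = []
    if env.get("AUTH_TYPE") != "saml":
        findings.append("AUTH_TYPE is not 'saml': the native login form will be used")
    for path, value in leaves(cfg):
        if not isinstance(value, str):
            continue
        if re.search(r"<[^>]+>", value):  # '<KEYCLOAK URL>' style placeholder never replaced
            findings.append(f"{path}: unresolved placeholder in {value!r}")
        for ref in re.findall(r"%env\((\w+)\)%", value):  # Symfony-style env reference
            if ref not in env:
                findings.append(f"{path}: references {ref}, which is not set in .env.local")
        if path.endswith(".binding") and value not in KNOWN_BINDINGS:
            findings.append(f"{path}: unknown binding URN {value!r}")
    sec = cfg.get("security", {})
    if not sec.get("wantAssertionsSigned") and not sec.get("wantMessagesSigned"):
        findings.append("security: neither wantAssertionsSigned nor wantMessagesSigned is true, "
                        "so the SP does not require the IdP to sign responses or assertions")
    if cfg.get("debug"):
        findings.append("debug: true should be turned off once SAML login works")
    return findings

if __name__ == "__main__":
    for finding in check_saml_config(SAML_CFG, parse_env(ENV_LOCAL)):
        print("-", finding)
```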