SAML configuration in versions 8.X

I am using bitnami docker version of SuiteCRM 8.2.1 with MariaDB 10.6 and I have followed the official documentation on how to configure SAML without success. No matter what I do, the login page does not redirect to the SAML provider and always shows the native SuiteCRM login.
This is my .env.local file:

SUITECRM_DATABASE_HOST=mariadb
SUITECRM_DATABASE_PORT_NUMBER=3306
SUITECRM_DATABASE_USER=******
SUITECRM_DATABASE_NAME=suitecrm
SUITECRM_DATABASE_PASSWORD=******
ALLOW_EMPTY_PASSWORD=no
SUITECRM_USERNAME=******
SUITECRM_PASSWORD=******

AUTH_TYPE=saml
SAML_USERNAME_ATTRIBUTE=username
SAML_USE_ATTRIBUTE_FRIENDLY_NAME=false
SAML_SP_CERT=MII******
SAML_SP_PRIVATE_KEY=MIIE******
SAML_AUTO_CREATE=enabled

And this is my hslavich_onelogin_saml.yaml file, located at /bitnami/suitecrm/extensions/custom/config/packages/:

hslavich_onelogin_saml:
  # Basic settings

  idp:
    # entity id of your idp
    entityId: 'https://<KEYCLOAK URL>/auth/realms/master'  # e.g.: 'http://saml-idp-host/realms/master'


    singleSignOnService:
      # single sign on url your IDP
      url: 'https://<KEYCLOAK URL>/auth/realms/master/protocol/saml' # e.g.: 'http://saml-idp-host/realms/master/protocol/saml'
      binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'

    singleLogoutService:
      # single logout service url of your IDP
      url: 'https://<KEYCLOAK URL>/auth/realms/master/protocol/saml' # e.g.: 'http://saml-idp-host/realms/master/protocol/saml'
      binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'

    # IDP certificate
    x509cert: 'MIICmzCCA*************************************' # e.g. 'MIICmzCCAYMCBgGC1LTnr ... ='


  # The SP in this case is your SuiteCRM instance
  sp:

    # SP entity id. Use your SuiteCRM instance url
    entityId: 'https://<SUITECRM URL>' # e.g. 'https://<your-suitecrm-instance>'

    assertionConsumerService:
      # The path to SuiteCRM's acs service
      url: 'https://<SUITECRM URL>/saml/acs'
      binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'

    singleLogoutService:
      # The path to SuiteCRM's SAML logout service
      url: 'https://<SUITECRM URL>/saml/logout'
      binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'

    # SuiteCRM's private key for SAML (sp)
    privateKey: '%env(SAML_SP_PRIVATE_KEY)%' # e.g. 'MIIEoAIBAAKCAQEAx ...'

    # SuiteCRM's certificate for SAML (sp)
    x509cert: '%env(SAML_SP_CERT)%' # e.g. 'MIIC1zCCAb8CBgGC1awPM ... ='


  # Optional settings

  # SuiteCRM's base url for SAML
  baseurl: 'https://<SUITECRM URL>/saml'

  ######
  # NOTE : The values for the following settings will depend on how the IDP is setup
  ######
  strict: true
  debug: true
  security:
    nameIdEncrypted: false
    authnRequestsSigned: true
    logoutRequestSigned: true
    logoutResponseSigned: false
    wantMessagesSigned: false
    wantAssertionsSigned: false
    wantNameIdEncrypted: false
    requestedAuthnContext: false
    signMetadata: false
    wantXMLValidation: true
    signatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
    digestAlgorithm: 'http://www.w3.org/2001/04/xmlenc#sha256'
  contactPerson:
    technical:
      givenName: 'Tech User'
      emailAddress: 'techuser@example.com'
    support:
      givenName: 'Support User'
      emailAddress: 'supportuser@example.com'
  organization:
    en:
      name: 'Example'
      displayname: 'Example'
      url: 'http://example.com'

I am using Keycloak v20.0 as my SAML provider. Am I doing something wrong?

It may be necessary to clear the cache

bin/console cache:clear

You can refer to the following section: Clear Symfony cache

Hi @simaosilva,

I noticed you have SAML_AUTO_CREATE set to enabled.

That requires configuring the field mapping between the SAML response and the user fields. There are some instructions here: Configuring user auto creation

Have you added this mapping to saml.yaml? It should look similar to the following:

File: extensions/<your-package>/config/services/saml/saml.yaml

parameters:
  saml.autocreate.attributes_map:
    email: email1
    'urn:oid:2.5.4.4': last_name
    'urn:oid:2.5.4.42': first_name

I was indeed forgetting the mapping in saml.yaml. After adding that and clearing the cache I am redirected to Keycloak, but I get the error Invalid Request and the logs show the following:

type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=172.21.0.1, error=client_not_found, reason=Cannot_match_source_hash

I have set this:

  • Signature Algorithm: RSA_SHA256
  • SAML Signature Key Name: KEY_ID
  • Canonicalization Method: EXCLUSIVE

Do you know what it could be or do you have a Keycloak configuration sample on how the configuration should be?
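Keycloak resolves the SAML client for an incoming AuthnRequest by its Issuer element, so a client_not_found error at this point usually means the SP entityId that SuiteCRM sends does not exactly equal the Client ID of the SAML client in Keycloak (a trailing slash, or http versus https, is enough to break the match). The script below is an added example and not code from this thread or from SuiteCRM: it takes the URL the browser is redirected to, decodes the SAMLRequest parameter (base64 over raw DEFLATE, as the HTTP-Redirect binding specifies), extracts the Issuer and AssertionConsumerServiceURL, and compares them with the Client ID and valid redirect URIs you expect to have configured in Keycloak. The sample request, the hostnames and the Keycloak client values are placeholders constructed for the example; the redirect-URI matching is a simplified model of Keycloak's.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample AuthnRequest; the hostnames are placeholders, not real systems.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-request-id" Version="2.0" IssueInstant="2023-01-01T00:00:00Z"
    Destination="https://keycloak.example.com/auth/realms/master/protocol/saml"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://crm.example.com/saml/acs">
  <saml:Issuer>https://crm.example.com</saml:Issuer>
</samlp:AuthnRequest>"""


def encode_redirect_request(xml_text: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect_request(saml_request: str) -> str:
    """Inverse of encode_redirect_request. Falls back to plain base64 for a
    request taken from an HTTP-POST form, which is not deflated."""
    raw = base64.b64decode(saml_request)
    try:
        return zlib.decompress(raw, -15).decode("utf-8")
    except zlib.error:
        return raw.decode("utf-8")


def parse_authn_request(xml_text: str) -> dict:
    """Pull out the fields the IdP matches against its client configuration."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
        "protocol_binding": root.get("ProtocolBinding"),
    }


def extract_from_redirect_url(url: str) -> dict:
    """Decode the SAMLRequest parameter of the URL the browser was sent to
    (copy it from the address bar or the browser's network tab)."""
    params = parse_qs(urlparse(url).query)
    return parse_authn_request(decode_redirect_request(params["SAMLRequest"][0]))


def check_against_keycloak_client(info: dict, client_id: str,
                                  valid_redirect_uris: list) -> list:
    """Return a list of mismatches between the request and the values the
    Keycloak SAML client is assumed to hold: the Client ID must equal the
    Issuer exactly, and the ACS URL must match a valid redirect URI (only a
    trailing '*' wildcard is modelled here)."""
    problems = []
    if info["issuer"] != client_id:
        problems.append(
            f"Issuer {info['issuer']!r} does not equal Keycloak Client ID {client_id!r}")
    acs = info["acs_url"] or ""
    matched = any(acs.startswith(p[:-1]) if p.endswith("*") else acs == p
                  for p in valid_redirect_uris)
    if not matched:
        problems.append(f"ACS URL {acs!r} matches none of {valid_redirect_uris}")
    return problems


# Constructed redirect URL, built the way the SP would build it.
SAMPLE_REDIRECT_URL = (
    "https://keycloak.example.com/auth/realms/master/protocol/saml?"
    + urlencode({"SAMLRequest": encode_redirect_request(SAMPLE_AUTHN_REQUEST)})
)

if __name__ == "__main__":
    info = extract_from_redirect_url(SAMPLE_REDIRECT_URL)
    for key, value in info.items():
        print(f"{key:17} {value}")
    # A trailing slash on the Client ID is enough for the lookup to fail.
    print(check_against_keycloak_client(info, "https://crm.example.com/",
                                        ["https://crm.example.com/*"]))
```

To use it on a real instance, replace SAMPLE_REDIRECT_URL with the URL Keycloak shows in the address bar when the Invalid Request page appears, and pass the Client ID and valid redirect URIs from the Keycloak client settings; the Issuer printed is the exact string the Client ID has to equal.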

Is it possible to provide an example of a Keycloak configuration?

For anyone facing a similar problem, there is this GitHub issue that might help.


Hi. Were you able to make this work? I also have the same setup, but cannot make it work. Probably incorrect configuration on my SuiteCRM 8 instance.