SAML configuration issues connecting to Keycloak


I tried posting this earlier but somehow my post disappeared so I will try again. I am having an issue when enabling SAML in SuiteCRM and connecting it to Keycloak SAML client.I am not sure if I am missing something in my configuration or if there is an actual issue with this. Unfortunately documentation for SAML configuration of SuiteCRM is very limited.

SuiteCRM version is 7.10.9

Most configuration pasted below is a bit anonymized - IPs, URLs, Certs are not the real ones

SAML is enabled with this configuration :

$sugar_config['authenticationClass'] = 'SAML2Authenticate';
$sugar_config['SAML_loginurl'] = 'https://keycloak_url/auth/realms/tblue-realm/protocol/saml';
$sugar_config['SAML_logouturl'] = 'https://<keycloak_url>/auth/realms/tblue-realm/protocol/saml';
$sugar_config['SAML_X509Cert'] = 'anonymizedMsdaC3zCCAccCBgFs95pFjjANBgkqhkiG9w0BAQsFADAzMTEwLwYDVQQDDChodHRwOi8vY3JtLnRyYWR1a2V1ci5kZS9pbmRleC5waHA/YWN0aW9uMB4XDTE5MDkwMzE0NDc1OFoXDTI5MDkwMzE0NDkzOFowMzExMC8GA1UEAwwoaHR0cDovL2NybS50cmFkdWtldXIuZGUvaW5kZXgucGhwP2FjdGlvbjCCASIswDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIeotvIVDnzNSnS1aUdDRVce3N02ztYbfLmL2MQtTeg4s5jUCnHAMckO0UssthEkm4LVTJBrPm8bivenJ5sW/nQY4mor2y0a4Qx9gg6OMOQAWzMguUtOP/Tb+U0tV5zDdA0StckfHLiTO3WSui/D8e9UokSBOilugpKgizZB5N2XQy55u0XP76V5xOl2WS5n36qTzeY0DwiRiuVchR6FSTQ9OdasjUdasLy6YpJS2y6ZitrAP1McUIQdxE/VbwhSugbiBxWaRHWiQdFXJgnvJ1ouY4T3lQ4L0Ga8MyUDRf5/HAuU50nrZ31Ohdfwjh3GHdkS0SsdasdasdO0WKcjAk/EtCeL8/O4xUbm7amxvxd+k3yjZf6/+jU7/+RPE5DBfKy5wTX2q2bE+aESzDX8RXP6W7ZvJpAHAa871mvLhgG5/JkOcmsTrWHD58RUAiDWs6BLOlJ7XLzyb2CroPD43d+zYWngasdsssg==';

The SAML Client ID in Keycloak is configured with the same Cert and URLs that are pasted above - and has
“Client Signature Required = true”
“Force POST Binding = true”
“Front Channel Logout = true”

When opening the Site URL of SuiteCRM I get a redirect to Keycloak and an error - “Invalid requester”. And it looks like SuiteCRM is trying to send this as a GET request instead of a POST one

13:00:06,114 ERROR [org.keycloak.protocol.saml.SamlService] (default task-241) request validation failed: org.keycloak.common.VerificationException: SigAlg was null
        at org.keycloak.protocol.saml.SamlProtocolUtils.verifyRedirectSignature(
        at org.keycloak.protocol.saml.SamlService$RedirectBindingProtocol.verifySignature(
        at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(
13:00:06,114 WARN  [] (default task-241) type=LOGIN_ERROR, realmId=Tblue-Realm, clientId=null, userId=null, ipAddress=, error=invalid_signature

I see that three requests when this happens :

  1. GET request to Site URL
Request URL: http://<site_url>/
Request Method: GET
Status Code: 301 Moved Permanently
Remote Address: <external_IP_of_SuiteCRM>:80
Referrer Policy: no-referrer-when-downgrade
  1. GET reqest to Login module
Request URL: http://<site_url>/index.php?action=Login&module=Users
Request Method: GET
Status Code: 302 Found (from prefetch cache)
Remote Address:  <external_IP_of_SuiteCRM>:80
Referrer Policy: no-referrer-when-downgrade
  1. SAML GET request (according to the Keycloak documentation this request should be POST). I will attach to this post also the SAML descriptor that I have from Keycloak which shows we should be expecting a POST request on this URL.
Request URL:<site_url>%2Findex.php
[b]Request Method: GET
Status Code: 400 [/b]
Remote Address:
Referrer Policy: no-referrer-when-downgrade

This gets a response - Invalid Requester - I am guessing because of the GET instead of POST request.

If you think there is something that I have misconfigured would appreciate a SAML configuration guide of some sort as I could not really find one, that showed me what exactly to configure on the SAML client side to make it work with SuiteCRM.

Did you find a solution, because I’m experiencing the same problem?



Did you find any solution for SAML auth?

No, stopped searching


I found this pull request about adding support openid

and trying to connect suitecrm to keycloak via openid
but finally can’t log in, maybe there is my wrong keycloak settings problem

maybe it will be useful to someone