SAML configuration issues connecting to Keycloak

Hello,

I tried posting this earlier but somehow my post disappeared, so I will try again. I am having an issue when enabling SAML in SuiteCRM and connecting it to a Keycloak SAML client. I am not sure if I am missing something in my configuration or if there is an actual issue with this. Unfortunately, documentation for SAML configuration of SuiteCRM is very limited.

SuiteCRM version is 7.10.9

Most configuration pasted below is a bit anonymized - IPs, URLs, Certs are not the real ones

SAML is enabled with this configuration:

$sugar_config['authenticationClass'] = 'SAML2Authenticate';
$sugar_config['SAML_loginurl'] = 'https://keycloak_url/auth/realms/tblue-realm/protocol/saml';
$sugar_config['SAML_logouturl'] = 'https://<keycloak_url>/auth/realms/tblue-realm/protocol/saml';
$sugar_config['SAML_X509Cert'] = '<anonymized_certificate>';

The SAML Client ID in Keycloak is configured with the same Cert and URLs that are pasted above - and has
“Client Signature Required = true”
“Force POST Binding = true”
“Front Channel Logout = true”

When opening the Site URL of SuiteCRM I get a redirect to Keycloak and an error, “Invalid requester”. It looks like SuiteCRM is trying to send this as a GET request instead of a POST one:

13:00:06,114 ERROR [org.keycloak.protocol.saml.SamlService] (default task-241) request validation failed: org.keycloak.common.VerificationException: SigAlg was null
        at org.keycloak.protocol.saml.SamlProtocolUtils.verifyRedirectSignature(SamlProtocolUtils.java:138)
        at org.keycloak.protocol.saml.SamlService$RedirectBindingProtocol.verifySignature(SamlService.java:535)
        at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:248)
13:00:06,114 WARN  [org.keycloak.events] (default task-241) type=LOGIN_ERROR, realmId=Tblue-Realm, clientId=null, userId=null, ipAddress=10.10.128.7, error=invalid_signature

I see three requests when this happens:

  1. GET request to Site URL
     Request URL: http://<site_url>/
     Request Method: GET
     Status Code: 301 Moved Permanently
     Remote Address: <external_IP_of_SuiteCRM>:80
     Referrer Policy: no-referrer-when-downgrade
  2. GET request to Login module
     Request URL: http://<site_url>/index.php?action=Login&module=Users
     Request Method: GET
     Status Code: 302 Found (from prefetch cache)
     Remote Address: <external_IP_of_SuiteCRM>:80
     Referrer Policy: no-referrer-when-downgrade
  3. SAML GET request (according to the Keycloak documentation this request should be POST). I will also attach to this post the SAML descriptor that I have from Keycloak, which shows we should be expecting a POST request on this URL.
Request URL: https://keycloak.tradukeur.de/auth/realms/tblue-realm/protocol/saml?SAMLRequest=anonymizedpVNNj9owFLzzK1AOvUESst0tLkmVQj%2BQKCDI9tBLZeyXxcIfqZ%2FTZf99nQS6bNVyqRUpyvOb8cz4ZYJUyYrktdvrDfyoAV2v79dRSY2k3UyD2mpiKAokmipA4hjZ5lsadasdOvNmhaauhe%2Bdq5CE4QGemDT0MHSW8voAtR1yCKnPJ7RApcLQ7WQNg%2FYjPLsPG8sd6%2FpUei80F%2Frheg67rgnJ56JYD9arbdGR5Od8pkZjrcBuwf4UDO43i06qV8qseinSc8FasdsdasEA2%2Fn22fp4Oj6U6MqagU21w5Hb%2ByUyHMql%2B1T6Yd1A2V2dZ4ZYU2fL6%2F969FY3swBMH92YanGylh3Sumv5J3q8IrsrHfevvxZs18%3D&RelayState=http%3A%2F%2F<site_url>%2Findex.php
     Request Method: GET
     Status Code: 400
Remote Address: 35.157.47.39:443
Referrer Policy: no-referrer-when-downgrade

This gets the response “Invalid Requester”, I am guessing because of the GET instead of POST request.

If you think there is something I have misconfigured, I would appreciate a SAML configuration guide of some sort, as I could not really find one that showed me what exactly to configure on the SAML client side to make it work with SuiteCRM.
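As an added illustrative example (not SuiteCRM's or Keycloak's code), the following Python builds an unsigned HTTP-Redirect-binding AuthnRequest like the GET request above, decodes it the way the IdP does (URL-decode, base64, raw inflate), and compares what the SP sent with the two Keycloak client settings quoted in the post. The AuthnRequest and URLs are constructed from the post's anonymized placeholders.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
IDP_URL = "https://keycloak_url/auth/realms/tblue-realm/protocol/saml"  # anonymized URL from the post

# Constructed sample AuthnRequest (not a real capture); site_url is the post's placeholder.
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_constructed1" '
    f'Version="2.0" IssueInstant="2018-10-01T13:00:06Z" Destination="{IDP_URL}" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    "<saml:Issuer>http://site_url/index.php</saml:Issuer></samlp:AuthnRequest>"
)

def encode_redirect_request(xml: str, relay_state: str) -> str:
    """Build an unsigned HTTP-Redirect binding URL, as the failing SP does:
    raw DEFLATE, then base64, then URL-encode; no SigAlg/Signature parameters."""
    deflater = zlib.compressobj(wbits=-15)  # -15 = raw DEFLATE without zlib header
    deflated = deflater.compress(xml.encode()) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state}
    return IDP_URL + "?" + urllib.parse.urlencode(params)

def inspect_redirect_request(url: str) -> dict:
    """Decode a redirect-binding request URL and report what the IdP will see."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    if "SAMLRequest" not in query:
        raise ValueError("no SAMLRequest parameter: not an HTTP-Redirect binding request")
    xml_bytes = zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15)
    root = ET.fromstring(xml_bytes)
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "request_binding": "HTTP-Redirect (GET)",
        # Redirect-binding signatures live in the query string, not inside the XML.
        "signed": "Signature" in query and "SigAlg" in query,
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "response_binding": root.get("ProtocolBinding"),  # binding requested for the IdP's response
    }

def diagnose(info: dict, client_signature_required: bool, force_post_binding: bool) -> list:
    """Compare what the SP sent against the Keycloak client settings quoted in the post."""
    findings = []
    if client_signature_required and not info["signed"]:
        findings.append("unsigned redirect request, but the client requires signatures (Keycloak: 'SigAlg was null')")
    if force_post_binding and info["request_binding"].startswith("HTTP-Redirect"):
        findings.append("request sent with the GET redirect binding, but the client has Force POST Binding")
    return findings
```

Running `diagnose(inspect_redirect_request(url), True, True)` on a URL built by `encode_redirect_request` reports both mismatches seen in the Keycloak log above; a captured SuiteCRM redirect URL can be passed to `inspect_redirect_request` the same way.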

Did you find a solution, because I’m experiencing the same problem?

@krisztian
@boris.yakimov

Hello,

Did you find any solution for SAML auth?

No, stopped searching

@krisztian

I found this pull request about adding support for OpenID

and I am trying to connect SuiteCRM to Keycloak via OpenID,
but in the end I can’t log in; maybe the problem is my wrong Keycloak settings.

Maybe it will be useful to someone.