Hi,
I am using SuiteCRM 8.7.1 (local hosting) and trying to configure SAML, but I am not having success with what I believe is the user mapping into SuiteCRM. I followed the guide below as well as the case below that:
https://docs.suitecrm.com/8.x/admin/configuration/saml/8.7.0-saml-configuration/
https://community.suitecrm.com/t/suitecrm-8-saml-azure-hslavich/91960
Authentication is fine on the Azure side with successful logins; however, on the SuiteCRM side I get the logged-out screen. The guide mentions an Auth.log, but I did not find it. I adjusted the security log to show debugging, where I get the following:
[2025-01-09 22:55:25] security.DEBUG: Checking for authenticator support. {"firewall_name":"main","authenticators":2}
[2025-01-09 22:55:25] security.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"App\Security\Saml\AppSamlAuthenticator"}
[2025-01-09 22:55:25] security.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"App\Security\Saml\AppSamlAuthenticator"}
[2025-01-09 22:55:25] security.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"Nbgrp\OneloginSamlBundle\Security\Http\Authenticator\SamlAuthenticator"}
[2025-01-09 22:55:25] security.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"Nbgrp\OneloginSamlBundle\Security\Http\Authenticator\SamlAuthenticator"}
[2025-01-09 22:55:25] security.DEBUG: Access denied, the user is not fully authenticated; redirecting to authentication entry point. {"exception":"[object] (Symfony\Component\Security\Core\Exception\AccessDeniedException(code: 403): Access Denied. at /var/www/suitecrm/vendor/symfony/security-http/Firewall/AccessListener.php:87)"}
[2025-01-09 22:55:25] security.DEBUG: Calling Authentication entry point. {"entry_point":"[object] (App\Security\Saml\AppSamlAuthenticator: {})"}
[2025-01-09 22:55:25] security.DEBUG: Checking for authenticator support. {"firewall_name":"main","authenticators":2}
[2025-01-09 22:55:25] security.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"App\Security\Saml\AppSamlAuthenticator"}
[2025-01-09 22:55:25] security.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"App\Security\Saml\AppSamlAuthenticator"}
[2025-01-09 22:55:25] security.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"Nbgrp\OneloginSamlBundle\Security\Http\Authenticator\SamlAuthenticator"}
[2025-01-09 22:55:25] security.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"Nbgrp\OneloginSamlBundle\Security\Http\Authenticator\SamlAuthenticator"}
[2025-01-09 22:55:25] security.DEBUG: Checking for authenticator support. {"firewall_name":"main","authenticators":2}
[2025-01-09 22:55:25] security.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"App\Security\Saml\AppSamlAuthenticator"}
[2025-01-09 22:55:25] security.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"Nbgrp\OneloginSamlBundle\Security\Http\Authenticator\SamlAuthenticator"}
[2025-01-09 22:55:25] security.INFO: Authenticator failed. {"exception":"[object] (Symfony\Component\Security\Core\Exception\AuthenticationException(code: 0): Unable to extract public key at /var/www/suitecrm/vendor/nbgrp/onelogin-saml-bundle/src/Security/Http/Authenticator/SamlAuthenticator.php:93)","authenticator":"App\Security\Saml\AppSamlAuthenticator"}
[2025-01-09 22:55:25] security.DEBUG: Authentication failure, redirect triggered. {"failure_path":"logged-out"}
[2025-01-09 22:55:25] security.DEBUG: The "App\Security\Saml\AppSamlAuthenticator" authenticator set the failure response. {"authenticator":"App\Security\Saml\AppSamlAuthenticator"}
[2025-01-09 22:55:25] security.DEBUG: The "App\Security\Saml\AppSamlAuthenticator" authenticator set the response. Any later authenticator will not be called {"authenticator":"App\Security\Saml\AppSamlAuthenticator"}
[2025-01-09 22:55:25] security.DEBUG: Checking for authenticator support. {"firewall_name":"logged_out","authenticators":1}
[2025-01-09 22:55:25] security.DEBUG: Checking support on authenticator. {"firewall_name":"logged_out","authenticator":"App\Security\AppJsonLoginAuthenticator"}
[2025-01-09 22:55:25] security.DEBUG: Authenticator does not support the request. {"firewall_name":"logged_out","authenticator":"App\Security\AppJsonLoginAuthenticator"}
[2025-01-09 22:55:25] security.DEBUG: Checking for authenticator support. {"firewall_name":"auth","authenticators":1}
[2025-01-09 22:55:25] security.DEBUG: Checking support on authenticator. {"firewall_name":"auth","authenticator":"App\Security\AppJsonLoginAuthenticator"}
[2025-01-09 22:55:25] security.DEBUG: Authenticator does not support the request. {"firewall_name":"auth","authenticator":"App\Security\AppJsonLoginAuthenticator"}
[2025-01-09 22:55:25] security.DEBUG: Checking for authenticator support. {"firewall_name":"main","authenticators":2}
[2025-01-09 22:55:25] security.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"App\Security\Saml\AppSamlAuthenticator"}
[2025-01-09 22:55:25] security.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"App\Security\Saml\AppSamlAuthenticator"}
[2025-01-09 22:55:25] security.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"Nbgrp\OneloginSamlBundle\Security\Http\Authenticator\SamlAuthenticator"}
[2025-01-09 22:55:25] security.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"Nbgrp\OneloginSamlBundle\Security\Http\Authenticator\SamlAuthenticator"}
[2025-01-09 22:55:25] security.DEBUG: Checking for authenticator support. {"firewall_name":"main","authenticators":2}
[2025-01-09 22:55:25] security.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"App\Security\Saml\AppSamlAuthenticator"}
[2025-01-09 22:55:25] security.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"App\Security\Saml\AppSamlAuthenticator"}
[2025-01-09 22:55:25] security.DEBUG: Checking support on authenticator. {"firewall_name":"main","authenticator":"Nbgrp\OneloginSamlBundle\Security\Http\Authenticator\SamlAuthenticator"}
[2025-01-09 22:55:25] security.DEBUG: Authenticator does not support the request. {"firewall_name":"main","authenticator":"Nbgrp\OneloginSamlBundle\Security\Http\Authenticator\SamlAuthenticator"}
Following the sequence of events, there is an access denied, but there is no mention of which user it is denying access for. My assumption here is that the username attribute map is not working correctly for the configuration in the .env. Below is my configuration summary:
AUTH_TYPE=saml
SAML_USERNAME_ATTRIBUTE=name
SAML_USE_ATTRIBUTE_FRIENDLY_NAME=true
SAML_IDP_ENTITY_ID='https://sts.windows.net/**********************/'
SAML_IDP_SSO_URL='https://login.microsoftonline.com/********************/saml2'
SAML_IDP_SLO_URL='https://login.microsoftonline.com/********************/saml2'
SAML_IDP_X509CERT='/etc/ssl/certs/idp.cer'
SAML_SP_ENTITY_ID='**********************'
SAML_SP_PRIVATE_KEY='/etc/ssl/private/scrm.key'
SAML_SP_CERT='/etc/ssl/certs/scrm.crt'
SAML_STRICT=''
SAML_DEBUG=true
Request options
SAML_NAME_ID_ENCRYPTED=false
SAML_AUTHN_REQUESTS_SIGNED=false
SAML_LOGOUT_REQUEST_SIGNED=false
SAML_LOGOUT_RESPONSE_SIGNED=false
SAML_SIGN_METADATA=false
SAML_WANT_MESSAGES_SIGNED=false
SAML_WANT_ASSERTIONS_ENCRYPTED=false
SAML_WANT_ASSERTIONS_SIGNED=true
SAML_WANT_NAME_ID=false
SAML_WANT_NAME_ID_ENCRYPTED=false
SAML_REQUESTED_AUTHN_CONTEXT=false
SAML_WANT_XML_VALIDATION=false
SAML_RELAX_DESTINATION_VALIDATION=false
SAML_DESTINATION_STRICTLY_MATCHES=false
SAML_ALLOW_REPEAT_ATTRIBUTE_NAME=false
SAML_REJECT_UNSOLICITED_RESPONSES_WITH_IN_RESPONSE_TO=false
SAML_LOWERCASE_URL_ENCODING=false
Compression
SAML_COMPRESS_REQUESTS=true
SAML_COMPRESS_RESPONSES=true
Contact information (this section was left default)
SAML_CONTACT_TECHNICAL_GIVEN_NAME='Tech User'
SAML_CONTACT_TECHNICAL_EMAIL_ADDRESS='techuser@example.com'
SAML_CONTACT_SUPPORT_GIVEN_NAME='Support User'
SAML_CONTACT_SUPPORT_EMAIL_ADDRESS='supportuser@example.com'
SAML_CONTACT_ADMINISTRATIVE_GIVEN_NAME='Administrative User'
SAML_CONTACT_ADMINISTRATIVE_EMAIL_ADDRESS='administrativeuser@example.com'
SAML_ORGANIZATION_NAME='Example'
SAML_ORGANIZATION_DISPLAY_NAME='Example'
SAML_ORGANIZATION_URL='http://example.com'
Azure Configuration (relevant users also assigned to enterprise application):
Identifier (Entity ID): https://crm.yourdomain.com
Reply URL (Assertion Consumer Service URL): https://crm.yourdomain.com/saml/acs
Sign on URL (Optional): left empty
Relay State (Optional): left empty
Logout Url (Optional): left empty
I am a bit stuck, as I have tried a few options in the .env file but no dice.
What am I missing in the configuration? Also, any recommendations for the .env are welcome, i.e. any options that are best practice.
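An added diagnostic for the "Unable to extract public key" failure in the log above (example code, not part of the post, SuiteCRM or the nbgrp bundle): it reads SAML_IDP_X509CERT from .env text and reports whether the value is a parseable certificate body. It assumes that setting must carry the IdP certificate itself (base64 DER, PEM armour optional) rather than a file path; the .env fragment and the tiny DER blob used in checks are constructed.

```python
# Added example (not SuiteCRM/nbgrp code): checks that SAML_IDP_X509CERT holds
# a parseable certificate body rather than, e.g., a file path.
import base64
import binascii
import os
import re

ENV_LINE = re.compile(r"^\s*([A-Z0-9_]+)\s*=\s*(.*?)\s*$")
QUOTES = "'\"\u2018\u2019\u201c\u201d"  # straight and curly quotes

def read_env_value(env_text, key):
    """Return the value of key from .env text, with surrounding quotes removed."""
    for line in env_text.splitlines():
        m = ENV_LINE.match(line)
        if m and m.group(1) == key:
            value = m.group(2)
            if len(value) >= 2 and value[0] in QUOTES and value[-1] in QUOTES:
                value = value[1:-1]
            return value
    return None

def der_sequence_ok(blob):
    """True if blob is exactly one DER SEQUENCE (the outer shape of an X.509 cert)."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    if blob[1] < 0x80:                       # short-form length
        return len(blob) == 2 + blob[1]
    n = blob[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return False
    return len(blob) == 2 + n + int.from_bytes(blob[2:2 + n], "big")

def check_idp_cert(value):
    """Classify a SAML_IDP_X509CERT value; returns (status, explanation)."""
    if not value:
        return "missing", "SAML_IDP_X509CERT is not set"
    if value.startswith("/") or os.path.isfile(value):
        return "path", "value is a file path; the setting needs the certificate body itself"
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s+", "", value)
    try:
        blob = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return "invalid", "value is not valid base64"
    if not der_sequence_ok(blob):
        return "invalid", "base64 decodes, but not to a DER certificate structure"
    return "ok", f"certificate body parses ({len(blob)} DER bytes)"

# Constructed .env fragment mirroring the post: a path where a cert body belongs.
SAMPLE_ENV = "AUTH_TYPE=saml\nSAML_IDP_X509CERT='/etc/ssl/certs/idp.cer'\n"
print(check_idp_cert(read_env_value(SAMPLE_ENV, "SAML_IDP_X509CERT")))
```

Run it against the real .env to see which of the four outcomes applies; a "path" or "invalid" result is consistent with the library being unable to load a public key from the configured value.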