SuiteCRM SAML configuration

Hi Guys,

Exactly the same issue as Boris - Error 403 app_not_configured_for_user

7.11.8

I’m able to get to the accounts.google.com… login screen, but after logging in, it does not redirect back to SuiteCRM.

When bypassing the SAML, logging in is fine, then logging out also works properly and sends me to the SLO.

So the disconnect is an authentication mishap happening between accounts.google.com… and SuiteCRM.

There is an update that is quite critical to apply if you’re running 7.11.8:

https://github.com/salesagility/SuiteCRM/pull/7762/files

And then run an Admin / Repairs / Rebuild .htaccess

Tell me if that fixes anything.

1 Like

Thanks for getting back to me so quickly.

I ended up replacing the entire /modules/Users/authentication/SAML2Authenticate directory with the most recent version (updated 2 months ago as of this post I believe) last night, as well as re-updating config_override.php with the x509 cert hash. And it worked!

I have also updated the UpgradeAccess.php as per your suggestion (looks much cleaner).

Thanks for your help

Hi,

I upgraded to 7.11.10 and SAML is broken again. Can’t figure out what’s going on.

This is what my server log is saying:

[error] 4231#4231: 211 FastCGI sent in stderr: “PHP message: PHP Warning: session_destroy(): Trying to destroy uninitialized session in …/include/MVC/SugarApplication.php on line 172” while reading response header from upstream, client: ***.**.***.***, server: ***.***.***.***, request: “GET / HTTP/2.0”, upstream: “fastcgi://unix:/run/php/php7.2-fpm.sock:”,

Thank You

That is strange.

Can you try the htaccess repair again? But I don’t see why that should be necessary, I am just trying to find some workaround…

Our SAML SSO with Azure AD also broke after updating from 7.11.8 to 7.11.10, though I’m not certain that the update to 7.11.8 had been completed – the installation process first wanted to finish that one, even though I think I had completed it when upgrading from 7.11.7.

On Azure’s side of things, I get the following error:
AADSTS750054: SAMLRequest or SAMLResponse must be present as query string parameters in HTTP request for SAML Redirect binding.

On SuiteCRM’s side, I’m getting the following in Apache’s error log:
[Mon Nov 18 12:49:23.582981 2019] [php7:warn] [pid 25059] [client 94.199.113.150:60157] PHP Warning: Cannot declare class OneLogin_Saml2_Auth, because the name is already in use in crmdir/modules/Users/authentication/SAML2Authenticate/SAML2Authenticate.php on line 55, referer: https://domain.crm/index.php?module=Administration&action=index
[Mon Nov 18 12:49:23.583125 2019] [php7:warn] [pid 25059] [client 94.199.113.150:60157] PHP Warning: Cannot declare class OneLogin_Saml2_AuthnRequest, because the name is already in use in crmdir/modules/Users/authentication/SAML2Authenticate/SAML2Authenticate.php on line 55, referer: https://domain.crm/index.php?module=Administration&action=index
[Mon Nov 18 12:49:23.583182 2019] [php7:warn] [pid 25059] [client 94.199.113.150:60157] PHP Warning: Cannot declare class OneLogin_Saml2_Constants, because the name is already in use in crmdir/modules/Users/authentication/SAML2Authenticate/SAML2Authenticate.php on line 55, referer: https://domain.crm/index.php?module=Administration&action=index
[Mon Nov 18 12:49:23.583207 2019] [php7:warn] [pid 25059] [client 94.199.113.150:60157] PHP Warning: Cannot declare class OneLogin_Saml2_Error, because the name is already in use in crmdir/modules/Users/authentication/SAML2Authenticate/SAML2Authenticate.php on line 55, referer: https://domain.crm/index.php?module=Administration&action=index
[Mon Nov 18 12:49:23.583230 2019] [php7:warn] [pid 25059] [client 94.199.113.150:60157] PHP Warning: Cannot declare class OneLogin_Saml2_ValidationError, because the name is already in use in crmdir/modules/Users/authentication/SAML2Authenticate/SAML2Authenticate.php on line 55, referer: https://domain.crm/index.php?module=Administration&action=index
[Mon Nov 18 12:49:23.583254 2019] [php7:warn] [pid 25059] [client 94.199.113.150:60157] PHP Warning: Cannot declare class OneLogin_Saml2_IdPMetadataParser, because the name is already in use in crmdir/modules/Users/authentication/SAML2Authenticate/SAML2Authenticate.php on line 55, referer: https://domain.crm/index.php?module=Administration&action=index
[Mon Nov 18 12:49:23.583276 2019] [php7:warn] [pid 25059] [client 94.199.113.150:60157] PHP Warning: Cannot declare class OneLogin_Saml2_LogoutRequest, because the name is already in use in crmdir/modules/Users/authentication/SAML2Authenticate/SAML2Authenticate.php on line 55, referer: https://domain.crm/index.php?module=Administration&action=index
[Mon Nov 18 12:49:23.583298 2019] [php7:warn] [pid 25059] [client 94.199.113.150:60157] PHP Warning: Cannot declare class OneLogin_Saml2_LogoutResponse, because the name is already in use in crmdir/modules/Users/authentication/SAML2Authenticate/SAML2Authenticate.php on line 55, referer: https://domain.crm/index.php?module=Administration&action=index
[Mon Nov 18 12:49:23.583320 2019] [php7:warn] [pid 25059] [client 94.199.113.150:60157] PHP Warning: Cannot declare class OneLogin_Saml2_Metadata, because the name is already in use in crmdir/modules/Users/authentication/SAML2Authenticate/SAML2Authenticate.php on line 55, referer: https://domain.crm/index.php?module=Administration&action=index
[Mon Nov 18 12:49:23.583342 2019] [php7:warn] [pid 25059] [client 94.199.113.150:60157] PHP Warning: Cannot declare class OneLogin_Saml2_Response, because the name is already in use in crmdir/modules/Users/authentication/SAML2Authenticate/SAML2Authenticate.php on line 55, referer: https://domain.crm/index.php?module=Administration&action=index
[Mon Nov 18 12:49:23.583363 2019] [php7:warn] [pid 25059] [client 94.199.113.150:60157] PHP Warning: Cannot declare class OneLogin_Saml2_Settings, because the name is already in use in crmdir/modules/Users/authentication/SAML2Authenticate/SAML2Authenticate.php on line 55, referer: https://domain.crm/index.php?module=Administration&action=index
[Mon Nov 18 12:49:23.583384 2019] [php7:warn] [pid 25059] [client 94.199.113.150:60157] PHP Warning: Cannot declare class OneLogin_Saml2_Utils, because the name is already in use in crmdir/modules/Users/authentication/SAML2Authenticate/SAML2Authenticate.php on line 55, referer: https://domain.crm/index.php?module=Administration&action=index
[Mon Nov 18 12:49:24.289891 2019] [php7:warn] [pid 25060] [client 94.199.113.150:51193] PHP Warning: Cannot declare class OneLogin_Saml2_Auth, because the name is already in use in crmdir/modules/Users/authentication/SAML2Authenticate/SAML2Authenticate.php on line 55, referer: https://domain.crm/index.php?module=Home&action=index
[Mon Nov 18 12:49:24.290029 2019] [php7:warn] [pid 25060] [client 94.199.113.150:51193] PHP Warning: Cannot declare class OneLogin_Saml2_AuthnRequest, because the name is already in use in crmdir/modules/Users/authentication/SAML2Authenticate/SAML2Authenticate.php on line 55, referer: https://domain.crm/index.php?module=Home&action=index
[Mon Nov 18 12:49:24.290058 2019] [php7:warn] [pid 25060] [client 94.199.113.150:51193] PHP Warning: Cannot declare class OneLogin_Saml2_Constants, because the name is already in use in crmdir/modules/Users/authentication/SAML2Authenticate/SAML2Authenticate.php on line 55, referer: https://domain.crm/index.php?module=Home&action=index
[Mon Nov 18 12:49:24.290083 2019] [php7:warn] [pid 25060] [client 94.199.113.150:51193] PHP Warning: Cannot declare class OneLogin_Saml2_Error, because the name is already in use in crmdir/modules/Users/authentication/SAML2Authenticate/SAML2Authenticate.php on line 55, referer: https://domain.crm/index.php?module=Home&action=index
[Mon Nov 18 12:49:24.290107 2019] [php7:warn] [pid 25060] [client 94.199.113.150:51193] PHP Warning: Cannot declare class OneLogin_Saml2_ValidationError, because the name is already in use in crmdir/modules/Users/authentication/SAML2Authenticate/SAML2Authenticate.php on line 55, referer: https://domain.crm/index.php?module=Home&action=index
[Mon Nov 18 12:49:24.290131 2019] [php7:warn] [pid 25060] [client 94.199.113.150:51193] PHP Warning: Cannot declare class OneLogin_Saml2_IdPMetadataParser, because the name is already in use in crmdir/modules/Users/authentication/SAML2Authenticate/SAML2Authenticate.php on line 55, referer: https://domain.crm/index.php?module=Home&action=index
[Mon Nov 18 12:49:24.290154 2019] [php7:warn] [pid 25060] [client 94.199.113.150:51193] PHP Warning: Cannot declare class OneLogin_Saml2_LogoutRequest, because the name is already in use in crmdir/modules/Users/authentication/SAML2Authenticate/SAML2Authenticate.php on line 55, referer: https://domain.crm/index.php?module=Home&action=index
[Mon Nov 18 12:49:24.290177 2019] [php7:warn] [pid 25060] [client 94.199.113.150:51193] PHP Warning: Cannot declare class OneLogin_Saml2_LogoutResponse, because the name is already in use in crmdir/modules/Users/authentication/SAML2Authenticate/SAML2Authenticate.php on line 55, referer: https://domain.crm/index.php?module=Home&action=index
[Mon Nov 18 12:49:24.290199 2019] [php7:warn] [pid 25060] [client 94.199.113.150:51193] PHP Warning: Cannot declare class OneLogin_Saml2_Metadata, because the name is already in use in crmdir/modules/Users/authentication/SAML2Authenticate/SAML2Authenticate.php on line 55, referer: https://domain.crm/index.php?module=Home&action=index
[Mon Nov 18 12:49:24.290222 2019] [php7:warn] [pid 25060] [client 94.199.113.150:51193] PHP Warning: Cannot declare class OneLogin_Saml2_Response, because the name is already in use in crmdir/modules/Users/authentication/SAML2Authenticate/SAML2Authenticate.php on line 55, referer: https://domain.crm/index.php?module=Home&action=index
[Mon Nov 18 12:49:24.290245 2019] [php7:warn] [pid 25060] [client 94.199.113.150:51193] PHP Warning: Cannot declare class OneLogin_Saml2_Settings, because the name is already in use in crmdir/modules/Users/authentication/SAML2Authenticate/SAML2Authenticate.php on line 55, referer: https://domain.crm/index.php?module=Home&action=index
[Mon Nov 18 12:49:24.290267 2019] [php7:warn] [pid 25060] [client 94.199.113.150:51193] PHP Warning: Cannot declare class OneLogin_Saml2_Utils, because the name is already in use in crmdir/modules/Users/authentication/SAML2Authenticate/SAML2Authenticate.php on line 55, referer: https://domain.crm/index.php?module=Home&action=index
This gets repeated over and over again. Nothing in SuiteCRM’s own logfile.

Any ideas?
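“Cannot declare class X, because the name is already in use” is PHP reporting that two files declaring the same class were both included during one request, so the second declaration fails. Below is an added example written for this thread, not SuiteCRM or php-saml code: a Python scanner that lists every class declared in more than one file under an install tree, which is the quickest way to see which copies of the library collide. The sample files are constructed; the lib/onelogin location under SAML2Authenticate is taken from the settings.php path mentioned in this thread, and the remaining paths are assumptions.

```python
# Added example: list PHP classes declared in more than one file. Not SuiteCRM code;
# the sample files below are constructed and their paths are assumptions.
import os
import re
from collections import defaultdict
from typing import Dict, List

# `class Foo` at the start of a line, optionally abstract/final. Lines that begin
# with // or * do not match; a class keyword inside a multi-line string still could.
CLASS_RE = re.compile(r"^\s*(?:abstract\s+|final\s+)?class\s+([A-Za-z_]\w*)", re.MULTILINE)
NAMESPACE_RE = re.compile(r"^\s*namespace\s+([A-Za-z_][\w\\]*)\s*;", re.MULTILINE)


def declared_classes(source: str) -> List[str]:
    """Fully qualified names of the classes declared in one PHP source file."""
    ns = NAMESPACE_RE.search(source)
    prefix = ns.group(1) + "\\" if ns else ""
    return [prefix + m.group(1) for m in CLASS_RE.finditer(source)]


def find_duplicates(sources: Dict[str, str]) -> Dict[str, List[str]]:
    """Class name -> files declaring it, restricted to classes found in 2+ files."""
    where: Dict[str, List[str]] = defaultdict(list)
    for path in sorted(sources):
        for cls in declared_classes(sources[path]):
            where[cls].append(path)
    return {cls: paths for cls, paths in where.items() if len(paths) > 1}


def read_php_tree(root: str) -> Dict[str, str]:
    """Read every .php file under root (skipping .git and the cache directory)."""
    out: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "cache")]
        for name in filenames:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    out[os.path.relpath(path, root)] = fh.read()
    return out


# Constructed sample tree: a legacy copy bundled under the auth module and a
# composer copy both declare OneLogin_Saml2_Auth; the namespaced 3.x classes are unique.
SAMPLE = {
    "modules/Users/authentication/SAML2Authenticate/lib/onelogin/saml2/auth.php":
        "<?php\nclass OneLogin_Saml2_Auth {\n}\n",
    "vendor/onelogin/php-saml/lib/Saml2/Auth.php":
        "<?php\n// class OneLogin_Saml2_Auth (comment, must not count)\n"
        "class OneLogin_Saml2_Auth {\n}\n",
    "vendor/onelogin/php-saml/src/Saml2/Auth.php":
        "<?php\nnamespace OneLogin\\Saml2;\nfinal class Auth {\n}\n",
    "vendor/onelogin/php-saml/src/Saml2/Settings.php":
        "<?php\nnamespace OneLogin\\Saml2;\nclass Settings {\n}\n",
}

if __name__ == "__main__":
    import sys
    tree = read_php_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for cls, paths in find_duplicates(tree).items():
        print(cls)
        for p in paths:
            print("   ", p)
```

Run it against the SuiteCRM root (`python find_dupes.py /var/www/html/suitecrm`) and compare the colliding paths with the warnings: every class named in the log should show up with two files, and the extra copy is the one to remove or stop including.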

Thanks for your quick reply. I tried rebuilding htaccess and I’ve run the quick repair after each attempt to rebuild either the vendor or the SAML files.

Also got this feedback in the suitecrm.log file

#0 …/vendor/onelogin/php-saml/src/Saml2/Auth.php(177): OneLogin\Saml2\Settings->__construct(Array)
#1 …/modules/Users/authentication/SAML2Authenticate/SAML2Authenticate.php(95): OneLogin\Saml2\Auth->__construct(Array)
#2 …/modules/Users/Login.php(46): SAML2Authenticate->pre_login()
#3 …/include/MVC/View/SugarView.php(834): include_once(’/var/www/html/s…’)
#4 …/include/MVC/View/views/view.classic.php(72): SugarView->includeClassicFile(‘modules/Users/L…’)
#5 …/include/MVC/View/SugarView.php(226): ViewClassic->display()
#6 …/include/MVC/Controller/SugarController.php(435): SugarView->process()
#7 …/include/MVC/Controller/SugarController.php(375): SugarController->processView()
#8 …/include/MVC/SugarApplication.php(113): SugarController->execute()
#9 …/index.php(52): SugarApplication->execute()
#10 {main}

Best

Quick update to this. The SSO URL was wrong. I fixed it and I’m back to the 404 error

Hi,

I finally tracked down the issue.

/vendor/onelogin/php-saml/src/Saml2/Auth.php(177): OneLogin\Saml2\Settings->__construct(Array)

I reverted onelogin back to 3.0 from 3.3 and it solved the problem.

Best

@jakeAdmin can you get us a stack trace, or at least the complete error text, of the problem you were getting? If I am understanding your issue correctly and there’s an incompatibility with onelogin v3, we need to fix it, right?

We had issues with SAML as well, after upgrading to the latest SuiteCRM versions (7.10.21/22 in our case), which contain php-saml library version 3.3.x or higher.
Due to setting “strict” to “true” as a default, all SAML communication has to be signed. See the release notes: https://github.com/onelogin/php-saml/releases/tag/3.3.0

To disable this check, add “‘strict’ => false,” to “$settingsInfo” in “custom/saml/modules/Users/authentication/SAML2Authenticate/lib/onelogin/settings.php”
Like this, for example.

$settingsInfo = array(
    // Turn off strict mode
    'strict' => false,
    // End
    'sp' => array(

That should restore the functionality to previous versions of the library.

You really shouldn’t downgrade this library to anything lower than 3.3.1, as that version contains a fix for a critical security issue.

4 Likes
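The practical question behind the workaround above is what 'strict' => false gives up. In php-saml the strict flag gates the Response consistency checks: Destination against the ACS URL the message arrived on, InResponseTo, Issuer, the NotBefore/NotOnOrAfter window, the Audience restriction, and the wantMessagesSigned / wantAssertionsSigned requirements. The Python below is an added example written for this thread, not code from SuiteCRM or from onelogin/php-saml; it models those checks over constructed sample Responses and shows the same bad Responses being accepted once strict is off. The sugar.url host follows the thread’s placeholder, the IdP entity ID and the Signature elements are stand-ins, and real XML-DSig verification is left to the library.

```python
# Added example modelling the checks php-saml's 'strict' flag gates. Not SuiteCRM or
# php-saml code; the sample Responses, sugar.url host and IdP entity ID are constructed.
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import List, Optional
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


@dataclass(frozen=True)
class SpSettings:
    sp_entity_id: str
    acs_url: str                  # URL the Response was POSTed to
    idp_entity_id: str
    strict: bool = True
    want_messages_signed: bool = False
    want_assertions_signed: bool = False


def _ts(value: str) -> datetime:
    # SAML timestamps are UTC; fractional seconds are not handled here
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def strict_mode_findings(response_xml: str, s: SpSettings, now: datetime,
                         expected_in_response_to: Optional[str] = None) -> List[str]:
    """Reasons to reject the Response; an empty list means accepted.
    Only signature *presence* is checked; verifying the XML-DSig is the library's job."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]
    if not s.strict:
        return []                 # 'strict' => false: every check below is skipped
    findings: List[str] = []
    dest = root.get("Destination")
    if dest is not None and dest != s.acs_url:
        findings.append(f"Destination {dest!r} is not our ACS URL")
    if expected_in_response_to and root.get("InResponseTo") != expected_in_response_to:
        findings.append("InResponseTo does not match the AuthnRequest we sent")
    if assertion.findtext("saml:Issuer", namespaces=NS) != s.idp_entity_id:
        findings.append("Issuer is not the configured IdP")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and _ts(nb) > now:
            findings.append("assertion not yet valid (NotBefore)")
        if noa and _ts(noa) <= now:
            findings.append("assertion expired (NotOnOrAfter)")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and s.sp_entity_id not in audiences:
            findings.append("Audience does not include our SP entity ID")
    if s.want_messages_signed and root.find("ds:Signature", NS) is None:
        findings.append("Response is not signed")
    if s.want_assertions_signed and assertion.find("ds:Signature", NS) is None:
        findings.append("Assertion is not signed")
    return findings


def build_response(destination, audience, issuer, not_on_or_after, signed_assertion=True):
    """Constructed sample Response; the Signature element is a placeholder, not a real XML-DSig."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>'
           if signed_assertion else "")
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
        f'IssueInstant="2019-11-18T12:49:23Z" Destination="{escape(destination)}" InResponseTo="_req1">'
        f'<saml:Issuer>{escape(issuer)}</saml:Issuer>'
        '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-11-18T12:49:23Z">'
        f'<saml:Issuer>{escape(issuer)}</saml:Issuer>{sig}'
        '<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotBefore="2019-11-18T12:44:23Z" NotOnOrAfter="{not_on_or_after}">'
        f'<saml:AudienceRestriction><saml:Audience>{escape(audience)}</saml:Audience></saml:AudienceRestriction>'
        '</saml:Conditions></saml:Assertion></samlp:Response>'
    )


# Constructed settings; the sugar.url URLs follow the thread's placeholder host
SP = SpSettings(sp_entity_id="https://sugar.url/index.php?action=Login&module=Users",
                acs_url="https://sugar.url/index.php?action=Login&module=Users",
                idp_entity_id="https://idp.example.test/metadata",   # assumed IdP entity ID
                want_assertions_signed=True)
SP_LAX = replace(SP, strict=False)                                   # the 'strict' => false workaround
NOW = datetime(2019, 11, 18, 12, 49, 30, tzinfo=timezone.utc)
GOOD = build_response(SP.acs_url, SP.sp_entity_id, SP.idp_entity_id, "2019-11-18T12:54:23Z")
WRONG_DESTINATION = build_response("https://sugar.url/index.php?module=Home&action=index",
                                   SP.sp_entity_id, SP.idp_entity_id, "2019-11-18T12:54:23Z")
WRONG_AUDIENCE = build_response(SP.acs_url, "https://other-sp.example.test/",
                                SP.idp_entity_id, "2019-11-18T12:54:23Z")
UNSIGNED_EXPIRED = build_response(SP.acs_url, SP.sp_entity_id, SP.idp_entity_id,
                                  "2019-11-18T12:49:00Z", signed_assertion=False)

if __name__ == "__main__":
    for name, xml in [("good", GOOD), ("wrong destination", WRONG_DESTINATION),
                      ("wrong audience", WRONG_AUDIENCE), ("unsigned+expired", UNSIGNED_EXPIRED)]:
        print(f"{name:18} strict: {strict_mode_findings(xml, SP, NOW, '_req1') or 'accepted'}")
        print(f"{'':18} lax:    {strict_mode_findings(xml, SP_LAX, NOW, '_req1') or 'accepted'}")
```

The lax settings accept an expired, unsigned assertion addressed to a different SP; that is the trade-off the workaround makes. The fix that keeps strict on is to make the SP’s configured entity ID and ACS URL match what the IdP actually sends, rather than to stop checking.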

@jakeAdmin looking more closely, it seems you were running a version that is ahead of what we specify. This was probably caused by running

composer update

instead of the recommended

composer install --no-dev
1 Like

After SAML login, I always get logged out after a successful login.

Any clues?

Azure enterprise application configuration:

  • Identifier (Entity ID) - hxxxs://sugar.url/index.php?action=Login&module=Users
  • Reply URL (Assertion Consumer Service URL) - hxxxs://sugar.url/index.php?module=Home&action=index
  • Sign on URL - hxxxs://sugar.url/index.php?action=Login&module=Users
  • Logout Url - hxxxs://sugar.url/index.php?module=Users&action=LoggedOut

I’m using version 7.11.18, Sugar version 6.5.25 (Build 344).

Hey bmommaertins,

Not sure if you’re still having an issue with this but try changing your Reply URL to match your Entity ID: hxxxs://sugar.url/index.php?action=Login&module=Users

Since @bmomartins probably has this already figured out, I’ll add one more possible cause for later visitors to this thread:

SAML login will immediately log out if the hard disk is full (I believe the sessions directory is the key part) or (probably) otherwise non-writable.

We found this out recently by having a slight accident with modified backup scripts not cleaning up after themselves (a bug) and filling up the hard disk in just a couple of days.

Hello,

I ended up using this plugin:

Thanks!

1 Like

@bmomartins
Hello!

Thank you for this solution. It’s very helpful for the community.

Can you publish it in category Show and Tell (https://community.suitecrm.com/c/show-and-tell)?
This is the special category for new solutions. Community people will be able to find a solution there faster.

It’s already mentioned here by the original author

1 Like

… although they are different things, one is Google Signin, the other is Azure. But the second one mentions the first one in the credits, so I thought they were the same. It’s probably a derivative work, an adaptation.

It would be great to just turn these into PR’s and merge them into core…

@TLi Have you found the solution to SAML automatically logging out? In my case it’s not due to the disk being full, there is enough space available. Any other reason?