Is there a configuration within Sugar 7 that would:
- Prevent SAML JIT Provisioning
- If/When using SAML JIT Provisioning, not to create a new user when an existing user can be located
- Mapping of attributes
We use a PHP library from OneLogin in order to support SAML in Sugar 7. This is stored under the vendor/onelogin/ directory.
There are only a couple of SAML settings that can be configured directly via Sugar Config. These are documented in the Developer Guide.
For additional settings, it requires some code customizations in order to change default behaviors used with the OneLogin library such as JIT (Just In Time) provisioning and attribute mappings. You can set your Sugar application log level to DEBUG and you’ll see more details on what’s going on during user provisioning in the sugarcrm.log file.
The settings file that is used by Sugar's SAML implementation is located at modules/Users/authentication/SAMLAuthenticate/settings.php
If you wanted to customize it, you’d need to copy that file, make your customizations, and place it at custom/modules/Users/authentication/SAMLAuthenticate/settings.php
OneLogin whitepaper on SugarCRM SAML for reference.
http://resources.onelogin.com/d/PFpwD/DG-OneLogin-for-SugarCRM
App Ecosystem @ SugarCRM
Via OneLogin SSO, if passing the email address, the existing users get logged in properly. If the email address is mismatched, a new user gets created.
I really want a way to disable JIT user provisioning. Can you please help.
Hi Ashish,
The OneLogin SAML settings are configured at modules/Users/authentication/SAMLAuthenticate/settings.php
That's where JIT provisioning is set by default, etc. You can override this file using the custom/ directory.
// Should new users be provisioned?
$settings->provisionUsers = true;
App Ecosystem @ SugarCRM
Just a quick update here, as of 7.7.x you can now also configure this through a config parameter:
$sugar_config['SAML_provisionUser'] = false;
Hi Matt Marum, have you heard of anyone implementing the opposite via SAML: allowing users to log into Sugar, click a link and automatically be logged into an external system?
OpenID Connect is a protocol designed to allow you to do this. Basically, to treat Sugar as an identity provider.
This is definitely something we are looking at doing. It is not available yet.
App Ecosystem @ SugarCRM