Active Directory (ADFS) SSO Configuration with Sugar 8.0

Dear All,

We are using Sugar 8.0.0 and trying to configure Microsoft's Active Directory Federation Services for SSO implementation.

We followed the Configuring SSO With Active Directory's ADFS in Sugar 7.10 and Higher knowledge base article and configured it successfully.

When we click the Login button, it redirects to our ADFS server's login page and prompts for username/password. Once I enter the credentials, it redirects back to Sugar and throws an error like "Invalid Credentials Inactive user" (see screenshot).

[Screenshot: ADFS Error]

Also, there are no error logs generated in the ./sugarcrm.log file.

Is there any other way to debug this issue?

Alex Nassi Francesca Shiekh

  • Hi guys,

    Any luck with this issue? We're facing the same problem, where the user can do SSO on other applications but not in Sugar.

    Appreciate any feedback.

    Thanks!

  • Hi Kaizer,

    Can you post a screenshot or share the payload that the SSO server submits to Sugar after authentication? The problem could be identified using that payload and what Sugar returns in response. You can look for a POST to this endpoint, for example, and see what content is being submitted, from the Chrome network tab.

    index.php?module=Users&action=Authenticate&platform=base

  • Hi All - there are two common reasons why SSO authentication fails. 

    #1 There is some misconfiguration in either ADFS or Sugar where the Entity ID doesn't match up, the ACS URL doesn't match up (note that in ADFS, these have slightly different terms), or potentially even the certificate doesn't match up. I strongly recommend downloading the metadata for both Sugar and ADFS, and importing each file into the other system (so download the metadata for Sugar from the SugarCloud console and import it into ADFS, and vice versa).

    #2 Users aren't set up with emails as their unique identifiers. This could be either because there is more than one user in the Sugar system with a particular email address, or because ADFS is not set up to use email addresses as the unique identifier.

    In terms of troubleshooting this, I recommend capturing the SAML exchange between Sugar and ADFS and checking the SAML payload during each part of the SAML handshake. You can use an extension such as SAML-tracer to track the communication between Sugar and ADFS and automatically decode the SAML parts. You can then post that information here for additional help.
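The inspection step suggested in the reply above, as an added example that is not part of the thread and not Sugar's or ADFS's own code: a Python script that decodes a captured SAMLResponse (the `SAMLResponse` form field of the POST to index.php?module=Users&action=Authenticate&platform=base) and compares its Destination, Recipient, Audience and NameID format against the ACS URL and Entity ID configured in Sugar, which covers reason #1 and the ADFS half of reason #2. The hostnames, URLs and the sample response are constructed for illustration, and the script does not verify the XML signature, so it is for reading a capture, not for validating a login.

```python
"""Decode a SAMLResponse that ADFS posted to Sugar's ACS endpoint and flag the
mismatches that commonly produce an "Invalid Credentials" failure in Sugar."""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def decode_saml_response(post_body: str) -> dict:
    """Parse the raw form body of the POST to index.php?module=Users&action=Authenticate.
    Inspection only: the XML signature is not verified here."""
    form = parse_qs(post_body)
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"][0]))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # ADFS can encrypt the assertion; then only the wrapper is readable
        raise ValueError("no plaintext <saml:Assertion> in response (encrypted or missing)")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    confirm = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    attributes = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                  for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS),
        "status": status.get("Value", "") if status is not None else "",
        "destination": root.get("Destination", ""),
        "recipient": confirm.get("Recipient", "") if confirm is not None else "",
        "audience": audience.text if audience is not None else "",
        "name_id": name_id.text if name_id is not None else "",
        "name_id_format": name_id.get("Format", "") if name_id is not None else "",
        "attributes": attributes,
    }


def check_response(info: dict, acs_url: str, entity_id: str) -> list:
    """Compare a decoded response with Sugar's configured ACS URL and Entity ID.
    Returns human-readable findings; an empty list means the SAML side is consistent."""
    findings = []
    if info["status"] != SUCCESS:
        findings.append(f"ADFS did not return Success: {info['status']}")
    for field in ("destination", "recipient"):
        if info[field] and info[field] != acs_url:
            findings.append(f"{field} {info[field]!r} is not Sugar's ACS URL {acs_url!r}")
    if info["audience"] != entity_id:
        findings.append(f"Audience {info['audience']!r} is not Sugar's Entity ID {entity_id!r}")
    if info["name_id_format"] != EMAIL_NAMEID:
        findings.append(f"NameID format {info['name_id_format']!r} is not emailAddress; "
                        "Sugar matches users by e-mail")
    return findings


# Constructed sample (not a real capture): an unsigned, unencrypted response from a
# hypothetical ADFS at adfs.example.com to a hypothetical Sugar at sugar.example.com.
ACS_URL = "https://sugar.example.com/index.php?module=Users&action=Authenticate&platform=base"
ENTITY_ID = "https://sugar.example.com/"
_ACS = ACS_URL.replace("&", "&amp;")
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2019-01-01T00:00:00Z" Destination="{_ACS}">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-01-01T00:00:00Z">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_NAMEID}">jane.doe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{_ACS}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def form_body(xml: str) -> str:
    """Encode XML the way the browser posts it: base64, then URL-encoded as a form field."""
    return "SAMLResponse=" + quote(base64.b64encode(xml.encode()).decode(), safe="")


GOOD_BODY = form_body(SAMPLE_XML)
# Same response, but the relying party identifier in ADFS was entered with an extra path segment.
BAD_BODY = form_body(SAMPLE_XML.replace(f"<saml:Audience>{ENTITY_ID}<",
                                        f"<saml:Audience>{ENTITY_ID}sugar<"))

if __name__ == "__main__":
    for body in (GOOD_BODY, BAD_BODY):
        info = decode_saml_response(body)
        print(info["name_id"], check_response(info, ACS_URL, ENTITY_ID) or "consistent")
```

To use it on a real capture, copy the request body of the POST from the browser's network tab (or the decoded response from SAML-tracer, base64-encoded again) into `decode_saml_response`, and pass the ACS URL and Entity ID exactly as they appear in Sugar's SAML settings; ADFS labels the same two values "SAML Assertion Consumer Endpoint" and "Relying party trust identifier".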

  • Thanks for all the help. We didn't see any unusual errors in ADFS, but we managed to find and solve the issue.

    The thing is, there was an old user that had been deleted but had the same email address as the active user who was having the issue. So to solve it we had to delete that deleted user's email mapping from the email_addr_bean_rel table. That explains why the error thrown in Sugar is about the user being inactive.

    It's just strange that Sugar looks through that table but never consults whether the user is still active or not, or even marks the deleted user's email relationship after the user is deleted.

    I hope this can help other users having the same scenario.
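A way to find the situation described in this last post before it bites, as an added example that is not Sugar's own tooling and not from the thread: a query over email_addr_bean_rel that lists every Users record sharing an e-mail address, including soft-deleted users and mappings, plus a clean-up that marks the stale mappings deleted = 1 (Sugar's soft-delete convention) instead of removing the rows. It runs here against an in-memory SQLite copy of the three tables with constructed data; the table and column names are the stock Sugar ones as I know them, so check them against your schema, take a backup, and run the SELECT before the UPDATE on a real instance.

```python
"""Find Users records that share an e-mail address in Sugar's email_addr_bean_rel
mapping table, including soft-deleted users, and retire the stale mappings."""
import sqlite3

# Assumed subset of Sugar's schema (stock column names; verify against your instance).
SCHEMA = """
CREATE TABLE users (id TEXT PRIMARY KEY, user_name TEXT, status TEXT, deleted INTEGER DEFAULT 0);
CREATE TABLE email_addresses (id TEXT PRIMARY KEY, email_address TEXT,
    email_address_caps TEXT, deleted INTEGER DEFAULT 0);
CREATE TABLE email_addr_bean_rel (id TEXT PRIMARY KEY, email_address_id TEXT, bean_id TEXT,
    bean_module TEXT, primary_address INTEGER DEFAULT 0, deleted INTEGER DEFAULT 0);
"""

# :max_rel_deleted = 1 shows every mapping, 0 only live ones (what SSO should match on).
CONFLICT_QUERY = """
SELECT ea.email_address_caps AS email, u.id AS user_id, u.user_name, u.status,
       u.deleted AS user_deleted, r.id AS rel_id, r.deleted AS rel_deleted
FROM email_addr_bean_rel r
JOIN email_addresses ea ON ea.id = r.email_address_id
JOIN users u ON u.id = r.bean_id
WHERE r.bean_module = 'Users' AND r.deleted <= :max_rel_deleted
  AND ea.email_address_caps IN (
      SELECT ea2.email_address_caps
      FROM email_addr_bean_rel r2
      JOIN email_addresses ea2 ON ea2.id = r2.email_address_id
      WHERE r2.bean_module = 'Users' AND r2.deleted <= :max_rel_deleted
      GROUP BY ea2.email_address_caps
      HAVING COUNT(DISTINCT r2.bean_id) > 1)
ORDER BY email, user_deleted, user_id
"""


def find_conflicting_sso_emails(conn, include_deleted_mappings=True):
    """One row per Users bean whose e-mail is mapped to more than one user.
    With include_deleted_mappings=False only live mappings count; that list is
    what should be empty after clean-up."""
    conn.row_factory = sqlite3.Row
    limit = 1 if include_deleted_mappings else 0
    return [dict(r) for r in conn.execute(CONFLICT_QUERY, {"max_rel_deleted": limit})]


def retire_mappings_of_deleted_users(conn):
    """Soft-delete e-mail mappings whose user is itself soft-deleted.
    Returns the number of mappings retired."""
    cur = conn.execute("""
        UPDATE email_addr_bean_rel SET deleted = 1
        WHERE bean_module = 'Users' AND deleted = 0
          AND bean_id IN (SELECT id FROM users WHERE deleted = 1)""")
    conn.commit()
    return cur.rowcount


def sample_db():
    """In-memory replica with constructed data: 'jane' is the active user who cannot
    log in, 'jane_old' the deleted account that still owns the same address."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?,?,?,?)", [
        ("u-jane", "jane", "Active", 0),
        ("u-jane-old", "jane_old", "Inactive", 1),
        ("u-bob", "bob", "Active", 0),
    ])
    conn.executemany("INSERT INTO email_addresses VALUES (?,?,?,?)", [
        ("ea-jane", "jane.doe@example.com", "JANE.DOE@EXAMPLE.COM", 0),
        ("ea-bob", "bob@example.com", "BOB@EXAMPLE.COM", 0),
    ])
    conn.executemany("INSERT INTO email_addr_bean_rel VALUES (?,?,?,?,?,?)", [
        ("rel-1", "ea-jane", "u-jane", "Users", 1, 0),
        ("rel-2", "ea-jane", "u-jane-old", "Users", 1, 0),  # stale: user deleted, mapping not
        ("rel-3", "ea-bob", "u-bob", "Users", 1, 0),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = sample_db()
    for row in find_conflicting_sso_emails(db):
        print(row)
    print("retired:", retire_mappings_of_deleted_users(db))
    print("live conflicts left:", find_conflicting_sso_emails(db, include_deleted_mappings=False))
```

On MySQL the SELECT runs unchanged once the :max_rel_deleted placeholder is replaced by 0 or 1; any conflict between two non-deleted users that it reports is a different problem (two real accounts sharing an address) and has to be resolved in the users' profiles rather than by retiring mappings.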