SuiteCRM – Broken SAML Authentication

The PHP SAML Toolkit version changed in SuiteCRM-7.8.2, which broke existing SAML configurations. I also had the old version patched for SLO support. That patch proved difficult to port because of significant changes in the code, and porting it didn’t make much sense either, as the new toolkit version should support SLO out of the box. Below are my short notes on how to migrate the relevant SimpleSAMLphp IdP configuration to the newer PHP SAML Toolkit version. Also included is an SLO patch for SuiteCRM-7.8.18 LTS.

Contents

    IdP configuration

    SP entity ID and endpoint URLs have changed.

    The SuiteCRM default SP entity ID has changed from php-saml to <SuiteCRM URL>/index.php?action=Login&module=Users.

    The ACS URL has changed from <SuiteCRM URL>/index.php?module=Users&action=Authenticate to <SuiteCRM URL>/index.php?action=Login&module=Users.

    The SLS URL should also be set to <SuiteCRM URL>/index.php?action=Login&module=Users.

    Change your configuration accordingly.

    SimpleSAMLphp example

    SAML 2.0 remote SP metadata for SimpleSAMLphp is in metadata/saml20-sp-remote.php. Here is the relevant part:

    ...
    $metadata["http://suitecrm.ipros24.ru/index.php?action=Login&module=Users"] = array (
    
    	"NameIDFormat" => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    
    //	"simplesaml.nameidattribute" => "email",
    	"simplesaml.nameidattribute" => "urn:oid:1.2.840.113549.1.9.1",
    
    //	"simplesaml.nameidattribute" => "uid",
    //	"simplesaml.nameidattribute" => "urn:oid:0.9.2342.19200300.100.1.1",
    
    	"AssertionConsumerService"	=> array (
    		array (
    			"Binding"	=> "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    			"Location"	=> "http://suitecrm.ipros24.ru/index.php?action=Login&module=Users"
    		)
    	),
    
    	"SingleLogoutService"	=> array (
    		array (
    			"Binding"	=> "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    			"Location"	=> "http://suitecrm.ipros24.ru/index.php?action=Login&module=Users"
    		)
    	)
    );
    ...
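The following check, added here as an example and not part of the original post, verifies that an IdP's remote-SP entry uses the entity ID, ACS and SLS endpoints SuiteCRM 7.8.2 and later expect, and also flags a plain http SuiteCRM URL, since SAML messages sent to such endpoints are not protected in transit. The SuiteCRM URL and both metadata entries are constructed, written as Python dicts that mirror the PHP arrays above (one entry with the pre-7.8.2 defaults, one written for the new toolkit).

```python
from urllib.parse import urlsplit

# Added example, not code from the post. BASE and both entries below are constructed.
LOGIN_ENDPOINT = "/index.php?action=Login&module=Users"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def expected_sp_url(base_url):
    """Since 7.8.2 the entity ID, ACS URL and SLS URL are all this Login URL."""
    return base_url.rstrip("/") + LOGIN_ENDPOINT

def check_sp_entry(base_url, entity_id, entry):
    """Return a list of findings for $metadata[entity_id]; an empty list means it matches."""
    want = expected_sp_url(base_url)
    findings = []
    if entity_id != want:
        findings.append(f"entity ID is {entity_id!r}, expected {want!r}")
    if urlsplit(want).scheme != "https":
        findings.append("SuiteCRM URL is plain http: assertions and logout messages are exposed in transit")
    for key, binding in (("AssertionConsumerService", HTTP_POST),
                         ("SingleLogoutService", HTTP_REDIRECT)):
        services = entry.get(key) or []
        if not services:
            findings.append(f"{key} is missing")
            continue
        svc = services[0]  # the post's metadata lists one endpoint per service
        if svc.get("Binding") != binding:
            findings.append(f"{key} binding is {svc.get('Binding')!r}, expected {binding!r}")
        if svc.get("Location") != want:
            findings.append(f"{key} location is {svc.get('Location')!r}, expected {want!r}")
    return findings

BASE = "https://crm.example.com"  # constructed SuiteCRM URL
# Entry left over from the pre-7.8.2 toolkit (constructed from the old defaults in the post).
OLD_ENTRY = {"AssertionConsumerService": [
    {"Binding": HTTP_POST, "Location": BASE + "/index.php?module=Users&action=Authenticate"}]}
# Entry for the new toolkit (constructed, mirrors the saml20-sp-remote.php excerpt above).
NEW_ENTRY = {
    "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "AssertionConsumerService": [{"Binding": HTTP_POST, "Location": expected_sp_url(BASE)}],
    "SingleLogoutService": [{"Binding": HTTP_REDIRECT, "Location": expected_sp_url(BASE)}],
}

if __name__ == "__main__":
    for name, eid, entry in (("old", "php-saml", OLD_ENTRY), ("new", expected_sp_url(BASE), NEW_ENTRY)):
        print(name, check_sp_entry(BASE, eid, entry) or ["OK"])
```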
    
    SLO patch

    The included patch is for SuiteCRM-7.8.18 LTS but may also work with newer SuiteCRM versions. It has been tested against a SimpleSAMLphp 1.13.2 SAML 2.0 IdP.

    Name: SuiteCRM-7.8.18-SLO.patch
    Size: 2 KB
    MD5: 9f95f630f05aef4195b2fd9f0aa7a845

    The patch also includes a fix for an infinite loop which occurs when an authenticated user doesn’t exist in the CRM, and a PHP 5 compatibility fix.

    To apply the patch on a Linux system, run the following command in the SuiteCRM root:

    # patch -p0 <SuiteCRM-7.8.18-SLO.patch
    

    iPROS24 Notices – Advanced usage and examples

    Contents

      Adding custom conditions

      You may add any number of custom conditions in Dashboard › Settings › Notices. Condition names may contain alphanumeric characters, spaces and underscores, and must start with a letter or an underscore.

      All custom conditions are false by default. You need to add a filter for a server-side condition and set a variable for a client-side one.

      Examples

      Let’s add a server-side condition which is true when a user is logged in and is an administrator.

      • Go to Dashboard › Settings › Notices.
      • Enter Is admin condition name in Custom server-side conditions section.
      • Click Add.

      The name of the filter appears in WordPress filter column.

      • Add the following lines to Server-side script:
      // Returns true when the current user has the administrator role.
      function ipros24_notices_is_admin ()	{
      
      	global $current_user;
      
      	return in_array ("administrator", $current_user->roles);
      }
      
      // Hook the function to the filter name shown in the WordPress filter column.
      add_filter ('ipros24_notices_is_admin', 'ipros24_notices_is_admin');
      
      • Click Save Changes.

      Done. Now we have a condition we can use e.g. to preview notices on a production site.

      Now let’s add a client-side condition which is true when it’s Christmas in the user’s timezone.

      • Go to Dashboard › Settings › Notices.
      • Enter Is Xmas condition name in Custom client-side conditions section.
      • Click Add.

      The name of the variable appears in JavaScript variable column.

      • Add the following lines to Client-side script:
      // The plugin triggers this event before evaluating the conditions;
      // set the variable shown in the JavaScript variable column here.
      $ (window).on ("ipros24-notices-filter", function ()	{
      
      	var today = new Date ();	// local time, i.e. the visitor's timezone
      
      	ipros24_notices.is_xmas = (today.getMonth () == 11 &&	// months are zero-based
      		today.getDate () == 25);
      });
      
      • Click Save Changes.

      Now we have a condition we can use to greet our visitors on Christmas Day.

      Creating notices

      Go to Dashboard › Notices and Add New notice. Notices are implemented as a custom post type so adding a notice is not much different from adding a post.

      After you finish editing select the conditions to be met in Notice Attributes box.

      NB: Use server-side conditions to filter sensitive notices; client-side conditions are evaluated in the visitor’s browser, where the variables can be changed.

      Examples

      Let’s add a warning that some features of the site won’t work if cookies are disabled in the user’s browser.

      • Go to Dashboard › Notices and click Add New.
      • Enter the notice, e.g. You have to enable cookies for this site to work properly.
      • Set the Cookies enabled condition to False in the Notice Attributes box.
      • Click Update.

      Done.

      Personalising the notices

      There’s a shortcode you can use to personalise your notices. It is replaced with the user’s display name, or with the text between the tags if the user hasn’t logged in yet.

      Examples

      Merry Xmas, [ipros24_user]friend[/ipros24_user]!
      
      Notes on security

      Only administrators of single-site installations have the capability to edit server-side scripts. In a multisite installation only the Super Admin has this capability. To disable server-side script editing completely, add the following to wp-config.php:

      define ('ALLOW_EDIT_SERVER_SIDE_SCRIPTS', FALSE);
      