The PHP SAML Toolkit version changed in SuiteCRM-7.8.2, which broke existing SAML configurations. I also had the old version patched for SLO support. The patch proved difficult to port because of significant changes in the code, and porting it made little sense anyway, since the new toolkit version should support SLO out of the box.
Below are my short notes on how to migrate the relevant SimpleSAMLphp IdP configuration to the newer PHP SAML Toolkit version. An SLO patch for SuiteCRM-7.8.18 LTS is also included.
IdP configuration
The SP entity ID and endpoint URLs have changed.
The default SuiteCRM SP entity ID has changed from `php-saml` to `<SuiteCRM URL>/index.php?action=Login&module=Users`.
The ACS URL has changed from `<SuiteCRM URL>/index.php?module=Users&action=Authenticate` to `<SuiteCRM URL>/index.php?action=Login&module=Users`.
The SLS URL should also be set to `<SuiteCRM URL>/index.php?action=Login&module=Users`.
Change your IdP configuration accordingly.
SimpleSAMLphp example
The SAML 2.0 remote SP metadata for SimpleSAMLphp lives in `metadata/saml20-sp-remote.php`. Here is the relevant part:
```php
// ...
$metadata["http://suitecrm.ipros24.ru/index.php?action=Login&module=Users"] = array (
    "NameIDFormat" => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    // "simplesaml.nameidattribute" => "email",
    "simplesaml.nameidattribute" => "urn:oid:1.2.840.113549.1.9.1",
    // "simplesaml.nameidattribute" => "uid",
    // "simplesaml.nameidattribute" => "urn:oid:0.9.2342.19200300.100.1.1",
    "AssertionConsumerService" => array (
        array (
            "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
            "Location" => "http://suitecrm.ipros24.ru/index.php?action=Login&module=Users"
        )
    ),
    "SingleLogoutService" => array (
        array (
            "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
            "Location" => "http://suitecrm.ipros24.ru/index.php?action=Login&module=Users"
        )
    )
);
// ...
```
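A half-migrated IdP entry (new entity ID, but an ACS or SLS still pointing at the old Authenticate URL) fails silently at login or logout time, so it is worth checking the metadata array mechanically before testing against SuiteCRM. The script below is an added example, not code from the original post, SuiteCRM or SimpleSAMLphp: it walks a `saml20-sp-remote.php` style array and reports entries that still use the pre-7.8.2 entity ID, the old ACS URL, or a binding other than the ones shown in the configuration above. `SUITECRM_BASE`, `checkSuiteCrmSpMetadata` and the sample entry are placeholders constructed for the example.

```php
<?php
// Added example, not code from the original post or from SuiteCRM/SimpleSAMLphp.
// Checks a saml20-sp-remote.php style array for SuiteCRM SP entries that still
// use the pre-7.8.2 entity ID or endpoint URLs.
// SUITECRM_BASE is a placeholder; set it to your own SuiteCRM URL.
declare(strict_types=1);

const SUITECRM_BASE    = 'https://suitecrm.example.invalid';   // placeholder
const LOGIN_URL        = SUITECRM_BASE . '/index.php?action=Login&module=Users';
const OLD_ACS_URL      = SUITECRM_BASE . '/index.php?module=Users&action=Authenticate';
const BINDING_POST     = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST';
const BINDING_REDIRECT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect';

/**
 * Returns a list of human-readable problems; an empty list means the
 * SuiteCRM entry matches the post-upgrade layout described above.
 */
function checkSuiteCrmSpMetadata(array $metadata): array
{
    $problems = [];

    // Pre-7.8.2 installs registered the SP as "php-saml".
    if (isset($metadata['php-saml'])) {
        $problems[] = 'legacy entity ID "php-saml" is still registered';
    }
    if (!isset($metadata[LOGIN_URL])) {
        $problems[] = 'no entry keyed by the new entity ID ' . LOGIN_URL;
        return $problems;
    }
    $sp = $metadata[LOGIN_URL];

    if (empty($sp['NameIDFormat'])) {
        $problems[] = 'NameIDFormat is not set';
    }

    // Expected binding per endpoint type, as in the configuration above.
    $expected = [
        'AssertionConsumerService' => BINDING_POST,
        'SingleLogoutService'      => BINDING_REDIRECT,
    ];
    foreach ($expected as $service => $binding) {
        if (empty($sp[$service]) || !is_array($sp[$service])) {
            $problems[] = sprintf('%s is missing', $service);
            continue;
        }
        foreach ($sp[$service] as $i => $endpoint) {
            $loc = $endpoint['Location'] ?? '';
            if ($loc === OLD_ACS_URL) {
                $problems[] = sprintf('%s[%s] still uses the old Authenticate URL', $service, $i);
            } elseif ($loc !== LOGIN_URL) {
                $problems[] = sprintf('%s[%s] Location is "%s", expected %s', $service, $i, $loc, LOGIN_URL);
            }
            if (($endpoint['Binding'] ?? '') !== $binding) {
                $problems[] = sprintf('%s[%s] Binding is not %s', $service, $i, $binding);
            }
        }
    }
    return $problems;
}

// Constructed sample: an entry that was only partially migrated
// (new entity ID, but the ACS still points at the old Authenticate URL).
$sample = [
    LOGIN_URL => [
        'NameIDFormat'               => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
        'simplesaml.nameidattribute' => 'urn:oid:1.2.840.113549.1.9.1',
        'AssertionConsumerService'   => [
            ['Binding' => BINDING_POST, 'Location' => OLD_ACS_URL],
        ],
        'SingleLogoutService'        => [
            ['Binding' => BINDING_REDIRECT, 'Location' => LOGIN_URL],
        ],
    ],
];

// To check a live install instead:
//   $metadata = []; require 'metadata/saml20-sp-remote.php'; $sample = $metadata;
foreach (checkSuiteCrmSpMetadata($sample) as $problem) {
    echo "PROBLEM: $problem\n";
}
```

Run it with `php check-sp-metadata.php` from the SimpleSAMLphp root; the constructed sample reports one problem, the ACS still pointing at the old Authenticate URL. Pointing it at the real `metadata/saml20-sp-remote.php` (see the comment near the end) turns the migration steps above into a repeatable check.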
SLO patch
The included patch is for SuiteCRM-7.8.18 LTS but may also work with newer SuiteCRM versions. It has been tested with a SimpleSAMLphp v1.13.2 SAML 2.0 IdP.
| Name | Size | MD5 |
|---|---|---|
| SuiteCRM-7.8.18-SLO.patch | 2 KB | 9f95f630f05aef4195b2fd9f0aa7a845 |
The patch also includes a fix for an infinite loop that occurs when an authenticated user does not exist in the CRM, and a PHP 5 compatibility fix.
To apply the patch on a Linux system, run the following command in the SuiteCRM root:
```shell
# patch -p0 < SuiteCRM-7.8.18-SLO.patch
```