SuiteCRM – Broken SAML Authentication

The PHP SAML Toolkit version changed in SuiteCRM-7.8.2, which broke existing SAML configurations. I also had the old version patched for SLO support. The patch proved difficult to port due to significant changes in the code, and it didn't make much sense either, as the new toolkit version should support SLO out of the box.

Below are my short notes on how to migrate the relevant SimpleSAMLphp IdP configuration to the newer PHP SAML Toolkit version. Also included is an SLO patch for SuiteCRM-7.8.18 LTS.

IdP configuration

The SP entity ID and the endpoint URLs have changed.

The SuiteCRM default SP entity ID has changed from php-saml to <SuiteCRM URL>/index.php?action=Login&module=Users.

The ACS URL has changed from <SuiteCRM URL>/index.php?module=Users&action=Authenticate to <SuiteCRM URL>/index.php?action=Login&module=Users.

The SLS URL should also be set to <SuiteCRM URL>/index.php?action=Login&module=Users.

Change your configuration accordingly.

SimpleSAMLphp example

The SAML 2.0 remote SP metadata for SimpleSAMLphp lives in metadata/saml20-sp-remote.php. Here is the relevant part:

...
$metadata["http://suitecrm.ipros24.ru/index.php?action=Login&module=Users"] = array (
    "NameIDFormat" => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    // "simplesaml.nameidattribute" => "email",
    "simplesaml.nameidattribute" => "urn:oid:1.2.840.113549.1.9.1",
    // "simplesaml.nameidattribute" => "uid",
    // "simplesaml.nameidattribute" => "urn:oid:0.9.2342.19200300.100.1.1",
    "AssertionConsumerService" => array (
        array (
            "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
            "Location" => "http://suitecrm.ipros24.ru/index.php?action=Login&module=Users"
        )
    ),
    "SingleLogoutService" => array (
        array (
            "Binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
            "Location" => "http://suitecrm.ipros24.ru/index.php?action=Login&module=Users"
        )
    )
);
...
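Since the entity ID, ACS and SLS locations must all be the same SuiteCRM URL after the migration, it is easy to leave one of them at the old value. The following is an added example, not code from the post or from SimpleSAMLphp: it builds the SP entry the post describes from a CRM base URL and compares a metadata entry (converted to a Python dict; names and sample values are constructed) against it, also flagging endpoints that are not served over HTTPS.

```python
"""Check a SimpleSAMLphp remote SP entry against what SuiteCRM >= 7.8.2 expects."""
from urllib.parse import urlsplit

# Endpoint path from the post: entity ID, ACS and SLS all use it.
SUITECRM_ENDPOINT = "/index.php?action=Login&module=Users"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def expected_sp_entry(base_url):
    """Return the SP entry (entity ID plus ACS/SLS services) for a CRM root URL."""
    endpoint = base_url.rstrip("/") + SUITECRM_ENDPOINT
    return {
        "entityid": endpoint,
        "AssertionConsumerService": [{"Binding": POST, "Location": endpoint}],
        "SingleLogoutService": [{"Binding": REDIRECT, "Location": endpoint}],
    }


def check_sp_entry(entity_id, entry, base_url):
    """Return a list of findings for a saml20-sp-remote entry; empty means OK."""
    want = expected_sp_entry(base_url)
    findings = []
    if entity_id != want["entityid"]:
        findings.append("entityid: got %r, expected %r" % (entity_id, want["entityid"]))
    for svc in ("AssertionConsumerService", "SingleLogoutService"):
        got = entry.get(svc) or []
        exp = want[svc][0]
        if not any(s.get("Binding") == exp["Binding"] and s.get("Location") == exp["Location"]
                   for s in got):
            findings.append("%s: no %s endpoint at %s"
                            % (svc, exp["Binding"].rsplit(":", 1)[-1], exp["Location"]))
        for s in got:
            # Assertions and logout requests carry session state; keep them on TLS.
            if urlsplit(s.get("Location", "")).scheme != "https":
                findings.append("%s: %s is not served over HTTPS" % (svc, s.get("Location")))
    return findings


# Constructed sample: a pre-7.8.2 entry that no longer matches the new toolkit.
OLD_ENTRY_ID = "php-saml"
OLD_ENTRY = {
    "AssertionConsumerService": [{
        "Binding": POST,
        "Location": "https://crm.example.test/index.php?module=Users&action=Authenticate",
    }],
}

if __name__ == "__main__":
    for line in check_sp_entry(OLD_ENTRY_ID, OLD_ENTRY, "https://crm.example.test"):
        print(line)
```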

SLO patch

The included patch is for SuiteCRM-7.8.18 LTS but may also work with newer SuiteCRM versions. It has been tested with SimpleSAMLphp v. 1.13.2 SAML 2.0 IdP.

Name: SuiteCRM-7.8.18-SLO.patch
Size: 2 KB
MD5: 9f95f630f05aef4195b2fd9f0aa7a845

The patch also includes a fix for an infinite loop that occurs when an authenticated user doesn't exist in the CRM, and a PHP5 compatibility fix.

To apply the patch on a Linux system run the following command in the SuiteCRM root:

# patch -p0 < SuiteCRM-7.8.18-SLO.patch