How to configure single sign-on for SugarCRM

ADSelfService Plus supports Active Directory (AD)-based single sign-on (SSO) for SugarCRM and any other SAML-enabled application. Upon enabling SSO for SugarCRM in ADSelfService Plus, all users have to do is simply log in to their Windows machines using their AD domain credentials. Once logged in, users can securely access SugarCRM in one click without having to enter their username and password again.

ADSelfService Plus supports both Identity Provider (IdP) and Service Provider (SP)-initiated SSO for SugarCRM.

IdP-initiated SSO for SugarCRM: Users need to log in to the ADSelfService Plus self-service portal first, and then click on the SugarCRM icon on the Applications dashboard to access SugarCRM.

SP-initiated SSO for SugarCRM: Users can access their SugarCRM domain via a URL or bookmark. They will automatically be redirected to the ADSelfService Plus portal for login. Once they've signed on, they'll be automatically redirected and logged into the SugarCRM portal.

Follow the step-by-step guide given below for SugarCRM SSO

Before you begin

Download and install ADSelfService Plus if you haven’t already.

Configuring your Active Directory domain in ADSelfService Plus

With ADSelfService Plus, you can use the existing AD domain credentials of users for authentication during SSO. So, first you need to configure an AD domain in ADSelfService Plus to enable SSO for SugarCRM.

ADSelfService Plus will try to automatically add all the domains that it can discover in your network. If your domains are automatically added, skip to Step 9; otherwise, follow Steps 1-8 to add them manually.

1. Launch the ADSelfService Plus web console and log in using admin credentials.
2. Click the Domain Settings link available on the top-right corner of the application.
3. An Add Domain Details window will appear.
4. In the Domain Name field, enter the name of the domain you want to add.
5. In the Add Domain Controllers field, click Discover. ADSelfService Plus will try to automatically discover the domain controllers associated with the domain.
6. If the domains are not auto-discovered, then enter the domain controller name in the field provided, and click Add.
7. You can leave the authentication fields empty if you're not going to use the end user self-service features of ADSelfService Plus.
8. Back in the Add Domain Details window, click Add to complete adding the Active Directory domain in ADSelfService Plus.

Getting the SAML details from ADSelfService Plus

9. Navigate to Configuration → Self-service → Password Sync/Single Sign On.
10. Click SugarCRM in the list of applications provided.
11. Click Download SSO Certificate in the top-right corner of the screen.
12. In the pop-up that appears, copy the Login URL, and download the SSO certificate by clicking on the Download SSO Certificate button.

Configuring SSO settings in SugarCRM

13. Log into SugarCRM with administrator credentials.
14. Navigate to Your profile → Administration.

    

15. Click Password Management.

    

16. Under SAML Authentication, select the Enable SAML Authentication check box.
17. In the Login URL field, enter the login URL value from Step 12.
18. In the X.509 Certificate field, paste the content of the SSO certificate from Step 12.

    

19. Click Save to save the configuration.

Adding your SugarCRM domain in ADSelfService Plus and enabling SSO.

20. Now, switch to ADSelfService Plus’ SugarCRM configuration page.
21. Choose Single sign-on from the Modules drop down box.
22. In the Domain Name field, enter the domain name for which you just enabled SSO.  For example, if you use johndoe@thinktodaytech.com to log in to SugarCRM, then thinktodaytech.com is the domain name.
23. In the Display Name field, provide an appropriate display name.
24. In the SAML Redirect URL field, enter your SugarCRM’s login URL. For example: http://{your-sugar-url}/index.php?module=Users&action=Authenticate, (replace your-sugar-url with your SugarCRM’s domain).
25. In the Available Policies field, click the drop-down box and select the policies for which you wish to enable SSO. The policy you select will determine which users have the SSO feature enabled.

    Note: ADSelfService Plus allows you to create OU and group-based policies for your AD domains. To create a policy, go to Configuration → Self-Service → Policy Configuration → Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.

26. Click Save.

Your users can now log into their SugarCRM accounts automatically using single sign-on.