
Academic year: 2021


Chapter 121

Configuring SugarCRM

The following is an overview of the steps required to configure the SugarCRM Web application for single sign-on (SSO) via SAML. SugarCRM offers both IdP-initiated SAML SSO (for SSO access through the user portal or Centrify mobile applications) and SP-initiated SAML SSO (for SSO access directly through the SugarCRM web application). You can configure SugarCRM for either or both types of SSO. Enabling both methods ensures that users can log in to SugarCRM in different situations such as clicking through a notification email.

Note: SP-initiated SSO for SugarCRM is automatically enabled when the SAML feature is activated.

1 Prepare SugarCRM for single sign-on (see "SugarCRM requirements for SSO" on page 121-2).

2 In the Centrify Cloud Manager, add the application and configure application settings.

Once the application settings are configured, complete the user account mapping and assign the application to one or more roles. For details, see "Configuring SugarCRM in Cloud Manager" on page 121-3.

3 Configure the SugarCRM application for single sign-on.

You will need to copy some settings from Application Settings in Centrify Cloud Manager and paste them into fields on the SugarCRM website. For details, see "Configuring SugarCRM on its web site" on page 121-6.

Preparing for Configuration

SugarCRM requirements for SSO

Before you configure the SugarCRM web application for SSO, you need the following:

• An active SugarCRM account with administrator rights for your organization.

• A signed certificate.

You can either download one from Cloud Manager or use your organization’s trusted certificate.

• Contact SugarCRM to request that they add cloud.centrify.com to the domain in config_override.php.

Setting up the certificates for SSO

To establish a trusted connection between the web application and the cloud service, you need to have the same signing certificate in both the application and the application settings in Cloud Manager.

If you use your own certificate, you upload the signing certificate and its private key in a .pfx or .p12 file to the application settings in Cloud Manager. You also upload the public key certificate in a .cer or .pem file to the web application.

To download an application certificate from Cloud Manager (overview):

1 In the Apps page, add the application.

2 Click the application to open the application details.

3 In the Application Settings tab, click Download Signing Certificate to download and save the certificate.
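When you use your own certificate, the .pfx or .p12 file uploaded to Cloud Manager and the .cer or .pem file given to the web application must carry the same certificate. The following shell functions are an added example, not part of the Centrify or SugarCRM documentation, that compare the two by SHA-256 fingerprint and check the expiry date; they assume the openssl command-line tool is installed, and the file names and the PFXPW variable are placeholders.

```shell
#!/bin/sh
# Added example. File names and the PFXPW variable are placeholders.

# Emit a certificate as PEM whether the .cer/.pem file is PEM or DER encoded.
to_pem() {
    openssl x509 -in "$1" -inform PEM 2>/dev/null ||
    openssl x509 -in "$1" -inform DER 2>/dev/null
}

# SHA-256 fingerprint of the certificate destined for the web application.
cert_fp() {
    to_pem "$1" | openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# SHA-256 fingerprint of the signing certificate inside a .pfx/.p12 file.
# $2 names an environment variable holding the password, which keeps the
# password out of the process list and shell history.
pfx_fp() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "env:$2" 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# Succeed only when the .pfx and the .cer/.pem carry the same certificate.
same_cert() {
    pfx=$(pfx_fp "$1" "$2") || return 2
    cer=$(cert_fp "$3") || return 2
    [ -n "$pfx" ] && [ "$pfx" = "$cer" ]
}

# Succeed if the certificate is still valid N days from now (default 30).
not_expiring() {
    to_pem "$1" | openssl x509 -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Constructed demo: a throwaway self-signed certificate, not real key material.
demo() {
    d=$(mktemp -d) || return 2
    PFXPW=constructed-demo; export PFXPW
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=constructed-demo" \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
    openssl x509 -in "$d/cert.pem" -outform DER -out "$d/cert.cer"
    openssl pkcs12 -export -inkey "$d/key.pem" -in "$d/cert.pem" \
        -out "$d/signing.pfx" -passout env:PFXPW
    same_cert "$d/signing.pfx" PFXPW "$d/cert.cer" && not_expiring "$d/cert.cer" 30
    rc=$?; rm -rf "$d"; return "$rc"
}
```

Source the file and call demo to run the check on a generated certificate, or call same_cert with your own .pfx, the name of the password variable, and the .cer file.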

What you need to know about SugarCRM

Each SAML application is different. The following table lists features and functionality specific to SugarCRM.

Capability | Supported? | Support details
Web browser client | Yes |
Mobile client | Yes | iOS and Android.
SAML 2.0 | Yes |
IdP-initiated SSO | Yes |
Force user login via SSO only | Yes |
Separate administrator login after SSO is enabled | Yes | Only administrators can log in.
User or Administrator lockout risk | Yes | After SAML settings are enabled and saved, there is no back door to login to SugarCRM by username-password.
Automatic user provisioning | No |
Multiple User Types | Yes | Admin user, End users
Self-service password | Yes | Users can reset their own passwords. Resetting another user’s password requires administrator rights.
Access restriction using a corporate IP range | Yes | You can specify an IP Range in the Cloud Manager Policy page to restrict access to the application.

Configuring SugarCRM in Cloud Manager

To add and configure the SugarCRM application in Cloud Manager:

1 In Cloud Manager, click Apps.

2 Click Add Web Apps.

The Add Web Apps screen appears.

3 On the Search tab, enter the partial or full application name in the Search field and click the search icon.

4 Next to the application, click Add.

5 In the Add Web App screen, click Yes to confirm. Cloud Manager adds the application.

6 Click Close to exit the Application Catalog.

The application that you just added opens to the Application Settings page.

7 Configure the following:

Field | Set it to | What you do
Your SugarCRM sub-domain | Your company name, domain, or ID | Enter the part of the URL specific to your SugarCRM account. If your SugarCRM URL is https://acme.sugarondemand.com/

8 Copy the Login URL and save it so that you can access it when "Configuring SugarCRM on its web site" on page 121-6.

9 Click Download Signing Certificate.

Save this file so that you can access it when "Configuring SugarCRM on its web site" on page 121-6.

10 On the Application Settings page, expand the Additional Options section and specify the following settings:

Option | Description

Application ID | Configure this field if you are deploying a mobile application that uses the Centrify mobile SDK, for example mobile applications that are deployed into a Samsung KNOX version 1 container. The cloud service uses the Application ID to provide single sign-on to mobile applications. Note the following:

• The Application ID has to be the same as the text string that is specified as the target in the code of the mobile application written using the mobile SDK. If you change the name of the web application that corresponds to the mobile application, you need to enter the original application name in the Application ID field.

• There can only be one SAML application deployed with the name used by the mobile application.

The Application ID is case-sensitive and can be any combination of letters, numbers, spaces, and special characters up to 256 characters.

Show in User app list | Select Show in User app list to display this web application in the user portal. (This option is selected by default.)

If this web application is added only to provide SAML for a corresponding mobile app, deselect this option so the web application won’t display for users in the user portal.

Security Certificate | These settings specify the security certificate used for secure SSO authentication between the cloud service and the web application. Select an option to change the security certificate.

• Use existing certificate displays beneath it the certificate currently in use. The Download button below the certificate name downloads the current certificate through your web browser to your computer so you can supply the certificate to the web application during SSO configuration. It’s not necessary to select this option—it’s present to display current status.

• Use the default tenant signing certificate selects the cloud service standard certificate for use. This is the default setting.


11 (Optional) On the Description page, you can change the name, description, and logo for the application. For some applications, the name cannot be modified.

The Category field specifies the default grouping for the application in the user portal. Users have the option to create a tag that overrides the default grouping in the user portal.

12 On the User Access page, select the role(s) that represent the users and groups that have access to the application.

When assigning an application to a role, select either Automatic Install or Optional Install:

• Select Automatic Install for applications that you want to appear automatically for users.

• If you select Optional Install, the application doesn’t automatically appear in the user portal and users have the option to add the application.

13 (Optional) On the Policy page, specify additional authentication control for this application. You can select one or both of the following settings:

• Restrict app to clients within the Corporate IP Range: Select this option to prevent users outside the company intranet from launching this application. To use this option, you must also specify which IP addresses are considered as your intranet by specifying the Corporate IP range in Settings > Corporate IP Range.

• Require Strong Authentication: Select this option to force users to authenticate using additional, stronger authentication mechanisms when launching an application. Specify these mechanisms in Policy > Add Policy Set > Account Security Policies > Authentication.

You can also include JavaScript code to identify specific circumstances when you want to block an application or you want to require additional authentication methods. For details, see Specifying application access policies with JavaScript.

14 On the Account Mapping page, configure how the login information is mapped to the application’s user accounts. The options are as follows:

• Use the following Directory Service field to supply the user name: Use this option if the user accounts are based on user attributes. For example, specify an Active Directory field such as mail or userPrincipalName or a similar field from the Centrify user service.

• Everybody shares a single user name: Use this option if you want to share access to an account but not share the user name and password. For example, some people share an application developer account.

• Use Account Mapping Script: You can customize the user account mapping here

LoginUser.Username = LoginUser.Get('mail')+'.ad';

The above script instructs the cloud service to set the login user name to the user’s mail attribute value in Active Directory and add ‘.ad’ to the end. So, if the user’s mail attribute value is [email protected] then the cloud service uses [email protected]. For more information about writing a script to map user accounts, see the SAML application scripting guide.

15 (Optional) On the Advanced page, you can edit the script that generates the SAML assertion, if needed. In most cases, you don’t need to edit this script. For more information, see the SAML application scripting guide.

Note: On the Changelog page, you can see recent changes that have been made to the application settings, by date, user, and the type of change that was made.

16 Click Workflow to set up a request and approval work flow for this application. The Workflow feature is a premium feature and is available only in the Centrify Identity Service App+ Edition. See Configuring Workflow for more information.

17 Click Save.

After configuring the application settings (including the role assignment) and the application’s web site, you’re ready for users to launch the application from the user portal.

Configuring SugarCRM on its web site

To configure the SugarCRM application on its web site:

1 In your web browser, go to the following URL and sign in:

https://<your_subdomain>.sugarondemand.com

2 Click the arrow next to the avatar at the top of the page and select Admin.

3 Click Password Management.

4 Select the Enable SAML Authentication check box.

5 Enter the Login URL you saved in "Configuring SugarCRM in Cloud Manager" on page 121-3.

6 (Optional) Enter a logout URL in the SLO URL field.

7 Open the certificate file you downloaded in "Configuring SugarCRM in Cloud Manager" on page 121-3.

8 Copy the contents of the certificate file and paste it in the X509 Certificate field.

For more information about SugarCRM
