Sugarcrm and Auth0 SSO enabling - single-sign-on

I have one SugarCRM application and one web application. For user login I am using Auth0 in my web application. When a user logs into my application, the same user wants to log in to SugarCRM.
Is it possible by using SSO? Or do we need to pass the corresponding logged-in user details to SugarCRM for login?
Please suggest the better option.

Yes, this is possible. You need to enable SAML in SugarCRM. In Auth0 you would add SugarCRM as any other app (Dashboard > Apps/API > NEW), then configure it for SAML (Addons > SAML).
The parameters in Auth0's SAML config are app dependent (whatever SugarCRM expects). The most important parameters are:
The "ACS". This is the URL the SAML Response is sent to (a location in Sugar).
The signing certificate (you will find this in the Usage section of Auth0's SAML config). This is the certificate the SAMLResponse is signed with.

Do not show ANY login form in keycloak but call directly the custom IDP authentication endpoint

We have our own CRM portals and we want to offer OpenID based User authentication and authorization.
To achieve this we have decided to use Keycloak.
The flow we formalized is below, and we are stuck, maybe due to not knowing much of the configuration inside Keycloak, or maybe it's not possible.
The user visits our existing CRM login page, where he/she provides the username and password.
On clicking Login, the Keycloak custom identity provider should authenticate the user.
Keycloak should receive the authentication success response and generate the JWT token.
The user is redirected back to the CRM dashboard with the help of the redirect_url configured in the custom IDP.
What we have done so far:
Created a custom IDP inside Keycloak.
Configured all endpoints in this custom IDP
No custom authentication flow yet, all defaults i.e. First login flow is set to 'first broker login'
Challenges we are facing currently:
The user is on our CRM login page (not the Keycloak login form) and clicks the login button.
The Keycloak login form is shown to the user. We don't want any Keycloak login pages; instead the custom IDP endpoints should be executed and a JWT returned to the redirected CRM application.
Is this possible to achieve the flow I mentioned above?
You need to adapt the browser Authentication Flow:
Authentication -> Flows -> Browser
There you find the Identity Provider Redirector. Click Configure and specify a Default Identity Provider (you need the alias of your IDP there).
Normally all available identity providers are listed beside the login form, but if a Default Identity Provider is configured, KC immediately redirects to the external IDP.

Keycloak - allow linking of 2 accounts with different emails

I need to implement a login flow with Keycloak where a user will be prompted to reauthenticate with an existing account (by email/password or via a social IdP) after authentication with a non-existing social account, OR choose to create a new Keycloak account.
Something like on the picture below:
Is it possible to implement such a flow with KeyCloak?
It is possible to implement that flow with the regular Identity Providers feature in Keycloak.
Overview Steps
detail information here
1. IDP URL
{keycloak URL}/realms/{realm}/broker/{idp name}/endpoint
example:
http://localhost:8180/auth/realms/test/broker/stackoverflow/endpoint
2. Register Application at Social App
example: StackOverflow https://stackapps.com/
3. Get Client Information from Social App
example: StackOverflow
4. Set IDP at Keycloak
5. Test
5.1 Before adding a user
5.2 Login by social
5.3 Update user account (set password and e-mail)
5.4 Check added user
5.5 Test added user login by username/password OR social icon click without credentials
5.6 Logged-in test by both ways
5.7 Picked up e-mail from Facebook and detected that the e-mail already exists.
5.8 I select "Add to existing account", then fill out the e-mail and password from Keycloak.
The authentication flows within Keycloak can be customized (virtually all of the flows can be customized or extended). I believe you'll need to implement a custom Authentication SPI (Service Provider Interface). This will be a JAR in which you can add custom logic on account creation.
Here's the Keycloak documentation for SPIs.

SSO with OKTA without creating app on OIN (independent of client id)

We have a web application. We also have a separate customer who already uses Okta to manage his employees' access to various applications. This client wants to use Okta SSO for login to our app.
We created a trial Okta account and integrated a "login with Okta" button based on documentation here for a Node/Angular App https://developer.okta.com/quickstart/#/angular/nodejs/generic
This method allows authentication for users who have an account in our Okta. However, this does not seem right, as future customers would have users tied to their own accounts.
How do we solve this? Do we need to register with OIN, and only then is it possible for other Okta accounts to enable SSO into our app?
You can enable self-registration for your organization and then people can create their own accounts in Okta if they don’t have one.
https://help.okta.com/en/prod/Content/Topics/Directory/Directory_Self_Service_Registration.htm
It seems to me that your customer is looking for a B2B authentication solution with your service.
To accomplish that you will need to allow SAML inbound federation between his Okta tenant and yours. By doing that, any user from his Okta tenant that logs in to your service will be created instantly in your Okta tenant and allowed access.
Okta has made a great tool for that called Okta org-2-org, which includes both authentication and the feature of syncing data about the user from his tenant to yours.
https://saml-doc.okta.com/SAML_Docs/Configure-SAML-2.0-for-Org2Org.html

Configure Okta to handle SAML authentication on behalf of our non-saml web app?

Our company maintains a web app composed of a front-end and a back-end (in Node.js), and we support the standard username/password login authentication. A couple of our partners have requested we support SAML SSO, so their end users can access our web app through a link on their respective portals without the need to log in again.
Question: Do we need to turn our app into a full-fledged service provider (SP) by implementing a SAML sdk/library in our front-end and back-end?
Or is it possible to use a 3rd party authentication provider like Okta to handle the SAML nitty-gritty behind the scenes and then redirect the end user to our app, with possibly a token (JWT?) so we can retrieve the user info from Okta?
I've read everything I could find on Okta's site, and here, and couldn't find a definitive answer, either yes it's possible (with example) or no you can't do that.
Like you already mentioned in your question, there are 2 possible ways to do it.
Update your application to support the SAML login flow with your app as SP, in which case you will not need to use any 3rd-party auth provider.
If you don't want to get into the SAML nitty-gritty, you can use a 3rd-party provider like Okta as an intermediary that will consume the SAML responses from the IdP (used by your external customers) and then convert that assertion into an OpenID token (JWT). In this case, Okta will act as an IdP (authorization server) to your web app and generate ID tokens.
Your app will then need to implement the OpenID Connect login flow.
You can refer to http://developer.okta.com/code/javascript/okta_sign-in_widget_ref for this.
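When Okta sits in front of the partners' SAML IdPs as described in this answer, what the web app actually has to get right is the OpenID Connect login flow on its side: bind the redirect back to the user's session with state, and verify the ID token's signature plus the claims that tie it to this app and this login attempt (iss, aud, exp, nonce). The following is an added example, not code from the answer or from Okta, that drives those three steps end to end with constructed messages. The issuer, client ID, client secret and redirect URI are hypothetical; the token endpoint is replaced by a local function that mints an HS256 token so the block runs offline, while Okta-issued ID tokens are normally RS256-signed and verified against the org's JWKS endpoint, which needs an RSA-capable JWT library in place of the HMAC check here.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for a hypothetical Okta org and app; not real identifiers.
ISSUER = "https://dev-000000.okta.com/oauth2/default"
CLIENT_ID = "constructed-client-id"
CLIENT_SECRET = b"constructed-client-secret"
REDIRECT_URI = "https://app.example.com/login/callback"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def begin_login(session: dict) -> str:
    """Step 1: store fresh state/nonce in the user's session and build the authorize URL."""
    session["state"] = secrets.token_urlsafe(16)
    session["nonce"] = secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": session["state"],
        "nonce": session["nonce"],
    }
    return f"{ISSUER}/v1/authorize?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Step 2: on redirect back, bind the response to this session via state, then return the code."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    expected = session.pop("state", "")  # single use: a replayed callback finds no state
    if not expected or not hmac.compare_digest(state.encode(), expected.encode()):
        raise ValueError("state mismatch: response is not bound to this login attempt")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"][0]


def validate_id_token(token: str, key: bytes, now: int, expected_nonce: str) -> dict:
    """Step 3: verify the ID token's signature and the claims that tie it to us and to this login."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    mac = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if CLIENT_ID not in aud:
        raise ValueError("token not issued for this client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token not bound to this login attempt")
    return claims


def issue_test_id_token(claims: dict, key: bytes) -> str:
    """Constructed stand-in for the token endpoint; mints an HS256 ID token."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def run_flow(now: int = 1_700_000_000, tamper: str = "") -> dict:
    """Drive steps 1-3 end to end with constructed messages; `tamper` injects one failure mode."""
    session = {}
    begin_login(session)
    state = "wrong" if tamper == "state" else session["state"]
    handle_callback(session, f"{REDIRECT_URI}?code=constructed-code&state={state}")
    claims = {"iss": ISSUER, "sub": "constructed-user-id", "aud": CLIENT_ID,
              "exp": now + 3600, "iat": now, "nonce": session["nonce"],
              "email": "alice@example.com"}
    if tamper == "nonce":
        claims["nonce"] = "stale"
    if tamper == "aud":
        claims["aud"] = "some-other-client"
    token = issue_test_id_token(claims, CLIENT_SECRET)
    return validate_id_token(token, CLIENT_SECRET, now, session["nonce"])


def rejects(**kwargs) -> bool:
    """True if run_flow() raises for the given tampering."""
    try:
        run_flow(**kwargs)
    except ValueError:
        return True
    return False
```

The state check defends the callback endpoint against login CSRF, the nonce check ties the ID token to the browser session that started the login, and the aud check stops a token minted for some other Okta app from being accepted here.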

Login to Magento 2.0 from external application

I am working on an integration with Magento 2.0; however, I have a CakePHP 2.0 application and I want the user to already be logged in after he has successfully logged into my CakePHP application.
How can I implement such feature?
Thank you in advance
The standard way to do SSO between 2 apps that are hosted on different domains is to use SAML2.
In that standard there are 2 types of entities:
Identity Provider (IdP). The entity that authenticates the user and sends its info to the SP.
Service Provider (SP). The entity that protects the app, is connected with the IdP and can make access control decisions.
Since you are using a PHP stack I recommend you use the simpleSAMLphp software to deploy your IdP.
You will need to decide what your user data source is going to be, CakePHP or Magento, and disable registration and password reset on the source not selected.
So in your project you will need to:
Deploy an IdP with simpleSAMLphp and use the database of your CakePHP app as the authentication source (if that is the selected source), removing user registration/password reset on Magento (otherwise connect Magento's database as your main user source and do not let users register on CakePHP).
Enable SAML on CakePHP.
Enable SAML on Magento2.
The advantage of using this standard instead of custom, tricky SSO mechanisms is that you will be able to add to your SSO federation any other app (with SAML support) such as Salesforce, WordPress, Google Apps, Drupal, Joomla...
In this video you can see the Magento2 extension in action (I'm using OneLogin as identity provider). In this other video you can see simpleSAMLphp in action with Magento1.
Note: I'm the author of the Magento2 SAML extension. Right now there is no other option to add SAML to a Magento2 app, and it is a complex task, so I don't recommend implementing it yourself ;)