Best way to log in a Sugar User from an in-house application via LDAP

Question

Premise: I don't understand the first thing about how authentication really works. 
 We have our own in-house ERP application. ( https://sugarclub.sugarcrm.com/engage/it-operations/b/share-your-story/posts/ah-the-possibilities ) 
 Our ERP users are a subset of the our Sugar Users. 
 Our ERP uses LDAP for authentication. 
 Our sugar instance is set up to use LDAP for authentication. 
 Our ERP uses the Contacts, Accounts, Addresses etc from Sugar. So the ERP will be using SugarAPIs in the background to retrieve and sometimes upsert records. 
 We want our user on the in-house application to log into the in-house application AND get a Sugar API token at the same time (authenticating with their LDAP credentials and using a custom platform so they don't get kicked out of their regular Sugar session). And we want to preserve that token for the duration of their ERP session. 
 Any tips I can pass on to our ERP team on how to achieve this? 
 thank you, 
 FrancescaS

Francesca Shiekh · Accepted Answer

Hey Francesca Shiekh , 
 Let me attempt to rephrase the requirements, to make sure I understood your needs. 
 
 You would like the ERP integration to act on behalf of every single user, when connecting to Sugar 
 Both ERP and Sugar use LDAP credentials (either via Sugar LDAP integration or other means) 
 The integration from ERP to Sugar should not logout the Sugar users that might be logged-in to the ui and the users should not enter twice their password 
 
 Would the above three items cover your requirements? 
 The first question I have is: are you asking the question because the integration has no access to the credentials input by the user within the ERP? Otherwise probably there would not be a problem at all, as you could gain a token to Sugar there, as you would gain access to the ERP as well, and then keep the token refreshed. I assume this is the reason. 
 
 You could definitely try the sudo api with a POC. For v10.0 the documentation link is here https://support.sugarcrm.com/Documentation/Sugar_Developer/Sugar_Developer_Guide_10.0/Integration/Web_Services/REST_API/Endpoints/oauth2sudouser_name_POST/ 
 I recall it won't give you the exact same structure as a regular token AND user, so you might have to try it out first (hence why I suggested a POC). As you see from the guide, the sudoed token won't have a refresh token either, so you will have to gain a new one after expiration. 
 What you would do from the integration perspective is to login as the integration admin user to Sugar, with a separate platform, keep the token alive and then impersonate the users as needed. I can't recall now if the admin user is getting invalidated, or not, which will change the mechanics but the end-result would be similar. 
 Give that a go, and let us know how you went