Best way to log in a Sugar User from an in-house application via LDAP

Premise: I don't understand the first thing about how authentication really works.

We have our own in-house ERP application. (https://sugarclub.sugarcrm.com/engage/it-operations/b/share-your-story/posts/ah-the-possibilities)

Our ERP users are a subset of our Sugar Users.

Our ERP uses LDAP for authentication.

Our Sugar instance is set up to use LDAP for authentication.

Our ERP uses the Contacts, Accounts, Addresses etc from Sugar. So the ERP will be using SugarAPIs in the background to retrieve and sometimes upsert records.

We want our user on the in-house application to log into the in-house application AND get a Sugar API token at the same time (authenticating with their LDAP credentials and using a custom platform so they don't get kicked out of their regular Sugar session). And we want to preserve that token for the duration of their ERP session.

Any tips I can pass on to our ERP team on how to achieve this?

thank you,

FrancescaS

  • Hey,

    Let me attempt to rephrase the requirements, to make sure I understood your needs. 

    1. You would like the ERP integration to act on behalf of every single user, when connecting to Sugar
    2. Both ERP and Sugar use LDAP credentials (either via Sugar LDAP integration or other means)
    3. The integration from ERP to Sugar should not log out the Sugar users that might be logged in to the UI, and the users should not enter their password twice

    Would the above three items cover your requirements?

    The first question I have is: are you asking the question because the integration has no access to the credentials input by the user within the ERP? Otherwise probably there would not be a problem at all, as you could gain a token to Sugar there, as you would gain access to the ERP as well, and then keep the token refreshed. I assume this is the reason.

    You could definitely try the sudo api with a POC. For v10.0 the documentation link is here https://support.sugarcrm.com/Documentation/Sugar_Developer/Sugar_Developer_Guide_10.0/Integration/Web_Services/REST_API/Endpoints/oauth2sudouser_name_POST/ 

    I recall it won't give you the exact same structure as a regular token AND user, so you might have to try it out first (hence why I suggested a POC). As you see from the guide, the sudoed token won't have a refresh token either, so you will have to gain a new one after expiration.

    What you would do from the integration perspective is to log in as the integration admin user to Sugar, with a separate platform, keep the token alive and then impersonate the users as needed. I can't recall now if the admin user is getting invalidated or not, which will change the mechanics, but the end result would be similar.

    Give that a go, and let us know how you went

    --

    Enrico Simonetti

    Sugar veteran (from 2007)

    www.naonis.tech


    Feel free to reach out for consulting regarding:

    • API Integration and Automation Services
    • Sugar Architecture
    • Sugar Performance Optimisation
    • Sugar Consulting, Best Practices and Technical Training
    • AWS and Sugar Technical Help
    • CTO-as-a-service
    • Solutions-as-a-service
    • and more!

    All active SugarCRM certifications

    Actively working remotely with customers based in APAC and in the United States
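The two flows discussed in this thread (a password grant with the user's LDAP credentials on a custom platform, kept alive with the refresh token; and an integration-admin session that impersonates users through the sudo endpoint, whose tokens carry no refresh token) can be sketched in a small client. This is an added example, not code from the original post, from SugarCRM or from any ERP; the endpoint paths and JSON field names follow the Sugar REST documentation linked above, while the base URL, the platform name `erp`, the `post` transport callable and the `fake_sugar` stand-in server are assumptions constructed for the example.

```python
"""ERP-to-Sugar token handling (added example, not SugarCRM's own code).

The HTTP layer is injected as ``post(url, json_body, headers)`` returning
``(status_code, json_body)`` so the module runs offline; swap in a real
HTTP client in production.
"""
import time
from typing import Callable, Dict, Optional, Tuple

Poster = Callable[[str, Dict, Dict[str, str]], Tuple[int, Dict]]


class SugarSession:
    """Holds one Sugar access token and renews it; never retains the password."""

    def __init__(self, base_url: str, post: Poster, platform: str,
                 now: Callable[[], float] = time.time):
        self.base_url = base_url.rstrip("/")
        self.post = post
        self.platform = platform          # custom platform: does not evict the UI session
        self.now = now
        self.access_token: Optional[str] = None
        self.refresh_token: Optional[str] = None
        self.expires_at = 0.0

    def login(self, username: str, password: str) -> str:
        """Exchange the user's LDAP credentials once for a token (password grant)."""
        status, body = self.post(f"{self.base_url}/oauth2/token", {
            "grant_type": "password", "client_id": "sugar", "client_secret": "",
            "username": username, "password": password, "platform": self.platform,
        }, {})
        if status != 200:
            raise PermissionError(f"login failed: {status} {body}")
        self._store(body)
        return self.access_token

    def _store(self, body: Dict) -> None:
        self.access_token = body["access_token"]
        self.refresh_token = body.get("refresh_token")   # absent for sudo tokens
        # renew slightly early so no request goes out with a dead token
        self.expires_at = self.now() + float(body["expires_in"]) - 30

    def token(self) -> str:
        """Return a live token, refreshing it when expired and a refresh token exists."""
        if self.access_token is None:
            raise RuntimeError("not logged in")
        if self.now() < self.expires_at:
            return self.access_token
        if not self.refresh_token:
            raise PermissionError("token expired and no refresh_token: re-issue it")
        status, body = self.post(f"{self.base_url}/oauth2/token", {
            "grant_type": "refresh_token", "client_id": "sugar", "client_secret": "",
            "refresh_token": self.refresh_token, "platform": self.platform,
        }, {})
        if status != 200:
            raise PermissionError(f"refresh failed: {status} {body}")
        self._store(body)
        return self.access_token

    def sudo(self, user_name: str) -> "SugarSession":
        """Impersonate user_name with this (admin) session; the result cannot refresh."""
        status, body = self.post(f"{self.base_url}/oauth2/sudo/{user_name}",
                                 {"platform": self.platform, "client_id": "sugar"},
                                 {"OAuth-Token": self.token()})
        if status != 200:
            raise PermissionError(f"sudo failed: {status} {body}")
        child = SugarSession(self.base_url, self.post, self.platform, self.now)
        child._store(body)
        return child


def fake_sugar(url: str, body: Dict, headers: Dict[str, str]) -> Tuple[int, Dict]:
    """Constructed stand-in for a Sugar instance, only for running this offline."""
    if url.endswith("/oauth2/token"):
        if body["grant_type"] == "password" and body["password"] == "s3cret":
            u = body["username"]
            return 200, {"access_token": f"tok-{u}-1", "refresh_token": f"ref-{u}-1",
                         "expires_in": 3600}
        if body["grant_type"] == "refresh_token" and body["refresh_token"].startswith("ref-"):
            _, u, n = body["refresh_token"].split("-")
            n = int(n) + 1
            return 200, {"access_token": f"tok-{u}-{n}", "refresh_token": f"ref-{u}-{n}",
                         "expires_in": 3600}
        return 401, {"error": "invalid_grant"}
    if "/oauth2/sudo/" in url:
        if not headers.get("OAuth-Token", "").startswith("tok-integration-"):
            return 401, {"error": "need_login"}
        return 200, {"access_token": "sudo-" + url.rsplit("/", 1)[1], "expires_in": 3600}
    return 404, {}


if __name__ == "__main__":
    s = SugarSession("https://crm.example.invalid/rest/v11", fake_sugar, "erp")
    print(s.login("alice", "s3cret"))
    admin = SugarSession("https://crm.example.invalid/rest/v11", fake_sugar, "erp")
    admin.login("integration", "s3cret")
    print(admin.sudo("bob").token())
```

The password only exists for the duration of `login()`; afterwards the ERP session holds just the access and refresh tokens, and the integration-admin token used by `sudo()` is the one secret that needs protecting at rest, since whoever holds it can act as any user.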

  • Enrico,

    You are quite right about the issue arising if the ERP does not have access to the credentials. In my reply I made the assumption (I know the old adage about assuming things!!!) that as LDAP requires the password to be sent in clear text to the server for authentication, the ERP (being developed in-house as per OP) would at least have this to be able to pass it to Sugar as well - even if it is not displayed / stored anywhere else.

    I was hoping the solution can be as easy as that for Francesca's dev team. Fingers crossed :)

    Thanks,

    JH.
