What file to customize to change the way sugar does login?

Hello. I am working on a user synchronization system from our company's main product, Workspace. I have made a REST API that inserts users into CRM, triggered from Workspace. Now, I want to customize Sugar login the following way: do the regular stuff and check username and password. If there is a match, cool, do as usual. If not, instead of directly jumping out with the "invalid credentials" message, contact Workspace with the hashed password and username, and if there is a match there, do as if the hash was correct in the first place. PS: This is a mock-up replacement for single sign-on, until we develop that properly, using SAML and OpenID Connect. That means the user is present in the CRM system, but I am failing to match the way Workspace hashes the password with the way Sugar hashes the password. The result is that if I try to log into CRM, I get the "invalid credentials" error. So what file and method would I need to customize?

  • The endpoint to be customized/extended is the oauth2/token

    André Lopes
    Lampada Global
    Skype: andre.lampada
  • We don't have OAuth YET, it is in the course of being built, long process. Until then I want to change the "target" part of the regular basic login form you see. When OAuth and SAML are done, we will switch again. But until then I need the change as advertised in my original post. So.. knowing this.. what has to be customized and HOW? Because the documentation is a bit hazy, I tried creating a custom/modules/Users but got lost in the horde of files there

  • You can create a custom user authentication. Have a look at modules/Users/authentication/, where you find different authentication methods. You can write your own files in custom/modules/Users/authentication/CustomSugarAuthenticate/ and custom/modules/Users/authentication/SugarAuthenticate/ to create your own SSO mechanism, together with your own view in custom/modules/Users/views/view.authenticate.php

    For this you need some entry like $sugar_config['authenticationClass'] = 'CustomSugarAuthenticate'; 
    in config.php (not in config_override.php!)

    It's not simple, but doable.

    See here for current implementation: https://support.sugarcrm.com/Knowledge_Base/Password_Management/Security_Layers_for_User_Authentication_in_Sugar/

    Harald Kuske
    Principal Solution Architect – Professional Services, EMEA
    hkuske@sugarcrm.com
    SugarCRM Deutschland GmbH
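
The fallback flow from the question (local check first, Workspace only when that fails), as an added example that is not part of this thread and not SugarCRM or Workspace code. The Workspace URL, its JSON request and response shape, all function names and the stub users are assumptions; the logic would be called from the custom authentication class described above.

```php
<?php
// Added example, not SugarCRM or Workspace code. The endpoint URL, its JSON
// request/response shape and every function name here are assumptions.
const WORKSPACE_VERIFY_URL = 'https://workspace.example.invalid/api/verify'; // placeholder

// Ask Workspace whether it accepts the credentials. Any transport error,
// non-200 status or malformed body counts as a rejection (fail closed).
function workspaceAccepts(string $user, string $secret): bool
{
    $ch = curl_init(WORKSPACE_VERIFY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => json_encode(['user' => $user, 'secret' => $secret]),
        CURLOPT_HTTPHEADER     => ['Content-Type: application/json'],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
        CURLOPT_SSL_VERIFYPEER => true,   // keep certificate checks on
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($body === false || $status !== 200) {
        return false;
    }
    $reply = json_decode($body, true);
    return is_array($reply) && ($reply['valid'] ?? false) === true;
}

// Local check first; the remote check runs only for users that already exist
// locally. Returns the local user id on success, null otherwise.
function loginWithFallback(string $user, string $secret, callable $local, callable $remote, callable $lookupId): ?string
{
    $id = $local($user, $secret);
    if (!empty($id)) {
        return $id;
    }
    $id = $lookupId($user);               // unknown users never reach the fallback
    if (empty($id) || !$remote($user, $secret)) {
        return null;
    }
    return $id;
}

// Constructed stubs standing in for Sugar's own password check and user lookup.
$local  = fn($u, $s) => ($u === 'alice' && $s === 'local-pw') ? 'id-1' : null;
$lookup = fn($u) => ['alice' => 'id-1', 'bob' => 'id-2'][$u] ?? null;
$remote = fn($u, $s) => $u === 'bob' && $s === 'ws-pw';   // use 'workspaceAccepts' for real calls
foreach ([['bob', 'ws-pw'], ['bob', 'wrong'], ['eve', 'ws-pw']] as [$u, $s]) {
    var_dump(loginWithFallback($u, $s, $local, $remote, $lookup));
}
```

Every failure path returns null, so an unreachable or misbehaving Workspace can never turn a rejected login into an accepted one.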

  • Hi,
    very useful information from you, as always.

    Excuse my ignorance on one point, would this be considered 'upgrade safe' or because it requires change to config.php (not in config_override.php) it is not?

  • Most likely not, but this is not intended to survive multiple upgrades (on my end). This is to get things moving until SSO is finished in our company

  • Can you please elaborate/detail how this should happen? It is very promising, but I never touched this area, so I am unfamiliar. I customized quotes and accounts usually

  • The solution itself is upgrade safe.

    If you run the instance in the sugar cloud you have to write a ticket for config.php.

    Harald Kuske
    Principal Solution Architect – Professional Services, EMEA
    hkuske@sugarcrm.com
    SugarCRM Deutschland GmbH

  • You need a clear specification of how the SSO should work.

    One possible scenario could be that Sugar Authentication has to call an external tool which creates a session and returns the session_id back to Sugar, perhaps by another service call from Sugar to this tool.

    So, the first thing is to know the details of the SSO tool used, some kind of information flow.

    Harald Kuske
    Principal Solution Architect – Professional Services, EMEA
    hkuske@sugarcrm.com
    SugarCRM Deutschland GmbH

  • Oooh.. you mean it is possible to DIRECTLY implement SSO? We use OpenID Connect, SAML is not yet available.

  • Harald Kuske
    Principal Solution Architect – Professional Services, EMEA
    hkuske@sugarcrm.com
    SugarCRM Deutschland GmbH
