How to force Google SSO (SAML) only?

Good evening, 

Currently we're on sugar sell 14 migrated from a Sugar Pro OnPrem. 

On the OnPrem, the Sugar login Form was Off. So the users could access the system only via Google SSO (SAML). 
We'd like the same config on Cloud but it seems that we can't disable the Sugar login Form. 
The user can also reset its password. 

A workaround I found is removing the Local Authentication Username leaving only the Saml Authentication one (the mail).
It works: the user cannot log using the Sugar password neither he can't reset it. 
I'm not sure we want to lose an information like the username tho. 

Any advice? 

Thanks

  • Hi Manuel! 

    It is a bit confusing, but when external authentication is configured in Sugar Identity, the username field is not required. Removing this attribute from Identity will prevent users from using their local username and password to authenticate to Sugar -- this is the only way to force users to use external authentication. A support agent should be able to help you perform a mass update in Sugar Identity to remove the local username attribute from all users, though we would recommend keeping at least one admin user who can authenticate directly in case of issues with your external auth provider. 

    The username field that was previously synced to SugarCRM will still be in place -- for instance, in our own Sugar instance I login with Okta using my email address, but reports in Sugar still show "bmartin" as my username.

    Hope that helps!

  • Hello, 

    I was coming back to this topic because I've just tried to create a user without username (Saml email only) in Sugar identity.
    The result is that a user has been created in the Users module with username = email.
    So the problem remain because the user can reset its password providing the email and then he can access the system by Sugar Credentials instead of SSO Google.
    How to remove the Password Reset feature for standard user? Only admins have to enabled to password resets.
    Any other alternatives? 

  • Hi ,

    I'm not sure if this will be helpful, but you can remove the "Reset Password" option from the login screen by updating the configuration:

    $sugar_config['passwordsetting']['forgotpasswordON'] = false;

    Admins can change this setting when needed and then log in to the instance.


    However, if you want to prevent password resets at a deeper level in the code, you can do this in the PasswordApi class. In the clients/base/api/PasswordApi.php file, you can extend the class and override the following function:

    public function requestPassword(ServiceBase $api, array $args)

    By doing this, you can throw an exception to inform users that they are not allowed to reset their passwords.

    Sugar offers multiple ways to solve problems, and this is the first approach that comes to mind. If I think of something more convenient later, I'll share it. But for now, extending the PasswordApi requestPassword method should solve the issue.

    Let me know if this helps or if you have any questions.

    Tevfik Tümer
    Sr. Developer Support Engineer  
  • Hi Tevfik, thanks a lot for your contribute.

    When you say "if you want to prevent password resets at a deeper level", what do you mean?

    The first update you suggest could be bypassed? How?

  • Hi ,

    It means you simply extend the Api end point. Here is an example that might need reviewing to make it work but this should give the idea to you.

    <?php
    class CustomPasswordApi extends PasswordApi {
        public function requestPassword(ServiceBase $api, array $args)
        {
            throw new SugarApiException("Reseting password disabled. Please reach to your IT.");
        }
    }


    Once you set this, any api that would hit here will be responded back with Exception therefore reseting completely disabled from the code base. 

    For the first update (removing the Reset Password option via config), of course can be by pass someone would simply hit the API end point via Chrome Developer Console or a Third Party API applications. At the end of the day its a form and you are passing a request.

    If you remove the API that resets the password, you technically remove the problem in the backend. Simply it is not possible to reset the password. 

    Hope it makes more sense. 

    Tevfik Tümer
    Sr. Developer Support Engineer 

  • Thanks a lot for your advice and clarification. 
    Have a nice day.