How to force Google SSO (SAML) only?

Good evening, 

Currently we're on Sugar Sell 14, migrated from a Sugar Pro OnPrem. 

On the OnPrem, the Sugar login Form was Off. So the users could access the system only via Google SSO (SAML). 
We'd like the same config on Cloud but it seems that we can't disable the Sugar login Form. 
The user can also reset his password. 

A workaround I found is removing the Local Authentication Username, leaving only the SAML Authentication one (the mail).
It works: the user cannot log in using the Sugar password, nor can he reset it. 
I'm not sure we want to lose a piece of information like the username, though. 

Any advice? 

Thanks

  • Hi Manuel! 

    It is a bit confusing, but when external authentication is configured in Sugar Identity, the username field is not required. Removing this attribute from Identity will prevent users from using their local username and password to authenticate to Sugar -- this is the only way to force users to use external authentication. A support agent should be able to help you perform a mass update in Sugar Identity to remove the local username attribute from all users, though we would recommend keeping at least one admin user who can authenticate directly in case of issues with your external auth provider. 

    The username field that was previously synced to SugarCRM will still be in place -- for instance, in our own Sugar instance I log in with Okta using my email address, but reports in Sugar still show "bmartin" as my username.

    Hope that helps!

  • Hello, 

    I'm coming back to this topic because I've just tried to create a user without a username (SAML email only) in Sugar Identity.
    The result is that a user has been created in the Users module with username = email.
    So the problem remains, because the user can reset his password by providing the email and then he can access the system with Sugar credentials instead of Google SSO.
    How can we remove the Password Reset feature for standard users? Only admins have to be enabled to do password resets.
    Any other alternatives?