How to force Google SSO (SAML) only?

Good evening, 

Currently we're on Sugar Sell 14, migrated from a Sugar Pro OnPrem. 

On the OnPrem, the Sugar login form was off. So the users could access the system only via Google SSO (SAML). 
We'd like the same config on Cloud, but it seems that we can't disable the Sugar login form. 
The user can also reset their password. 

A workaround I found is removing the Local Authentication Username, leaving only the SAML Authentication one (the email).
It works: the user cannot log in using the Sugar password, nor can they reset it. 
I'm not sure we want to lose information like the username, though. 

Any advice? 

Thanks

  • Hi Manuel! 

    It is a bit confusing, but when external authentication is configured in Sugar Identity, the username field is not required. Removing this attribute from Identity will prevent users from using their local username and password to authenticate to Sugar -- this is the only way to force users to use external authentication. A support agent should be able to help you perform a mass update in Sugar Identity to remove the local username attribute from all users, though we would recommend keeping at least one admin user who can authenticate directly in case of issues with your external auth provider. 

    The username field that was previously synced to SugarCRM will still be in place -- for instance, in our own Sugar instance I log in with Okta using my email address, but reports in Sugar still show "bmartin" as my username.

    Hope that helps!

  • Hello, 

    I was coming back to this topic because I've just tried to create a user without a username (SAML email only) in Sugar Identity.
    The result is that a user has been created in the Users module with username = email.
    So the problem remains, because the user can reset their password by providing the email and then access the system with Sugar credentials instead of Google SSO.
    How do we remove the Password Reset feature for standard users? Only admins should be enabled to reset passwords.
    Any other alternatives? 


  • Hi,

    I'm not sure if this will be helpful, but you can remove the "Reset Password" option from the login screen by updating the configuration:

    $sugar_config['passwordsetting']['forgotpasswordON'] = false;

    Admins can change this setting when needed and then log in to the instance.


    However, if you want to prevent password resets at a deeper level in the code, you can do this in the PasswordApi class. In the clients/base/api/PasswordApi.php file, you can extend the class and override the following function:

    public function requestPassword(ServiceBase $api, array $args)

    By doing this, you can throw an exception to inform users that they are not allowed to reset their passwords.

    Sugar offers multiple ways to solve problems, and this is the first approach that comes to mind. If I think of something more convenient later, I'll share it. But for now, extending the PasswordApi requestPassword method should solve the issue.
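    As an added illustration of the override described above (this is example code, not Sugar's own or the answer's), one way to shape it so that only local admins can still request a reset while everyone else is pushed to SSO. It assumes the forgot-password form posts the account in `$args['username']`, that `BeanFactory`, `User::isAdmin()` and `SugarApiExceptionNotAuthorized` are available as in a stock Sugar install, and that a class under custom/clients/base/api/ re-registering the parent's routes takes precedence over the stock endpoint after a Quick Repair and Rebuild.

```php
<?php
// custom/clients/base/api/CustomPasswordApi.php  (example, not shipped code)
// Assumption: a subclass placed under custom/clients/base/api/ that returns the
// parent's routes from registerApiRest() overrides the stock PasswordApi routes
// once the API cache is rebuilt (Admin > Repair > Quick Repair and Rebuild).
require_once 'clients/base/api/PasswordApi.php';

class CustomPasswordApi extends PasswordApi
{
    public function registerApiRest()
    {
        // Same paths and HTTP verbs as the stock endpoint; the dictionary
        // now maps them to this class instead of PasswordApi.
        return parent::registerApiRest();
    }

    public function requestPassword(ServiceBase $api, array $args)
    {
        // Assumption: the reset form sends the account name as 'username'.
        $username = isset($args['username']) ? trim((string) $args['username']) : '';

        if ($username !== '' && $this->isActiveLocalAdmin($username)) {
            // Admins keep the stock behaviour so they can recover the
            // instance if the SAML provider is unavailable.
            return parent::requestPassword($api, $args);
        }

        // One identical error for non-admins and for unknown accounts, so the
        // endpoint does not reveal which usernames or emails exist.
        throw new SugarApiExceptionNotAuthorized(
            'Password reset is disabled for this instance. Please sign in with Google SSO.'
        );
    }

    private function isActiveLocalAdmin($username)
    {
        $user = BeanFactory::newBean('Users');
        // retrieve_by_string_fields() loads the matching bean into $user;
        // a non-match leaves $user->id empty.
        $user->retrieve_by_string_fields(array(
            'user_name' => $username,
            'status'    => 'Active',
        ));
        return !empty($user->id) && $user->isAdmin();
    }
}
```

    Because the denial is raised before any email is sent, the reset token is never generated for non-admins, so the check also covers users created with username = email.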

    Let me know if this helps or if you have any questions.

    Tevfik Tümer
    Sr. Developer Support Engineer