SugarIdentity can be configured to accept Security Assertion Markup Language (SAML) for single sign-on if it is implemented at your organization. If you use SAML and would like to have SAML attributes (e.g. email) map to the SugarIdentity user fields (e.g. email), you will need to set up the attribute mapping in the identity provider (e.g. Okta) using the SAML attribute values listed in the table below. Once the attribute mapping is configured, going forward, when a new SAML user is created or the SAML attributes (e.g. email, title) are modified in the identity provider (e.g. Okta), these changes will sync to SugarIdentity when the user logs into Sugar. This article covers how to configure the SAML attribute mapping for Okta and ADFS.
Note: Only some SugarCloud instances use SugarIdentity. Refer to the SugarIdentity Guide to determine if yours is configured to do so. Existing customers will be notified before their instances begin using the service.
| SAML Attributes | SugarIdentity User Fields |
|---|---|
- Your organization must have an active Okta account. For information on setting up an Okta account for your organization, please refer to their website at https://www.okta.com/.
- You must have access to an Okta administrator account and be familiar with Okta in order to set up the attribute mapping. For more information regarding the administrator role, please refer to this Okta documentation.
- You must have administrator access to the ADFS server in order to set up the attribute mapping.
To set up the attribute mapping in Okta, you must have already created the SAML integration for SugarIdentity using the steps in the Configuring SSO With Okta article. Once the SAML integration has been configured in Okta, you can proceed with setting up the attribute mapping using the following steps:
- Follow steps 1-3 under the Profile Editor section of the “Attribute Statements (Optional)” bullet in the Using the App Integration Wizard documentation in Okta.
Note: When adding the attributes, leave the Data Type field as “string” and populate the “Display Name” and “Variable Name” fields. Be sure to populate the Variable Name field with the SAML attribute values listed in the section above, typed exactly as shown: SAML attribute names are case-sensitive, so a variable named “firstname” will not match “firstName”. Click “Save and Add Another” to add additional attributes.
- After creating the attributes, click the Mappings button and follow steps 3-7 in the Map Profile Attributes section of the Work with Okta user profiles and attributes documentation in Okta to map the attributes.
- For step 3, select the “Okta to <App Name>” tab at the top of the window.
- For step 5, select the “Apply mapping on user create and update” option for the profile push frequency.
- For step 7, once you click “Save Mappings”, click the “Apply updates now” button.
- Once the mapping is complete, follow steps 4-8 under the Profile Editor section of the “Attribute Statements (Optional)” bullet in the Using the App Integration Wizard documentation in Okta. For step 7, populate the Name and Value fields for each of the attributes as follows:
- Name: type the variable name (e.g. firstName, lastName) of each attribute you added in step 1.
- Value: type “user.<variable name>” (e.g. user.firstName).
Once the attribute mapping has been set up, you will need to assign the SugarCRM app to your Okta users if you have not done so already. For more information on assigning the app to Okta users, refer to the Configuring SSO With Okta article.
Once you have configured SAML in SugarIdentity as well as configured a new trust relationship between SugarIdentity and ADFS, you can set up the attribute mapping in ADFS using the following steps:
- Follow the instructions in the Mapping attributes from Active Directory with ADFS and SAML (Professional and Enterprise) article on Zendesk. For the purpose of this article, please refer to the steps in the Full Name section of the Zendesk article.
- Enter the values from the table below in the “LDAP Attribute” and “Outgoing Claim Type” columns of the claim rule.
Note: Most LDAP attribute values (e.g. Given-Name) can be selected from the dropdown list, but city (i.e. l, the lowercase-L “locality” attribute), zip code (i.e. postalCode), and country code (i.e. co) are not available in the list and must be typed in manually. Be aware that in Active Directory the co attribute holds the country’s display name (e.g. United States), whereas c holds the two-letter ISO 3166 code; confirm which form SugarIdentity’s country code field expects before mapping it.

| LDAP Attribute | Outgoing Claim Type |
|---|---|
| Given-Name | firstName |
| Surname | lastName |
| E-Mail-Addresses | email |
| Telephone-Number | telephoneNumber |
| Title | title |
| Department | department |
| streetAddress | streetAddress |
| State-Or-Province-Name | state |
| l | city |
| postalCode | zipCode |
| co | countryCode |
- Click “OK” to save your settings.
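Whether you configured the mapping in Okta (Attribute Statements) or in ADFS (claim rule), the result that matters is the AttributeStatement inside the SAML assertion the identity provider actually sends: ADFS emits the Outgoing Claim Type string verbatim as the SAML Attribute Name, and Okta emits the Name you typed in step 1. The script below is an added diagnostic example, not code from SugarCRM, Okta or Microsoft. It decodes a captured SAMLResponse, lists the attribute names and values it carries, and compares them with the attribute names from the table above, flagging attributes that are missing, sent with different capitalization, empty, or not expected at all. The sample response embedded in it is constructed for the example; the function names (decode_saml_response, extract_attributes, check_mapping, audit_response) are this example's own. It checks attribute names only; it does not validate the assertion signature, so it is a configuration check, not a security control.

```python
"""Diagnostic: compare a captured SAML assertion's attributes with the
SugarIdentity attribute names from the mapping table.

Added example, not SugarCRM/Okta/ADFS code. Assumes you captured the
base64 SAMLResponse form field from your own browser session (for example
with a browser SAML debugging extension). Signature verification is NOT
performed here; this only tells you whether the attribute mapping produced
the expected attribute names.
"""
from __future__ import annotations

import base64
# xml.etree is not hardened against entity-expansion attacks; for XML you
# did not capture yourself, substitute defusedxml.ElementTree.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# SAML attribute names SugarIdentity expects (Outgoing Claim Type column
# of the ADFS table / Variable Name values in Okta).
EXPECTED_ATTRIBUTES = {
    "firstName", "lastName", "email", "telephoneNumber", "title",
    "department", "streetAddress", "state", "city", "zipCode", "countryCode",
}


def decode_saml_response(b64: str) -> str:
    """Decode the base64 SAMLResponse POST parameter into XML text."""
    return base64.b64decode(b64).decode("utf-8")


def extract_attributes(saml_xml: str) -> dict[str, list[str]]:
    """Return {attribute Name: [values]} from every AttributeStatement."""
    root = ET.fromstring(saml_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name", "")
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs.setdefault(name, []).extend(values)
    return attrs


def check_mapping(attrs: dict[str, list[str]],
                  expected: set[str] = EXPECTED_ATTRIBUTES) -> dict:
    """Classify sent attribute names against the expected set.

    case_mismatch maps the name actually sent -> the name SugarIdentity
    expects (e.g. "Department" -> "department"); such attributes will not
    sync because SAML attribute names are matched exactly.
    """
    present = set(attrs)
    by_lower = {e.lower(): e for e in expected}
    case_mismatch = {n: by_lower[n.lower()] for n in present - expected
                     if n.lower() in by_lower}
    return {
        "ok": sorted(present & expected),
        "missing": sorted(expected - present - set(case_mismatch.values())),
        "case_mismatch": case_mismatch,
        "unexpected": sorted(present - expected - set(case_mismatch)),
        # expected attribute present but carrying only empty values, which
        # usually means the LDAP attribute is unpopulated for that user
        "empty": sorted(n for n in present & expected if not any(attrs[n])),
    }


def audit_response(saml_xml: str) -> dict:
    """Run the full check on decoded SAML response XML."""
    return check_mapping(extract_attributes(saml_xml))


# Constructed sample response (not a real capture): department is sent with
# the wrong capitalization, city is empty, several attributes are missing
# and an unrelated UPN claim is included.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="title"><saml:AttributeValue>Sales Engineer</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Department"><saml:AttributeValue>Sales</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="city"><saml:AttributeValue/></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    encoded = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()
    report = audit_response(decode_saml_response(encoded))
    for key, value in report.items():
        print(f"{key:14s} {value}")
```

Run it against a real capture by replacing the sample with the SAMLResponse value from the POST to SugarIdentity. Anything listed under case_mismatch or missing points back to a Variable Name or Outgoing Claim Type that does not match the table exactly; anything under empty points to the user object in Okta or Active Directory rather than the mapping.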