
SAML redirect loop when user does not exist in CRM #6622

Open
vladaman opened this issue Dec 15, 2018 · 7 comments
Labels
Status:Fix Proposed A issue that has a PR related to it that provides a possible resolution Type:Suggestion Issue containing a suggestion of functionality, process or UI. Associated PRs are called enhancement

Comments

@vladaman

Issue

When using SAML and providing a non-existing email address via the SAML Identity provider, the auth gets into a loop. The user is returned back to SuiteCRM and then back to the Identity provider. This continues.

Expected Behavior

Display an error message that the user account does not exist.

Actual Behavior

Notice the rapid log events in the logs:

Sat Dec 15 20:05:04 2018 [22415][-none-][FATAL] SECURITY: User authentication for info@xxxx.cz failed
Sat Dec 15 20:05:06 2018 [10283][-none-][FATAL] SECURITY: User authentication for info@xxxx.cz failed
Sat Dec 15 20:05:06 2018 [22544][-none-][FATAL] SECURITY: User authentication for info@xxxx.cz failed

Steps to Reproduce

  1. Enable SAML
  2. Integrate with SAML Identity provider (I tested miniorange)
  3. Enter the CRM site and you will get redirected to the provider
  4. Authorize with a non-existing account which exists in the identity provider but not in the CRM

Your Environment

  • SuiteCRM Version used: 7.10.11
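As an added illustration of the handling the report asks for (this is not SuiteCRM's code), the following PHP shows an SP-side SAML handler that remembers a failed user lookup in the session and renders an error instead of redirecting to the IdP again. The function names, the `saml_failures` session key, the IdP URL and the sample directory are all assumptions made up for this example.

```php
<?php
// Added example, not SuiteCRM code: an SP-side SAML handler that breaks the
// redirect loop described above. CRM internals are stand-ins; the function
// names, the 'saml_failures' session key and the IdP URL are assumptions.

const SAML_LOGIN_URL = 'https://idp.example.test/sso'; // constructed placeholder

/** Stand-in for the CRM user lookup: maps a lowercased email to a username. */
function findUserByEmail(string $email, array $directory): ?string
{
    return $directory[strtolower($email)] ?? null;
}

/**
 * Called when the IdP posts an assertion back to the SP. Returns the action
 * to take instead of performing it, so the flow can be exercised offline.
 */
function handleSamlAssertion(string $nameId, array $directory, array &$session): array
{
    $user = findUserByEmail($nameId, $directory);
    if ($user !== null) {
        unset($session['saml_failures']);
        return ['action' => 'login', 'user' => $user];
    }
    // Same log line the issue shows, but remember the failure in the session
    // so the next unauthenticated request does not bounce back to the IdP.
    $session['saml_failures'] = ($session['saml_failures'] ?? 0) + 1;
    error_log(sprintf('SECURITY: User authentication for %s failed', $nameId));
    return ['action' => 'error',
            'message' => 'Your SSO login succeeded, but no CRM account exists for this user.'];
}

/** Called for any unauthenticated request: redirect to the IdP at most once. */
function handleUnauthenticatedRequest(array &$session): array
{
    if (($session['saml_failures'] ?? 0) > 0) {
        return ['action' => 'error', 'message' => 'No CRM account for this SSO user.'];
    }
    return ['action' => 'redirect', 'url' => SAML_LOGIN_URL];
}

// Constructed demo: the unprovisioned user comes back from the IdP once, then
// the second request shows an error instead of looping.
$directory = ['alice@example.test' => 'alice'];
$session   = [];
$first  = handleSamlAssertion('info@example.test', $directory, $session);
$second = handleUnauthenticatedRequest($session);
echo $first['action'], ' then ', $second['action'], PHP_EOL;
```

Both calls return an `error` action for the unknown user, which is the point: the generic "not logged in, go to SSO" path must not run after a SAML assertion for a user the CRM does not know.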
@willrennie willrennie added the Type:Suggestion Issue containing a suggestion of functionality, process or UI. Associated PRs are called enhancement label Apr 5, 2019
@willrennie
Contributor

@vladaman I'll add the suggestion label here as it does throw an error in the logs and detail that the authentication fails, so there is error handling here. It simply needs improvement to catch the loop and return suitable errors/logs to the user in the UI.

@Dillon-Brown Dillon-Brown added the Status:Fix Proposed A issue that has a PR related to it that provides a possible resolution label Apr 29, 2019
@markvp

markvp commented Jul 29, 2019

+1.
In reference to the suggestion label by @willrennie ... in terms of administrator experience, this may be a simple improvement as the error is displayed in the logs, but in terms of end-user experience, this is more than a mere suggestion, this is a bug, as they are left in a state in which they get no feedback and cannot proceed.

@dagostinelli

+1 I just ran into this one again. We added a new employee (it's been a while) and then told them to go to the CRM. It gets into a SAML redirect loop infinitely. The log is filled with:

Thu Oct 10 17:55:44 2019 [1246][-none-][FATAL] SECURITY: User authentication for <email address> failed

This needs better error handling. I ended up spinning my wheels on this until I realized that the account was not properly provisioned in SuiteCRM.

@tsmgeek
Contributor

tsmgeek commented Dec 15, 2020

I think this no longer happens; when I just tested it, auth is no longer against email but instead username anyway.
If the user does not exist it redirects to LoggedOut, so it's not very clear anyway.

I would close this ticket and propose opening a new one that allows more config of the SAML driver to have a fallback for standard login as well. There may be times this would be useful, i.e. we have staff that access our CRM via SSO but we want external users to also use it, but as they are not in our AD/Keycloak etc. it would just be easier to implement direct login.

@chris001
Contributor

When the user logs in successfully to the IdP SAML auth provider, sometimes you want the CRM to then auto-create a CRM account if one does not already exist - their view might be restricted to seeing little to nothing (only records they have read access to in the ACL). Other times, you want to send a notification to some other CRM user/team leader/group owner, to authorize the creation of this new user's CRM account.

@DerpgonCz

I would also love to see user creation, the same way LDAP login does that.

@simao-silva

Any updates?
