Differences

documentation:latest:applications:humhub [2019/09/26 09:41]
soifro [Configuring LemonLDAP]
documentation:latest:applications:humhub [2019/10/18 11:15] (current)
soifro [Configuring HumHub]
Line 14: Line 14:
  
 <note warning> <note warning>
-HumHub retrieves a user from his username and the authentication service he came through. As a result, a former local or LDAP user will be rejected when trying to authenticate using another authentication service.+HumHub retrieves a user from his username and the authentication service he came through. As a result, a former local or LDAP user will be rejected when trying to authenticate using another authentication service. ​See [[#​migrate_former_local_or_ldap_humhub_account_to_connect_through_sso | Migrate former local or ldap Humhub account to connect through SSO]]
 </​note>​ </​note>​
  
 ===== OpenID Connect ===== ===== OpenID Connect =====
 +<note info> 
 +This set-up works with option enablePrettyUrl activated in Humhub. If not activated, rewrite URL in Humhub HTTP server and allowed redirect URL in LemonLDAP needs to be adapted to work with the non pretty URL format. 
 +</​note>​
 ==== Configuring HumHub ==== ==== Configuring HumHub ====
  
-First disable LDAP (Administration > Users section) and delete (or migrate ​source) any local users whose username or email are conflicting with the username or email of your OIDC users.+First disable LDAP (Administration > Users section) and delete (or [[#​migrate_former_local_or_ldap_humhub_account_to_connect_through_sso | migrate]]) any local users whose username or email are conflicting with the username or email of your OIDC users.
  
 Then install and configure the [[ https://​github.com/​Worteks/​humhub-auth-oidc | OIDC connector for humhub ]] extension using composer : Then install and configure the [[ https://​github.com/​Worteks/​humhub-auth-oidc | OIDC connector for humhub ]] extension using composer :
  
-  * Install composer ​and php-tokenizer.+  * Install composer.
  
   * Consider using prestissimo,​ to speed up composer update command (4x faster):   * Consider using prestissimo,​ to speed up composer update command (4x faster):
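Review bot: the install bullet at the end of this hunk silently drops php-tokenizer from "Install composer and php-tokenizer"; if it was removed because a current composer install already covers it, say so in the bullet, otherwise readers whose distribution packages the extension separately have no hint to install it before running composer. Two wording fixes in the new info note: "rewrite URL ... and allowed redirect URL ... needs to be adapted" should read "need to be adapted", and "the non pretty URL format" should be "the non-pretty URL format" (naming the enablePrettyUrl=false case directly would be clearer still, since that setting is what the note is about).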
Line 32: Line 34:
 </​code>​ </​code>​
  
-  * Go to {humhub_home} folder ​(containing humhub'​s ​composer.json file and execute+  * Go to {humhub_home} folder 
 + 
 +  * Check if composer.json file is present. If not, download it for your current version: 
 +<​code>​ 
 +wget https://​raw.githubusercontent.com/​humhub/​humhub/​v1.3.15/​composer.json 
 +</​code>​ 
 + 
 +  * Install the connector as a dependency: ​
  
 <​code>​ <​code>​
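Review bot: the wget step hard-codes v1.3.15 in the raw.githubusercontent.com URL while the bullet text says "download it for your current version"; write the tag as a placeholder the reader substitutes and state that it must match the installed HumHub release, because a composer.json from another release resolves dependency versions the installed code was not written against. Minor: the shortened bullet "Go to {humhub_home} folder" is fine now that the composer.json check is its own step (the old line also had an unclosed parenthesis), but it should end with a period like the surrounding bullets.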
Line 38: Line 47:
 composer update worteks/​humhub-auth-oidc ​ --no-dev --prefer-dist -vvv composer update worteks/​humhub-auth-oidc ​ --no-dev --prefer-dist -vvv
 </​code>​ </​code>​
 +
 +<note info>
 +If you just need to update the connector, change its version in composer.json and run the above composer update command.
 +</​note>​
  
   * Edit {humhub_home}/​protected/​config/​common.php with the client configuration :   * Edit {humhub_home}/​protected/​config/​common.php with the client configuration :
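Review bot: the composer update command keeps a double space before `--no-dev` and the `-vvv` debug verbosity flag, which reads like a paste from a troubleshooting session; suggest `composer update worteks/humhub-auth-oidc --no-dev --prefer-dist` as the documented command and mention `-vvv` separately as an option when the update fails. The new info note on upgrading the connector is useful; saying that the version to change is the worteks/humhub-auth-oidc entry in the `require` section of composer.json would tell readers exactly which line is meant.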
Line 58: Line 71:
 ] ]
 </​code>​ </​code>​
-            ​+ 
 +  * Edit {humhub_home}/​protected/​config/​web.php to disconnect users from LemonLDAP::​NG after they logged out of Humhub: 
 + 
 +<​code>​ 
 +return [ 
 + // ... 
 + '​modules'​ => [ 
 +  '​user'​ => [ 
 +   '​logoutUrl'​ => '​https://​auth.domain.com/?​logout=1',​ 
 +  ], 
 + ] 
 +]; 
 +</​code>​ 
 + 
 +User can now log in through SSO using a button on humhub logging page. If you want to remove this intermediate login page, so user are automatically logged in through SSO when they first access Humhub, you can set up a redirection in the http server in front of the application : 
 + 
 +  * Example in apache 
 + 
 +<​code>​ 
 +RewriteEngine On 
 +RewriteCond %{QUERY_STRING} !nosso [NC] 
 +RewriteRule "​^/​user/​auth/​login$"​ "/​user/​auth/​external?​authclient=lemonldapng"​ [L,R=301] 
 +</​code>​ 
 + 
 +  * Example in nginx 
 + 
 +<​code>​ 
 +if ($query_string !~ "​nosso"​){ ​                                                                       
 +  rewrite ^/​user/​auth/​login$ /​user/​auth/​external?​authclient=lemonldapng permanent;​ 
 +
 +</​code>​ 
 + 
 +If the authentication was successful but the user could not be registered in Humhub (which often happen if there is a conflict between source, username or email), Humhub will redirect to the login page to display the error, which trigger a redirection to the portal, ultimately triggering a loop error while registration error is not displayed. 
 + 
 +To change this behavior and display the registration error, AuthController.onAuthSuccess method needs to be adapted so redirect to SSO will be bypassed when a registration error occured. This works for version 1.3.15 : 
 + 
 +   * Go to {humhub_home} folder 
 +   * Execute 
 +<​code>​ 
 +sed -i "​s|return \$this->​redirect(\['/​user/​auth/​login'​\]);​|return \$this->​redirect(['/​user/​auth/​login','​nosso'​=>'​showerror'​]);​|"​ protected/​humhub/​modules/​user/​controllers/​AuthController.php 
 +</​code>​ 
 + 
 ==== Configuring LemonLDAP ==== ==== Configuring LemonLDAP ====
  
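Review bot: the nginx example is missing its closing brace: the line after the `rewrite` directive is empty, so the `if ($query_string !~ "nosso") {` block is never closed and nginx will reject the configuration. On the redirects themselves, both examples use a permanent redirect (`R=301` in Apache, `permanent` in nginx), which browsers cache; once a browser has seen it, /user/auth/login may keep going to the SSO entry point even after the rewrite is removed, so a temporary (302) redirect keeps the `nosso` escape hatch and a later rollback workable, and the nginx match is case-sensitive where the Apache one has [NC]. The sed command patches HumHub core (protected/humhub/modules/user/controllers/AuthController.php) and is stated to work for 1.3.15 only; add that this change is lost on every HumHub upgrade and has to be re-applied after checking the new source, and that auth.domain.com in logoutUrl is a placeholder for the reader's LemonLDAP::NG portal. Wording: "User can now log in", "so user are automatically logged in", "which often happen", "which trigger a redirection" and "occured" should read "Users can now log in", "so users are automatically logged in", "which often happens", "which triggers a redirection" and "occurred".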
Line 88: Line 143:
         oidcRPMetaDataOptions/​humhub oidcRPMetaDataOptionsAccessTokenExpiration 3600 \         oidcRPMetaDataOptions/​humhub oidcRPMetaDataOptionsAccessTokenExpiration 3600 \
         oidcRPMetaDataOptions/​humhub oidcRPMetaDataOptionsBypassConsent 1 && \         oidcRPMetaDataOptions/​humhub oidcRPMetaDataOptionsBypassConsent 1 && \
 +</​code>​
 +
 +==== Migrate former local or ldap Humhub account to connect through SSO ====
 +
 +You need to manually update Humhub database to swith authentication mode to LemonLDAP::​NG.
 +
 +Table "​user": ​
 +   * Columns "​username"​ and "​email"​ should match exactly OIDC sub and email attributes ;
 +   * If former ldap user, change column "​auth_mode"​ to "​local"​.
 +Table "​user_auth":​
 +   * Add an entry with user_id, username and "​lemonldapng"​ as source (or the name you chose in your connector configuration) :
 +<​code>​
 ++---------+-------------+-------------+
 +| user_id | source ​     | source_id ​  |
 ++---------+-------------+-------------+
 +|       4 | lemonldapng | jdoe        |
 </​code>​ </​code>​
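Review bot: the user_auth bullet says to add an entry with "user_id, username and lemonldapng as source", but the table that follows has columns user_id, source and source_id, with the username (jdoe) in source_id; align the bullet with the table (source set to lemonldapng, source_id set to the username) so readers do not look for a username column. The example table is also cut off: the closing +---------+ border after the jdoe row is missing. Since this section has the reader edit the Humhub database by hand, it should tell them to take a database backup before changing the user and user_auth tables. Typos: "swith" should be "switch", and "If former ldap user" should read "For a former LDAP user".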