<a href="https://humhub.org/" class="urlextern" title="https://humhub.org/" rel="nofollow">HumHub</a> is a free and open-source social network written on top of the <a href="https://www.yiiframework.com/" class="urlextern" title="https://www.yiiframework.com/" rel="nofollow">Yii2 PHP framework</a> that provides an easy-to-use toolkit for creating and launching your own social network.
</p>
<p>
Unauthenticated users may log in with a form checked against HumHub's local database or an LDAP directory, or choose an external authentication service.
</p>
<p>
An administrator can configure one or several OAuth, OAuth2 or OIDC authentication services, which are displayed as buttons on the login page.
</p>
<p>
With the <a href="#openid_connect" title="documentation:2.0:applications:humhub ↵" class="wikilink1"> OpenID Connect </a> authentication service, users successfully authenticated by LemonLDAP::NG are registered in HumHub on their first login.
<div class="notewarning">HumHub looks up a user by username and by the authentication service the user came through. As a result, a former local or LDAP user is rejected when trying to authenticate through another authentication service. See <a href="#migrate_former_local_or_ldap_humhub_account_to_connect_through_sso" title="documentation:2.0:applications:humhub ↵" class="wikilink1"> Migrate former local or LDAP HumHub account to connect through SSO</a>
<div class="noteclassic">This set-up assumes the enablePrettyUrl option is enabled in HumHub. If it is not, the rewrite <abbr title="Uniform Resource Locator">URL</abbr> in HumHub's HTTP server and the allowed redirect <abbr title="Uniform Resource Locator">URL</abbr> in LemonLDAP::NG need to be adapted to the non-pretty <abbr title="Uniform Resource Locator">URL</abbr> format.
First disable LDAP (Administration &gt; Users section) and delete (or <a href="#migrate_former_local_or_ldap_humhub_account_to_connect_through_sso" title="documentation:2.0:applications:humhub ↵" class="wikilink1"> migrate</a>) any local users whose username or email conflicts with the username or email of your OIDC users.
Then install and configure the <a href="https://github.com/Worteks/humhub-auth-oidc" class="urlextern" title="https://github.com/Worteks/humhub-auth-oidc" rel="nofollow"> OIDC connector for humhub </a> extension using Composer:
<li class="level1"><div class="li"> Edit {humhub_home}/protected/config/web.php to log users out of LemonLDAP::NG after they log out of HumHub:</div>
Users can now log in through <abbr title="Single Sign On">SSO</abbr> using a button on the HumHub login page. To skip this intermediate login page, so that users are automatically logged in through <abbr title="Single Sign On">SSO</abbr> when they first access HumHub, set up a redirection in the HTTP server in front of the application:
</p>
<ul>
<li class="level1"><div class="li"> Example in Apache</div>
If authentication succeeds but the user cannot be registered in HumHub (which often happens when source, username or email conflict), HumHub redirects to the login page to display the error; that redirect triggers another redirection to the portal, ending in a redirect loop while the registration error is never displayed.
</p>
<p>
To change this behavior and display the registration error, the AuthController.onAuthSuccess method needs to be adapted so that the redirect to <abbr title="Single Sign On">SSO</abbr> is bypassed when a registration error occurred. This works for version 1.3.15:
</p>
<ul>
<li class="level1"><div class="li"> Go to the {humhub_home} folder</div>
If not already done, configure LemonLDAP::NG as an <a href="../openidconnectservice.html" class="wikilink1" title="documentation:2.0:openidconnectservice"> OpenID Connect service</a>.
Then, configure LemonLDAP::NG to recognize your HumHub instance as a valid <a href="../idpopenidconnect.html" class="wikilink1" title="documentation:2.0:idpopenidconnect"> new OpenID Connect Relying Party </a> using the following parameters:
<h3 class="sectionedit6" id="migrate_former_local_or_ldap_humhub_account_to_connect_through_sso">Migrate former local or LDAP HumHub account to connect through SSO</h3>
<div class="level3">
<p>
You need to manually update the HumHub database to switch the authentication mode to LemonLDAP::NG.
</p>
<p>
Table "user":
</p>
<ul>
<li class="level1"><div class="li"> Columns "username" and "email" must exactly match the OIDC sub and email attributes;</div>
</li>
<li class="level1"><div class="li"> For a former LDAP user, change column "auth_mode" to "local".</div>
</li>
</ul>
<p>
Table "user_auth":
</p>
<ul>
<li class="level1"><div class="li"> Add an entry with user_id, username and "lemonldapng" as source (or the name you chose in your connector configuration):</div>
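<p>
The following SQL is an added example, not part of the LemonLDAP::NG or HumHub documentation. It carries out the whole migration described in this section in one transaction, preceded by the conflict check the installation steps ask for: it assumes HumHub's MySQL/MariaDB schema with the "user" (id, username, email, auth_mode) and "user_auth" (user_id, username, source) tables named above; the user id 42, the OIDC sub "jdoe" and the email "jdoe@example.com" are constructed placeholders to replace with your own values.
</p>

```sql
-- Added example (not from the LemonLDAP::NG or HumHub docs).
-- Assumed: HumHub MySQL/MariaDB schema, tables `user` and `user_auth`
-- as described in the section. Values 42, 'jdoe' and 'jdoe@example.com'
-- are constructed placeholders for the target user id, OIDC sub and email.

-- 1. Conflict check: any OTHER account already holding the OIDC username
--    or email will make the SSO login fail. Such rows must be deleted or
--    migrated before continuing. An empty result here is the goal.
SELECT u.id, u.username, u.email, u.auth_mode
FROM `user` u
WHERE (u.username = 'jdoe' OR u.email = 'jdoe@example.com')
  AND u.id <> 42;

START TRANSACTION;

-- 2. Align the account with the OIDC claims and switch a former LDAP
--    account to local authentication (a no-op if it is already 'local').
UPDATE `user`
SET username  = 'jdoe',             -- must equal the OIDC sub
    email     = 'jdoe@example.com', -- must equal the OIDC email
    auth_mode = 'local'
WHERE id = 42;

-- 3. Bind the account to the OIDC auth client. 'lemonldapng' is the
--    source name used in this page; replace it with the name chosen in
--    the connector configuration. The NOT EXISTS guard keeps the statement
--    idempotent so re-running it cannot create a duplicate binding.
INSERT INTO `user_auth` (user_id, username, source)
SELECT 42, 'jdoe', 'lemonldapng'
FROM DUAL
WHERE NOT EXISTS (
    SELECT 1 FROM `user_auth`
    WHERE user_id = 42 AND source = 'lemonldapng'
);

-- 4. Verify before committing: expect exactly one row, auth_mode 'local',
--    source 'lemonldapng'. If anything differs, ROLLBACK instead.
SELECT u.id, u.username, u.email, u.auth_mode, ua.source
FROM `user` u
JOIN `user_auth` ua ON ua.user_id = u.id
WHERE u.id = 42;

COMMIT;
```

<p>
Run step 1 first and on its own; only start the transaction once it returns no rows, because a conflicting account is exactly the condition that produces the redirect loop described earlier on this page. The verification query in step 4 is there so the change can be rolled back before HumHub ever sees a half-migrated account.
</p>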