
HumHub

Presentation

HumHub is a free and open-source social network written on top of the Yii2 PHP framework. It provides an easy-to-use toolkit for creating and launching your own social network.

Unauthenticated users may log in through a form checked against HumHub's local database or an LDAP directory, or choose one of the configured external authentication services.

Administrators can configure one or several OAuth, OAuth2 or OIDC authentication services, each displayed as a button on the login page.

With the OpenID Connect authentication service, users successfully authenticated by LemonLDAP::NG are registered in HumHub on their first login.

HumHub identifies a user by the pair (username, authentication service the user came through). As a result, an existing local or LDAP user is rejected when trying to authenticate through another authentication service, so the same person cannot simply switch to OIDC under the same username.

OpenID Connect

Configuring HumHub

First disable LDAP (Administration > Users section) and delete (or migrate the source of) any local user whose username or email conflicts with the username or email of one of your OIDC users.

Then install the OIDC connector for HumHub using Composer:

  composer global require hirak/prestissimo
  composer require --no-update --update-no-dev worteks/humhub-auth-oidc
  composer update worteks/humhub-auth-oidc --no-dev --prefer-dist -vvv

Then declare the client in HumHub's PHP configuration (the array returned by the configuration file). The client key ('lemonldapng' below) must match the authclient= value of the redirect URI registered in LemonLDAP::NG:

  return [
      'components' => [
          'authClientCollection' => [
              'clients' => [
                  // ...
                  'lemonldapng' => [
                      'class' => 'worteks\humhub\authclient\OIDC',
                      'domain' => 'https://auth.example.com',   // LemonLDAP::NG portal base URL
                      'clientId' => 'myClientId',               // Client ID for this RP in LemonLDAP
                      'clientSecret' => 'myClientSecret',       // Client secret for this RP in LemonLDAP
                      'defaultTitle' => 'auth.example.com',     // Text displayed on the login button
                  ],
              ],
          ],
          // ...
      ],
  ];

Configuring LemonLDAP

If not done yet, configure LemonLDAP::NG as an OpenID Connect service.

Then configure LemonLDAP::NG to recognize your HumHub instance as a new, valid OpenID Connect relying party using the following parameters. The client ID and secret must be the same as in the HumHub configuration, and the redirect URI must carry the authclient= key chosen there.

Configuration sample using the CLI:

  $ /usr/libexec/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
      addKey \
        oidcRPMetaDataExportedVars/humhub given_name givenName \
        oidcRPMetaDataExportedVars/humhub family_name sn \
        oidcRPMetaDataExportedVars/humhub email mail \
        oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsClientID myClientId \
        oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsClientSecret myClientSecret \
        oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsRedirectUris 'https://humhub.example.com/user/auth/external?authclient=lemonldapng' \
        oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsPostLogoutRedirectUris 'https://humhub.example.com' \
        oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsIDTokenSignAlg RS512 \
        oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsIDTokenExpiration 3600 \
        oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsAccessTokenExpiration 3600 \
        oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsBypassConsent 1
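As an added example (not code from this page, HumHub or the worteks connector), the check below decodes an ID token and compares its header and claims with the values configured above: issuer, client ID, RS512, the 3600 s lifetime and the exported given_name/family_name/email attributes. HUMHUB_RP, SAMPLE_CLAIMS and the helper names are constructed for this example.

```python
import base64
import json
# HumHub-side expectations mirroring this page's configuration (names assumed for this example).
HUMHUB_RP = {
    "issuer": "https://auth.example.com",  # 'domain' in the HumHub client config
    "client_id": "myClientId",
    "alg": "RS512",                         # oidcRPMetaDataOptionsIDTokenSignAlg
    "max_lifetime": 3600,                   # oidcRPMetaDataOptionsIDTokenExpiration
    # claims from the oidcRPMetaDataExportedVars entries, plus the OIDC subject
    "required_claims": ("sub", "given_name", "family_name", "email"),
}
# Constructed claims for a user LemonLDAP::NG would hand to HumHub.
SAMPLE_CLAIMS = {"iss": "https://auth.example.com", "aud": "myClientId",
                 "sub": "jdoe", "given_name": "John", "family_name": "Doe",
                 "email": "jdoe@example.com"}

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(header: dict, claims: dict) -> str:
    """Constructed test token: the signature segment is a placeholder."""
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()), "sig"])

def check_id_token(token: str, rp: dict, now: int) -> list:
    """Return the problems found in header and claims. Structural checks only:
    the RS512 signature must still be verified against the issuer's JWKS."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part JWT"]
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    problems = []
    if header.get("alg") != rp["alg"]:
        problems.append(f"alg {header.get('alg')!r} != {rp['alg']}")
    if claims.get("iss") != rp["issuer"]:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    if rp["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        problems.append("token not issued for this client_id")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("token expired or exp missing")
    elif "iat" in claims and claims["exp"] - claims["iat"] > rp["max_lifetime"]:
        problems.append("lifetime exceeds configured IDTokenExpiration")
    for name in rp["required_claims"]:
        if not claims.get(name):
            problems.append(f"missing claim {name}")
    return problems
```

A missing required claim usually means the corresponding oidcRPMetaDataExportedVars entry is absent or the session attribute (givenName, sn, mail) is empty for that user.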

Troubleshooting

If the LemonLDAP::NG login page freezes because the browser blocks the form submission, adapt the Content Security Policy form-action parameter (Security section) to allow the HumHub host:

  $ /usr/libexec/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
      set \
        cspFormAction "'self' https://*.example.com"