@@ -171,7 +171,7 @@ Edit then <code>share-config-custom.xml</code> and uncomment the last part. In t
<spanclass="sc3"><spanclass="re1"><name<spanclass="re2">></span></span></span>Alfresco - user access<spanclass="sc3"><spanclass="re1"></name<spanclass="re2">></span></span></span>
<spanclass="sc3"><spanclass="re1"><description<spanclass="re2">></span></span></span>Access to Alfresco Repository WebScripts that require user authentication<spanclass="sc3"><spanclass="re1"></description<spanclass="re2">></span></span></span>
@@ -184,7 +184,7 @@ You need to restart Tomcat to apply changes.
<divclass="notewarning">Now you can log in with a simple HTTP header. You need to restrict access to Alfresco to <abbrtitle="LemonLDAP::NG">LL::NG</abbr>.
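Review bot: the warning at the end of this hunk ("You need to restrict access to Alfresco to LL::NG") should say how, because once Alfresco accepts a plain HTTP header as proof of identity, any client that can reach Tomcat directly and set that header is logged in as that user. Suggest stating that the Tomcat/Alfresco port must be reachable only from the LL::NG handler host (firewall rule or reverse-proxy ACL) and that the proxy must overwrite any copy of the header a client sends, so the restriction is a concrete step rather than a reminder.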
@@ -93,7 +93,7 @@ The Basic Authentication relies on a specific HTTP header, as described above. S
<p>
For example, to forward login (<code>$uid</code>) and password (<code>$_password</code> if <ahref="../passwordstore.html"class="wikilink1"title="documentation:2.0:passwordstore">password is stored in session</a>):
<abbrtitle="LemonLDAP::NG">LL::NG</abbr> provides a special function named <ahref="../extendedfunctions.html#basic"class="wikilink1"title="documentation:2.0:extendedfunctions">basic</a> to build this header.
<divclass="noteimportant">To allow execution of encode_base64() method, you must deactivate the <ahref="../safejail.html"class="wikilink1"title="documentation:2.0:safejail">Safe jail</a>.
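Review bot: the "noteimportant" closing this hunk tells the reader to deactivate the Safe jail so that encode_base64() can run, but does not say what that costs: the Safe jail is the sandbox around the Perl expressions evaluated from the configuration, and switching it off applies to every rule and header expression on the portal, not only this one. Since the sentence just before it already points to the basic extended function for building this header, state whether basic works with the jail enabled, so that disabling the jail reads as a fallback for hand-written expressions rather than the default step.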
<liclass="level2"><divclass="li"><ahref="#migrate_former_local_or_ldap_humhub_account_to_connect_through_sso">Migrate former local or ldap Humhub account to connect through SSO</a></div></li>
@@ -88,28 +89,30 @@ Administrator can configure one or several OAuth, OAuth2 or OIDC authentication
<p>
With <ahref="#openid_connect"title="documentation:2.0:applications:humhub ↵"class="wikilink1"> OpenID Connect </a> authentication service, users successfully authenticated by LemonLDAP::NG will be registered in HumHub upon their first login.
</p>
<divclass="notewarning">HumHub retrieves a user from his username and the authentication service he came through. As a result, a former local or LDAP user will be rejected when trying to authenticate using another authentication service.
<divclass="notewarning">HumHub retrieves a user from his username and the authentication service he came through. As a result, a former local or LDAP user will be rejected when trying to authenticate using another authentication service. See <ahref="#migrate_former_local_or_ldap_humhub_account_to_connect_through_sso"title="documentation:2.0:applications:humhub ↵"class="wikilink1"> Migrate former local or ldap Humhub account to connect through SSO</a>
<divclass="noteclassic">This set-up works with option enablePrettyUrl activated in Humhub. If not activated, rewrite <abbrtitle="Uniform Resource Locator">URL</abbr> in Humhub HTTP server and allowed redirect <abbrtitle="Uniform Resource Locator">URL</abbr> in LemonLDAP needs to be adapted to work with the non pretty <abbrtitle="Uniform Resource Locator">URL</abbr> format.
First disable LDAP (Administration > Users section) and delete (or migrate source) any local users whose username or email are conflicting with the username or email of your OIDC users.
First disable LDAP (Administration > Users section) and delete (or <ahref="#migrate_former_local_or_ldap_humhub_account_to_connect_through_sso"title="documentation:2.0:applications:humhub ↵"class="wikilink1"> migrate</a>) any local users whose username or email are conflicting with the username or email of your OIDC users.
</p>
<p>
Then install and configure the <ahref="https://github.com/Worteks/humhub-auth-oidc"class="urlextern"title="https://github.com/Worteks/humhub-auth-oidc"rel="nofollow"> OIDC connector for humhub </a> extension using composer :
</p>
<ul>
<liclass="level1"><divclass="li"> Install composer and php-tokenizer.</div>
'clientId' =>'myClientId', // Client ID for this RP in LemonLDAP
'clientSecret' =>'myClientSecret', // Client secret for this RP in LemonLDAP
'defaultTitle' =>'auth.example.com', // Text displayed in login button
'cssIcon' =>'fa fa-lemon-o', // Icon displayed in login button
],
],
// ...
]</pre>
<ul>
<liclass="level1"><divclass="li"> Edit {humhub_home}/protected/config/web.php to disconnect users from LemonLDAP::NG after they logged out of Humhub:</div>
User can now log in through <abbrtitle="Single Sign On">SSO</abbr> using a button on humhub logging page. If you want to remove this intermediate login page, so user are automatically logged in through <abbrtitle="Single Sign On">SSO</abbr> when they first access Humhub, you can set up a redirection in the http server in front of the application :
</p>
<ul>
<liclass="level1"><divclass="li"> Example in apache</div>
If the authentication was successful but the user could not be registered in Humhub (which often happen if there is a conflict between source, username or email), Humhub will redirect to the login page to display the error, which trigger a redirection to the portal, ultimately triggering a loop error while registration error is not displayed.
</p>
<p>
To change this behavior and display the registration error, AuthController.onAuthSuccess method needs to be adapted so redirect to <abbrtitle="Single Sign On">SSO</abbr> will be bypassed when a registration error occured. This works for version 1.3.15 :
</p>
<ul>
<liclass="level1"><divclass="li"> Go to {humhub_home} folder</div>
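Review bot: the fix described from L41 onwards patches HumHub core code (AuthController.onAuthSuccess) and is pinned to version 1.3.15; the text should say that a HumHub update overwrites the change and the redirect loop comes back silently, so the patch has to be reapplied after each upgrade or tracked in a local override. Two smaller things in the same hunk: the config sample at L27-L28 puts 'clientSecret' in a PHP config file, so it is worth reminding the reader that the file must not be world-readable, and there are typos in the new prose ("logging page" for login page, "so user are" for "so users are", "which often happen" for "which often happens", "occured" for "occurred").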
@@ -154,7 +212,7 @@ If not done yet, configure LemonLDAP::NG as an <a href="../openidconnectservice.
</p>
<p>
Then, configure LemonLDAP::NG to recognize your HumHub instance as a valid <ahref="../idpopenidconnect.html"class="wikilink1"title="documentation:2.0:idpopenidconnect"> new OpenID Connect relaying party </a> using the following parameters:
Then, configure LemonLDAP::NG to recognize your HumHub instance as a valid <ahref="../idpopenidconnect.html"class="wikilink1"title="documentation:2.0:idpopenidconnect"> new OpenID Connect Relying Party </a> using the following parameters:
</p>
<ul>
<liclass="level1"><divclass="li"><strong>Client ID</strong>: the same you set in HumHub configuration</div>
...
...
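Review bot: the only change in this hunk is "relaying party" to "Relying Party" (L51 to L52), which is the correct OpenID Connect term. While here, the parameter list starting at L55 states that the Client ID must be the one set in the HumHub configuration, but the visible part of the hunk is cut off ("...") before the client secret, which the HumHub side defines at L28 ('clientSecret' => 'myClientSecret') and which has to match as well; please check that the elided part of the list says so.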
@@ -193,8 +251,39 @@ Configuration sample using CLI:
<h3class="sectionedit6"id="migrate_former_local_or_ldap_humhub_account_to_connect_through_sso">Migrate former local or ldap Humhub account to connect through SSO</h3>
<divclass="level3">
<p>
You need to manually update Humhub database to swith authentication mode to LemonLDAP::NG.
</p>
<p>
Table "user":
</p>
<ul>
<liclass="level1"><divclass="li"> Columns "username" and "email" should match exactly OIDC sub and email attributes ;</div>
</li>
<liclass="level1"><divclass="li"> If former ldap user, change column "auth_mode" to "local".</div>
</li>
</ul>
<p>
Table "user_auth":
</p>
<ul>
<liclass="level1"><divclass="li"> Add an entry with user_id, username and "lemonldapng" as source (or the name you chose in your connector configuration) :</div>
<liclass="level1"><divclass="li"> generated for one zimbra domain only</div>
</li>
<liclass="level1"><divclass="li"> declared globally for every LemonLDAP::NG virtual hosts.</div>
</li>
</ul>
<p>
Thus, if domain1 has been registered on LemonLDAP::NG, user bar won't be able to connect to zimbra because preauth key is different. If you accept to have the same preauth key for all zimbra domains, you can set the same preauth key using this procedure:
</p>
<p>
We are going to use the first key (the domain1 one) for every domain.
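Review bot: L77 ends with a colon announcing the "user_auth" row to add, but no column list or statement follows in this hunk, so the reader cannot tell what the entry must contain; at L68 the account is matched on the OIDC sub and email, and the doc should say that this mapping only stays one-to-one if the identity provider guarantees that the email attribute is unique and verified. In the zimbra part (L78 to L87), reusing the domain1 preauth key for every domain removes the separation that per-domain keys gave (a key disclosed for one domain then grants preauth on all of them), so the "If you accept" sentence at L84 should name that tradeoff explicitly. Also "swith" at L62 should be "switch".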