Commit 0546303d authored by Christophe Maudoux 🐛

Merge branch 'v2.0'

parents ff095ca1 f37c2399
lemonldap-ng (2.0.7) stable; urgency=medium
* Bugs:
* #1893: Issuer urldc is lost after error in 2F flow
* #1909: Reset password by email issue
* #1943: [Security: medium, CVE-2019-19791] Apache access rules and SOAP/REST endpoints
* #1945: passwordpolicy.tpl contains wrong tag
* #1948: Tranlation menu does not work with Diff.html
* #1949: Don't Store Password shows password in cleartext
* #1952: "Attributes and macros" session keys should not be translated
* #1953: Outgoing emails are missing a Date: field
* #1954: zimbra preauth not working
* #1955: Redirection lost after notification validation
* #1960: REST config service not working
* #1961: IDP selection rule regression in 2.0.0
* #1963: Server Error with OpenID Connect register endpoint
* #1964: Diff.html does not work with minified JS
* #1966: Configuration reload does not apply changes to location rules
* #1968: skippedUnitTests/skippedGlobalTests have no effect
* #1969: Force password reset with LDAP password policy does not work if macro _whatToTrace is not defined
* #1974: ServiceToken handler TTL value always set to default
* #1984: Reset expired password doesn't trigger when using Combination
* #2005: Error in portal "refresh my rights" feature when whatToTrace value is not equal to login
* #2009: Display authentication error on login form with Combination Kerberos + LDAP
* #2010: Kerberos not working with session upgrade
* #2012: Several issues with notification system
* #2013: Handler, yum install
* #2018: After temporary ldap failure, ldap connections stop working forever
* #2038: Missing type attribute in 2FA HTML inputs
* #2045: Authenticating with external OpenID Connect Provider fails because of special chars in user name
* New features:
* #813: Provide refresh tokens in OpenID Connect
* #1605: certificate reset by mail
* #1956: DecryptValue plugin
* #1999: Possibility to view/close other sessions opened for the same user
* #2006: Create a web service for "refresh my rights"
* Improvements:
* #1590: Possibility to configure new plugins in Manager
* #1905: Append overScheme for persistent sessions
* #1941: After logged out from SP we are always redirected to IdP - Unable to go back to SP Portal
* #1947: Highlight active module with Diff.html
* #1967: allow differents type of managerDN
* #1983: The script purgeCentralCache should be more fault tolerant
* #1988: Append a requiredAuthenticationLevel option for each uri
* #1989: Main logo and lang icons are missing with upgradesession template
* #1991: Some user logs not using whatToTrace for username
* #1993: Same issue like (#1884) occures with Issuer redirection
* #1994: Append varInUri extended function
* #1995: Add an option to force claims in ID token
* #1996: REQUEST_URI env variable is not set by CheckUser plugin
* #1997: Enable checkTime option by default
* #1998: Misleading token ID format
* #2003: Possibility to set attributes and extra claims in OIDC registration endpoints
* #2007: Password change prompt displayed even if initial auth fails
* #2008: Specific message and error code for 2F failure
* #2011: Create a function to test if a value belongs to a list
* #2012: Several issues with notification system
* #2014: New script to convert sessions between backends
* #2019: Renew Captcha button
* #2024: Change default value for cspFormAction
* #2042: Add per-service macros
-- Clément <clem.oudot@gmail.com> Sat, 21 Dec 2019 16:59:22 +0100
lemonldap-ng (2.0.6) stable; urgency=medium lemonldap-ng (2.0.6) stable; urgency=medium
* Bugs: * Bugs:
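Review bot: #2012 "Several issues with notification system" is listed twice in this stanza, once under Bugs and again under Improvements; keep it in one section. The same stanza also freezes a few typos into the released changelog: "Tranlation" (#1948), "differents type" (#1967) and "occures" (#1993). Since #1943 is the only security entry of the release (CVE-2019-19791, Apache access rules and SOAP/REST endpoints), operators would benefit from the entry stating whether existing deployments need a configuration change on upgrade, not only that the issue was fixed.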
......
lemonldap-ng (2.0.7-1) unstable; urgency=medium
* New release. See changes on our website:
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
-- Clement OUDOT <clement@oodo.net> Sat, 21 Dec 2019 17:00:00 +0100
lemonldap-ng (2.0.6-1) unstable; urgency=medium lemonldap-ng (2.0.6-1) unstable; urgency=medium
* New release. See changes on our website: * New release. See changes on our website:
......
...@@ -90,7 +90,7 @@ ...@@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form> <form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav"> <ul class="nav navbar-nav">
<li><a href="/authchoice_with_slave_and_secured_cookie_gt/double_cookies_for_a_single_session?do=login&amp;sectok=594f5b54f4cd53665bf9d5ac7a31ad7a" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul> <li><a href="/authchoice_with_slave_and_secured_cookie_gt/double_cookies_for_a_single_session?do=login&amp;sectok=dd0430f7cec89a350deb28406029abc8" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div> </div>
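Review bot: the only change in this hunk is the DokuWiki `sectok` value embedded in the exported Login link (`sectok=594f5b54...` to `sectok=dd0430f7...`), a per-session anti-CSRF token that is regenerated on every export and therefore produces a spurious diff each time the static documentation is rebuilt; the same churn appears in the other exported pages further down in this commit. Consider stripping the login link, or at least the `sectok` parameter, in the export step so that documentation diffs only show real content changes.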
...@@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio ...@@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site --> </div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=authchoice_with_slave_and_secured_cookie_gt%3Adouble_cookies_for_a_single_session&amp;1569271173" width="2" height="1" alt="" /></div> <div class="no"><img src="/lib/exe/indexer.php?id=authchoice_with_slave_and_secured_cookie_gt%3Adouble_cookies_for_a_single_session&amp;1576942824" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no"> <div id="screen__mode" class="no">
<span class="visible-xs"></span> <span class="visible-xs"></span>
<span class="visible-sm"></span> <span class="visible-sm"></span>
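Review bot: likewise the `/lib/exe/indexer.php?...&amp;1569271173` to `...&amp;1576942824` change is only the DokuWiki indexer cache-buster timestamp. The 2x1 tracking image has no function in a static export and should be removed by the export step rather than re-committed with a new value at every release.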
......
...@@ -4,7 +4,7 @@ ...@@ -4,7 +4,7 @@
<meta charset="utf-8" /> <meta charset="utf-8" />
<title>documentation:2.0:applications</title> <title>documentation:2.0:applications</title>
<meta name="generator" content="DokuWiki"/> <meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/> <meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,applications"/> <meta name="keywords" content="documentation,2.0,applications"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/> <link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="applications.html"/> <link rel="start" href="applications.html"/>
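Review bot: the `robots` meta flips from `noindex,nofollow` to `index,follow` for this page (and again for humhub.html later in this commit). Confirm this is a deliberate decision to make the published documentation indexable rather than a side effect of exporting under a different DokuWiki user or configuration; if deliberate, it affects every exported page and deserves a line in the commit message.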
......
...@@ -171,7 +171,7 @@ Edit then <code>share-config-custom.xml</code> and uncomment the last part. In t ...@@ -171,7 +171,7 @@ Edit then <code>share-config-custom.xml</code> and uncomment the last part. In t
<span class="sc3"><span class="re1">&lt;name<span class="re2">&gt;</span></span></span>Alfresco - user access<span class="sc3"><span class="re1">&lt;/name<span class="re2">&gt;</span></span></span> <span class="sc3"><span class="re1">&lt;name<span class="re2">&gt;</span></span></span>Alfresco - user access<span class="sc3"><span class="re1">&lt;/name<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;description<span class="re2">&gt;</span></span></span>Access to Alfresco Repository WebScripts that require user authentication<span class="sc3"><span class="re1">&lt;/description<span class="re2">&gt;</span></span></span> <span class="sc3"><span class="re1">&lt;description<span class="re2">&gt;</span></span></span>Access to Alfresco Repository WebScripts that require user authentication<span class="sc3"><span class="re1">&lt;/description<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;connector-id<span class="re2">&gt;</span></span></span>alfrescoHeader<span class="sc3"><span class="re1">&lt;/connector-id<span class="re2">&gt;</span></span></span> <span class="sc3"><span class="re1">&lt;connector-id<span class="re2">&gt;</span></span></span>alfrescoHeader<span class="sc3"><span class="re1">&lt;/connector-id<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;endpoint-url<span class="re2">&gt;</span></span></span>http://localhost:8080/alfresco/wcs<span class="sc3"><span class="re1">&lt;/endpoint-url<span class="re2">&gt;</span></span></span> <span class="sc3"><span class="re1">&lt;endpoint-url<span class="re2">&gt;</span></span></span>http://localhost:8080/alfresco/s<span class="sc3"><span class="re1">&lt;/endpoint-url<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;identity<span class="re2">&gt;</span></span></span>user<span class="sc3"><span class="re1">&lt;/identity<span class="re2">&gt;</span></span></span> <span class="sc3"><span class="re1">&lt;identity<span class="re2">&gt;</span></span></span>user<span class="sc3"><span class="re1">&lt;/identity<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;external-auth<span class="re2">&gt;</span></span></span>true<span class="sc3"><span class="re1">&lt;/external-auth<span class="re2">&gt;</span></span></span> <span class="sc3"><span class="re1">&lt;external-auth<span class="re2">&gt;</span></span></span>true<span class="sc3"><span class="re1">&lt;/external-auth<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/endpoint<span class="re2">&gt;</span></span></span> <span class="sc3"><span class="re1">&lt;/endpoint<span class="re2">&gt;</span></span></span>
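Review bot: the `endpoint-url` changes from `http://localhost:8080/alfresco/wcs` to `http://localhost:8080/alfresco/s` with no explanation in the surrounding text, so a reader on an older Alfresco release has no way to tell which path applies to them. Add a sentence stating why the path changed and which Alfresco versions expect which alias. Since this endpoint has `external-auth` set to `true` on the `alfrescoHeader` connector, i.e. it accepts the user identity from an HTTP header, the warning that appears in the next hunk (access to Alfresco must be restricted to LL::NG) is worth repeating right next to this snippet rather than several lines below it.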
...@@ -184,7 +184,7 @@ You need to restart Tomcat to apply changes. ...@@ -184,7 +184,7 @@ You need to restart Tomcat to apply changes.
<div class="notewarning">Now you can log in with a simple HTTP header. You need to restrict access to Alfresco to <abbr title="LemonLDAP::NG">LL::NG</abbr>. <div class="notewarning">Now you can log in with a simple HTTP header. You need to restrict access to Alfresco to <abbr title="LemonLDAP::NG">LL::NG</abbr>.
</div> </div>
</div> </div>
<!-- EDIT4 SECTION "Alfresco" [457-3157] --> <!-- EDIT4 SECTION "Alfresco" [457-3155] -->
<h3 class="sectionedit5" id="llng">LL::NG</h3> <h3 class="sectionedit5" id="llng">LL::NG</h3>
<div class="level3"> <div class="level3">
...@@ -217,12 +217,12 @@ Other rules: ...@@ -217,12 +217,12 @@ Other rules:
</ul> </ul>
</div> </div>
<!-- EDIT5 SECTION "LL::NG" [3158-3497] --> <!-- EDIT5 SECTION "LL::NG" [3156-3495] -->
<h2 class="sectionedit6" id="saml2">SAML2</h2> <h2 class="sectionedit6" id="saml2">SAML2</h2>
<div class="level2"> <div class="level2">
</div> </div>
<!-- EDIT6 SECTION "SAML2" [3498-3517] --> <!-- EDIT6 SECTION "SAML2" [3496-3515] -->
<h3 class="sectionedit7" id="alfresco2">Alfresco</h3> <h3 class="sectionedit7" id="alfresco2">Alfresco</h3>
<div class="level3"> <div class="level3">
...@@ -521,7 +521,7 @@ To finish with Alfresco configuration, tick the “Enable <abbr title="Security ...@@ -521,7 +521,7 @@ To finish with Alfresco configuration, tick the “Enable <abbr title="Security
</p> </p>
</div> </div>
<!-- EDIT7 SECTION "Alfresco" [3518-14174] --> <!-- EDIT7 SECTION "Alfresco" [3516-14172] -->
<h3 class="sectionedit8" id="llng1">LL::NG</h3> <h3 class="sectionedit8" id="llng1">LL::NG</h3>
<div class="level3"> <div class="level3">
...@@ -556,7 +556,7 @@ And you can define these exported attributes: ...@@ -556,7 +556,7 @@ And you can define these exported attributes:
</ul> </ul>
</div> </div>
<!-- EDIT8 SECTION "LL::NG" [14175-14553] --> <!-- EDIT8 SECTION "LL::NG" [14173-14551] -->
<h2 class="sectionedit9" id="other_resources">Other resources</h2> <h2 class="sectionedit9" id="other_resources">Other resources</h2>
<div class="level2"> <div class="level2">
<ul> <ul>
...@@ -567,6 +567,6 @@ And you can define these exported attributes: ...@@ -567,6 +567,6 @@ And you can define these exported attributes:
</ul> </ul>
</div> </div>
<!-- EDIT9 SECTION "Other resources" [14554-] --></div> <!-- EDIT9 SECTION "Other resources" [14552-] --></div>
</body> </body>
</html> </html>
...@@ -93,7 +93,7 @@ The Basic Authentication relies on a specific HTTP header, as described above. S ...@@ -93,7 +93,7 @@ The Basic Authentication relies on a specific HTTP header, as described above. S
<p> <p>
For example, to forward login (<code>$uid</code>) and password (<code>$_password</code> if <a href="../passwordstore.html" class="wikilink1" title="documentation:2.0:passwordstore">password is stored in session</a>): For example, to forward login (<code>$uid</code>) and password (<code>$_password</code> if <a href="../passwordstore.html" class="wikilink1" title="documentation:2.0:passwordstore">password is stored in session</a>):
</p> </p>
<pre class="code">Authorization =&gt; &quot;Basic &quot;.encode_base64(&quot;$uid:$_password&quot;)</pre> <pre class="code">Authorization =&gt; &quot;Basic &quot;.encode_base64(&quot;$uid:$_password&quot;, &quot;&quot;)</pre>
<p> <p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> provides a special function named <a href="../extendedfunctions.html#basic" class="wikilink1" title="documentation:2.0:extendedfunctions">basic</a> to build this header. <abbr title="LemonLDAP::NG">LL::NG</abbr> provides a special function named <a href="../extendedfunctions.html#basic" class="wikilink1" title="documentation:2.0:extendedfunctions">basic</a> to build this header.
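Review bot: passing `""` as the second argument of `encode_base64()` is the right fix: Perl's encode_base64 appends a newline as its default line terminator, and a trailing newline inside the `Authorization` header value produces a malformed header that backends reject. The paragraph above the snippet does not explain the second argument, so add a short note on why it is there, or point readers first at the `basic` extended function that the next sentence says is provided for building exactly this header.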
......
...@@ -198,7 +198,7 @@ Configure the <a href="../writingrulesand_headers.html#headers" class="wikilink1 ...@@ -198,7 +198,7 @@ Configure the <a href="../writingrulesand_headers.html#headers" class="wikilink1
</li> </li>
<li class="level1"><div class="li"> Auth-Mail: $mail</div> <li class="level1"><div class="li"> Auth-Mail: $mail</div>
</li> </li>
<li class="level1"><div class="li"> Auth-Groups: encode_base64($groups,&#039;&#039;)</div> <li class="level1"><div class="li"> Auth-Groups: encode_base64($groups,&quot;&quot;)</div>
</li> </li>
</ul> </ul>
<div class="noteimportant">To allow execution of encode_base64() method, you must deactivate the <a href="../safejail.html" class="wikilink1" title="documentation:2.0:safejail">Safe jail</a>. <div class="noteimportant">To allow execution of encode_base64() method, you must deactivate the <a href="../safejail.html" class="wikilink1" title="documentation:2.0:safejail">Safe jail</a>.
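Review bot: the change from `''` to `""` is purely cosmetic in a Perl expression, but the `noteimportant` under the list still tells administrators to deactivate the Safe jail in order to call `encode_base64()`. Disabling the jail for every rule and header expression is a large hardening loss to recommend in an application how-to; check whether the function is usable inside the jail as an extended function (the previous hunk links the extended functions page for this very purpose) and, if it is, replace the instruction with that pointer.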
......
...@@ -4,7 +4,7 @@ ...@@ -4,7 +4,7 @@
<meta charset="utf-8" /> <meta charset="utf-8" />
<title>documentation:2.0:applications:humhub</title> <title>documentation:2.0:applications:humhub</title>
<meta name="generator" content="DokuWiki"/> <meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/> <meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,applications,humhub"/> <meta name="keywords" content="documentation,2.0,applications,humhub"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/> <link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="humhub.html"/> <link rel="start" href="humhub.html"/>
...@@ -54,6 +54,7 @@ ...@@ -54,6 +54,7 @@
<ul class="toc"> <ul class="toc">
<li class="level2"><div class="li"><a href="#configuring_humhub">Configuring HumHub</a></div></li> <li class="level2"><div class="li"><a href="#configuring_humhub">Configuring HumHub</a></div></li>
<li class="level2"><div class="li"><a href="#configuring_lemonldap">Configuring LemonLDAP</a></div></li> <li class="level2"><div class="li"><a href="#configuring_lemonldap">Configuring LemonLDAP</a></div></li>
<li class="level2"><div class="li"><a href="#migrate_former_local_or_ldap_humhub_account_to_connect_through_sso">Migrate former local or ldap Humhub account to connect through SSO</a></div></li>
<li class="level2"><div class="li"><a href="#troubleshooting">Troubleshooting</a></div></li> <li class="level2"><div class="li"><a href="#troubleshooting">Troubleshooting</a></div></li>
</ul></li> </ul></li>
</ul> </ul>
...@@ -88,28 +89,30 @@ Administrator can configure one or several OAuth, OAuth2 or OIDC authentication ...@@ -88,28 +89,30 @@ Administrator can configure one or several OAuth, OAuth2 or OIDC authentication
<p> <p>
With <a href="#openid_connect" title="documentation:2.0:applications:humhub ↵" class="wikilink1"> OpenID Connect </a> authentication service, users successfully authenticated by LemonLDAP::NG will be registered in HumHub upon their first login. With <a href="#openid_connect" title="documentation:2.0:applications:humhub ↵" class="wikilink1"> OpenID Connect </a> authentication service, users successfully authenticated by LemonLDAP::NG will be registered in HumHub upon their first login.
</p> </p>
<div class="notewarning">HumHub retrieves a user from his username and the authentication service he came through. As a result, a former local or LDAP user will be rejected when trying to authenticate using another authentication service. <div class="notewarning">HumHub retrieves a user from his username and the authentication service he came through. As a result, a former local or LDAP user will be rejected when trying to authenticate using another authentication service. See <a href="#migrate_former_local_or_ldap_humhub_account_to_connect_through_sso" title="documentation:2.0:applications:humhub ↵" class="wikilink1"> Migrate former local or ldap Humhub account to connect through SSO</a>
</div> </div>
</div> </div>
<!-- EDIT2 SECTION "Présentation" [68-1041] --> <!-- EDIT2 SECTION "Présentation" [68-1186] -->
<h2 class="sectionedit3" id="openid_connect">OpenID Connect</h2> <h2 class="sectionedit3" id="openid_connect">OpenID Connect</h2>
<div class="level2"> <div class="level2">
<div class="noteclassic">This set-up works with option enablePrettyUrl activated in Humhub. If not activated, rewrite <abbr title="Uniform Resource Locator">URL</abbr> in Humhub HTTP server and allowed redirect <abbr title="Uniform Resource Locator">URL</abbr> in LemonLDAP needs to be adapted to work with the non pretty <abbr title="Uniform Resource Locator">URL</abbr> format.
</div> </div>
<!-- EDIT3 SECTION "OpenID Connect" [1042-1069] --> </div>
<!-- EDIT3 SECTION "OpenID Connect" [1187-1450] -->
<h3 class="sectionedit4" id="configuring_humhub">Configuring HumHub</h3> <h3 class="sectionedit4" id="configuring_humhub">Configuring HumHub</h3>
<div class="level3"> <div class="level3">
<p> <p>
First disable LDAP (Administration &gt; Users section) and delete (or migrate source) any local users whose username or email are conflicting with the username or email of your OIDC users. First disable LDAP (Administration &gt; Users section) and delete (or <a href="#migrate_former_local_or_ldap_humhub_account_to_connect_through_sso" title="documentation:2.0:applications:humhub ↵" class="wikilink1"> migrate</a>) any local users whose username or email are conflicting with the username or email of your OIDC users.
</p> </p>
<p> <p>
Then install and configure the <a href="https://github.com/Worteks/humhub-auth-oidc" class="urlextern" title="https://github.com/Worteks/humhub-auth-oidc" rel="nofollow"> OIDC connector for humhub </a> extension using composer : Then install and configure the <a href="https://github.com/Worteks/humhub-auth-oidc" class="urlextern" title="https://github.com/Worteks/humhub-auth-oidc" rel="nofollow"> OIDC connector for humhub </a> extension using composer :
</p> </p>
<ul> <ul>
<li class="level1"><div class="li"> Install composer and php-tokenizer.</div> <li class="level1"><div class="li"> Install composer.</div>
</li> </li>
</ul> </ul>
<ul> <ul>
...@@ -118,34 +121,89 @@ Then install and configure the <a href="https://github.com/Worteks/humhub-auth-o ...@@ -118,34 +121,89 @@ Then install and configure the <a href="https://github.com/Worteks/humhub-auth-o
</ul> </ul>
<pre class="code">composer global require hirak/prestissimo</pre> <pre class="code">composer global require hirak/prestissimo</pre>
<ul> <ul>
<li class="level1"><div class="li"> Go to {humhumb_home} folder (containing humhub&#039;s composer.json file) and execute</div> <li class="level1"><div class="li"> Go to {humhub_home} folder</div>
</li>
</ul>
<ul>
<li class="level1"><div class="li"> Check if composer.json file is present. If not, download it for your current version:</div>
</li>
</ul>
<pre class="code">wget https://raw.githubusercontent.com/humhub/humhub/v1.3.15/composer.json</pre>
<ul>
<li class="level1"><div class="li"> Install the connector as a dependency: </div>
</li> </li>
</ul> </ul>
<pre class="code">composer require --no-update --update-no-dev worteks/humhub-auth-oidc <pre class="code">composer require --no-update --update-no-dev worteks/humhub-auth-oidc
composer update worteks/humhub-auth-oidc --no-dev --prefer-dist -vvv</pre> composer update worteks/humhub-auth-oidc --no-dev --prefer-dist -vvv</pre>
<ul> <div class="noteclassic">If you just need to update the connector, change its version in composer.json and run the above composer update command.
<li class="level1"><div class="li"> Edit {humhumb_home}/protected/config/common.php with the client configuration :</div>
</div><ul>
<li class="level1"><div class="li"> Edit {humhub_home}/protected/config/common.php with the client configuration :</div>
</li> </li>
</ul> </ul>
<pre class="code">&#039;components&#039; =&gt; [ <pre class="code">&#039;components&#039; =&gt; [
&#039;authClientCollection&#039; =&gt; [ &#039;authClientCollection&#039; =&gt; [
&#039;authClientCollection&#039; =&gt; [ &#039;clients&#039; =&gt; [
&#039;clients&#039; =&gt; [ // ...
// ... &#039;lemonldapng&#039; =&gt; [
&#039;lemonldapng&#039; =&gt; [ &#039;class&#039; =&gt; &#039;worteks\humhub\authclient\OIDC&#039;,
&#039;class&#039; =&gt; &#039;worteks\humhub\authclient\OIDC&#039;, &#039;domain&#039; =&gt; &#039;https://auth.example.com&#039;,
&#039;domain&#039; =&gt; &#039;https://auth.example.com&#039;, &#039;clientId&#039; =&gt; &#039;myClientId&#039;, // Client ID for this RP in LemonLDAP
&#039;clientId&#039; =&gt; &#039;myClientId&#039;, // Client ID for this RP in LemonLDAP &#039;clientSecret&#039; =&gt; &#039;myClientSecret&#039;, // Client secret for this RP in LemonLDAP
&#039;clientSecret&#039; =&gt; &#039;myClientSecret&#039;, // Client secret for this RP in LemonLDAP &#039;defaultTitle&#039; =&gt; &#039;auth.example.com&#039;, // Text displayed in login button
&#039;defaultTitle&#039; =&gt; &#039;auth.example.com&#039;, // Text displayed in login button &#039;cssIcon&#039; =&gt; &#039;fa fa-lemon-o&#039;, // Icon displayed in login button
], ],
], ],
],
// ... // ...
]</pre> ]</pre>
<ul>
<li class="level1"><div class="li"> Edit {humhub_home}/protected/config/web.php to disconnect users from LemonLDAP::NG after they logged out of Humhub:</div>
</li>
</ul>
<pre class="code">return [
// ...
&#039;modules&#039; =&gt; [
&#039;user&#039; =&gt; [
&#039;logoutUrl&#039; =&gt; &#039;https://auth.domain.com/?logout=1&#039;,
],
]
];</pre>
<p>
User can now log in through <abbr title="Single Sign On">SSO</abbr> using a button on humhub logging page. If you want to remove this intermediate login page, so user are automatically logged in through <abbr title="Single Sign On">SSO</abbr> when they first access Humhub, you can set up a redirection in the http server in front of the application :
</p>
<ul>
<li class="level1"><div class="li"> Example in apache</div>
</li>
</ul>
<pre class="code">RewriteEngine On
RewriteCond %{QUERY_STRING} !nosso [NC]
RewriteRule &quot;^/user/auth/login$&quot; &quot;/user/auth/external?authclient=lemonldapng&quot; [L,R=301]</pre>
<ul>
<li class="level1"><div class="li"> Example in nginx</div>
</li>
</ul>
<pre class="code">if ($query_string !~ &quot;nosso&quot;){
rewrite ^/user/auth/login$ /user/auth/external?authclient=lemonldapng permanent;
}</pre>
<p>
If the authentication was successful but the user could not be registered in Humhub (which often happen if there is a conflict between source, username or email), Humhub will redirect to the login page to display the error, which trigger a redirection to the portal, ultimately triggering a loop error while registration error is not displayed.
</p>
<p>
To change this behavior and display the registration error, AuthController.onAuthSuccess method needs to be adapted so redirect to <abbr title="Single Sign On">SSO</abbr> will be bypassed when a registration error occured. This works for version 1.3.15 :
</p>
<ul>
<li class="level1"><div class="li"> Go to {humhub_home} folder</div>
</li>
<li class="level1"><div class="li"> Execute</div>
</li>
</ul>
<pre class="code">sed -i &quot;s|return \$this-&gt;redirect(\[&#039;/user/auth/login&#039;\]);|return \$this-&gt;redirect([&#039;/user/auth/login&#039;,&#039;nosso&#039;=&gt;&#039;showerror&#039;]);|&quot; protected/humhub/modules/user/controllers/AuthController.php</pre>
</div> </div>
<!-- EDIT4 SECTION "Configuring HumHub" [1070-2515] --> <!-- EDIT4 SECTION "Configuring HumHub" [1451-4994] -->
<h3 class="sectionedit5" id="configuring_lemonldap">Configuring LemonLDAP</h3> <h3 class="sectionedit5" id="configuring_lemonldap">Configuring LemonLDAP</h3>
<div class="level3"> <div class="level3">
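Review bot: the `components` array in the `common.php` sample is never closed: on the new side the three closing brackets close `lemonldapng`, `clients` and `authClientCollection`, then the snippet ends, so pasting it as shown gives a parse error; add the final `],` or label the block as a fragment. The `logoutUrl` sample uses `https://auth.domain.com/?logout=1` while the client configuration above it uses `https://auth.example.com`; use one hostname so both snippets are visibly meant for the same portal. Both redirect examples (`[L,R=301]` in Apache, `permanent` in nginx) send a permanent redirect for the login page, which browsers cache; a temporary redirect (302 / `redirect`) is safer for a login endpoint because it can be withdrawn later without clients keeping the old behaviour. Finally, the `sed` one-liner edits HumHub core (`protected/humhub/modules/user/controllers/AuthController.php`), will be undone by the next HumHub upgrade and is stated to work only for 1.3.15; say so explicitly and advise re-checking the pattern after every upgrade.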
...@@ -154,7 +212,7 @@ If not done yet, configure LemonLDAP::NG as an <a href="../openidconnectservice. ...@@ -154,7 +212,7 @@ If not done yet, configure LemonLDAP::NG as an <a href="../openidconnectservice.
</p> </p>
<p> <p>
Then, configure LemonLDAP::NG to recognize your HumHub instance as a valid <a href="../idpopenidconnect.html" class="wikilink1" title="documentation:2.0:idpopenidconnect"> new OpenID Connect relaying party </a> using the following parameters: Then, configure LemonLDAP::NG to recognize your HumHub instance as a valid <a href="../idpopenidconnect.html" class="wikilink1" title="documentation:2.0:idpopenidconnect"> new OpenID Connect Relying Party </a> using the following parameters:
</p> </p>
<ul> <ul>
<li class="level1"><div class="li"> <strong>Client ID</strong>: the same you set in HumHub configuration</div> <li class="level1"><div class="li"> <strong>Client ID</strong>: the same you set in HumHub configuration</div>
...@@ -193,8 +251,39 @@ Configuration sample using CLI: ...@@ -193,8 +251,39 @@ Configuration sample using CLI:
oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsBypassConsent 1 &amp;&amp; \</pre> oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsBypassConsent 1 &amp;&amp; \</pre>
</div> </div>
<!-- EDIT5 SECTION "Configuring LemonLDAP" [2516-4258] --> <!-- EDIT5 SECTION "Configuring LemonLDAP" [4995-6736] -->
<h3 class="sectionedit6" id="troubleshooting">Troubleshooting</h3> <h3 class="sectionedit6" id="migrate_former_local_or_ldap_humhub_account_to_connect_through_sso">Migrate former local or ldap Humhub account to connect through SSO</h3>
<div class="level3">
<p>
You need to manually update Humhub database to swith authentication mode to LemonLDAP::NG.
</p>
<p>
Table &quot;user&quot;:
</p>
<ul>
<li class="level1"><div class="li"> Columns &quot;username&quot; and &quot;email&quot; should match exactly OIDC sub and email attributes ;</div>
</li>
<li class="level1"><div class="li"> If former ldap user, change column &quot;auth_mode&quot; to &quot;local&quot;.</div>
</li>
</ul>
<p>
Table &quot;user_auth&quot;:
</p>
<ul>
<li class="level1"><div class="li"> Add an entry with user_id, username and &quot;lemonldapng&quot; as source (or the name you chose in your connector configuration) :</div>
</li>
</ul>
<pre class="code">+---------+-------------+-------------+
| user_id | source | source_id |
+---------+-------------+-------------+
| 4 | lemonldapng | jdoe |</pre>
</div>
<!-- EDIT6 SECTION "Migrate former local or ldap Humhub account to connect through SSO" [6737-7396] -->
<h3 class="sectionedit7" id="troubleshooting">Troubleshooting</h3>
<div class="level3"> <div class="level3">
<p> <p>
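Review bot: the list item says to add a `user_auth` row with "user_id, username and `lemonldapng` as source", but the sample table that follows has columns `user_id`, `source` and `source_id`, with `jdoe` in `source_id`; name `source_id` in the text and say what it must hold (the value the connector receives as the OIDC `sub`, consistent with the earlier bullet requiring `username` to match `sub`). Also "swith" should read "switch", and the table sample is missing its closing border line, so it reads as truncated. Since this section describes a manual write to the production database, it should tell readers to back up the `user` and `user_auth` tables before making the change.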
...@@ -205,6 +294,6 @@ If LemonLDAP login page freezes because of a browser security blockage, adapt se ...@@ -205,6 +294,6 @@ If LemonLDAP login page freezes because of a browser security blockage, adapt se
cspFormAction &quot;&#039;self&#039; https://*.example.com&quot;</pre> cspFormAction &quot;&#039;self&#039; https://*.example.com&quot;</pre>
</div> </div>
<!-- EDIT6 SECTION "Troubleshooting" [4259-] --></div> <!-- EDIT7 SECTION "Troubleshooting" [7397-] --></div>
</body> </body>
</html> </html>
...@@ -90,7 +90,7 @@ ...@@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form> <form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav"> <ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/img/icons.png?do=login&amp;sectok=594f5b54f4cd53665bf9d5ac7a31ad7a" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul> <li><a href="/documentation/2.0/applications/img/icons.png?do=login&amp;sectok=dd0430f7cec89a350deb28406029abc8" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div> </div>
...@@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio ...@@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site --> </div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aicons.png&amp;1569271147" width="2" height="1" alt="" /></div> <div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aicons.png&amp;1576942799" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no"> <div id="screen__mode" class="no">
<span class="visible-xs"></span> <span class="visible-xs"></span>
<span class="visible-sm"></span> <span class="visible-sm"></span>
......
...@@ -90,7 +90,7 @@ ...@@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form> <form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav"> <ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/img/loader.gif?do=login&amp;sectok=594f5b54f4cd53665bf9d5ac7a31ad7a" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul> <li><a href="/documentation/2.0/applications/img/loader.gif?do=login&amp;sectok=dd0430f7cec89a350deb28406029abc8" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div> </div>
...@@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio ...@@ -272,7 +272,7 @@ You&#039;ve followed a link t