
SAML - SSO

Integrate your existing Single-Sign-On (SSO) solution using the SAML protocol and provide your users with a convenient way to log in.

Tested SAML Identity Providers

SimpleSAML

No known limitations.

Active Directory Federation Services (ADFS)

In AD FS Management:

  1. Add a Relying Party Trust "HumHub"
  2. Import metadata.xml (downloaded from the SAML module settings)
  3. Add the transformation claim rules "AD-Mapping"

Attribute Store: Active Directory

LDAP Attribute     | Outgoing Claim Type
-------------------|--------------------
SAM Account name   | Name ID
E-Mail Address     | email
SAM Account name   | username

  • URL rewriting must be activated.

Also make sure the checkbox SP: Use deprecated entity ID in the SAML configuration is not checked!

Keycloak

  • Install client using Metadata File
  • Disable: (Realm) -> Client Scopes -> role_list (saml) -> Mappers tab -> role list -> 'Single Role Attribute'.

Okta

Currently, the SLO (Single Logout) does not work correctly.

Advanced SAML settings

In addition to the settings possible in the SAML configuration dialog, further settings can also be made in the configuration file.

The OneLogin SAML library used by the module offers a wide range of additional configuration options.

An example overview of possible settings can be found here:

HumHub Configuration file (protected/config/common.php):

<?php
return [
    // ...
    'modules' => [
        'saml-sso' => [
            'advancedSettings' => [
                // Begin: Custom Settings ****************************************************************
                'compress' => [
                    // ...
                ],
                    
                'security' => [
                    // ...
                ]
                // End: Custom Settings *******************************************************************
            ],
        ]
    ],
    // ...
];
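As an added example (not part of the module's documentation), a hardened 'security' block using the php-saml setting keys that makes the SP sign what it sends and reject unsigned or unsolicited IdP messages; it assumes, based on the layout above, that the module hands 'advancedSettings' straight to the OneLogin library and that the SP key pair entered in the SAML configuration dialog is what signs outgoing messages:

```php
<?php
// protected/config/common.php (added example; assumes 'advancedSettings' is passed
// unchanged to the OneLogin php-saml settings array). Key names are php-saml's
// 'compress' and 'security' settings; the algorithm URIs are the standard XML
// Signature identifiers (RSA-SHA256 signature, SHA-256 digest).
return [
    // ...
    'modules' => [
        'saml-sso' => [
            'advancedSettings' => [
                'compress' => [
                    'requests'  => true, // deflate AuthnRequests sent via HTTP-Redirect
                    'responses' => true,
                ],
                'security' => [
                    // Sign everything the SP emits, using the "SP: Private key"
                    'authnRequestsSigned'  => true,
                    'logoutRequestSigned'  => true,
                    'logoutResponseSigned' => true,
                    'signMetadata'         => true,

                    // Require signatures from the IdP: an unsigned Response or
                    // Assertion is rejected instead of being trusted
                    'wantMessagesSigned'   => true,
                    'wantAssertionsSigned' => true,
                    'wantNameId'           => true,
                    // Switch on once the IdP encrypts assertions to saml.crt
                    'wantAssertionsEncrypted' => false,

                    // Drop Responses whose InResponseTo does not match a request
                    // this SP actually issued (unsolicited/replayed responses)
                    'rejectUnsolicitedResponsesWithInResponseTo' => true,

                    // Validate incoming XML against the SAML schemas
                    'wantXMLValidation' => true,

                    // Pin SHA-256 explicitly rather than relying on the library default
                    'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
                    'digestAlgorithm'    => 'http://www.w3.org/2001/04/xmlenc#sha256',
                ],
            ],
        ],
    ],
    // ...
];
```

Enable the "want*" options only after the IdP is configured to sign its responses and assertions, otherwise every login will be rejected.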

Encrypted and Signed SP messages

Create a self-signed certificate.

openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem

Add the contents of the files

  • `saml.pem` in the input field SP: Private key
  • `saml.crt` in the input field SP: X.509 certificate

of the SAML configuration.

Cookie Configuration

We recommend disabling the SameSite cookie attribute for now; otherwise you may experience problems with some older Safari browsers.

Example of @humhub/protected/config/web.php:

<?php
//...
$config = [
  // ...
  'components' => [
      'session' => [
            'cookieParams' => [
                // Unset the SameSite attribute so the session cookie is sent
                // on the cross-site redirect back from the IdP
                'sameSite' => null,
            ],
      ],
  ],
  //...
];

Dependencies / Module Requirements

  • php >= 5.3.3 and some core extensions like php-xml, php-date, php-zlib.
  • openssl. Install the openssl library. It handles x509 certificates.
  • mcrypt. Install that library and its php driver if you're going to handle encrypted data (nameID, assertions).
  • gettext. Install that library and its php driver. It handles translations.
  • curl. Install that library and its php driver if you plan to use the IdP Metadata parser.

Since PHP 5.3 is officially unsupported, we recommend using a newer PHP version.

Module Information

Latest version release:
2.1.0 - January 19, 2024
Website:
Compatibility:
HumHub 1.14 - Latest