Back to overview

SAML - SSO

Add it on-the-fly to your HumHub by activating it in the Modules menu! ("Administration -> Modules")

SAML SSO

With the SAML SSO module, users can be automatically registered and logged into the HumHub installation using a SAML Identity Provider.

Security Assertion Markup Language (SAML) is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP).

Note: This module is currently in beta stage

Cookie Configuration

We recommend that you disable the feature for SameSite cookies at this time, otherwise you may experience problems with some older Safari browsers.

Example of @humhub/protected/config/web.php:

<?php
//...
$config => [
  // ...
  'components' => [  
      'session' => [
            'cookieParams' => [
                'sameSite' => null,
            ],
      ],
  ],
  //...
];

Tested SAML Identity Providers

SimpleSAML

No known limitations.

Active Directory Federation Services (ADFS)

For ADFS as IdP, URL rewriting must be activated.

In addition, the following line must be added to the configuration to avoid a problem with the provided Entity ID:

// /protected/config/common.php
return [
    // ...
    'components' => [
        'urlManager' => [
            'showScriptName' => false,
            'enablePrettyUrl' => true,
            'rules' => [
                'sso-adfs/<authclient>' => 'saml-sso/metadata',
            ]
        ],
    ],
    // ...
];

Keycloak

Install client using Metadata File
Disable: (Realm) -> Client Scopes -> role_list (saml) -> Mappers tab -> role list -> 'Single Role Attribute'.

Okta

Currently the SLO (Single Logout) does not work correctly.

Encrypted and Signed SP messages

Create a self-signed certificate.

openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem

Add the contents of the file

`saml.pem in the input field SP: Private key`
`saml.crt in the input field SP: X.509 certificate`

of the SAML configuration.

Dependencies

php >= 5.3.3 and some core extensions like php-xml, php-date, php-zlib.
openssl. Install the openssl library. It handles x509 certificates.
mcrypt. Install that library and its php driver if you're going to handle encrypted data (nameID, assertions).
gettext. Install that library and its php driver. It handles translations.
curl. Install that library and its php driver if you plan to use the IdP Metadata parser.

Since PHP 5.3 is officially unsupported we recommend you to use a newer PHP version.

Licences

HumHub licences at: https://www.humhub.com/licences
Based on Simple SAML toolkit
Module icon made by Freepik from Flaticon.

1.1.2 (January 25, 2021)

Fix: Improved handling of empty attribute value arrays
Enh: Updated translations

1.1.1 (May 20, 2020)

Fix: Problem with console usage

1.1.0 (May 19, 2020)

Enh: Added "Information" section to SAML configuration

1.0.0 (January 7, 2020)

Enh: Initial commit of first beta version

Version:
1.1.2 (released 6 months ago)

Publisher:
HumHub GmbH & Co. KG

Website:
https://github.com/humhub/humhub-modules-saml-sso

Compatibility:
HumHub 1.4 - Latest

Professional Edition

This module is part of the Professional Edition.