 
HumHub is a free and open-source social network written on top of the Yii2 PHP framework that provides an easy-to-use toolkit for creating and launching your own social network.
Unauthenticated users may connect using a login form against the HumHub local database or an LDAP directory, or choose which authentication service they want to use.
An administrator can configure one or several OAuth, OAuth2 or OIDC authentication services to be displayed as buttons on the login page.
With the OpenID Connect authentication service, users successfully authenticated by LemonLDAP::NG will be registered in HumHub upon their first login.
First disable LDAP (Administration > Users section) and delete (or migrate) any local users whose username or email conflicts with the username or email of your OIDC users.
Then install and configure the OIDC connector for HumHub extension using Composer:
composer global require hirak/prestissimo
wget https://raw.githubusercontent.com/humhub/humhub/v1.3.15/composer.json
composer require --no-update --update-no-dev worteks/humhub-auth-oidc
composer update worteks/humhub-auth-oidc --no-dev --prefer-dist -vvv
'components' => [
  'authClientCollection' => [
    'clients' => [
      // ...
      'lemonldapng' => [
        'class' => 'worteks\humhub\authclient\OIDC',
        'domain' => 'https://auth.example.com',
        'clientId' => 'myClientId', // Client ID for this RP in LemonLDAP
        'clientSecret' => 'myClientSecret', // Client secret for this RP in LemonLDAP
        'defaultTitle' => 'auth.example.com', // Text displayed in login button
        'cssIcon' => 'fa fa-lemon-o', // Icon displayed in login button
      ],
    ],
  ],
  // ...
],
return [
  // ...
  'modules' => [
    'user' => [
      'logoutUrl' => 'https://auth.domain.com/?logout=1',
    ],
  ],
];
Users can now log in through SSO using a button on the HumHub login page. If you want to remove this intermediate login page, so that users are automatically logged in through SSO when they first access HumHub, you can set up a redirection in the HTTP server in front of the application:
Apache:
RewriteEngine On
RewriteCond %{QUERY_STRING} !nosso [NC]
RewriteRule "^/user/auth/login$" "/user/auth/external?authclient=lemonldapng" [L,R=301]
Nginx:
if ($query_string !~ "nosso"){
  rewrite ^/user/auth/login$ /user/auth/external?authclient=lemonldapng permanent;
}
If the authentication was successful but the user could not be registered in HumHub (which often happens if there is a conflict between source, username or email), HumHub redirects to the login page to display the error. With the redirection above in place, this triggers a new redirection to the portal, which ultimately produces a redirect loop, and the registration error is never displayed.
To change this behavior and display the registration error, the AuthController.onAuthSuccess method needs to be adapted so that the redirect to SSO is bypassed when a registration error occurred. This works for version 1.3.15:
sed -i "s|return \$this->redirect(\['/user/auth/login'\]);|return \$this->redirect(['/user/auth/login','nosso'=>'showerror']);|" protected/humhub/modules/user/controllers/AuthController.php
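The loop described above, and the effect of the patch, modelled as an added example (not HumHub or LemonLDAP::NG code). The `humhub` function is a simplified stand-in that assumes the portal session is still valid, so the round trip through the portal is collapsed into a single step.

```python
import re
from urllib.parse import urlsplit

LOGIN = "/user/auth/login"
SSO = "/user/auth/external?authclient=lemonldapng"

def front_rewrite(url):
    """Front-end rule from this page: send the login page to SSO unless
    the query string contains 'nosso' (case-insensitive, as with Apache
    [NC]; the Nginx '!~' variant is case-sensitive)."""
    parts = urlsplit(url)
    if parts.path == LOGIN and not re.search("nosso", parts.query, re.I):
        return SSO
    return None

def humhub(url, patched):
    """Assumed model of HumHub when OIDC authentication succeeds but
    registration fails: unpatched it redirects to the bare login page,
    patched it adds the 'nosso' marker set by the sed command."""
    if urlsplit(url).path == "/user/auth/external":
        return LOGIN + ("?nosso=showerror" if patched else "")
    return None  # nothing to redirect: the page (and its error) is rendered

def follow(start, patched, max_hops=10):
    """Follow redirects; return (outcome, list of URLs visited)."""
    url, seen = start, []
    while len(seen) < max_hops:
        if url in seen:
            return "loop", seen
        seen.append(url)
        nxt = front_rewrite(url) or humhub(url, patched)
        if nxt is None:
            return "rendered", seen
        url = nxt
    return "too many redirects", seen

if __name__ == "__main__":
    for patched in (False, True):
        outcome, chain = follow(LOGIN, patched)
        print("patched" if patched else "unpatched", outcome, " -> ".join(chain))
```

Because the rule is a substring match on the whole query string, any login URL whose query contains `nosso` reaches the local login form, which is also how an administrator can still get to it once the redirection is in place.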
If not done yet, configure LemonLDAP::NG as an OpenID Connect service.
Then, configure LemonLDAP::NG to recognize your HumHub instance as a valid new OpenID Connect Relying Party using the following parameters:
Configuration sample using CLI:
  $ /usr/libexec/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
      addKey \
        oidcRPMetaDataExportedVars/humhub given_name givenName \
        oidcRPMetaDataExportedVars/humhub family_name sn \
        oidcRPMetaDataExportedVars/humhub email mail \
        oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsClientID myClientId \
        oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsClientSecret myClientSecret \
        oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsRedirectUris 'https://humhub.example.com/user/auth/external?authclient=lemonldapng'  \
        oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsPostLogoutRedirectUris 'https://humhub.example.com' \
        oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsIDTokenSignAlg RS512 \
        oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsIDTokenExpiration 3600 \
        oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsAccessTokenExpiration 3600 \
        oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsBypassConsent 1
You need to manually update the HumHub database to switch the authentication mode to LemonLDAP::NG.
Table "user":
Table "user_auth":
+---------+-------------+-------------+
| user_id | source      | source_id   |
+---------+-------------+-------------+
| 4       | lemonldapng | jdoe        |
+---------+-------------+-------------+
If the LemonLDAP::NG login page freezes because the browser blocks it for security reasons, adapt the security CSP Form Action setting to allow the HumHub host:
 $ /usr/libexec/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
      set \
        cspFormAction "'self' https://*.example.com"