首页 文章

带有WSO2 Identity Server Passive STS的SharePoint 2013 SSO

提问于
浏览
0

我正在尝试SSO到Share Point 2013网站使用WSO2 Identity Server被动sts支持 .

以下是Identity Server的SAML响应表单

<Attribute AttributeName="Email"
                                               AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
                                               >
                                            <AttributeValue>admin@wso2.com</AttributeValue>
                                    </Attribute>

我正在关注登录Share Point一侧 .

04/16/2015 11:40:13.61  w3wp.exe (0x0B18)                           0x0640  SharePoint Foundation           Claims Authentication           ajau6   Verbose     SPSecurityTokenServiceManager!GetProviderByName: Returning Trusted Login Provider for input WSO2PassiveSTS1 6130fd9c-aa57-b0ac-0000-0c3c2aa42924
04/16/2015 11:40:13.63  w3wp.exe (0x0B18)                           0x0640  SharePoint Foundation           Claims Authentication           eu2n    Monitorable Trusted login provider 'WSO2PassiveSTS1' is not sending configured input identity claim type 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'.  6130fd9c-aa57-b0ac-0000-0c3c2aa42924
04/16/2015 11:40:13.65  w3wp.exe (0x0B18)                           0x0640  SharePoint Foundation           Claims Authentication           fo1t    Monitorable STS Call: Failed to issue new security token. Exception: System.ServiceModel.FaultException: The trusted login provider did not supply a token accepted by this farm.     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo.ValidateTrustedLoginRequest(SPRequestSecurityToken request)     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetTokenLifetime(Lifetime requestLifetime)     at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityToken request)     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityToken request)  6130fd9c-aa57-b0ac-0000-0c3c2aa42924

以下是我在Sharepoint中的IDP配置 .

$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

$realm="http://win-3oo8vau2hv9:48077/_trust"

$ap=New-SPTrustedIdentityTokenIssuer -Name "WSO2PassiveSTS1" -Description "WSO2 Identity Server1" –Realm $realm -ClaimsMappings $map1  -ImportTrustCertificate $cert -SignInUrl "https://localhost:9443/passivests" -IdentifierClaim $map1.InputClaimType
single-sign-on sharepoint-2013 saml wso2is

1 回答

  • 0

    Incomming索赔类型应为http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email

    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

    SAML令牌的到期时间应超过10分钟 .

    SharePoint使用saml令牌有效期来确定生命周期,如果LogonTokenCacheExpirationWindow(默认情况下SharePoint 10分钟内的设置)大于断言的生命周期,则SharePoint将不允许用户登录并将重定向回IdP ,它将在无限循环中重定向回SharePoint .

    SAML响应中的属性应如下所示

    <Attribute AttributeName="email"
                                               AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
                                               >
                                            <AttributeValue>admin@wso2.com</AttributeValue>
                                    </Attribute>
    回复于

相关问题