SharePoint 2013 SSO with WSO2 Identity Server Passive STS
I am trying to SSO into a SharePoint 2013 site using the WSO2 Identity Server passive STS support.
Below is the SAML response from Identity Server:
<Attribute AttributeName="Email"
           AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
  <AttributeValue>admin@wso2.com</AttributeValue>
</Attribute>
Here are the logs on the SharePoint side:
04/16/2015 11:40:13.61 w3wp.exe (0x0B18) 0x0640 SharePoint Foundation Claims Authentication ajau6 Verbose SPSecurityTokenServiceManager!GetProviderByName: Returning Trusted Login Provider for input WSO2PassiveSTS1 6130fd9c-aa57-b0ac-0000-0c3c2aa42924
04/16/2015 11:40:13.63 w3wp.exe (0x0B18) 0x0640 SharePoint Foundation Claims Authentication eu2n Monitorable Trusted login provider 'WSO2PassiveSTS1' is not sending configured input identity claim type 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'. 6130fd9c-aa57-b0ac-0000-0c3c2aa42924
04/16/2015 11:40:13.65 w3wp.exe (0x0B18) 0x0640 SharePoint Foundation Claims Authentication fo1t Monitorable STS Call: Failed to issue new security token. Exception: System.ServiceModel.FaultException: The trusted login provider did not supply a token accepted by this farm. at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo.ValidateTrustedLoginRequest(SPRequestSecurityToken request) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetTokenLifetime(Lifetime requestLifetime) at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityToken request) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityToken request) 6130fd9c-aa57-b0ac-0000-0c3c2aa42924
Below is my IdP configuration in SharePoint:
# Map the incoming claim type as-is; this is also used as the identifier claim below.
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$realm = "http://win-3oo8vau2hv9:48077/_trust"
# $cert is the IdP signing certificate loaded earlier (not shown in the post).
$ap = New-SPTrustedIdentityTokenIssuer -Name "WSO2PassiveSTS1" -Description "WSO2 Identity Server1" -Realm $realm -ClaimsMappings $map1 -ImportTrustCertificate $cert -SignInUrl "https://localhost:9443/passivests" -IdentifierClaim $map1.InputClaimType
The incoming claim type should be http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email, not http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
The SAML token expiry should be more than 10 minutes.
SharePoint uses the SAML token validity period to determine the lifetime. If LogonTokenCacheExpirationWindow (which defaults to 10 minutes in SharePoint) is greater than the assertion's lifetime, SharePoint will not let the user log in and will redirect back to the IdP, which redirects back to SharePoint in an infinite loop.
The attribute in the SAML response should look like this:
<Attribute AttributeName="email"
           AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
  <AttributeValue>admin@wso2.com</AttributeValue>
</Attribute>
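As an added diagnostic example (not part of the question or answer, and not WSO2 or SharePoint code), the following Python script applies the two checks the answer describes to a SAML 1.1 assertion before it is handed to a SharePoint trusted identity token issuer. It derives each attribute's claim type the way the answer's corrected attribute implies, by joining AttributeNamespace and AttributeName with a slash (this joining rule is an assumption taken from the answer's example, where namespace ".../claims" plus name "email" yields ".../claims/email"), and it compares the assertion's Conditions window against the 10-minute LogonTokenCacheExpirationWindow. The sample assertion, its timestamps and its AssertionID are constructed for the example; it carries both the question's failing attribute shape and the answer's corrected one so the two outcomes can be seen side by side.

```python
"""Pre-flight checks for a SAML 1.1 assertion sent to a SharePoint trusted
identity token issuer: claim-type derivation and assertion lifetime."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML11}

# Default SharePoint LogonTokenCacheExpirationWindow, as stated in the answer.
DEFAULT_CACHE_WINDOW = timedelta(minutes=10)

# Constructed sample assertion (not captured from WSO2). The first Attribute
# mirrors the question's failing shape, the second the answer's corrected shape.
# The Conditions window is deliberately only 5 minutes to trigger the lifetime check.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-example-id"
    Issuer="localhost" IssueInstant="2015-04-16T11:40:00Z">
  <saml:Conditions NotBefore="2015-04-16T11:40:00Z" NotOnOrAfter="2015-04-16T11:45:00Z"/>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>admin@wso2.com</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="Email"
        AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>admin@wso2.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="email"
        AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
      <saml:AttributeValue>admin@wso2.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def claim_types(assertion_xml: str) -> dict[str, str]:
    """Return {claim_type: value} for every Attribute in the assertion.

    Assumption (taken from the answer's example): the claim type SharePoint sees
    is AttributeNamespace + "/" + AttributeName, so a namespace that already ends
    in ".../emailaddress" produces ".../emailaddress/Email", which matches nothing.
    """
    root = ET.fromstring(assertion_xml)
    result: dict[str, str] = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        name = attr.get("AttributeName", "")
        namespace = attr.get("AttributeNamespace", "")
        claim_type = f"{namespace.rstrip('/')}/{name}" if namespace else name
        result[claim_type] = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
    return result


def _parse_utc(timestamp: str) -> datetime:
    """Parse a SAML UTC timestamp ("...Z"); fromisoformat needs an explicit offset."""
    return datetime.fromisoformat(timestamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def assertion_lifetime(assertion_xml: str) -> timedelta:
    """Lifetime of the assertion as NotOnOrAfter minus NotBefore from Conditions."""
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("assertion has no Conditions element")
    return _parse_utc(conditions.get("NotOnOrAfter")) - _parse_utc(conditions.get("NotBefore"))


def diagnose(assertion_xml: str, identifier_claim: str,
             cache_window: timedelta = DEFAULT_CACHE_WINDOW) -> list[str]:
    """Return human-readable findings; an empty list means both checks passed."""
    findings: list[str] = []
    claims = claim_types(assertion_xml)
    if identifier_claim not in claims:
        findings.append(
            f"identifier claim {identifier_claim!r} not present; token carries {sorted(claims)}"
        )
    lifetime = assertion_lifetime(assertion_xml)
    if lifetime <= cache_window:
        findings.append(
            f"assertion lifetime {lifetime} does not exceed LogonTokenCacheExpirationWindow "
            f"{cache_window}; SharePoint will reject the token and loop back to the IdP"
        )
    return findings


if __name__ == "__main__":
    # Identifier claim as the answer says it should be configured.
    for finding in diagnose(SAMPLE_ASSERTION,
                            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email"):
        print("FINDING:", finding)
```

Run it against an assertion captured from a browser trace (for example, the wresult posted to /_trust/) with the claim type configured in New-SPTrustedIdentityTokenIssuer -IdentifierClaim; a finding on the claim type corresponds to the "is not sending configured input identity claim type" log entry, and a finding on the lifetime to the GetTokenLifetime exception in the stack trace.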