Question

我正在尝试使用WSO2 Identity Server被动sts支持SSO到Share Point 2013网站。

以下是身份服务器的SAML响应

<Attribute AttributeName="Email"
                                               AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
                                               >
                                            <AttributeValue>admin@wso2.com</AttributeValue>
                                    </Attribute>

我正在跟踪Share Point方面的登录。

04/16/2015 11:40:13.61  w3wp.exe (0x0B18)                           0x0640  SharePoint Foundation           Claims Authentication           ajau6   Verbose     SPSecurityTokenServiceManager!GetProviderByName: Returning Trusted Login Provider for input WSO2PassiveSTS1 6130fd9c-aa57-b0ac-0000-0c3c2aa42924
04/16/2015 11:40:13.63  w3wp.exe (0x0B18)                           0x0640  SharePoint Foundation           Claims Authentication           eu2n    Monitorable Trusted login provider 'WSO2PassiveSTS1' is not sending configured input identity claim type 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'.  6130fd9c-aa57-b0ac-0000-0c3c2aa42924
04/16/2015 11:40:13.65  w3wp.exe (0x0B18)                           0x0640  SharePoint Foundation           Claims Authentication           fo1t    Monitorable STS Call: Failed to issue new security token. Exception: System.ServiceModel.FaultException: The trusted login provider did not supply a token accepted by this farm.     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo.ValidateTrustedLoginRequest(SPRequestSecurityToken request)     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetTokenLifetime(Lifetime requestLifetime)     at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityToken request)     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityToken request)  6130fd9c-aa57-b0ac-0000-0c3c2aa42924

以下是我在Sharepoint中的IDP配置。

$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

$realm="http://win-3oo8vau2hv9:48077/_trust"

$ap=New-SPTrustedIdentityTokenIssuer -Name "WSO2PassiveSTS1" -Description "WSO2 Identity Server1" –Realm $realm -ClaimsMappings $map1  -ImportTrustCertificate $cert -SignInUrl "https://localhost:9443/passivests" -IdentifierClaim $map1.InputClaimType

Answer 1

Incomming声明类型应为http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email

不http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress＆＃34;

SAML令牌的到期时间应超过10分钟。

SharePoint使用saml令牌有效期来确定生命周期，如果LogonTokenCacheExpirationWindow（默认情况下SharePoint 10分钟内的设置）大于断言的生命周期，则SharePoint将不允许用户登录并将重定向回到IdP，它将在无限循环中重定向回SharePoint。

SAML响应中的属性应如下所示

<Attribute AttributeName="email"
                                               AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
                                               >
                                            <AttributeValue>admin@wso2.com</AttributeValue>
                                    </Attribute>

带有WSO2 Identity Server Passive STS的SharePoint 2013 SSO

1 个答案: