我正在尝试使用WSO2 Identity Server被动sts支持SSO到Share Point 2013网站。
以下是身份服务器的SAML响应
<Attribute AttributeName="Email"
AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
>
<AttributeValue>admin@wso2.com</AttributeValue>
</Attribute>
我正在跟踪Share Point方面的登录。
04/16/2015 11:40:13.61 w3wp.exe (0x0B18) 0x0640 SharePoint Foundation Claims Authentication ajau6 Verbose SPSecurityTokenServiceManager!GetProviderByName: Returning Trusted Login Provider for input WSO2PassiveSTS1 6130fd9c-aa57-b0ac-0000-0c3c2aa42924
04/16/2015 11:40:13.63 w3wp.exe (0x0B18) 0x0640 SharePoint Foundation Claims Authentication eu2n Monitorable Trusted login provider 'WSO2PassiveSTS1' is not sending configured input identity claim type 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'. 6130fd9c-aa57-b0ac-0000-0c3c2aa42924
04/16/2015 11:40:13.65 w3wp.exe (0x0B18) 0x0640 SharePoint Foundation Claims Authentication fo1t Monitorable STS Call: Failed to issue new security token. Exception: System.ServiceModel.FaultException: The trusted login provider did not supply a token accepted by this farm. at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo.ValidateTrustedLoginRequest(SPRequestSecurityToken request) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetTokenLifetime(Lifetime requestLifetime) at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityToken request) at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityToken request) 6130fd9c-aa57-b0ac-0000-0c3c2aa42924
以下是我在Sharepoint中的IDP配置。
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$realm="http://win-3oo8vau2hv9:48077/_trust"
$ap=New-SPTrustedIdentityTokenIssuer -Name "WSO2PassiveSTS1" -Description "WSO2 Identity Server1" –Realm $realm -ClaimsMappings $map1 -ImportTrustCertificate $cert -SignInUrl "https://localhost:9443/passivests" -IdentifierClaim $map1.InputClaimType
答案 0 :(得分:0)
Incomming声明类型应为http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email
不http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress&#34;
SAML令牌的到期时间应超过10分钟。
SharePoint使用saml令牌有效期来确定生命周期,如果LogonTokenCacheExpirationWindow(默认情况下SharePoint 10分钟内的设置)大于断言的生命周期,则SharePoint将不允许用户登录并将重定向回到IdP,它将在无限循环中重定向回SharePoint。
SAML响应中的属性应如下所示
<Attribute AttributeName="email"
AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
>
<AttributeValue>admin@wso2.com</AttributeValue>
</Attribute>