Authenticating to SharePoint through Okta from a back-end service

Posted: 2016-05-10 14:07:46

Tags: sharepoint saml okta okta-api

I need to connect programmatically to a customer's SharePoint server that uses Okta for authentication. I saw this post, which looked promising, but I can't seem to get a valid session cookie from Okta.

I can successfully call the /api/v1/authn endpoint and get a sessionToken back, but when I turn around and call /api/v1/sessions?additionalFields=cookieToken with that session token, I always get 403 - Forbidden with the following JSON:

    {
        "errorCode": "E0000005",
        "errorSummary": "Invalid Session",
        "errorLink": "E0000005",
        "errorId": "oaew0udr2ElRfCnZvBFt075SA",
        "errorCauses": []
    }

Assuming I can get past that, I'm not sure which URL I should be calling with the cookieToken. Is it an Okta endpoint that redirects to SharePoint, or a SharePoint endpoint that sets up the session using the cookie?

UPDATE: I can call the Okta endpoint /api/v1/sessions?additionalFields=cookieToken with my user credentials as JSON

    {
        "username": "user@email.com",
        "password": "P@ssw0rd"
    }

and I am able to retrieve a one-time cookie token that can be used with this link to start a SAML session in a browser:

https://[mydomain].okta.com/login/sessionCookieRedirect?redirectUrl=[sharepoint site url]&token=[cookie token]

This works in a browser: the user is authenticated automatically and ends up in SharePoint. However, it seems that this session "setup" is at least partly done through JavaScript, because following the same link in a programmatic HTTP client (e.g. Apache HttpClient) does not work. The HTTP client is sent through several redirects and ends up at the SharePoint site, but the user is not authenticated. The response is 403 - Forbidden with the following headers:

    403 - FORBIDDEN

    Content-Type -> text/plain; charset=utf-8
    Server -> Microsoft-IIS/8.5
    X-SharePointHealthScore -> 0
    SPRequestGuid -> 0ecd7b9d-c346-9081-cac4-43e41f3b159a
    request-id -> 0ecd7b9d-c346-9081-cac4-43e41f3b159a
    X-Forms_Based_Auth_Required -> https://[sharepoint site]/_login/autosignin.aspx?ReturnUrl=/_layouts/15/error.aspx
    X-Forms_Based_Auth_Return_Url -> https://[sharepoint site]/_layouts/15/error.aspx
    X-MSDAVEXT_Error -> 917656; Access denied. Before opening files in this location, you must first browse to the web site and select the option to login automatically.
    X-Powered-By -> ASP.NET
    MicrosoftSharePointTeamServices -> 15.0.0.4709
    X-Content-Type-Options -> nosniff
    X-MS-InvokeApp -> 1; RequireReadOnly
    Date -> Fri, 13 May 2016 15:02:38 GMT
    Content-Length -> 13

I'm starting to wonder whether this is a lost cause, and Okta or SharePoint simply doesn't support programmatic authentication via SAML.

1 Answer:

Answer 0 (score: 0)

It is possible.

Here is what I did.

1) Get your sessionToken from Okta. You will need an Okta authorization token.

2) Do an HttpGet(sharepointEmbeddedLink + "?onetimetoken=" + sessionToken) and also add this header: new BasicHeader(AUTHORIZATION, String.format("SSWS %s", OKTA_AUTHORIZATION_TOKEN));

3) Next, you have to parse the HTML response and pull out the SAML parameters: WRESULT, WCTX, WA

4) Next, do this: take those 3 and build a string in "application/x-www-form-urlencoded" format. It will look like "wa=wsignin1.0&wctx=somevalue&wresult=somevalue".

        import java.io.OutputStream;
        import java.net.HttpURLConnection;
        import java.net.URL;
        import java.net.URLConnection;
        import java.nio.charset.StandardCharsets;
        import java.util.Scanner;

        // theStringAbove is the form body built in step 4 ("wa=wsignin1.0&wctx=...&wresult=...")
        byte[] out = theStringAbove.getBytes(StandardCharsets.UTF_8);
        int length = out.length;

        URL url = new URL("https://login.microsoftonline.com/login.srf");
        URLConnection con = url.openConnection();
        HttpURLConnection http = (HttpURLConnection) con;

        http.setRequestMethod("POST");
        http.setDoOutput(true);
        http.setInstanceFollowRedirects(true);
        http.setFixedLengthStreamingMode(length);
        http.setRequestProperty("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
        http.setRequestProperty("User-agent", "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.215 Safari/535.1");
        http.connect();
        try (OutputStream os = http.getOutputStream()) {
            os.write(out);
        }
        // The response body is the HTML that step 5 parses for the SAML token
        String responseHtml = new Scanner(http.getInputStream(), "UTF-8").useDelimiter("\\A").next();

5) You will have the SAML token in the response. You will have to parse the HTML again.

6) You will have obtained the SharePoint siteUrl in step 3 or 4; then do this :)

    // Apache HttpClient 4.x (org.apache.http.*); the context keeps the cookie store between requests
    CloseableHttpClient httpclient = HttpClients.createDefault();
    HttpClientContext httpContext = HttpClientContext.create();

    // siteUrl ends with "/"; samlToken is the "t" value parsed from the login.srf response in step 5
    HttpPost httpPost = new HttpPost(siteUrl + "_forms/default.aspx?wa=wsignin1.0");
    byte[] utf8TokenStringBytes = ("t=" + samlToken).getBytes(StandardCharsets.UTF_8);
    HttpEntity entity = new ByteArrayEntity(utf8TokenStringBytes);
    httpPost.setEntity(entity);
    httpPost.setHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
    httpPost.setHeader("User-agent", "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.215 Safari/535.1");

    HttpResponse response = httpclient.execute(httpPost, httpContext);
    // The session cookies set by SharePoint are now in httpContext.getCookieStore()

If everything works, you will get some cookie headers you can use :D
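The HTML parsing and form encoding that steps 3 to 6 of the answer leave to the reader, as an added Python example that is not the answer's own code: both the Okta response and the login.srf response are auto-posting forms, so one parser serves both, and a missing required field is treated as the failure signal. It applies percent-encoding via urlencode to every value, including the step 6 token, and the sample HTML is constructed, not a real Okta page.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode

class AutoPostFormParser(HTMLParser):
    """Action URL and hidden <input> fields of the first <form> on a page: both the
    Okta response (step 3: wa/wctx/wresult) and login.srf (step 5: t) look like this."""
    def __init__(self):
        super().__init__()
        self.action, self.fields = None, {}
        self._in_form = self._done = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and not self._done:
            self._in_form, self.action = True, a.get("action")
        elif tag == "input" and self._in_form and a.get("name"):
            if a.get("type", "").lower() == "hidden":
                # HTMLParser has already unescaped &lt; &amp; etc. in the value
                self.fields[a["name"]] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form" and self._in_form:
            self._in_form, self._done = False, True

def parse_autopost_form(html, required):
    """Return (action, fields); a missing required field is how a failed step shows up."""
    p = AutoPostFormParser()
    p.feed(html)
    p.close()
    missing = [n for n in required if n not in p.fields]
    if missing:
        raise ValueError(f"auto-post form lacks {missing}; previous step did not authenticate")
    return p.action, p.fields

def wsfed_body(fields):
    """Step 4: x-www-form-urlencoded body for login.srf (values percent-encoded)."""
    return urlencode({k: fields[k] for k in ("wa", "wctx", "wresult")})

def sharepoint_signin_body(token):
    """Step 6: body for <siteUrl>_forms/default.aspx?wa=wsignin1.0."""
    return urlencode({"t": token})

# Constructed stand-in for the step-3 response (not a real Okta page).
SAMPLE_OKTA_HTML = """<html><body onload="document.forms[0].submit()">
<form method="POST" action="https://login.microsoftonline.com/login.srf">
<input type="hidden" name="wa" value="wsignin1.0">
<input type="hidden" name="wctx" value="ctx-example">
<input type="hidden" name="wresult" value="&lt;t:RequestSecurityTokenResponse&gt;...&lt;/t:RequestSecurityTokenResponse&gt;">
</form></body></html>"""
```

For the step 5 response, call parse_autopost_form with required ("t",) and pass fields["t"] to sharepoint_signin_body.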