Identity Server 3作为SharePoint 2013/2016的Ws-Fed身份提供程序

时间:2017-02-27 06:49:06

标签: c# sharepoint saml identityserver3 ws-federation

我尝试使用SharePoint 2016设置[Thinktecture] Identity Server 3.但是,我在用户之后遇到了SharePoint和Identity Server 3之间的无限循环经过身份验证。 IdServer日志中没有错误。如果有人会查看下面的步骤,我将非常感激。

Identity Server 3配置

我从Self-Host with WS-Federation sample开始,并修改为添加新的依赖方。 Identity Server本身使用公共DNS注册的主机名在Internet上通过完全独立的服务器与SharePoint运行:

const string url = "https://mydevserver.example.com:44333/core";
using (WebApp.Start<Startup>(url))
{
    Console.WriteLine("\n\nServer listening at {0}. Press enter to stop", url);
    Console.ReadLine();
}

依赖方

new RelyingParty
{
    Name = "SharePoint 2016 Trial",
    Realm = "urn:idserver:sp16trial",
    Enabled = true,
    ReplyUrl = "https://mysharepointserver.example.com/_trust/",
    TokenType = TokenTypes.Saml11TokenProfile11,
    TokenLifeTime = 1,

    ClaimMappings = new Dictionary<string, string>
    {
        { "email", ClaimTypes.Email },
        { "sub", ClaimTypes.NameIdentifier },
        { "name", ClaimTypes.Name },
        { "given_name", ClaimTypes.GivenName },
        { "surname", ClaimTypes.Surname }
   }
}

SharePoint配置

元数据和证书

我导航到https://mydevserver.example.com:44333/core/wsfed/metadata并将其另存为XML文件,然后暂时将其放在SharePoint服务器上。从XML文件中,我提取公共X509证书并将其作为temp.cer文件保存在与下面的Powershell脚本相同的文件夹中。

Powershell脚本

$realm = "urn:idserver:sp16trial"
$signinurl = "https://mydevserver.example.com:44333/core/wsfed"
$description ="My Test Identity Server 3"

[xml]$fedmdXml = Get-Content metadata.xml
$cert = Get-PfxCertificate -FilePath temp.cer

asnp *sh*
$name = "IdSrv"
New-SPTrustedRootAuthority -Name $name -Certificate $cert | Out-Null

$map1 = New-SPClaimTypeMapping "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email" –SameAsIncoming 
$map2 = New-SPClaimTypeMapping "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
New-SPTrustedIdentityTokenIssuer -Name $name -Description $description -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType

我导航到 SharePoint管理中心,并将新的可信提供商连接到Web应用程序。

在Sharepoint集中管理中,我授权用户&#34; bobsmith@example.com"通过 Sharepoint用户政策

我导航至https://mysharepointserver.example.com,我按预期重定向到登录页面 https://mydevserver.example.com:44333/core/login?signin=<guidhere>

我以用户bob身份登录,但随后在SharePoint和Identity Server之间触发了无限循环。这来自IdSvr日志:

日志

Server listening at https://mydevserver.example.com:44333/core. Press enter to stop
02/26/2017 22:29:53 -08:00 [INF] (IdentityServer3.WsFederation.WsFederationController)
 Start WS-Federation request
02/26/2017 22:29:53 -08:00 [DBG] (IdentityServer3.WsFederation.WsFederationController)
 AbsoluteUri: [https://mydevserver.example.com:44333/core/wsfed?wa=wsignin1.0&wtrealm=urn%3aidserver%3asp16trial&wctx=https%3a%2f%2fmysharepointserver.example.com%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F]
02/26/2017 22:29:53 -08:00 [DBG] (IdentityServer3.WsFederation.WsFederationController)
 PublicUri: [https://mydevserver.example.com:44333/core/wsfed?wa=wsignin1.0&wtrealm=urn:idserver:sp16trial&wctx=https:%2f%2fmysharepointserver.example.com%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F]
02/26/2017 22:29:53 -08:00 [INF] (IdentityServer3.WsFederation.WsFederationController)
 WsFederation signin request
02/26/2017 22:29:53 -08:00 [INF] (IdentityServer3.WsFederation.Validation.SignInValidator)
 Start WS-Federation signin request validation
02/26/2017 22:29:53 -08:00 [INF] (IdentityServer3.WsFederation.WsFederationController)
 Redirecting to login page
02/26/2017 22:29:53 -08:00 [DBG] (IdentityServer3.Core.Configuration.Hosting.MessageCookie`1)
 Protecting message: {"ReturnUrl":"https://mydevserver.example.com:44333/core/wsfed?wa=wsignin1.0&wtrealm=urn%3aidserver%3asp16trial&wctx=https%3a%2f%2fmysharepointserver.example.com%2f_layouts%2f15%2fAuthenticate.aspx%3fS
ource%3d%252F","AcrValues":[],"Created":636237737932988392}
02/26/2017 22:29:53 -08:00 [INF] (IdentityServer3.Core.Endpoints.AuthenticationController)
 Login page requested
02/26/2017 22:29:53 -08:00 [DBG] (IdentityServer3.Core.Endpoints.AuthenticationController)
 signin message passed to login: {
  "ReturnUrl": "https://mydevserver.example.com:44333/core/wsfed?wa=wsignin1.0&wtrealm=urn%3aidserver%3asp16trial&wctx=https%3a%2f%2fmysharepointserver.example.com%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F",
  "ClientId": null,
  "IdP": null,
  "Tenant": null,
  "LoginHint": null,
  "DisplayMode": null,
  "UiLocales": null,
  "AcrValues": [],
  "Created": 636237737932988392
}
02/26/2017 22:29:53 -08:00 [INF] (IdentityServer3.Core.Endpoints.AuthenticationController)
 rendering login page
02/26/2017 22:30:01 -08:00 [INF] (IdentityServer3.Core.Endpoints.AuthenticationController)
 Login page submitted
02/26/2017 22:30:01 -08:00 [INF] (IdentityServer3.Core.Endpoints.AuthenticationController)
 Login credentials successfully validated by user service
02/26/2017 22:30:01 -08:00 [INF] (IdentityServer3.Core.Endpoints.AuthenticationController)
 Calling PostAuthenticateAsync on the user service
02/26/2017 22:30:01 -08:00 [INF] (IdentityServer3.Core.Endpoints.AuthenticationController)
 issuing primary signin cookie
02/26/2017 22:30:01 -08:00 [INF] (IdentityServer3.Core.Endpoints.AuthenticationController)
 redirecting to: https://mydevserver.example.com:44333/core/wsfed?wa=wsignin1.0&wtrealm=urn:idserver:sp16trial&wctx=https:%2f%2fmysharepointserver.example.com%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F
02/26/2017 22:30:01 -08:00 [INF] (IdentityServer3.WsFederation.WsFederationController)
 Start WS-Federation request
02/26/2017 22:30:01 -08:00 [DBG] (IdentityServer3.WsFederation.WsFederationController)
 AbsoluteUri: [https://mydevserver.example.com:44333/core/wsfed?wa=wsignin1.0&wtrealm=urn%3aidserver%3asp16trial&wctx=https%3a%2f%2fmysharepointserver.example.com%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F]
02/26/2017 22:30:01 -08:00 [DBG] (IdentityServer3.WsFederation.WsFederationController)
 PublicUri: [https://mydevserver.example.com:44333/core/wsfed?wa=wsignin1.0&wtrealm=urn:idserver:sp16trial&wctx=https:%2f%2fmysharepointserver.example.com%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F]
02/26/2017 22:30:01 -08:00 [INF] (IdentityServer3.WsFederation.WsFederationController)
 WsFederation signin request
02/26/2017 22:30:01 -08:00 [INF] (IdentityServer3.WsFederation.Validation.SignInValidator)
 Start WS-Federation signin request validation
02/26/2017 22:30:01 -08:00 [INF] (IdentityServer3.WsFederation.Validation.SignInValidator)
 End WS-Federation signin request validation
{
  "Realm": "urn:idserver:sp16trial",
  "RelyingPartyName": "SharePoint 2016 Trial",
  "ReplyUrl": "https://mysharepointserver.example.com/_trust/"
}
02/26/2017 22:30:01 -08:00 [INF] (IdentityServer3.WsFederation.ResponseHandling.SignInResponseGenerator)
 Creating WS-Federation signin response
02/26/2017 22:30:01 -08:00 [DBG] (IdentityServer3.WsFederation.Hosting.CookieMiddlewareTrackingCookieService)
 Retrieving values of cookie IdSvr.WsFedTracking
02/26/2017 22:30:01 -08:00 [DBG] (IdentityServer3.WsFederation.Hosting.CookieMiddlewareTrackingCookieService)
 Cookie IdSvr.WsFedTracking does not exist
02/26/2017 22:30:01 -08:00 [DBG] (IdentityServer3.WsFederation.Hosting.CookieMiddlewareTrackingCookieService)
 Adding https://mysharepointserver.example.com/_trust/ to IdSvr.WsFedTracking cookie
02/26/2017 22:30:01 -08:00 [DBG] (IdentityServer3.WsFederation.Results.SignInResult)
 Returning WS-Federation signin response
02/26/2017 22:30:02 -08:00 [INF] (IdentityServer3.WsFederation.WsFederationController)
 Start WS-Federation request
02/26/2017 22:30:02 -08:00 [DBG] (IdentityServer3.WsFederation.WsFederationController)
 AbsoluteUri: [https://mydevserver.example.com:44333/core/wsfed?wa=wsignin1.0&wtrealm=urn%3aidserver%3asp16trial&wctx=https%3a%2f%2fmysharepointserver.example.com%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F]
02/26/2017 22:30:02 -08:00 [DBG] (IdentityServer3.WsFederation.WsFederationController)
 PublicUri: [https://mydevserver.example.com:44333/core/wsfed?wa=wsignin1.0&wtrealm=urn:idserver:sp16trial&wctx=https:%2f%2fmysharepointserver.example.com%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F]
02/26/2017 22:30:02 -08:00 [INF] (IdentityServer3.WsFederation.WsFederationController)
 WsFederation signin request
02/26/2017 22:30:02 -08:00 [INF] (IdentityServer3.WsFederation.Validation.SignInValidator)
 Start WS-Federation signin request validation
02/26/2017 22:30:02 -08:00 [INF] (IdentityServer3.WsFederation.Validation.SignInValidator)
 End WS-Federation signin request validation
{
  "Realm": "urn:idserver:sp16trial",
  "RelyingPartyName": "SharePoint 2016 Trial",
  "ReplyUrl": "https://mysharepointserver.example.com/_trust/"
}
02/26/2017 22:30:02 -08:00 [INF] (IdentityServer3.WsFederation.ResponseHandling.SignInResponseGenerator)
 Creating WS-Federation signin response
02/26/2017 22:30:02 -08:00 [DBG] (IdentityServer3.WsFederation.Hosting.CookieMiddlewareTrackingCookieService)
 Retrieving values of cookie IdSvr.WsFedTracking
02/26/2017 22:30:02 -08:00 [DBG] (IdentityServer3.WsFederation.Hosting.CookieMiddlewareTrackingCookieService)
 https://mysharepointserver.example.com/_trust/ already exists in IdSvr.WsFedTracking cookie
02/26/2017 22:30:02 -08:00 [DBG] (IdentityServer3.WsFederation.Results.SignInResult)
 Returning WS-Federation signin response
02/26/2017 22:30:03 -08:00 [INF] (IdentityServer3.WsFederation.WsFederationController)
 Start WS-Federation request

知道我缺少什么吗?

1 个答案:

答案 0 :(得分:3)

您正面临无限重定向,因为您将中继方的ReplyUrl设置为信任页面,这是不正确的。

回复网址应该是登录成功完成后身份服务器重定向到的网址。

这应该是你转发方的正确逻辑

  

ReplyUrl =&#34; https://mysharepointserver.example.com/&#34;

您需要在客户端类中设置信任URL

  

RedirectUris = {&#34; https://mysharepointserver.example.com/_trust/&#34; },