[英]Identity Server 3 as Ws-Fed Identity Provider for SharePoint 2013/2016
我正在嘗試使用 SharePoint 2016 設置 [Thinktecture] Identity Server 3。但是,在用戶通過身份驗證后,我遇到了SharePoint 和 Identity Server 3 之間的無限循環。 IdServer 日志中沒有錯誤。 如果有人能查看我下面的步驟,我將不勝感激。
我從帶有WS-Federation 示例的Self-Host開始,並進行了修改以添加一個新的依賴方。 Identity Server 本身運行在與 SharePoint 完全不同的服務器上,通過 Internet 使用公共 DNS 注冊主機名:
const string url = "https://mydevserver.example.com:44333/core";
using (WebApp.Start<Startup>(url))
{
Console.WriteLine("\n\nServer listening at {0}. Press enter to stop", url);
Console.ReadLine();
}
new RelyingParty
{
Name = "SharePoint 2016 Trial",
Realm = "urn:idserver:sp16trial",
Enabled = true,
ReplyUrl = "https://mysharepointserver.example.com/_trust/",
TokenType = TokenTypes.Saml11TokenProfile11,
TokenLifeTime = 1,
ClaimMappings = new Dictionary<string, string>
{
{ "email", ClaimTypes.Email },
{ "sub", ClaimTypes.NameIdentifier },
{ "name", ClaimTypes.Name },
{ "given_name", ClaimTypes.GivenName },
{ "surname", ClaimTypes.Surname }
}
}
我導航到https://mydevserver.example.com:44333/core/wsfed/metadata
並將其另存為 XML 文件,然后將其臨時放置到 SharePoint 服務器上。 從 XML 文件中,我提取公共 X509 證書並將其保存為temp.cer
文件,與下面的 Powershell 腳本位於同一文件夾中。
$realm = "urn:idserver:sp16trial"
$signinurl = "https://mydevserver.example.com:44333/core/wsfed"
$description ="My Test Identity Server 3"
[xml]$fedmdXml = Get-Content metadata.xml
$cert = Get-PfxCertificate -FilePath temp.cer
asnp *sh*
$name = "IdSrv"
New-SPTrustedRootAuthority -Name $name -Certificate $cert | Out-Null
$map1 = New-SPClaimTypeMapping "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "Email" –SameAsIncoming
$map2 = New-SPClaimTypeMapping "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
New-SPTrustedIdentityTokenIssuer -Name $name -Description $description -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType
我導航到SharePoint 中央管理並將新的受信任提供程序連接到 Web 應用程序。
在 Sharepoint 中央管理中,我通過Sharepoint 用戶策略授權用戶“bobsmith@example.com”。
我導航到https://mysharepointserver.example.com
並按預期重定向到登錄頁面https://mydevserver.example.com:44333/core/login?signin=<guidhere>
。
我以用戶bob
登錄,但隨后在 SharePoint 和 Identity Server 之間觸發了無限循環。 這是來自 IdSvr 日志:
Server listening at https://mydevserver.example.com:44333/core. Press enter to stop
02/26/2017 22:29:53 -08:00 [INF] (IdentityServer3.WsFederation.WsFederationController)
Start WS-Federation request
02/26/2017 22:29:53 -08:00 [DBG] (IdentityServer3.WsFederation.WsFederationController)
AbsoluteUri: [https://mydevserver.example.com:44333/core/wsfed?wa=wsignin1.0&wtrealm=urn%3aidserver%3asp16trial&wctx=https%3a%2f%2fmysharepointserver.example.com%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F]
02/26/2017 22:29:53 -08:00 [DBG] (IdentityServer3.WsFederation.WsFederationController)
PublicUri: [https://mydevserver.example.com:44333/core/wsfed?wa=wsignin1.0&wtrealm=urn:idserver:sp16trial&wctx=https:%2f%2fmysharepointserver.example.com%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F]
02/26/2017 22:29:53 -08:00 [INF] (IdentityServer3.WsFederation.WsFederationController)
WsFederation signin request
02/26/2017 22:29:53 -08:00 [INF] (IdentityServer3.WsFederation.Validation.SignInValidator)
Start WS-Federation signin request validation
02/26/2017 22:29:53 -08:00 [INF] (IdentityServer3.WsFederation.WsFederationController)
Redirecting to login page
02/26/2017 22:29:53 -08:00 [DBG] (IdentityServer3.Core.Configuration.Hosting.MessageCookie`1)
Protecting message: {"ReturnUrl":"https://mydevserver.example.com:44333/core/wsfed?wa=wsignin1.0&wtrealm=urn%3aidserver%3asp16trial&wctx=https%3a%2f%2fmysharepointserver.example.com%2f_layouts%2f15%2fAuthenticate.aspx%3fS
ource%3d%252F","AcrValues":[],"Created":636237737932988392}
02/26/2017 22:29:53 -08:00 [INF] (IdentityServer3.Core.Endpoints.AuthenticationController)
Login page requested
02/26/2017 22:29:53 -08:00 [DBG] (IdentityServer3.Core.Endpoints.AuthenticationController)
signin message passed to login: {
"ReturnUrl": "https://mydevserver.example.com:44333/core/wsfed?wa=wsignin1.0&wtrealm=urn%3aidserver%3asp16trial&wctx=https%3a%2f%2fmysharepointserver.example.com%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F",
"ClientId": null,
"IdP": null,
"Tenant": null,
"LoginHint": null,
"DisplayMode": null,
"UiLocales": null,
"AcrValues": [],
"Created": 636237737932988392
}
02/26/2017 22:29:53 -08:00 [INF] (IdentityServer3.Core.Endpoints.AuthenticationController)
rendering login page
02/26/2017 22:30:01 -08:00 [INF] (IdentityServer3.Core.Endpoints.AuthenticationController)
Login page submitted
02/26/2017 22:30:01 -08:00 [INF] (IdentityServer3.Core.Endpoints.AuthenticationController)
Login credentials successfully validated by user service
02/26/2017 22:30:01 -08:00 [INF] (IdentityServer3.Core.Endpoints.AuthenticationController)
Calling PostAuthenticateAsync on the user service
02/26/2017 22:30:01 -08:00 [INF] (IdentityServer3.Core.Endpoints.AuthenticationController)
issuing primary signin cookie
02/26/2017 22:30:01 -08:00 [INF] (IdentityServer3.Core.Endpoints.AuthenticationController)
redirecting to: https://mydevserver.example.com:44333/core/wsfed?wa=wsignin1.0&wtrealm=urn:idserver:sp16trial&wctx=https:%2f%2fmysharepointserver.example.com%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F
02/26/2017 22:30:01 -08:00 [INF] (IdentityServer3.WsFederation.WsFederationController)
Start WS-Federation request
02/26/2017 22:30:01 -08:00 [DBG] (IdentityServer3.WsFederation.WsFederationController)
AbsoluteUri: [https://mydevserver.example.com:44333/core/wsfed?wa=wsignin1.0&wtrealm=urn%3aidserver%3asp16trial&wctx=https%3a%2f%2fmysharepointserver.example.com%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F]
02/26/2017 22:30:01 -08:00 [DBG] (IdentityServer3.WsFederation.WsFederationController)
PublicUri: [https://mydevserver.example.com:44333/core/wsfed?wa=wsignin1.0&wtrealm=urn:idserver:sp16trial&wctx=https:%2f%2fmysharepointserver.example.com%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F]
02/26/2017 22:30:01 -08:00 [INF] (IdentityServer3.WsFederation.WsFederationController)
WsFederation signin request
02/26/2017 22:30:01 -08:00 [INF] (IdentityServer3.WsFederation.Validation.SignInValidator)
Start WS-Federation signin request validation
02/26/2017 22:30:01 -08:00 [INF] (IdentityServer3.WsFederation.Validation.SignInValidator)
End WS-Federation signin request validation
{
"Realm": "urn:idserver:sp16trial",
"RelyingPartyName": "SharePoint 2016 Trial",
"ReplyUrl": "https://mysharepointserver.example.com/_trust/"
}
02/26/2017 22:30:01 -08:00 [INF] (IdentityServer3.WsFederation.ResponseHandling.SignInResponseGenerator)
Creating WS-Federation signin response
02/26/2017 22:30:01 -08:00 [DBG] (IdentityServer3.WsFederation.Hosting.CookieMiddlewareTrackingCookieService)
Retrieving values of cookie IdSvr.WsFedTracking
02/26/2017 22:30:01 -08:00 [DBG] (IdentityServer3.WsFederation.Hosting.CookieMiddlewareTrackingCookieService)
Cookie IdSvr.WsFedTracking does not exist
02/26/2017 22:30:01 -08:00 [DBG] (IdentityServer3.WsFederation.Hosting.CookieMiddlewareTrackingCookieService)
Adding https://mysharepointserver.example.com/_trust/ to IdSvr.WsFedTracking cookie
02/26/2017 22:30:01 -08:00 [DBG] (IdentityServer3.WsFederation.Results.SignInResult)
Returning WS-Federation signin response
02/26/2017 22:30:02 -08:00 [INF] (IdentityServer3.WsFederation.WsFederationController)
Start WS-Federation request
02/26/2017 22:30:02 -08:00 [DBG] (IdentityServer3.WsFederation.WsFederationController)
AbsoluteUri: [https://mydevserver.example.com:44333/core/wsfed?wa=wsignin1.0&wtrealm=urn%3aidserver%3asp16trial&wctx=https%3a%2f%2fmysharepointserver.example.com%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F]
02/26/2017 22:30:02 -08:00 [DBG] (IdentityServer3.WsFederation.WsFederationController)
PublicUri: [https://mydevserver.example.com:44333/core/wsfed?wa=wsignin1.0&wtrealm=urn:idserver:sp16trial&wctx=https:%2f%2fmysharepointserver.example.com%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F]
02/26/2017 22:30:02 -08:00 [INF] (IdentityServer3.WsFederation.WsFederationController)
WsFederation signin request
02/26/2017 22:30:02 -08:00 [INF] (IdentityServer3.WsFederation.Validation.SignInValidator)
Start WS-Federation signin request validation
02/26/2017 22:30:02 -08:00 [INF] (IdentityServer3.WsFederation.Validation.SignInValidator)
End WS-Federation signin request validation
{
"Realm": "urn:idserver:sp16trial",
"RelyingPartyName": "SharePoint 2016 Trial",
"ReplyUrl": "https://mysharepointserver.example.com/_trust/"
}
02/26/2017 22:30:02 -08:00 [INF] (IdentityServer3.WsFederation.ResponseHandling.SignInResponseGenerator)
Creating WS-Federation signin response
02/26/2017 22:30:02 -08:00 [DBG] (IdentityServer3.WsFederation.Hosting.CookieMiddlewareTrackingCookieService)
Retrieving values of cookie IdSvr.WsFedTracking
02/26/2017 22:30:02 -08:00 [DBG] (IdentityServer3.WsFederation.Hosting.CookieMiddlewareTrackingCookieService)
https://mysharepointserver.example.com/_trust/ already exists in IdSvr.WsFedTracking cookie
02/26/2017 22:30:02 -08:00 [DBG] (IdentityServer3.WsFederation.Results.SignInResult)
Returning WS-Federation signin response
02/26/2017 22:30:03 -08:00 [INF] (IdentityServer3.WsFederation.WsFederationController)
Start WS-Federation request
知道我缺少什么嗎?
您正面臨無限重定向,因為您將信賴方的 ReplyUrl 設置為信任頁面,這是不正確的。
ReplyUrl 應該是登錄成功后身份服務器將重定向到的 URL。
這應該是您信賴方的正確邏輯:
ReplyUrl = "https://mysharepointserver.example.com/"
您需要在 Clients 類中設置信任 URL:
RedirectUris = { "https://mysharepointserver.example.com/_trust/" },
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.