SharePoint 集成认证-- 集成 OAuth 2.0 服务登录
这是一个代码实现部分,此处作为实现示例。此文章为转载,作者 张峰
转载地址:https://blog.csdn.net/xiaomifengmaidi1/article/details/83990526
此博客用于测试 SharePoint 与 OAuth 2.0 服务的集成,背景是埃维诺为某大型企业提供 SharePoint 门户以及整个微服务平台的解决方案,并搭建了基于 OAuth 2.0 的 SSO。
在 https://download.csdn.net/download/xiaomifengmaidi1/10779540 下载代码,然后做如下修改:
/// <summary>
/// In-memory IdentityServer configuration for the SharePoint WS-Federation relying party:
/// the identity resources, the WS-Fed client, and the relying-party (SAML 1.1) settings.
/// </summary>
public class Config
{
    /// <summary>
    /// Identity resources (scopes) this server can issue claims for.
    /// </summary>
    /// <returns>The OpenId (sub/nameid) and Profile (name, email, ...) resources.</returns>
    public static List<IdentityResource> GetIdentityResources()
    {
        var openId = new IdentityResources.OpenId();   // sub / nameid claim
        var profile = new IdentityResources.Profile(); // profile claims such as name and email
        return new List<IdentityResource> { openId, profile };
    }

    /// <summary>
    /// Clients allowed to authenticate against this server.
    /// </summary>
    /// <returns>A single WS-Federation client representing the SharePoint web application.</returns>
    public static List<Client> GetClients()
    {
        var sharePoint = new Client
        {
            // Realm of the relying party; the same value is used as RelyingParty.Realm below.
            ClientId = "urn:sharepoint",
            // SharePoint talks WS-Federation, not OIDC.
            ProtocolType = IdentityServerConstants.ProtocolTypes.WsFederation,
            // The web application's trust endpoint (web app URL + _trust/default.aspx).
            // NOTE(review): the sample uses plain http here; a deployed trust endpoint should be https.
            RedirectUris = { "http://SPServer/_trust/default.aspx" },
            // Lifetime of the issued SAML token, in seconds (36000 s = 10 h).
            IdentityTokenLifetime = 36000,
            // Scopes this client may request; they refer to the resources in GetIdentityResources().
            AllowedScopes = { "openid", "profile" }
        };
        return new List<Client> { sharePoint };
    }

    /// <summary>
    /// WS-Federation relying-party settings, keyed by realm.
    /// </summary>
    /// <returns>The SharePoint relying party with its SAML 1.1 token settings and claim mapping.</returns>
    public static List<RelyingParty> GetRelyingParties()
    {
        // Only the claims listed here are emitted in the SAML 1.1 token:
        // keys are the OIDC claim types, values the XML claim types SharePoint expects.
        var claimMapping = new Dictionary<string, string>
        {
            { JwtClaimTypes.Subject, ClaimTypes.NameIdentifier },
            { JwtClaimTypes.Email, ClaimTypes.Email }
        };

        var sharePoint = new RelyingParty
        {
            // Same value as Client.ClientId; this is what links the two configurations.
            Realm = "urn:sharepoint",
            // SharePoint requires SAML 1.1 tokens.
            TokenType = WsFederationConstants.TokenTypes.Saml11TokenProfile11,
            ClaimMapping = claimMapping,
            // Digest / signature defaults (SHA-256, RSA-SHA256).
            DigestAlgorithm = SecurityAlgorithms.Sha256Digest,
            SignatureAlgorithm = SecurityAlgorithms.RsaSha256Signature,
            SamlNameIdentifierFormat = WsFederationConstants.SamlNameIdentifierFormats.UnspecifiedString
        };
        return new List<RelyingParty> { sharePoint };
    }
}
在 Users 中加上如下代码:
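/// <summary>
/// In-memory test user used to exercise the SharePoint sign-in flow.
/// </summary>
/// <returns>One test user ("ids4") carrying a single email claim.</returns>
public static List<TestUser> GetUsers()
{
    // The relying-party mapping in Config.GetRelyingParties only forwards the subject
    // and email claims, so email is the only additional claim this user carries.
    // (The original listing was missing the closing parenthesis on this constructor call.)
    var emailClaim = new Claim(JwtClaimTypes.Email, "ids4@app.com");

    var ids4 = new TestUser
    {
        SubjectId = "B9734696-5CC4-45FC-8674-C9340449D082",
        Username = "ids4",
        // Sample-only credential, held in memory as a plain string.
        Password = "password",
        Claims = new List<Claim> { emailClaim }
    };

    return new List<TestUser> { ids4 };
}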
在 Startup 中加入如下代码:
/// <summary>
/// Registers MVC and IdentityServer (with WS-Federation support), wired to the
/// in-memory configuration exposed by <see cref="Config"/>.
/// </summary>
/// <param name="services">The application's service collection.</param>
public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();

    var identityServer = services.AddIdentityServer();

    // Signing credential: looks like a lookup by certificate subject name.
    // NOTE(review): "CN=ScottBrady91" is the sample's value — confirm it matches the deployed signing cert.
    identityServer
        .AddSigningCredential("CN=ScottBrady91")
        .AddInMemoryIdentityResources(Config.GetIdentityResources())
        .AddInMemoryClients(Config.GetClients())
        .AddTestUsers(Config.GetUsers())
        // WS-Federation endpoint plus the relying parties SharePoint is configured for.
        .AddWsFederation()
        .AddInMemoryRelyingParties(Config.GetRelyingParties());
}
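/// <summary>
/// Builds the request pipeline: IdentityServer endpoints, static files and MVC.
/// </summary>
/// <param name="app">The application builder.</param>
/// <param name="env">Hosting environment; decides whether the developer exception page is enabled.</param>
/// <param name="loggerFactory">Logger factory (not used here; kept for the conventional signature).</param>
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    // The developer exception page renders stack traces and request details to the caller,
    // so it is only enabled in the Development environment. The original enabled it
    // unconditionally and left `env` unused.
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }

    app.UseIdentityServer();
    app.UseStaticFiles();
    app.UseMvcWithDefaultRoute();
}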
然后将该服务发布出去。
接下来就是配置 SharePoint 了,其实和配置 ADFS 差不多:
# SharePoint side of the trust: realm and sign-in URL of the IdentityServer WS-Federation endpoint.
# The realm must equal Client.ClientId / RelyingParty.Realm in the IdentityServer Config.
$realm = "urn:sharepoint"
$identityProviderUrl = "http://ssox.azurewebsites.net/wsfederation"

# Token-signing certificate chain, loaded from public-key (.cer) files.
# Both the root and the signing certificate are registered as trusted root authorities.
$rootCert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList "C:\devroot.cer"
New-SPTrustedRootAuthority -Name "Token Signing Cert Root" -Certificate $rootCert

$signingCert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList "C:\pub.cer"
New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $signingCert

# Incoming SAML claim types -> SharePoint claim types. These correspond to the two entries of
# ClaimMapping in Config.GetRelyingParties (nameidentifier and emailaddress).
$nameIdMapping = @{
    IncomingClaimType            = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
    IncomingClaimTypeDisplayName = "NameId"
    LocalClaimType               = "https://identityserver/name"
}
$nameIdClaimMap = New-SPClaimTypeMapping @nameIdMapping

$emailMapping = @{
    IncomingClaimType            = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    IncomingClaimTypeDisplayName = "Email"
    SameAsIncoming               = $true
}
$emailClaimMap = New-SPClaimTypeMapping @emailMapping

# NOTE(review): $realm, $identityProviderUrl, $nameIdClaimMap and $emailClaimMap are defined but not
# consumed in the lines shown; presumably the step that registers the trusted identity provider with
# them follows in the full script — confirm it is present before treating the configuration as complete.
这里需要注意的是:如果签名证书有根证书,也需要把根证书加入到 SharePoint 中;证书方面的操作,可以把代码中使用的证书导出为公钥证书。
这样就配置好了,在手机上测试了一下。