SharePoint 2013 SSO with WSO2 Identity Server Passive STS

0
votes

I'm trying to SSO to Share Point 2013 website usin WSO2 Identity Server passive sts support.

Following is the SAML response form Identity Server

<Attribute AttributeName="Email"
                                               AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
                                               >
                                            <AttributeValue>[email protected]</AttributeValue>
                                    </Attribute>

I am getting following log in Share Point side.

04/16/2015 11:40:13.61  w3wp.exe (0x0B18)                           0x0640  SharePoint Foundation           Claims Authentication           ajau6   Verbose     SPSecurityTokenServiceManager!GetProviderByName: Returning Trusted Login Provider for input WSO2PassiveSTS1 6130fd9c-aa57-b0ac-0000-0c3c2aa42924
04/16/2015 11:40:13.63  w3wp.exe (0x0B18)                           0x0640  SharePoint Foundation           Claims Authentication           eu2n    Monitorable Trusted login provider 'WSO2PassiveSTS1' is not sending configured input identity claim type 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'.  6130fd9c-aa57-b0ac-0000-0c3c2aa42924
04/16/2015 11:40:13.65  w3wp.exe (0x0B18)                           0x0640  SharePoint Foundation           Claims Authentication           fo1t    Monitorable STS Call: Failed to issue new security token. Exception: System.ServiceModel.FaultException: The trusted login provider did not supply a token accepted by this farm.     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo.ValidateTrustedLoginRequest(SPRequestSecurityToken request)     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetTokenLifetime(Lifetime requestLifetime)     at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityToken request)     at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityToken request)  6130fd9c-aa57-b0ac-0000-0c3c2aa42924

Follows is my IDP configuration in Sharepoint.

$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

$realm="http://win-3oo8vau2hv9:48077/_trust"

$ap=New-SPTrustedIdentityTokenIssuer -Name "WSO2PassiveSTS1" -Description "WSO2 Identity Server1" –Realm $realm -ClaimsMappings $map1  -ImportTrustCertificate $cert -SignInUrl "https://localhost:9443/passivests" -IdentifierClaim $map1.InputClaimType
1
single-sign-onsharepoint-2013samlwso2is

1 Answers

0
votes

Incomming claim type should be http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email

NOT http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

SAML Token should have a expiry time longer than 10 minutes.

SharePoint uses saml token validity period to determine the lifetime and if the LogonTokenCacheExpirationWindow (which is a setting in SharePoint 10 minutes default) is larger than the lifetime of the assertion, then SharePoint will not allow a user to logon and will redirect back to the IdP, which will redirect back to SharePoint in an endless loop.

Attribute in the SAML response should look like follows 

<Attribute AttributeName="email"
                                               AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
                                               >
                                            <AttributeValue>[email protected]</AttributeValue>
                                    </Attribute>