authenticate to SharePoint through OKTA from back-end service


Question


I have a need to programmatically connect to a customer's SharePoint server that uses OKTA for authentication. I saw this post which looked promising, but cannot seem to get a valid session cookie back from OKTA.


I can successfully call the /api/v1/authn endpoint and get back a sessionToken, but when I turn around and call /api/v1/sessions?additionalFields=cookieToken with that session token, I always receive a 403 - Forbidden, with the following json:

{ 
"errorCode": "E0000005", 
"errorSummary": "Invalid Session", 
"errorLink": "E0000005", 
"errorId": "oaew0udr2ElRfCnZvBFt075SA", 
"errorCauses": [] 
}


Assuming I can get this resolved, I'm not sure of the URL I should call with the cookieToken. Is the url an OKTA endpoint that will redirect to SharePoint or is it a SharePoint endpoint that will set up the session with the cookie?


Update: I am able to call this okta endpoint -> /api/v1/sessions?additionalFields=cookieToken with my user credentials as json

{ 
"username": "user@email.com",
"password": "P@ssw0rd"
}


And am able to retrieve a one-time cookie token that can be used with this link to start a SAML session in a browser:

https://[mydomain].okta.com/login/sessionCookieRedirect?redirectUrl=[sharepoint site url]&token=[cookie token]


That works in a browser, the user is automatically authenticated and ends up in SharePoint. However, it seems that this session "setup" is at least partly achieved through javascript as executing the same link in a programmatic HTTP client (such as Apache HTTP Client) does not work. The http client is sent through a couple of redirects and ends up in the SharePoint site, but the user is not authenticated. The response is 403 - Forbidden with the following headers:

403 - Forbidden

Content-Type -> text/plain; charset=utf-8
Server -> Microsoft-IIS/8.5
X-SharePointHealthScore -> 0
SPRequestGuid -> 0ecd7b9d-c346-9081-cac4-43e41f3b159a
request-id -> 0ecd7b9d-c346-9081-cac4-43e41f3b159a
X-Forms_Based_Auth_Required -> https://[sharepoint site]/_login/autosignin.aspx?ReturnUrl=/_layouts/15/error.aspx
X-Forms_Based_Auth_Return_Url -> https://[sharepoint site]/_layouts/15/error.aspx
X-MSDAVEXT_Error -> 917656; Access denied. Before opening files in this location, you must first browse to the web site and select the option to login automatically.
X-Powered-By -> ASP.NET
MicrosoftSharePointTeamServices -> 15.0.0.4709
X-Content-Type-Options -> nosniff
X-MS-InvokeApp -> 1; RequireReadOnly
Date -> Fri, 13 May 2016 15:02:38 GMT
Content-Length -> 13


I'm starting to wonder if this is a lost cause, that OKTA or SharePoint doesn't support programmatic authentication via SAML.

Answer

It is possible.


Here is what I did. 1) Get your sessionToken from Okta. You'll need an okta authorization token for that.


2) Do a HttpGet(sharepointEmbeddedLink + "?onetimetoken=" + sessionToken) Also add this header: new BasicHeader(AUTHORIZATION, String.format("SSWS %s", OKTA_AUTHORIZATION_TOKEN));


3) Next you'll have to parse the html response and get the SAML Arguments: WRESULT, WCTX, WA


4) Next do this - take those 3 and create a string in this format "application/x-www-form-urlencoded". It will be something like this "wa=wsign1.0&wctx=somevalue&wresult=somevalue".

        // Requires: java.net.URL, java.net.URLConnection, java.net.HttpURLConnection,
        // java.io.OutputStream and java.nio.charset.StandardCharsets
        // theStringAbove is the form-encoded "wa=...&wctx=...&wresult=..." body from step 4
        byte[] out = theStringAbove.getBytes(StandardCharsets.UTF_8);
        int length = out.length;

        URL url = new URL("https://login.microsoftonline.com/login.srf");
        URLConnection con = url.openConnection();
        HttpURLConnection http = (HttpURLConnection) con;

        http.setRequestMethod("POST");
        http.setDoOutput(true);
        http.setInstanceFollowRedirects(true);
        http.setFixedLengthStreamingMode(length);
        http.setRequestProperty("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
        http.setRequestProperty("User-agent", "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.215 Safari/535.1");
        http.connect();
        try (OutputStream os = http.getOutputStream()) {
            os.write(out);
        }
        // The response body is the HTML that step 5 parses for the SAML token
        String responseHtml = new String(http.getInputStream().readAllBytes(), StandardCharsets.UTF_8);


5) You'll have the saml Token in the response. You'll have to parse an html file again.


6) You'll get the sharepoint siteUrl in step 3 or 4 and do this next :)

    // Apache HttpClient 4.x; the client's cookie store keeps whatever SharePoint sets
    CloseableHttpClient httpclient = HttpClients.createDefault();
    HttpContext httpContext = new BasicHttpContext();

    HttpPost httpPost = new HttpPost(siteUrl + "_forms/default.aspx?wa=wsignin1.0");
    // The token from step 5 goes in form field "t"; URL-encode it, since base64 contains '+' and '='
    byte[] utf8TokenStringBytes = ("t=" + URLEncoder.encode(samlToken, StandardCharsets.UTF_8)).getBytes(StandardCharsets.UTF_8);
    HttpEntity entity = new ByteArrayEntity(utf8TokenStringBytes);
    httpPost.setEntity(entity);
    httpPost.setHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
    httpPost.setHeader("User-agent", "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.215 Safari/535.1");

    HttpResponse response = httpclient.execute(httpPost, httpContext);
    // The session cookies SharePoint sets are now held in httpclient's cookie store


If everything is ok, you'll have some cookie headers that you can use :D
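Steps 3 to 6 of the answer hinge on scraping the auto-submit forms (the wa/wctx/wresult form, then the form carrying the token t) and re-posting their fields. As an added example, not code from the original answer, here is a parser for those forms that percent-encodes the XML wresult and base64 t values properly (plain string concatenation corrupts both) and refuses to post a harvested token to any host outside an allowlist. The ALLOWED_FORM_HOSTS entries and STEP3_HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit

# Hosts a harvested token may be posted to. Constructed allowlist: substitute the
# real login host and the customer's SharePoint host (assumption, not from the post).
ALLOWED_FORM_HOSTS = {"login.microsoftonline.com", "sharepoint.example.com"}


class AutoPostForm(HTMLParser):
    """Collects the action and hidden inputs of the first <form> on an auto-submit page."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action", "")
        elif tag == "input" and self.action is not None and a.get("name"):
            # HTMLParser already decodes &lt; &quot; etc. in attribute values
            self.fields[a["name"]] = a.get("value") or ""


def next_hop(html, required):
    """Return (action_url, body) for re-posting the fields; refuse unexpected hosts."""
    p = AutoPostForm()
    p.feed(html)
    p.close()
    if p.action is None:
        raise ValueError("no <form> in response")
    host = urlsplit(p.action).hostname
    if host not in ALLOWED_FORM_HOSTS:  # never send the token to an arbitrary action URL
        raise ValueError(f"refusing to post a token to {host!r}")
    missing = [k for k in required if k not in p.fields]
    if missing:
        raise ValueError(f"form lacks fields {missing}")
    # urlencode percent-encodes the XML in wresult and '+'/'=' in base64 tokens;
    # plain concatenation ("wresult=" + value) would corrupt both.
    return p.action, urlencode({k: p.fields[k] for k in required})


# Constructed stand-in for the step-3 HTML (not a real capture).
STEP3_HTML = """<html><body onload="document.forms[0].submit()">
<form method="POST" action="https://login.microsoftonline.com/login.srf">
<input type="hidden" name="wa" value="wsignin1.0">
<input type="hidden" name="wctx" value="ctx+1/2">
<input type="hidden" name="wresult" value="&lt;t:RequestSecurityTokenResponse/&gt;">
</form></body></html>"""
```

Call next_hop(STEP3_HTML, ["wa", "wctx", "wresult"]) for step 4 and next_hop(step5_html, ["t"]) for step 6; the same function serves both hops.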
