Single Sign On between SharePoint 2010 and .NET Web App (both using Claims)


Problem description


We are testing an SSO scenario between different Web Apps and Sharepoint 2010 using ADFS and external IdPs. SSO works fine between WFE and also from WFE to Sharepoint. However it seems that SharePoint clobbers the FedAuth cookie with its own FedAuth cookie, and SSO afterwards does not work anymore. The error we got is
ID4230: The SecurityToken was not well formed. Expecting element name 'SecurityContextToken', found 'SP'.


Stack Trace:

[SecurityTokenException: ID4230: The SecurityToken was not well formed. Expecting element name 'SecurityContextToken', found 'SP'.]
   Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +1537
   Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver) +118
   Microsoft.IdentityModel.Web.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[] sessionCookie) +316
   Microsoft.IdentityModel.Web.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +124
   Microsoft.IdentityModel.Web.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +61
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +266

Is using a separate URL for the SharePoint site a way to resolve this conflict?

Recommended answer


Can you explain your URL structure and cookie path structure? It is important to know that every RP gets its own token that will get serialized into a unique cookie by the app but will likely have the same name. If your cookies overlap, mayhem ensues. Thus, you must ensure that they do not. You typically do this by using unique host names for all of your apps or barring that, have non-overlapping paths and carefully set cookie paths. You also should not set the domain on the cookie to scope it to the same DNS domain of other RPs. That is generally very bad.

I hope that helps!
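As an added example, not code from the thread or from WIF/SharePoint, the following models the RFC 6265 cookie scoping rules the answer relies on and audits a set of relying parties for FedAuth cookie overlap; the host names, paths and the RelyingParty/audit helpers are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class RelyingParty:
    name: str
    host: str                            # host name the browser talks to
    app_path: str                        # path prefix the app answers on
    cookie_path: str = "/"               # Path attribute on Set-Cookie (WIF default)
    cookie_domain: Optional[str] = None  # Domain attribute; None means host-only cookie
    cookie_name: str = "FedAuth"         # WIF and SharePoint 2010 both use this name

def domain_matches(request_host: str, rp: RelyingParty) -> bool:
    """RFC 6265 5.1.3: host-only cookies return only to the issuing host; a Domain
    attribute also covers every subdomain, which is why the answer warns against it."""
    if rp.cookie_domain is None:
        return request_host == rp.host
    domain = rp.cookie_domain.lstrip(".")
    return request_host == domain or request_host.endswith("." + domain)

def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match; Path=/ matches every request on the host."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def foreign_cookies(rps: List[RelyingParty], target: RelyingParty) -> List[str]:
    """Other RPs whose same-named cookie the browser would attach to a request for
    target's root, i.e. tokens target's SessionAuthenticationModule cannot parse."""
    return sorted(rp.name for rp in rps
                  if rp is not target and rp.cookie_name == target.cookie_name
                  and domain_matches(target.host, rp)
                  and path_matches(target.app_path, rp.cookie_path))

def audit(rps: List[RelyingParty]) -> Dict[str, List[str]]:
    """Map each RP to the RPs colliding with it; an empty dict means the layout is clean."""
    return {rp.name: hits for rp in rps if (hits := foreign_cookies(rps, rp))}

# Constructed layouts: the question's setup (SharePoint at the root and the .NET app under
# /app on one host), the answer's fix (one host per RP), and its anti-pattern (shared Domain).
SAME_HOST = [RelyingParty("SharePoint", "portal.example.com", "/"),
             RelyingParty("WebApp", "portal.example.com", "/app", cookie_path="/app")]
SPLIT_HOSTS = [RelyingParty("SharePoint", "sp.example.com", "/"),
               RelyingParty("WebApp", "app.example.com", "/app", cookie_path="/app")]
SHARED_DOMAIN = [RelyingParty("SharePoint", "sp.example.com", "/", cookie_domain=".example.com"),
                 RelyingParty("WebApp", "app.example.com", "/app", cookie_path="/app",
                              cookie_domain=".example.com")]
```

Running `audit` on the three layouts shows that only the split-host layout is clean: with a shared host or a shared Domain attribute, the app under /app receives SharePoint's root-scoped FedAuth cookie, which is the ID4230 situation in the question.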


这篇关于SharePoint 2010和.NET Web App之间的单一登录(均使用声明)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆