authenticate to SharePoint through OKTA from back-end service


Question

I have a need to programmatically connect to a customer's SharePoint server that uses OKTA for authentication. I saw this post which looked promising, but cannot seem to get a valid session cookie back from OKTA.

I can successfully call the /api/v1/authn endpoint and get back a sessionToken, but when I turn around and call /api/v1/sessions?additionalFields=cookieToken with that session token, I always receive a 403 - Forbidden with the following json:

{ 
"errorCode": "E0000005", 
"errorSummary": "Invalid Session", 
"errorLink": "E0000005", 
"errorId": "oaew0udr2ElRfCnZvBFt075SA", 
"errorCauses": [] 
}

Assuming I can get this resolved, I'm not sure of the URL I should call with the cookieToken. Is the url an OKTA endpoint that will redirect to SharePoint, or is it a SharePoint endpoint that will set up the session with the cookie?

Update: I am able to call this okta endpoint -> /api/v1/sessions?additionalFields=cookieToken with my user credentials as json

{ 
"username": "user@email.com",
"password": "P@ssw0rd"
}

And am able to retrieve a one-time cookie token that can be used with this link to start a SAML session in a browser:

https://[mydomain].okta.com/login/sessionCookieRedirect?redirectUrl=[sharepoint site url]&token=[cookie token]

That works in a browser, the user is automatically authenticated and ends up in SharePoint. However, it seems that this session "setup" is at least partly achieved through javascript as executing the same link in a programmatic HTTP client (such as Apache HTTP Client) does not work. The http client is sent through a couple of redirects and ends up in the SharePoint site, but the user is not authenticated. The response is 403 - Forbidden with the following headers:

403 - Forbidden

Content-Type -> text/plain; charset=utf-8
Server -> Microsoft-IIS/8.5
X-SharePointHealthScore -> 0
SPRequestGuid -> 0ecd7b9d-c346-9081-cac4-43e41f3b159a
request-id -> 0ecd7b9d-c346-9081-cac4-43e41f3b159a
X-Forms_Based_Auth_Required -> https://[sharepoint site]/_login/autosignin.aspx?ReturnUrl=/_layouts/15/error.aspx
X-Forms_Based_Auth_Return_Url -> https://[sharepoint site]/_layouts/15/error.aspx
X-MSDAVEXT_Error -> 917656; Access denied. Before opening files in this location, you must first browse to the web site and select the option to login automatically.
X-Powered-By -> ASP.NET
MicrosoftSharePointTeamServices -> 15.0.0.4709
X-Content-Type-Options -> nosniff
X-MS-InvokeApp -> 1; RequireReadOnly
Date -> Fri, 13 May 2016 15:02:38 GMT
Content-Length -> 13

I'm starting to wonder if this is a lost cause, that OKTA or SharePoint doesn't support programmatic authentication via SAML.

Answer

It is possible.

Here is what I did.

1) Get your sessionToken from Okta. You'll need an okta authorization token for that.

2) Do a HttpGet(sharepointEmbeddedLink + "?onetimetoken=" + sessionToken). Also add this header: new BasicHeader(AUTHORIZATION, String.format("SSWS %s", OKTA_AUTHORIZATION_TOKEN));

3) Next you'll have to parse the html response and get the SAML Arguments: WRESULT, WCTX, WA

4) Next do this - take those 3 and create a string in this format "application/x-www-form-urlencoded". It will be something like this "wa=wsignin1.0&wctx=somevalue&wresult=somevalue".

        // Imports this snippet needs
        import java.io.OutputStream;
        import java.net.HttpURLConnection;
        import java.net.URL;
        import java.net.URLConnection;
        import java.nio.charset.StandardCharsets;

        // theStringAbove is the form body from step 4, e.g. "wa=wsignin1.0&wctx=...&wresult=..." (values URL-encoded)
        byte[] out = theStringAbove.getBytes(StandardCharsets.UTF_8);
        int length = out.length;

        URL url = new URL("https://login.microsoftonline.com/login.srf");
        URLConnection con = url.openConnection();
        HttpURLConnection http = (HttpURLConnection) con;

        http.setRequestMethod("POST"); // the WS-Fed form is submitted with POST
        http.setDoOutput(true);
        http.setInstanceFollowRedirects(true);
        http.setFixedLengthStreamingMode(length);
        http.setRequestProperty("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
        http.setRequestProperty("User-agent", "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.215 Safari/535.1");
        http.connect();
        try (OutputStream body = http.getOutputStream()) {
            body.write(out); // send the form; the HTML response for step 5 is then read from http.getInputStream()
        }

5) You'll have the saml Token in the response. You'll have to parse an html file again.

6) You'll get the sharepoint siteUrl in step3 or 4 and do this next :)

    // Apache HttpClient 4.x; the context's cookie store keeps the cookies set during the earlier steps
    CloseableHttpClient httpclient = HttpClients.createDefault();
    HttpClientContext httpContext = HttpClientContext.create();

    HttpPost httpPost = new HttpPost(siteUrl + "_forms/default.aspx?wa=wsignin1.0"); // siteUrl ends with "/"
    byte[] utf8TokenStringBytes = ("t=" + samlToken).getBytes(StandardCharsets.UTF_8); // URL-encode samlToken if it contains '+', '/' or '='
    HttpEntity entity = new ByteArrayEntity(utf8TokenStringBytes);
    httpPost.setEntity(entity);
    httpPost.setHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
    httpPost.setHeader("User-agent", "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.215 Safari/535.1");

    HttpResponse response = httpclient.execute(httpPost, httpContext);
    // On success the SharePoint session cookies are in httpContext.getCookieStore()

If everything is ok, you'll have some cookie headers that you can use :D
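The six steps of the answer wired together in one class, as an added example that is not the answerer's code. It uses Apache HttpClient 4.x throughout so one cookie store carries the Okta, Azure AD and SharePoint cookies across every request, which is what a browser does implicitly and what the question's hand-rolled redirect chain lacked. Assumptions: the Okta org URL, the SSWS API token, the SharePoint app embed link and the user credentials are supplied by the caller (read from environment variables in main; none of these values come from the page); the forms returned in steps 2 and 5 are located by their own action attribute rather than hard-coding login.srf and _forms/default.aspx; and the hidden-field parser, the JSON escaping and the error checks are this example's, not the answer's.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.regex.*;
import org.apache.http.HttpHeaders;
import org.apache.http.NameValuePair;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.BasicCookieStore;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.util.EntityUtils;

/** Added example, not the answerer's code: Okta authn -> WS-Fed form -> SharePoint session cookies. */
public class OktaSharePointLogin {
    private static final Pattern INPUT_TAG = Pattern.compile("<input\\b[^>]*>", Pattern.CASE_INSENSITIVE);
    private static final Pattern NAME_ATTR = Pattern.compile("\\bname=\"([^\"]*)\"", Pattern.CASE_INSENSITIVE);
    private static final Pattern VALUE_ATTR = Pattern.compile("\\bvalue=\"([^\"]*)\"", Pattern.CASE_INSENSITIVE);
    private static final Pattern FORM_ACTION = Pattern.compile("<form\\b[^>]*\\baction=\"([^\"]*)\"", Pattern.CASE_INSENSITIVE);
    private static final Pattern SESSION_TOKEN = Pattern.compile("\"sessionToken\"\\s*:\\s*\"([^\"]+)\"");

    private final CloseableHttpClient client = HttpClients.createDefault();
    private final BasicCookieStore cookies = new BasicCookieStore(); // carries Okta, AAD and SharePoint cookies across steps
    private final HttpClientContext ctx = HttpClientContext.create();
    { ctx.setCookieStore(cookies); }

    /** Steps 1-6 of the answer; returns the cookie store SharePoint filled. Every URL and secret is caller-supplied. */
    public BasicCookieStore login(String oktaOrg, String oktaApiToken, String embedLink, String user, String password)
            throws IOException {
        // Step 1: primary authentication. The JSON body is built by hand, so escape the JSON metacharacters.
        HttpPost authn = new HttpPost(oktaOrg + "/api/v1/authn");
        authn.setEntity(new StringEntity("{\"username\":\"" + json(user) + "\",\"password\":\"" + json(password) + "\"}",
                ContentType.APPLICATION_JSON));
        String sessionToken = firstGroup(SESSION_TOKEN, send(authn), "sessionToken");
        // Step 2: open the app embed link with the one-time token; Okta answers with an auto-submitting WS-Fed form.
        HttpGet embed = new HttpGet(embedLink + (embedLink.contains("?") ? "&" : "?") + "onetimetoken=" + sessionToken);
        embed.setHeader(HttpHeaders.AUTHORIZATION, "SSWS " + oktaApiToken);
        String wsFedForm = send(embed);
        // Steps 3-4: collect wa/wctx/wresult and replay them, URL-encoded, to the form's own action URL.
        Map<String, String> fields = hiddenFields(wsFedForm);
        if (!fields.keySet().containsAll(Arrays.asList("wa", "wctx", "wresult")))
            throw new IOException("WS-Fed form is missing wa/wctx/wresult; got " + fields.keySet());
        String tokenForm = send(formPost(firstGroup(FORM_ACTION, wsFedForm, "form action"), fields));
        // Steps 5-6: the next form carries the token in field "t"; posting it to its action (the site's
        // _forms/default.aspx?wa=wsignin1.0) makes SharePoint issue its session cookies.
        Map<String, String> tokenFields = hiddenFields(tokenForm);
        if (!tokenFields.containsKey("t")) throw new IOException("token form has no field t; got " + tokenFields.keySet());
        send(formPost(firstGroup(FORM_ACTION, tokenForm, "form action"), tokenFields));
        return cookies;
    }

    private String send(HttpUriRequest req) throws IOException {
        // SharePoint's forms-auth path treats non-browser agents differently (see the X-MSDAVEXT_Error in the question).
        req.setHeader(HttpHeaders.USER_AGENT, "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/100.0 Safari/537.36");
        try (CloseableHttpResponse resp = client.execute(req, ctx)) {
            int status = resp.getStatusLine().getStatusCode();
            String body = resp.getEntity() == null ? "" : EntityUtils.toString(resp.getEntity(), StandardCharsets.UTF_8);
            if (status >= 400) throw new IOException("HTTP " + status + " from " + req.getURI());
            return body;
        }
    }
    private static HttpPost formPost(String action, Map<String, String> fields) {
        List<NameValuePair> pairs = new ArrayList<>();
        fields.forEach((k, v) -> pairs.add(new BasicNameValuePair(k, v)));
        HttpPost post = new HttpPost(action);
        post.setEntity(new UrlEncodedFormEntity(pairs, StandardCharsets.UTF_8)); // percent-encodes wresult's XML
        return post;
    }
    // name/value of every input element; wresult arrives HTML-entity-encoded, so decode the common entities.
    static Map<String, String> hiddenFields(String html) {
        Map<String, String> out = new LinkedHashMap<>();
        Matcher tag = INPUT_TAG.matcher(html);
        while (tag.find()) {
            Matcher n = NAME_ATTR.matcher(tag.group()), v = VALUE_ATTR.matcher(tag.group());
            if (n.find() && v.find()) out.put(n.group(1), v.group(1).replace("&quot;", "\"").replace("&lt;", "<")
                    .replace("&gt;", ">").replace("&#39;", "'").replace("&amp;", "&"));
        }
        return out;
    }
    private static String firstGroup(Pattern p, String text, String what) throws IOException {
        Matcher m = p.matcher(text);
        if (!m.find()) throw new IOException("response did not contain " + what);
        return m.group(1);
    }
    private static String json(String s) { return s.replace("\\", "\\\\").replace("\"", "\\\""); }

    public static void main(String[] args) throws IOException {
        // Constructed placeholder inputs read from the environment; no value here comes from the original page.
        BasicCookieStore c = new OktaSharePointLogin().login(System.getenv("OKTA_ORG"), System.getenv("OKTA_API_TOKEN"),
                System.getenv("SP_EMBED_LINK"), System.getenv("SP_USER"), System.getenv("SP_PASSWORD"));
        c.getCookies().forEach(k -> System.out.println(k.getDomain() + " " + k.getName())); // names only; values are credentials
    }
}
```

Two things differ from the answer's snippets on purpose. UrlEncodedFormEntity percent-encodes the wresult value, which is a block of XML that the plain string concatenation in step 4 would send unencoded; and the cookies returned by login are the same bearer credentials a browser session would hold, so they belong wherever the password is kept and not in logs, which is why main prints cookie names only.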
