Office 365: how to pass an Okta assertion to the Microsoft STS to get an authentication token


We use Okta as the IdP for Microsoft Office 365 and for a PHP-based web application. From PHP, we need to make REST API calls to fetch SharePoint content by authenticating with the Okta authentication token.

So, according to [link], a SAML assertion can be sent to the Microsoft Online STS to obtain an authentication token, which can then be used to get the authentication cookie from SharePoint. When we pass the Okta assertion to the Microsoft Online STS, it throws an error saying the assertion is invalid. We cannot find the exact reason why the assertion is invalid.

The SOAP envelope we send to the Microsoft Online STS is:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
</a:Action>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">https://login.microsoftonline.com/extSTS.srf</a:To>
<o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema" s:mustUnderstand="1">
<o:SecurityTokenReference xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<o:Embedded>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="id29170470933790951475177561" IssueInstant="2015-04-27T22:35:53.492Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/issueID</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id29170470933790951475177561">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>...</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
...
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
...
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">email@example.com</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="" NotOnOrAfter="2015-04-27T22:40:53.492Z" Recipient=""/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" NotBefore="2015-04-27T22:30:53.492Z" NotOnOrAfter="2015-04-27T22:40:53.492Z">
<saml2:AudienceRestriction>
<saml2:Audience>...</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" AuthnInstant="2015-04-27T22:35:53.492Z" SessionIndex="">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">email@example.com</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</o:Embedded>
</o:SecurityTokenReference>
</o:Security>
</s:Header>
<s:Body>
<t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<a:EndpointReference>
<a:Address/>
</a:EndpointReference>
</wsp:AppliesTo>
<t:KeyType>
http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey
</t:KeyType>
<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
<t:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</t:TokenType>
</t:RequestSecurityToken>
</s:Body>
</s:Envelope>


Until recently this was an undocumented mess.

But someone on the SharePoint engineering side has finally written a worthwhile blog post here:

The blog provides a PowerShell script that obtains the SPOIDCRL cookie for a user (which "logs in" as that user when making requests to SharePoint).

Here is the PowerShell summary from that blog:


So look at the PowerShell's Get BinarySecurityToken method. That will show you how to convert the SAML assertion into a binary security token. Then follow the code path to see how the binary security token is converted into the SPOIDCRL cookie, and you're good to go.
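As an added example (not code from the question, the answer, or the blog post the answer cites), here is Python that does two things around the exchange discussed above: it pre-checks the SAML assertion's Conditions (validity window and audience) before the assertion is sent to extSTS.srf, and it extracts the BinarySecurityToken from the RSTR the STS returns, which is the value the answer says gets turned into the SPOIDCRL cookie. The RSTR element layout and the audience value urn:federation:MicrosoftOnline are assumptions, and both sample documents are constructed.

```python
# Added example (not code from the question, the answer or the blog it cites): pre-check the SAML
# Conditions before the assertion goes to extSTS.srf, then pull the BinarySecurityToken out of the
# RSTR (the value the answer says becomes the SPOIDCRL cookie). Assumed: the RSTR layout and the
# audience urn:federation:MicrosoftOnline; both sample documents below are constructed.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wst": "http://schemas.xmlsoap.org/ws/2005/02/trust",
}

def _ts(value):  # SAML UTC timestamp with trailing Z, fractional seconds optional
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def check_assertion(assertion_xml, now):
    """Reasons the STS can be expected to reject the assertion ([] = usable); the signature is the STS's job."""
    cond = ET.fromstring(assertion_xml).find("saml2:Conditions", NS)
    if cond is None:
        return ["no Conditions element"]
    problems = []
    if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
        problems.append("not yet valid (NotBefore)")
    if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
        problems.append("expired (NotOnOrAfter)")
    if not cond.findtext("saml2:AudienceRestriction/saml2:Audience", "", NS).strip():
        problems.append("empty Audience")
    return problems

def extract_binary_token(rstr_xml):
    """BinarySecurityToken text from an RSTR; raises on a SOAP Fault or a missing token."""
    root = ET.fromstring(rstr_xml)
    if root.find("s:Body/s:Fault", NS) is not None:
        raise RuntimeError("STS returned a SOAP Fault instead of a token")
    tok = root.find("s:Body/wst:RequestSecurityTokenResponse/wst:RequestedSecurityToken/"
                    "wsse:BinarySecurityToken", NS)
    if tok is None or not (tok.text or "").strip():
        raise RuntimeError("no BinarySecurityToken in RSTR")
    return tok.text.strip()
# Constructed samples; the assertion reuses the ten-minute validity window from the question.
SAMPLE_ASSERTION = ('<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml2:Conditions NotBefore="2015-04-27T22:30:53.492Z" NotOnOrAfter="2015-04-27T22:40:53.492Z">'
    '<saml2:AudienceRestriction><saml2:Audience>urn:federation:MicrosoftOnline</saml2:Audience>'
    '</saml2:AudienceRestriction></saml2:Conditions></saml2:Assertion>')
SAMPLE_RSTR = ('<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"><S:Body>'
    '<wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">'
    '<wst:RequestedSecurityToken><wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/'
    'wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">t=CONSTRUCTED&amp;p=</wsse:BinarySecurityToken>'
    '</wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse></S:Body></S:Envelope>')
```

A real run would POST the question's envelope to https://login.microsoftonline.com/extSTS.srf and hand the response body to extract_binary_token(); an expired or audience-less assertion is worth catching with check_assertion() before that round trip.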

Hey @praju, can you share the request XML you send to Ping to get the SAML assertion as part of this question?