Forum Discussion
Third party oidc authentication with SPSE failed
By looking at the log, your SharePoint version (16.0.14326.20620) is not the latest; our fix is in the March PU.
Could you please have a try with the March PU? You can get the latest PU from: https://docs.microsoft.com/en-us/officeupdates/sharepoint-updates
As you suggested, after the March update, Keycloak and SP-SE integration worked. But this time portal pages (modern experience sites) throw JS errors. I think I have to start a new discussion. Thanks again.
- TroyStarr, Aug 29, 2022
Microsoft
Hi ictotum, you can open a support case by going to https://support.microsoft.com/contactus, then clicking Show expanded list of products, then clicking SharePoint Server. The cost to open a support case will depend on the type of support contract your organization has with Microsoft.
- ictotum, Aug 29, 2022
Copper Contributor
How's that? Is it free? How can I open it? Thanks
- Steve Zhang, Aug 29, 2022
Microsoft
Would you mind opening a support ticket with us for your specific problem? We will be able to follow up with you.
And also adding TroyStarr here as well.
- ictotum, Aug 04, 2022
Copper Contributor
It seems you can help me with an issue with another third party... Forgerock. Do I have to open a new discussion? I'll try to list it here... SE is configured with 3 values: 1) claim to map (EmailAddress), 2) metadata URL (has everything there), 3) client ID. I don't know if the auth provider team should do something else; they told me the claim they treat is "email", not "EmailAddress", maybe that's the issue? The authentication error, in SharePoint, is... the claim is void or not recognized.
LOGS >
"No identity provider claim on the identity..."
"Initialized session revocation members. Auth instant: 'null'. IAT: 'null'. ValidFrom: 'null'. Operation type: '' ..."
"Initialize session attributes: Did not find any. Current value: 'None'..."
"Trusted login provider is not sending configured input identity claim type..."
"Throwing fault exception because there is no identity claim..."
"An exception occurred when trying to issue security token: The trusted login provider did not supply a token accepted by this farm"
- benjamin8733, Mar 22, 2022
Copper Contributor
Thanks so much jinzhong he! Knowing you got it working helped me get to the bottom of our issue.
On our Keycloak instances (latest 17.0.0 Quarkus version), in a new test realm, the default for "Access Token Lifespan" is set to 5 minutes. (For reference, on ADFS, this same value defaults to 60 minutes.)
This is usually all fine, as many apps (excluding SharePoint) we've tested on both Keycloak and ADFS work fine with either IdP at the default timeouts.
But SharePoint has an odd behavior, in that by default: "when there are less than 10 minutes left in the lifetime SharePoint considers it expired" (quote from https://sharepoint.stackexchange.com/users/3338/infotekka at https://sharepoint.stackexchange.com/questions/79864/sharepoint-2013-adfs-login-local-token-cache-always-expired )
The ULS logs confirmed the issue after sso login: "Found matching token cache entry but it's token is expired."
So SharePoint was rejecting the token as expired immediately after the successful SSO login from Keycloak had completed. Adjusting the Keycloak realm setting for "Access Token Lifespan" to 60 minutes, up from the default 5 minutes, fixed our issue. Login to SharePoint is now working correctly against Keycloak.
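To make the two failure modes in this thread concrete (the identity claim type mismatch in ictotum's Forgerock post, where the IdP sends "email" but SharePoint is configured for "EmailAddress", and the 10-minute expiry window described in the post above), here is an added Python example; it is not code from any poster, from Keycloak or from SharePoint. It inspects a constructed, unsigned demo token, and the claim names, timestamps and fixed 10-minute window are assumptions taken from the posts.

```python
import base64
import json

# SharePoint treats a cached logon token as expired once fewer than this many
# seconds of lifetime remain (the 10-minute window quoted in the thread above).
SHAREPOINT_EXPIRY_WINDOW_SECONDS = 10 * 60

def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_demo_token(iat: int, lifespan_seconds: int, claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg 'none') purely for the checks below.
    A real Keycloak token is signed; never accept an unsigned token in production."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"iat": iat, "exp": iat + lifespan_seconds, **claims}
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}."

def decode_claims(token: str) -> dict:
    """Return the payload claims. This only inspects what the IdP issued; it does
    no signature verification and must not be used to accept a login."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def remaining_lifetime(token: str, now: int) -> int:
    """Seconds left before 'exp' at Unix time `now` (negative if already past)."""
    return int(decode_claims(token)["exp"]) - now

def sharepoint_would_reject(token: str, now: int) -> bool:
    """True when SharePoint's 10-minute window makes the token count as expired,
    i.e. the ULS message 'Found matching token cache entry but it's token is expired.'"""
    return remaining_lifetime(token, now) < SHAREPOINT_EXPIRY_WINDOW_SECONDS

def identity_claim_present(token: str, configured_claim_type: str) -> bool:
    """Does the token carry the claim type SharePoint is configured to use as its
    identity claim? A mismatch (IdP sends 'email', SharePoint expects 'EmailAddress')
    is what produces 'No identity provider claim on the identity' in the ULS logs."""
    return configured_claim_type in decode_claims(token)

if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed timestamp
    short = make_demo_token(issued_at, 5 * 60, {"email": "user@example.test"})
    print("5-minute token rejected one second after login:", sharepoint_would_reject(short, issued_at + 1))
    print("'EmailAddress' claim present:", identity_claim_present(short, "EmailAddress"))
```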
- jinzhong he, Mar 21, 2022
Copper Contributor
The client scopes were the default (email, profile, etc.). The IdentifierClaim I used on the SharePoint side was the UPN, and on the Keycloak side, I mapped username to upn.
- benjamin8733, Mar 18, 2022
Copper Contributor
Could you list what client scopes and mappers you've configured in Keycloak to get this to work, and what claim type you've configured on the SharePoint side to receive those claims?
So far I've been unsuccessful in getting Keycloak to work with SPSE, although now the token is validating correctly (per the ULS logs) since the March CU, so it appears I'm missing some critical claims for SharePoint to grant access.
Currently I'm attempting to use "email" as the claim on both sides to match.
- jinzhong he, Mar 18, 2022
Copper Contributor
benjamin8733, see the attached screenshot.
You need to create token mappers for username mapping.
- benjamin8733, Mar 17, 2022
Copper Contributor
Would you mind posting a screenshot or an export of your SharePoint client config inside of Keycloak now that you've got it working? Or even just an example access or ID token that has the claims you added to get it working?
Thanks for anything you can provide to help us out!
- jinzhong he, Mar 16, 2022
Copper Contributor
The March PU worked. Thanks.
- Steve Zhang, Mar 16, 2022
Microsoft
It's good to know the fix really works. For the page JS errors, yes, we can start another new discussion with a new post.