Can you add a sample for Exchange 2013-OWA login? #33
Comments
@AlistairDoswald, can anybody help?
@AaronYaoCN We've tried the module with several ws-fed clients, but not Exchange 2013-OWA. I'm guessing that you posted the logs from Exchange, but do you have any logs from Keycloak during the login sequence? It would also help if you told me how the login sequence goes for you. For example, do you get to the Keycloak login screen? Another question: have you got Keycloak with the wsfed module to work with another ws-fed service provider (client in Keycloak parlance), so that you can rule out a misconfiguration of Keycloak? On my end I don't know if I have an Exchange 2013-OWA available for testing, but I'll see what I can do.
@AlistairDoswald, thanks a lot for your reply. In fact, I have tried the following steps myself: (1) I have got the keycloak-wsfed module to work with idp-test-client, proving that I have a good keycloak-wsfed service. There are so many details in the integration with Exchange-OWA, so I hope you can give an example like the one for SharePoint; that would be good for us. Thanks again!
@AlistairDoswald, can I get some suggestions?
@AaronYaoCN There are a few steps within your description which I find strange, and that maybe you can investigate further:
@AaronYaoCN Is it correct that in your ADFS case the Exchange-OWA is configured to expect a claim with the name upn, and with the Keycloak case the Exchange-OWA is configured to expect a claim with the name upngg?
@AlistairDoswald, thanks for your analysis. In fact, "upngg" is just my debug info for testing. It is not the reason for the 440 error. After I carefully compared the authentication steps between ADFS and keycloak-wsfed, I found that one step ADFS has was the key one. Between steps (12) and (13), ADFS will respond with a 302 to the browser and let it send the GET Login-Request again. I then followed ADFS and let keycloak-wsfed respond with a Login-Request to the browser before step (13), and I logged in to Exchange-OWA successfully. The 440 error disappeared and the logout was OK, too. My problem is solved now. Thanks for your help again.
@AaronFromCN, please can you share the complete steps for Exchange 2013 OWA?
Would need the steps to integrate on Exchange Server 2016/13 OWA too, please.
I managed to log in to OWA 2013 using this module, but now I have a problem when logging out. Anyway, I'll try to explain the config I have done in case it's useful for anyone. And if someone can help me to solve the logout issue it would be most welcome.
1.- Create and configure the LDAP User Federation with the domain. Then create a new LDAP Mapper inside
2.- Create a new Authentication Flow. (I have not been able to use Forms Authentication for what I think is a referrer problem)
3.- Create and configure the client overriding the Authentication Browser Flow
4.- Configure a Mapper on the client to pass the AD's userPrincipalName as an attribute named "upn"
5.- On the Exchange server, you have to add to the "Trusted Root CAs" the certificate that you get here:
6.- Configure Exchange to use ADFS Authentication with the Exchange Management Shell:
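An added example, not the commenter's own commands and not part of the project: one way to carry out the Exchange-side steps 5 and 6 above with the standard Exchange Management Shell cmdlets. Every value in angle brackets is a placeholder, and the issuer URL of the Keycloak realm is an assumption you must replace with your own.

```powershell
# Placeholders (assumptions, not values from this thread)
$issuer      = 'https://<keycloak-host>/<ws-fed endpoint of your realm>'
$owaUrl      = 'https://<exchange-host>/owa/'
$ecpUrl      = 'https://<exchange-host>/ecp/'
$certSubject = '<subject of the realm signing certificate>'

# Step 5 check: the signing certificate must already be trusted by this server.
$cert = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$certSubject*" }
if (@($cert).Count -ne 1) {
    throw "Expected exactly one matching certificate in LocalMachine\Root, found $(@($cert).Count)."
}

# Step 6: tell the organization which issuer signs the tokens and which
# audience URIs (OWA and ECP) it should accept them for.
Set-OrganizationConfig -AdfsIssuer $issuer `
    -AdfsAudienceUris $owaUrl, $ecpUrl `
    -AdfsSignCertificateThumbprint $cert.Thumbprint

# Switch ECP first, then OWA, to claims authentication only.
$authOff = @{
    BasicAuthentication   = $false
    DigestAuthentication  = $false
    FormsAuthentication   = $false
    WindowsAuthentication = $false
}
Get-EcpVirtualDirectory -Server $env:COMPUTERNAME |
    Set-EcpVirtualDirectory -AdfsAuthentication $true @authOff
Get-OwaVirtualDirectory -Server $env:COMPUTERNAME |
    Set-OwaVirtualDirectory -AdfsAuthentication $true @authOff

# The virtual directory changes take effect after IIS restarts.
Restart-Service W3SVC, WAS -Force

# Verify what Exchange will enforce on the next login.
Get-OrganizationConfig |
    Format-List AdfsIssuer, AdfsAudienceUris, AdfsSignCertificateThumbprint
Get-OwaVirtualDirectory -Server $env:COMPUTERNAME |
    Format-List Identity, AdfsAuthentication, FormsAuthentication
```

The audience URIs must match the realm/audience the Keycloak client is registered with, and the token must carry the "upn" attribute from step 4.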
Hello guys! Is there any progress? I'm trying to connect ws-fed 8.0.1 with Exchange 2016, every time without success.
@AaronFromCN @Quebrantos I also ended up with the 440 error. What was done from your end to fix this issue?
Currently, the WS-Fed module has only been tested with SharePoint 2013. It should also be tested at least with Exchange 2013-OWA.
I tried to do it myself, but encountered 440 "Login Timeout":
ModuleName: ADFSFederationAuthModule
Notification: AUTHENTICATE_REQUEST
HttpStatus: 440
HttpReason: Login Timeout
HttpSubStatus: 0
ErrorCode: The operation completed successfully. (0x0)
ConfigExceptionInfo:
Can I get some help? Thanks so much!