Target: a user opens the mailbox at OWA mail.xiaomi.com, is authenticated by the company's unified single sign-on page, and after that one login can reach every internal system.

![](https://s4.51cto.com/images/blog/202007/17/0fe2277c005d0744a9b4c42727802121.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

Request path: OWA request -> nginx reverse proxy -> mail CAS -> ADFS -> SSO CAS -> ADFS -> user mailbox

1. Install Windows Server 2016
2. Install the ADFS role

![](https://s4.51cto.com/images/blog/202103/24/57952f94d13f45955629b6c93b8f9ff2.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

3. Configure ADFS

![](https://s4.51cto.com/images/blog/202103/24/d94b4dfef18fdf954caa406618451ec2.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
![](https://s4.51cto.com/images/blog/202103/24/2a5d05bf05c96de4360563676d73d31a.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
![](https://s4.51cto.com/images/blog/202103/24/c40168948fd2b38b36099c97eb24f8e8.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
![](https://s4.51cto.com/images/blog/202103/24/2a85d9980d1d12cb5eb4b0f9cf4e113e.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
![](https://s4.51cto.com/images/blog/202103/24/cdf4e6bf11fcbccc6070cc72499c5526.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
![](https://s4.51cto.com/images/blog/202103/24/127597c1ab1c988cb2eadadd493e2b54.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
![](https://s4.51cto.com/images/blog/202103/24/2595137a7206a7a9ad562e5cf5edc8db.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
![](https://s4.51cto.com/images/blog/202103/24/6ba3b4510c0bdc98311b3cbbe07d2671.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

Create the service account

Configure ADFS

![](https://s4.51cto.com/images/blog/202103/24/34bc61af72fcadccb6da7d2efb6e030b.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
![](https://s4.51cto.com/images/blog/202103/24/c95c1a41df160a25e31eebb5c5b30c26.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
![](https://s4.51cto.com/images/blog/202103/24/52e24e89771651f39c8fa9413ff7fa32.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
![](https://s4.51cto.com/images/blog/202103/24/88c638507319b66cfb890a8974a8d65e.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
![](https://s4.51cto.com/images/blog/202103/24/30222d7667eaa723c37753db2433f256.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

Add the second ADFS server to the farm

![](https://s4.51cto.com/images/blog/202103/24/011c2ecb75c4f45a38e4bc108754d0c6.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
![](https://s4.51cto.com/images/blog/202103/24/f78ba0f0b17045dc116ab6b8a9ef9d4f.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
![](https://s4.51cto.com/images/blog/202103/24/9f0d7191626d4ad0e4e4ba8566f876ea.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
![](https://s4.51cto.com/images/blog/202103/24/5d0413dee994edf3869c5da918cbd868.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
![](https://s4.51cto.com/images/blog/202103/24/3e3ea4b634f72bec962740e1907486d3.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

Enable the default sign-on page

![](https://s4.51cto.com/images/blog/202103/24/257a0ea4fcc55691301d7a10ba4544ec.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

CAS must support the SAML 2.0 protocol. Registering ADFS in CAS takes the following steps:

1. Download https://adfs.mioffice.cn/FederationMetadata/2007-06/FederationMetadata.xml and place the file in the SAML configuration directory of CAS.
2. Register ADFS with the JSON Service Registry; the service definition is as follows:

```json
{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId": "http://adfs.mioffice.cn/adfs/services/trust",
  "name": "adfs",
  "id": 10000027,
  "evaluationOrder": 10000027,
  "description": "adfs service",
  "logoutType": "NONE",
  "requiredNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
  "metadataLocation": "/etc/cas/saml/federationmetadata-abcd.xml",
  "signAssertions": true,
  "signResponses": true
}
```

Here `serviceId` is matched against the entityID that ADFS presents (its federation service identifier), `metadataLocation` points at the metadata file downloaded in step 1, and `requiredNameIdFormat` fixes the NameID format that the ADFS claim rule below keys on.

ADFS configuration

Claims provider trust

Steps to add CAS:

![](https://s4.51cto.com/images/blog/202103/24/3dd9a79053bf2be8dc0d0d3969fd1c19.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
![](https://s4.51cto.com/images/blog/202103/24/e9c5c9d0580d7ab69f6640d0f1b4d56c.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
![](https://s4.51cto.com/images/blog/202103/24/6499e0d7f46db9f72c2f9da8a7771fe6.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

When that is done, add the acceptance transform rule shown below. It takes the NameID that CAS sends in the "unspecified" format and reissues it as the windowsaccountname claim that the relying parties expect:

![](https://s4.51cto.com/images/blog/202103/24/42bab05a89b39fdd0108371d19b8614e.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

```
c:[Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Value = c.Value);
```

Relying party trust

![](https://s4.51cto.com/images/blog/202103/24/478c995daaffdb480a92353729615d09.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
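The claims provider trust above and the relying party trusts for OWA and ECP that follow can also be created from PowerShell on the ADFS server instead of through the wizards. The script below is an added example and is not part of the original post. `cas.example.com`, `mail.example.com`, the NetBIOS domain `CONTOSO` and the trust names are placeholders; the CAS metadata path is the one Apereo CAS normally serves and is an assumption; the permit-everyone authorization rule is an assumption about the access policy the GUI steps produce and should be narrowed if only some users may reach OWA.

```powershell
# Added example (not from the original post): create the CAS claims provider
# trust and the OWA/ECP relying party trusts with their claim rules from an
# elevated PowerShell on an ADFS server. Hostnames, domain and trust names are
# placeholders; the CAS metadata path is an assumption.
$casMetadataUrl = 'https://cas.example.com/cas/idp/metadata'
$mailHost       = 'mail.example.com'
$netbiosDomain  = 'CONTOSO'

# Claims provider trust (CAS): the NameID CAS sends in the "unspecified" format
# becomes the windowsaccountname claim the relying parties key on.
$casAcceptanceRules = @'
@RuleName = "NameID to windowsaccountname"
c:[Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Value = c.Value);
'@

if (-not (Get-AdfsClaimsProviderTrust -Name 'cas' -ErrorAction SilentlyContinue)) {
    Add-AdfsClaimsProviderTrust -Name 'cas' -MetadataUrl $casMetadataUrl `
        -AcceptanceTransformRules $casAcceptanceRules
}

# Relying party trusts (OWA, ECP): Exchange needs the user's primary SID and UPN,
# both looked up in AD from the windowsaccountname. The domain prefix is added
# because the account name arriving from CAS carries none.
$rpTransformRules = @"
@RuleName = "ActiveDirectoryUserSID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;$netbiosDomain\{0}", param = c.Value);

@RuleName = "ActiveDirectoryUPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;$netbiosDomain\{0}", param = c.Value);
"@

# ADFS issues no token without an authorization rule. This one permits every
# authenticated user (assumption); on ADFS 2016 the built-in access control
# policy 'Permit everyone' is the equivalent.
$rpAuthorizationRules = @'
@RuleName = "Permit everyone"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

foreach ($app in 'owa', 'ecp') {
    $name       = "Exchange $($app.ToUpper())"
    $identifier = "https://$mailHost/$app"    # must equal the entry given to -AdfsAudienceUris on Exchange
    $endpoint   = "https://$mailHost/$app/"   # WS-Federation passive endpoint, with trailing slash

    if (Get-AdfsRelyingPartyTrust -Name $name) {
        Set-AdfsRelyingPartyTrust -TargetName $name `
            -IssuanceTransformRules $rpTransformRules -IssuanceAuthorizationRules $rpAuthorizationRules
    } else {
        Add-AdfsRelyingPartyTrust -Name $name -Identifier $identifier -WSFedEndpoint $endpoint `
            -IssuanceTransformRules $rpTransformRules -IssuanceAuthorizationRules $rpAuthorizationRules
    }
}

# Read back what ADFS stored so the rule text can be compared with the intent above.
Get-AdfsRelyingPartyTrust -Name 'Exchange OWA', 'Exchange ECP' |
    Select-Object Name, Identifier, WSFedEndpoint, IssuanceTransformRules
```

The relying party identifier is what ends up as the audience of the token, so it has to match, character for character, one of the values later passed to `Set-OrganizationConfig -AdfsAudienceUris` on the Exchange side; a mismatch shows up as a rejected token rather than a clear error.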
![](https://s4.51cto.com/images/blog/202103/24/e688b8b485da52c413439322db806b23.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

Add OWA and ECP (to be completed). Add the following two issuance transform rules to the OWA trust and to the ECP trust respectively; they look up the user's primary SID and UPN in Active Directory from the windowsaccountname claim, prefixing the domain because the name received from CAS has none:

![](https://s4.51cto.com/images/blog/202103/24/12c4398df3a81c418240fd7fccaa88b4.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

```
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), query = ";objectSID;xiaomi\{0}", param = c.Value);

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;xiaomi\{0}", param = c.Value);
```

![](https://s4.51cto.com/images/blog/202103/24/b00ba119e6b79374cfa7023eda1bdb38.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

Then, on the ADFS server, open an administrator PowerShell and run the following command to read the thumbprint of the token-signing certificate:

```powershell
Get-AdfsCertificate -CertificateType Token-Signing
```

![](https://s4.51cto.com/images/blog/202103/24/ef9f960f9b96866cde2a91222b989c84.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

On the Exchange server open the EMS and run the following two cmdlets (the thumbprint is abbreviated here; use the value returned by Get-AdfsCertificate):

```powershell
# Audience URIs must match the relying party identifiers configured in ADFS exactly
$uris = @("https://mail.xiaomi.com/owa", "https://mail.xiaomi.com/ecp")
Set-OrganizationConfig -AdfsIssuer "https://adfs.xiaomi.com/adfs/ls/" -AdfsAudienceUris $uris -AdfsSignCertificateThumbprints "fdfd2-------a9"
```

![](https://s4.51cto.com/images/blog/202103/24/a9e1b288058b02b13171ec71ab4b0f97.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

When that is done, run the following two commands to enable ADFS authentication for Exchange OWA/ECP. Every other authentication method is switched off at the same time, so the virtual directories no longer accept a password directly:

```powershell
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false -OAuthAuthentication $false
```

![](https://s4.51cto.com/images/blog/202103/24/01797510091670de66258a382181d427.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

Afterwards restart IIS with `iisreset`, or with the following cmdlet:

```powershell
Restart-Service W3SVC,WAS -NoForce
```

After the restart, the configuration that enables ADFS authentication for Exchange OWA/ECP is complete. With this, our Exchange is published behind ADFS authentication.
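Two things in the configuration above silently break or weaken later: the token-signing certificate that ADFS rolls over automatically (tokens signed by a certificate whose thumbprint Exchange does not list are rejected, so the new thumbprint has to be added to `-AdfsSignCertificateThumbprints`, which accepts several values, before the rollover), and a virtual directory on some server that still accepts Basic or Forms authentication, which lets a password be presented outside the SSO page. The script below is an added example, not part of the original post, for running in the Exchange Management Shell after the deployment; the metadata URL is a placeholder for your own ADFS farm.

```powershell
# Added example (not from the original post): post-deployment verification run
# from the Exchange Management Shell. It checks that (1) every token-signing
# certificate published in the ADFS federation metadata is listed in
# AdfsSignCertificateThumbprints, and (2) no OWA/ECP virtual directory still
# accepts a non-ADFS login method. The metadata URL is a placeholder.
$MetadataUrl = 'https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml'

function Get-FederationSigningCertificates {
    param([Parameter(Mandatory)][string]$Url)

    [xml]$metadata = (Invoke-WebRequest -Uri $Url -UseBasicParsing).Content
    $ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    # Only KeyDescriptors marked use="signing" sign tokens; encryption keys are irrelevant here.
    $xpath = '//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
    foreach ($node in $metadata.SelectNodes($xpath, $ns)) {
        $raw = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
    }
}

function Test-AdfsSigningTrust {
    param([Parameter(Mandatory)][string]$Url)

    # Thumbprints Exchange currently trusts, normalised to the form X509Certificate2 reports.
    $trusted = @((Get-OrganizationConfig).AdfsSignCertificateThumbprints |
        ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() })

    foreach ($cert in Get-FederationSigningCertificates -Url $Url) {
        [pscustomobject]@{
            Thumbprint        = $cert.Thumbprint
            NotAfter          = $cert.NotAfter
            TrustedByExchange = ($trusted -contains $cert.Thumbprint)
        }
    }
}

# Expected state after the Set-*VirtualDirectory commands: ADFS on, everything else off.
$ExpectedAuth = @{
    AdfsAuthentication    = $true
    BasicAuthentication   = $false
    DigestAuthentication  = $false
    FormsAuthentication   = $false
    WindowsAuthentication = $false
}

function Test-VirtualDirectoryAuth {
    param(
        [Parameter(Mandatory)]$VirtualDirectory,
        [Parameter(Mandatory)][hashtable]$Expected
    )
    # Emit one record per setting that deviates from the expected value.
    foreach ($setting in $Expected.Keys) {
        $actual = $VirtualDirectory.$setting
        if ($actual -ne $Expected[$setting]) {
            [pscustomobject]@{
                Identity = $VirtualDirectory.Identity
                Setting  = $setting
                Expected = $Expected[$setting]
                Actual   = $actual
            }
        }
    }
}

Test-AdfsSigningTrust -Url $MetadataUrl | Format-Table -AutoSize

$drift = @(Get-OwaVirtualDirectory; Get-EcpVirtualDirectory) |
    ForEach-Object { Test-VirtualDirectoryAuth -VirtualDirectory $_ -Expected $ExpectedAuth }

if ($drift) { $drift | Format-Table -AutoSize }
else { 'All OWA/ECP virtual directories accept ADFS authentication only.' }
```

A published signing certificate reported with `TrustedByExchange` false is the case to act on before ADFS promotes it to primary; a drift row means a server, often one added later, was not covered by the `Get-*VirtualDirectory | Set-*VirtualDirectory` pipeline above.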