Identity Providers

K2 Cloud supports using different Identity Providers (IdPs) that you can use to authenticate and authorize users in your environment. For example, you may have a repository of user accounts in Google, and you want these users to use their Google logins to authenticate against and use your environment.

An Azure Active Directory (Azure AD) tenant is required to integrate with. If you don't have such a tenant, contact Nintex Customer Central to create one for you. If Nintex creates an Azure AD tenant for you, it becomes your responsibility and requires the same security measures you would apply to your own environments.

There are two main aspects for Identity Providers in K2 Cloud:

  • Provisioning of user information from an identity store to the product.
    The product leverages the System for Cross-domain Identity Management (SCIM) specification to provision/retrieve user information from SCIM 2.0-compliant IdPs that support OAuth Bearer tokens. Using SCIM to synchronize user identities from your identity store to the product requires that you implement a SCIM provider application that calls the K2 SCIM endpoint. For reference information to create a SCIM provider to pass user identity information to the K2 SCIM endpoint, see the SCIM integration with an Identity Provider: Manual/Custom approach and the SCIM API Reference topics.
  • Authenticating users when they log in to applications.
    The product leverages OpenID Connect (OIDC), which is an authentication layer on top of OAuth 2.0. This mechanism allows the product to authenticate users against IdPs that support OIDC.

While the product uses OIDC OAuth flow, it does not support every authentication provider supported by OIDC.

For more on the architecture of Identity Providers in the product, please see the topic Identity Providers Architecture.

  • To configure an Identity Provider for your K2 Cloud environment:
    1. Contact Support to have your Identity Provider onboarded to your environments. As part of this process, you must provide the support team with information for an 'admin' user for each domain you want to add to your the product subscription. You need to provide the following information for each Identity Provider and each domain you want to enable in your the product subscription:
      • The name of the Identity Provider (e.g. Google, Azure Active Directory, etc.)
      • For each Identity Provider domain to be registered, provide information for the admin user that will be used to authenticate with the product to perform the SCIM synchronization:
        • Admin user Fully-Qualified Name
        • Admin user Full Name
        • Admin user Email
        • Admin user Phone Number
      • For Okta, create an app in Okta to provide the following information:
        • Client secret
        • Client ID
      • Only one Okta domain can be connected at a time.
        Every Okta integration requires two apps to be configured in Okta. The first (described below) is to provide the client secret and client ID to the onboarding team, and the second is for integration with the product. The second app is documented in the topic Configuring Okta SCIM integration for K2 Cloud.
      • For PingFederate, provide support with the following information:
        • Client Secret
        • Client ID
      • For onelogin, create an app in onelogin to provide the following information:
        • Client ID

        • Client Secret

        • Domain Name

        • KUID - Environment unique identifier

        • Admin user name (onelogin)

    2. You will receive a .json file configured with values for the specified Identity Provider and domain.
    3. Use this json file or the information in the json file to create a SCIM application in your Identity Provider that synchronizes user identity information between the Identity Provider and the product. See the topic SCIM integration with an Identity Provider: Manual/Custom approach for more information on how to build the SCIM application. Note that other users will only be able to authenticate with the product once the initial user synchronization has completed, and the SCIM application should send updated user information to the product as necessary to keep user information synchronized.