Claims and OAuth Configuration for SharePoint

You need the following values for configuring claims:

• Identity.AddIssuer
  
  • Name: The name of the issuer.
  • Issuer: The issuer.
  • Thumbprint: The thumbprint of the issuer. Can be retrieved using the attached script.
  • Description (optional): The description of the issuer.
  • Uri: The URI of the issuer.
  • UseForLogin: Shows the name of this issuer on the SmartForms login page if true.
• Identity.AddClaimTypeMapping
  
  • SecurityLabel: If configuring a third-party WS-Federation-based SAML identity provider, you must register a custom security provider with a unique label.
  • ClaimTypeInfo (True/False): If you want to have groups in your idP (like SharePoint), you should set this to True. Note: There can't be two claim type mappings with the same label, the same value for ClaimTypeInfo (true in this case), and NamedIdentityIssuer. These three properties must be unique across all labels.
  • Nii (NamedIdentityIssuer): The named identity issuer. Use the attached script to discover this. Note: The value for NamedIdentityIssuer is case sensitive.
  • GroupSPSTSRSTR (typically c:0+.w for Windows authentication): The prefix of groups in SharePoint for this claim mapping. Note that the Everyone group does not have the proper prefix. The w in the example and in the example below stands for Windows.
  • UserSPSTSRSTR (typically i:o#.w for Windows authentication): The prefix for user logins in SharePoint for this claim mapping. Use the attached script to get an idea of what these are for your environment.
• Identity.AddRealm
  • RealmUri: The identifier for the realm (typically the address of the resource).
  • HomeRealm (typically NULL): If you have multiple identity providers for a given STS, you can specify a default idP here. It will always go to that idP.
  • Freshness (typically 0): Indicates the upper bound of the credential's age in minutes. A value of zero means that the STS should immediately verify the identity or use the minimum age credentials possible when verification is not possible.
  • SignOutReplyUri (always NULL): Not used.
  • PersistentCookiesOnPassiveRedirects (typically True/1): If set to true, the cookie is persisted across browser sessions.
  • ReplyUri (typically the relative part of RealmUri): The default reply URI.

  In a default K2 installation you will see at least four entries in the ClaimAudience table. These correspond to the Design, Runtime, Identity, and View Flow applications.

  • View Flow is necessary to configure so that users can be authenticated with the view flow site.
  • Design and Runtime are necessary for SmartForms, and are probably setup for you correctly but are included here for completeness.
  • Identity is necessary for when SmartForms requests an OAuth token for a SmartObject, the user is authenticated against the K2 Identity/Authorize/OAuth/2/ and Identity/token/OAuth/2/ endpoints.

Download the PowerShell script that returns the current claims configuration GetClaimsConfig.zip.

To configure OAuth you must add the following items:

• Resource Type: Use the [Authorization].[AddOAuthResourceType] stored procedure.
• Resource Type Parameters: Use the [Authorization].[AddOAuthResourceTypeParameter] stored procedure. This stored proc requires many parameters that can be found in the procedure. Use an existing OAuth resource as well as knowledge of the resource you're setting up to determine which parameters you need to specify. The out-of-the-box resources, such as SharePoint, SharePoint S2S and Azure Active Directory have specific parameters that you can use as examples. Find these in the Authorization.OAuthResourceTypeParameter table.
• Resource: The resource is the instance of the resource type. You must register an instance of a resource type to then fill in the values of the resource type parameters.
• Resource Values: The values of the resource type parameters.

The following configurations are supported by K2. Check the table below to see which architecture best fits your environment. A generic claims-enabled line of business (LOB) system must be manually configured.

• Claims-enabled LOB: Must be manually configured
  
  • The claims configuration resides in the K2 database.
  • It is highly recommended that you use K2 Management to configure OAuth and Claims.
• SharePoint