Single Sign-On - Supported Scenarios
 |
The information presented in this topic is optional as there is one SharePoint security provider label available at present. If there is an AD user which has two sets of credentials (windows live ID), then a second label would be needed. |
 |
SSO-based authentication using the SHAREPOINT label to cache credentials is only supported for SharePoint Online. Do not use SSO authentication for SharePoint Content and SharePoint Management service instances for local (on-premise) SharePoint installations. |
- If a user (client) wants to execute one content and one management object via the instances SharePoint Management and the SharePoint Content as one user under one label
Solution:
- The client Active Directory (AD) user account needs cached credentials against the SharePoint client account, the online account needs to exist and have permissions in both Central Administration and the SharePoint site.
- The Extra field requires a valid site URL when caching credentials through Single Sign-On (User Preferences tab in Workspace)
- The Extra field value would be either the main SharePoint site (https://k2.sharepoint.com) or full site URL (https://k2.sharepoint.com/K2QASite) or Central Administration URL (https://portal.microsoftonline.com) – This will allow the client AD user account to execute a ServiceObject against both sites
- If a user (client) wants to execute one content ServiceObject and be blocked executing against a management ServiceObject via the instances SharePoint Management and the SharePoint Content as one user under one label
Solution:
- The client Active Directory user account needs cached credentials against the SharePoint client account, the online account needs to exist and have permissions in the SharePoint site
- The Extra field requires a valid site URL when caching credentials through Single Sign-On (User Preferences tab in Workspace)
- The Extra field value would be either the main site (https://k2.sharepoint.com) or full site URL (https://k2.sharepoint.com/K2QASite) – The online user account must not exist or have permissions in Central Administration to be blocked from executing against the Central Administration site
- In production the administrator [TestAdmin] would need cached credentials against Central Administration and SharePoint site or just Central Administration.
- [TestAdmin] – same as option 1 above
- The Extra field requires a valid site URL when caching credentials through Single Sign-On (User Preferences tab in workspace)
- If you have two separate logins for the cloud (SharePoint site and Central Administration site) and you want to utilize one Active Directory user, then you will be required to create an additional security label
- Example: SHAREPOINT and SPADMIN
Adding an additional security label
SQL script – This is not done during installation
The SharePoint Online provider GUID is used in the query:
Run the following query against the K2HostServer database to add the admin label
DECLARE @LabelGUID uniqueidentifier
SET @LabelGUID = NEWID()
INSERT INTO [HostServer].[SecurityLabel]
([SecurityLabelID]
,[SecurityLabelName]
,[AuthSecurityProviderID]
,[AuthInit]
,[RoleSecurityProviderID]
,[RoleInit]
,[DefaultLabel])
VALUES (@LabelGUID
,N'SPADMIN'
,N'EF4270D2-BF28-4805-BF90-CF7A6BB0D518'
,N'<AuthInit />'
,N'EF4270D2-BF28-4805-BF90-CF7A6BB0D518'
,NULL
,NULL);
The result should look like the following
Restart the K2HostServer service to pick up the newly added label
In Workspace
Cache credentials for admin user against new label [SPADMIN]
Cache credentials against the [SHAREPOINT] label for a user
Security labels cached
