Claims Authentication Configuration (K2 blackpearl Installation and Configuration Guide)
The K2 Installer creates a claims-based authentication configuration during the installation process. The configuration is stored in the K2 Database and can be managed through the configuration settings forms in the K2 Designer installed with K2 smartforms. This release adds support for multiple authentication (Multi-Auth). See the K2 smartforms Claims and OAuth section for more information.
Prior to K2 blackpearl 4.6.7, the claims configuration supported a single Claims authentication connection and was configured in various config files. This legacy section is kept for those needing to find those configuration settings and those customers who have not upgraded to K2 blackpearl 4.6.7 or later.
K2 allows for the use of incoming claims from SharePoint 2010 claims authentication enabled sites. K2 must be configured to register the SharePoint Security Token Service (STS) certificates and map the incoming claims that contain user and group information to the appropriate K2 User Manager. This section explains the configuration settings required and how to determine them.
The configurations are added as a <configuration><sourcecode.security.claims> section in the K2HostServer.config file. The physical path to this file is [Installation Directory]\Host Server\Bin\K2HostServer.config.
Example
The following example is for the fictitious Denallix.com SharePoint claims based site on a single server with user mappings configured for Windows (Active Directory), Forms (LDAP) and a Trusted Provider (AD FS for LDAP).
```xml
<sourcecode.security.claims>
  <!-- The combination of issuers and claimTypeMappings allows K2 to ensure incoming claims are valid and have not been tampered with -->
  <issuers>
    <!-- An entry for each certificate (signing or encrypting) for a trusted STS -->
    <issuer name="SharePoint Security Token Service" thumbprint="8BD27388714EC92EA0433BE660BA7698430CE4FF" />
    <issuer name="SharePoint Security Token Service Encryption" thumbprint="54722E70106DF64E48DD2FF2AFC8BC4F8DE231B1" />
  </issuers>
  <claimTypeMappings>
    <!-- K2ADFS Security/Role Provider for Trusted Provider -->
    <claimTypeMapping securityLabel="K2ADFS">
      <!-- Claim that represents the system issuing the identity and role claims to be mapped to the K2 security label -->
      <identityProviderClaim originalIssuer="SecurityTokenService" claimType="http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider" claimValue="trusted:ADFS LDAP" />
      <!-- Claim that represents the user for the K2 security label -->
      <identityClaim originalIssuer="TrustedProvider:ADFS LDAP" claimType="http://schemas.k2.com/identity/claims/name" />
      <!-- Claim that represents the groups for the K2 security label -->
      <roleClaim originalIssuer="TrustedProvider:ADFS LDAP" claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" />
    </claimTypeMapping>
    <!-- K2 Security/Role Provider for Windows Authentication -->
    <claimTypeMapping securityLabel="K2">
      <!-- Claim that represents the system issuing the identity and role claims to be mapped to the K2 security label -->
      <identityProviderClaim originalIssuer="SecurityTokenService" claimType="http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider" claimValue="windows" />
      <!-- Claim that represents the user for the K2 security label -->
      <identityClaim originalIssuer="Windows" claimType="http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname" />
      <!-- Claim that represents the groups for the K2 security label -->
      <roleClaim originalIssuer="Windows" claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" />
    </claimTypeMapping>
    <!-- K2FORMS Security/Role Provider for Forms Authentication -->
    <claimTypeMapping securityLabel="K2FORMS">
      <!-- Claim that represents the system issuing the identity and role claims to be mapped to the K2 security label -->
      <identityProviderClaim originalIssuer="SecurityTokenService" claimType="http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider" claimValue="forms:LdapMembershipProvider" />
      <!-- Claim that represents the user for the K2 security label -->
      <identityClaim originalIssuer="Forms:LdapMembershipProvider" claimType="http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname" />
      <!-- Claim that represents the groups for the K2 security label -->
      <roleClaim originalIssuer="Forms:LdapRoleProvider" claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" />
    </claimTypeMapping>
  </claimTypeMappings>
</sourcecode.security.claims>
```
K2 supports a one-to-many mapping between K2 and the certificates that the SharePoint STS uses to sign (SharePoint Security Token Service) and encrypt (SharePoint Security Token Service Encryption) the security tokens it issues. The default installation of SharePoint will generate and store individual certificates for both signing and encrypting on each server in the farm. The image highlights the values required for an <issuer> entry – the name and thumbprint for each individual signing and encrypting certificate for the STS.
K2 recommends a one-to-one mapping between a K2 User Manager (UM) and an incoming claim set Identity Provider (IP). Each <claimTypeMapping> will contain an entry for the Security Label of the associated K2 UM and three claim types to be mapped from the IP: Identity Provider, Identity and Role.
It is recommended that one K2 User Manager is mapped to a single Identity Provider. However, if more than one mapping is required, the runtime resolution of users is determined by the order in which they are registered in the <sourcecode.security.claims> configuration. Furthermore, it is recommended that the Windows Identity Provider, typically used for service accounts only, be the last one registered in the <sourcecode.security.claims> configuration.
The image below highlights the values required for a <claimTypeMapping>. Each claimTypeMapping requires a unique K2 UM securityLabel. The identityProviderClaim requires an originalIssuer, claimType and claimValue to be configured, while the identityClaim and roleClaim require only an originalIssuer and claimType.
Legend
1 Identity Provider
2 Identity
3 Role
K2 requires the claimType for the identityClaim to match the claim mapping configured in SharePoint as the Identifier Claim. The K2 Server Configuration section provides automatic and manual approaches that aid in configuring the appropriate identity claim type mapping for K2.
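The following Python script is an added example and is not part of the K2 documentation or the K2 product. It parses the Denallix section shown above (trimmed here to the ADFS and Windows mappings), applies the checks this page describes (well-formed issuer thumbprints, unique securityLabel values, the three required claims per mapping, identityClaim claimType matching the SharePoint Identifier Claim, and the Windows provider registered last) and then simulates the order-dependent runtime resolution of an incoming claim set. The function names, the `sp_identifier_claims` argument and the two incoming claim sets are constructed for illustration and are not K2 APIs.

```python
import re
import xml.etree.ElementTree as ET

# Claim types used by the mappings (taken from the example configuration on this page).
IDP_CLAIM = "http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider"
LOGON_CLAIM = "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname"
K2_NAME_CLAIM = "http://schemas.k2.com/identity/claims/name"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
GROUPSID_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"

# Constructed sample: the Denallix section from this page, trimmed to the ADFS and Windows mappings.
CONFIG_XML = f"""<sourcecode.security.claims>
  <issuers>
    <issuer name="SharePoint Security Token Service" thumbprint="8BD27388714EC92EA0433BE660BA7698430CE4FF" />
    <issuer name="SharePoint Security Token Service Encryption" thumbprint="54722E70106DF64E48DD2FF2AFC8BC4F8DE231B1" />
  </issuers>
  <claimTypeMappings>
    <claimTypeMapping securityLabel="K2ADFS">
      <identityProviderClaim originalIssuer="SecurityTokenService" claimType="{IDP_CLAIM}" claimValue="trusted:ADFS LDAP" />
      <identityClaim originalIssuer="TrustedProvider:ADFS LDAP" claimType="{K2_NAME_CLAIM}" />
      <roleClaim originalIssuer="TrustedProvider:ADFS LDAP" claimType="{ROLE_CLAIM}" />
    </claimTypeMapping>
    <claimTypeMapping securityLabel="K2">
      <identityProviderClaim originalIssuer="SecurityTokenService" claimType="{IDP_CLAIM}" claimValue="windows" />
      <identityClaim originalIssuer="Windows" claimType="{LOGON_CLAIM}" />
      <roleClaim originalIssuer="Windows" claimType="{GROUPSID_CLAIM}" />
    </claimTypeMapping>
  </claimTypeMappings>
</sourcecode.security.claims>"""

THUMBPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")


def load_config(xml_text):
    """Parse the section into (issuers, mappings); mappings keep their registration order."""
    root = ET.fromstring(xml_text)
    issuers = [(i.get("name"), i.get("thumbprint")) for i in root.find("issuers")]
    mappings = [{"label": m.get("securityLabel"),
                 "provider": m.find("identityProviderClaim").attrib,
                 "identity": m.find("identityClaim").attrib,
                 "role": m.find("roleClaim").attrib}
                for m in root.find("claimTypeMappings")]
    return issuers, mappings


def check_config(issuers, mappings, sp_identifier_claims):
    """Return a list of problems (empty when the section passes). sp_identifier_claims (assumed input)
    maps an identityProviderClaim claimValue to the Identifier Claim type SharePoint uses for that provider."""
    problems = []
    for name, thumbprint in issuers:
        # A thumbprint pasted from the certificate MMC often carries spaces or a hidden leading character.
        if not THUMBPRINT_RE.match(thumbprint or ""):
            problems.append(f"issuer '{name}': thumbprint is not 40 hex digits")
    labels = [m["label"] for m in mappings]
    if len(labels) != len(set(labels)):
        problems.append("securityLabel values must be unique")
    for m in mappings:
        for part in ("provider", "identity", "role"):
            if not (m[part].get("originalIssuer") and m[part].get("claimType")):
                problems.append(f"{m['label']}: {part} claim needs originalIssuer and claimType")
        provider_value = m["provider"].get("claimValue")
        if not provider_value:
            problems.append(f"{m['label']}: identityProviderClaim needs claimValue")
        expected = sp_identifier_claims.get(provider_value)
        if expected and m["identity"].get("claimType") != expected:
            problems.append(f"{m['label']}: identityClaim claimType does not match the SharePoint Identifier Claim")
    # Resolution walks the mappings in order, so the Windows provider (service accounts) belongs last.
    windows = [i for i, m in enumerate(mappings) if m["provider"].get("claimValue") == "windows"]
    if windows and windows[0] != len(mappings) - 1:
        problems.append("Windows identity provider mapping should be registered last")
    return problems


def resolve(mappings, claims):
    """Simulate runtime resolution: the first mapping, in registration order, whose identityProviderClaim
    is present in the incoming (originalIssuer, claimType, value) claims wins. Returns (label, user, roles)."""
    for m in mappings:
        p = m["provider"]
        if (p["originalIssuer"], p["claimType"], p["claimValue"]) not in claims:
            continue
        ident, role = m["identity"], m["role"]
        users = [v for iss, ct, v in claims if (iss, ct) == (ident["originalIssuer"], ident["claimType"])]
        roles = [v for iss, ct, v in claims if (iss, ct) == (role["originalIssuer"], role["claimType"])]
        if users:
            return m["label"], users[0], roles
    return None


# Constructed incoming claim sets, shaped like what SharePoint presents after the STS validates a token.
ADFS_CLAIMS = [
    ("SecurityTokenService", IDP_CLAIM, "trusted:ADFS LDAP"),
    ("TrustedProvider:ADFS LDAP", K2_NAME_CLAIM, "anthony"),
    ("TrustedProvider:ADFS LDAP", ROLE_CLAIM, "Sales"),
    ("TrustedProvider:ADFS LDAP", ROLE_CLAIM, "Finance"),
]
WINDOWS_CLAIMS = [
    ("SecurityTokenService", IDP_CLAIM, "windows"),
    ("Windows", LOGON_CLAIM, "DENALLIX\\k2service"),
    ("Windows", GROUPSID_CLAIM, "S-1-5-21-1000-2000-3000-1107"),
]

if __name__ == "__main__":
    issuers, mappings = load_config(CONFIG_XML)
    print(check_config(issuers, mappings, {"trusted:ADFS LDAP": K2_NAME_CLAIM}))
    print(resolve(mappings, ADFS_CLAIMS), resolve(mappings, WINDOWS_CLAIMS))
```

Run against the configuration as registered, `check_config` returns an empty list and `resolve` maps the ADFS token to the K2ADFS label and the Windows token to the K2 label. Reversing the two mappings makes `check_config` flag the Windows provider, which is the ordering caveat from the note above; a token whose identityProviderClaim matches none of the mappings (for example a forms:LdapMembershipProvider token against this trimmed section) resolves to `None`, which is the symptom to look for when a user is authenticated by SharePoint but unknown to K2.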
The <sourcecode.security.claims> section must be manually added to the K2HostServer.config file. The values for the section, however, can be generated automatically or determined manually. The automatic approach is recommended.
The automatic approach requires the PowerShell scripts available as a download for this topic. The scripts interrogate a SharePoint 2010 claims configuration and generate the complete <sourcecode.security.claims> configuration section for K2HostServer.config.
SharePoint Central Administration
Run these commands on the SharePoint Central Administration server, or on the single server in a single-server farm configuration.
SharePoint Web Front Ends
Additionally, run these commands on the SharePoint web front ends for multi-server farm configurations.
Download: You can download the SourceCode.Security.Claims sample scripts by clicking here or by downloading the zip from the help.k2.com site (http://help.k2.com/onlinehelp/k2blackpearl/icg/current/webframe.html#SourceCode.Security.Claims.zip).
The manual approach requires extensive knowledge of the SharePoint claims configuration and, optionally, the use of the community-provided SourceCode.Samples.Claims.WebPart.
The image below highlights the values required in K2HostServer.config as returned by the SourceCode.Samples.Claims.WebPart.
Legend
1 Identity Provider
2 Identity
3 Role
```powershell
(Get-SPServiceApplication -Name SecurityTokenServiceApplication).SigningCertificateThumbprint
(Get-SPServiceApplication -Name SecurityTokenServiceApplication).EncryptionCertificateThumbprint
```
Download: You can download the SourceCode.Sample.Claims.WebParts sample scripts by clicking here.
The SourceCode.Sample.Claims.WebPart is provided as an example only.