Configuration
Configuring OAuth and claims should be handled for you by the installation and configuration of K2 blackpearl. If you are integrating with SharePoint 2013, the K2 for SharePoint App should be used to configure your environment. Manual configuration is possible but not recommended.
If you have SmartForms installed you can get to the following forms for managing OAuth and Claims settings:
- Manage Resource Types: [SmartForms URL]/Runtime/Runtime/Form/Manage+Resource+Types/
- Manage Resources (instances): [SmartForms URL]/Runtime/Runtime/Form/Manage+OAuth+Resources/
- Manage Tokens: [SmartForms URL]/Runtime/Runtime/Form/Manage+OAuth+Tokens/
- Manage Claims: [SmartForms URL]/Runtime/Runtime/Form/Manage+Claims/
- Manage Issuers: [SmartForms URL]/Runtime/Runtime/Form/Manage+Issuers/
- Manage Site Realms: [SmartForms URL]/Runtime/Runtime/Form/Manage+Site+Realms/
You can also browse to these forms by going to the K2 Designer and clicking All Items > System > Management > Security > Forms.
For more information about Site Realms see Introduction to Multi-Auth in the SmartForms User Guide.
For information on how to configure K2 blackpearl and K2 smartforms for specific systems, see the following topics in the SmartForms User Guide:
- Configure SmartForms for AAD
- Configure SmartForms for SQLUM
- Configure SmartForms for AD FS
If you do not have SmartForms installed and you need to manually modify OAuth and Claims settings, you can use the SQL script examples below. Note that these contain values from a fictitious company called Denallix. You will have to replace these values with actual values from your environment. The values that must be replaced include:
Claims Configuration
You need the following values for configuring claims:
- Name: The name of the issuer.
- Issuer: The issuer.
- Thumbprint: The thumbprint of the issuer. Can be retrieved using the attached script.
- Description (optional): The description of the issuer.
- Uri: The URI of the issuer.
- UseForLogin: Surfaces the name of this issuer on the SmartForms login page if true.
- Identity.AddClaimTypeMapping
- SecurityLabel: If configuring a third-party WS-Federation-based SAML identity provider, you must register a custom security provider with a unique label.
- ClaimTypeInfo (True/False): Set this to True if your IdP exposes groups (as SharePoint does). Note: No two claim type mappings may share the same SecurityLabel, the same ClaimTypeInfo value (True in this case) and the same Nii; the combination of these three properties must be unique across all labels.
- Nii (NamedIdentityIssuer): The named identity issuer. Use the attached script to discover this. Note: This is not necessary for SharePoint 2010 and is only relevant to SharePoint 2013.
- GroupSPSTSRSTR (typically c:0+.w for Windows authentication): The prefix of groups in SharePoint for this claim mapping. Note that the Everyone group does not have the proper prefix. The w in the typical value and in the script below stands for Windows.
- UserSPSTSRSTR (typically i:0#.w for Windows authentication): The prefix for user logins in SharePoint for this claim mapping. Use the attached script to get an idea of what these are for your environment.
- Identity.AddRealm (Note: If you have SmartForms installed you will see at least three entries in the ClaimAudience table. These correspond to the Designer, Runtime and View Flow applications. The View Flow realm must be configured so that users can be authenticated with the View Flow site. The other two are only necessary if you're running SmartForms, and are probably set up for you correctly, but are included here for completeness.)
- RealmUri: The identifier for the realm (typically the address of the resource).
- HomeRealm (typically NULL): If you have multiple identity providers for a given STS, you can specify a default IdP here. Authentication requests for this realm will always be sent to that IdP.
- Freshness (typically 0): Indicates the upper bound of the credential's age in minutes. A value of zero means that the STS should immediately verify the identity or use the minimum age credentials possible when verification is not possible.
- SignOutReplyUri (always NULL): Not used.
- PersistentCookiesOnPassiveRedirects (typically True/1): If set to true, the cookie is persisted across browser sessions.
- ReplyUri (typically the relative part of RealmUri): The default reply URI.
USE [K2]
GO
-- Register the issuer; the procedure returns the new issuer id.
DECLARE @IssId INT
EXEC @IssId = [Identity].[AddIssuer] @Name='Your STS',
    @Issuer='YourSTS', @Thumbprint='THUMBPRINT',
    @Description=NULL, @Uri='http://yourURI.com/something',
    @UseForLogin=1
-- Map the issuer's claims to SharePoint user/group prefixes (ClaimTypeInfo=1 means True).
EXEC [Identity].[AddClaimTypeMapping] @IssuerId=@IssId,
    @SecurityLabel='K2', @ClaimTypeInfo=1,
    @Nii='urn:office.idp.activedirectory',
    @GroupSPSTSRSTR='c:0+.w', @UserSPSTSRSTR='i:0#.w'
-- One realm per K2 web application: View Flow, Designer and Runtime.
EXEC [Identity].[AddRealm] @IssuerId=@IssId,
    @RealmUri='https://k2.denallix.com/ViewFlow/', @HomeRealm=NULL,
    @Freshness=0, @SignOutReplyUri=NULL,
    @PersistentCookiesOnPassiveRedirects=1, @ReplyUri='/ViewFlow/'
EXEC [Identity].[AddRealm] @IssuerId=@IssId,
    @RealmUri='https://k2.denallix.com/Designer/', @HomeRealm=NULL,
    @Freshness=0, @SignOutReplyUri=NULL,
    @PersistentCookiesOnPassiveRedirects=1, @ReplyUri='/Designer/'
EXEC [Identity].[AddRealm] @IssuerId=@IssId,
    @RealmUri='https://k2.denallix.com/Runtime/', @HomeRealm=NULL,
    @Freshness=0, @SignOutReplyUri=NULL,
    @PersistentCookiesOnPassiveRedirects=1, @ReplyUri='/Runtime/'
Note: Do not manually update the K2 database tables unless instructed to do so by K2 Support.
Download the PowerShell script that returns the current claims configuration GetClaimsConfig.zip (or manually download it from http://help.k2.com/helppages/K2blackpearIICG4.6.8/GetClaimsConfig.zip)
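The GroupSPSTSRSTR and UserSPSTSRSTR values above are the leading part of SharePoint's encoded claim logins. The following helper, added here as an example and not part of the K2 documentation or the GetClaimsConfig script, parses a constructed set of encoded logins and groups the prefixes by original issuer, so you can read off the pair to use per identity provider and see why the Everyone group does not fall under the Windows prefix. The issuer letters are an assumption based on the SharePoint claims encoding scheme.

```python
import re
from collections import defaultdict

# Original-issuer characters of the SharePoint claims encoding (assumed from the
# documented scheme): 'w' Windows, 's' SharePoint STS, 't' trusted provider
# such as AD FS, 'f' forms. Named issuers carry a "|provider" segment next.
ISSUERS = {"w": "windows", "s": "sharepoint-sts", "t": "trusted-provider", "f": "forms"}
NAMED_ISSUERS = {"t", "f", "m", "r", "c"}

# <i|c>:0<claim type><value type><issuer>|<rest>, e.g. i:0#.w|DOMAIN\user
_ENCODED = re.compile(r"^([ic]):0(.)(.)(.)\|(.*)$")


def parse_claim(encoded):
    """Return (kind, issuer, prefix, value) or None for a non-claims login."""
    m = _ENCODED.match(encoded)
    if not m:
        return None
    kind_char, claim_type, value_type, issuer, rest = m.groups()
    prefix = f"{kind_char}:0{claim_type}{value_type}{issuer}"
    value = rest
    if issuer in NAMED_ISSUERS:          # e.g. i:05.t|adfs|bob@denallix.com
        provider, _, value = rest.partition("|")
        prefix = f"{prefix}|{provider}"
    kind = "user" if kind_char == "i" else "group"   # i: identity, c: other claim
    return kind, ISSUERS.get(issuer, issuer), prefix, value


def prefixes_by_issuer(logins):
    """Group the UserSPSTSRSTR / GroupSPSTSRSTR candidates by original issuer."""
    out = defaultdict(lambda: {"user": set(), "group": set()})
    for login in logins:
        parsed = parse_claim(login)
        if parsed is None:
            continue                      # classic login or unknown format
        kind, issuer, prefix, _ = parsed
        out[issuer][kind].add(prefix)
    return dict(out)


# Constructed sample logins in the form SharePoint stores them.
SAMPLE_LOGINS = [
    r"i:0#.w|DENALLIX\bob",
    "c:0+.w|S-1-5-21-1234567890-1234567890-1234567890-513",
    "c:0(.s|true",                        # Everyone: issued by the STS, not Windows
    "i:05.t|adfs|bob@denallix.com",
    r"DENALLIX\classic",                  # not claims-encoded, skipped
]

if __name__ == "__main__":
    for issuer, kinds in sorted(prefixes_by_issuer(SAMPLE_LOGINS).items()):
        print(issuer, kinds)
```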
Configuring OAuth
To configure OAuth you must add the following items:
- Resource Type: Use the [Authorization].[AddOAuthResourceType] stored procedure.
- Resource Type Parameters: Use the [Authorization].[AddOAuthResourceTypeParameter] stored procedure. This stored procedure requires many parameters, which are listed in the procedure definition. Use an existing OAuth resource, together with your knowledge of the resource you are setting up, to determine which parameters you need to specify. The out-of-the-box resources, such as SharePoint, SharePoint S2S and Azure Active Directory, have specific parameters that you can use as examples. Find these in the Authorization.OAuthResourceTypeParameter table.
- Resource: The resource is the instance of the resource type. You must register an instance of a resource type to then fill in the values of the resource type parameters.
- Resource Values: The values of the resource type parameters.