Claims and OAuth Configuration for SharePoint 2013
Configuring OAuth and claims should be handled for you by the installation and configuration of K2 blackpearl. If you are integrating with SharePoint 2013, the K2 for SharePoint app must be used to configure your environment. Manual configuration is not possible.
Use the K2 Management site, and specifically the Authentication node, to view and managed your Claims and OAuth settings.
For more information about Site Realms see Introduction to Multi-Auth.
For specific information on how to configure K2 blackpearl and K2 smartforms for specific identity providers, see the following topics:
If you want to modify OAuth and Claims settings without using a UI, you can use the SQL script examples below. Note that these contain values from a fictitious company called Denallix. You will have to replace these values with actual values from your environment. The values that must be replaced include:
Claims Configuration
You need the following values for configuring claims:
- Identity.AddIssuer
- Name: The name of the issuer.
- Issuer: The issuer.
- Thumbprint: The thumbprint of the issuer. Can be retrieved using the attached script.
- Description (optional): The description of the issuer.
- Uri: The URI of the issuer.
- UseForLogin: Shows the name of this issuer on the SmartForms login page if true.
- Identity.AddClaimTypeMapping
- SecurityLabel: If configuring a third-party WS-Federation-based SAML identity provider, you must register a custom security provider with a unique label.
- ClaimTypeInfo (True/False): If you want to have groups in your idP (like SharePoint), you should set this to True. Note: There can't be two claim type mappings with the same label, the same value for ClaimTypeInfo (true in this case), and Nii. These three properties must be unique across all labels.
- Nii (NamedIdentityIssuer): The named identity issuer. Use the attached script to discover this. Note: This is not necessary for SharePoint 2010 and is only relevant to SharePoint 2013.
- GroupSPSTSRSTR (typically c:0+.w for Windows authentication): The prefix of groups in SharePoint for this claim mapping. Note that the Everyone group does not have the proper prefix. The w in the example and in the example below stands for Windows.
- UserSPSTSRSTR (typically i:o#.w for Windows authentication): The prefix for user logins in SharePoint for this claim mapping. Use the attached script to get an idea of what these are for your environment.
- Identity.AddRealm (Note: If you have SmartForms installed you will see at least three entries in the ClaimAudience table.
These correspond to the design, runtime and view flow applications. View flow is necessary to configure so that users can be authenticated with the view flow site. The other two are only necessary if you're running SmartForms, and are probably setup for you correctly but are included here for completeness.)
- RealmUri: The identifier for the realm (typically the address of the resource).
- HomeRealm (typically NULL): If you have multiple identity providers for a given STS, you can specify a default idP here. It will always go to that idP.
- Freshness (typically 0): Indicates the upper bound of the credential's age in minutes. A value of zero means that the STS should immediately verify the identity or use the minimum age credentials possible when verification is not possible.
- SignOutReplyUri (always NULL): Not used.
- PersistentCookiesOnPassiveRedirects (typically True/1): If set to true, the cookie is persisted across browser sessions.
- ReplyUri (typically the relative part of RealmUri): The default reply URI.
Do not manually update the K2 database tables unless instructed to do so by K2 Support.
Download the PowerShell script that returns the current claims configuration GetClaimsConfig.zip.
Configuring OAuth
For more information see the KB article KB001702 - How to configure OAuth in K2.
To configure OAuth you must add the following items:
- Resource Type: Use the [Authorization].[AddOAuthResourceType] stored procedure.
- Resource Type Parameters: Use the [Authorization].[AddOAuthResourceTypeParameter] stored procedure. This stored proc requires many parameters that can be found in the procedure. Use an existing OAuth resource as well as knowledge of the resource you're setting up to determine which parameters you need to specify. The out-of-the-box resources, such as SharePoint, SharePoint S2S and Azure Active Directory have specific parameters that you can use as examples. Find these in the Authorization.OAuthResourceTypeParameter table.
- Resource: The resource is the instance of the resource type. You must register an instance of a resource type to then fill in the values of the resource type parameters.
- Resource Values: The values of the resource type parameters.
Supported Configurations
The following configurations are supported by K2. Check the table below to see which architecture best fits your environment. A generic claims-enabled line of business (LOB) system must be manually configured.
- Claims-enabled LOB: Must be manually configured
- The claims configuration resides in the K2 database.
- It is highly recommended that you use K2 Management to configure OAuth and Claims.
- SharePoint
| Version | Authentication | Configuration |
|---|---|---|
| SharePoint 2010 | Windows | None |
| SharePoint 2010 | Claims (Windows, Forms or Trusted Identity Provider (IdP)) | Manual Configuration or Script |
| SharePoint 2013 | Claims (Windows) | Run the Registration Wizard |
| SharePoint 2013 | Azure Active Directory | Run the Registration Wizard |
| SharePoint 2013 | Claims (Forms or Trusted Identity Provider (IdP)) | Manual Configuration or Script |