Introduction to User Managers

K2 requires an association with an identity store and uses a User Manager (UM) to achieve this. Some UMs are available for configuration during installation (for example AD and SQL) while others are only available by configuration after installation (for example LDAP, AAD, and custom user managers).

Definitions

The following key terms are used throughout this section:

User Manager All configurations necessary to associate K2 with an identity store, such as the security provider, security label, authentication provider and role provider.
Security Label Also called the K2 label, the user label, or simply the label, it is the token string prepended to the user’s identity. For example, the label K2 is used for Active Directory users by default, so they appear in the K2 context as K2:[Domain\Username] (the FQN). The label has no meaning outside the K2 platform. The security label identifies a specific instance of an authentication provider and/or role provider.
Security Provider The implementation of an authentication mechanism represented by a set of interfaces for interacting with an identity store and authenticating users located in that store.
Authentication Provider The mechanism that confirms the identity of a user when they log in or interact with services and data sources. User authentication is performed by passing a set of user credentials. Authentication can be integrated or can require a prompt or a web-based form.
Role Provider The mechanism by which users and groups are resolved in K2 from the identity store.
Fully Qualified Name (FQN) The FQN is the user or role value in [Security Label]:[User/Role Name] format used by K2 for authorization such as assigning tasks, interacting with tasks, and assigning permissions. The FQN must be unique across the K2 platform.

K2 prepends the security label for the default user manager when an authentication request occurs without a security label.
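The FQN format and default-label rule above, as an added example that is not K2 code: a small resolver that splits [Security Label]:[User/Role Name], prepends the default label when none is present, and refuses an unconfigured label rather than silently attributing the identity to the default store. The label registry is constructed from the table's default values and is an assumption for this example.

```python
from dataclasses import dataclass

# Constructed registry for this example: security label -> user manager type.
# Which labels actually exist is site-specific (assumption, not K2 config).
DEFAULT_LABEL = "K2"
CONFIGURED_LABELS = {
    "K2": "AD",
    "K2AAD": "AAD",
    "K2ADFS": "ADFS",
    "K2SQL": "SQLUM",
    "K2LDAP": "LDAP",
}


@dataclass(frozen=True)
class Fqn:
    label: str
    name: str

    def __str__(self) -> str:
        return f"{self.label}:{self.name}"


def resolve_fqn(identity: str, labels=CONFIGURED_LABELS, default=DEFAULT_LABEL) -> Fqn:
    """Split '[Label]:[Name]'; prepend the default label when none is given.

    Only the first ':' separates the label, so a name that itself contains
    ':' (possible in a custom store) survives intact.  A prefix that looks
    like a label but is not configured raises instead of being folded into
    the default store, which would misattribute the identity.
    """
    identity = identity.strip()
    if not identity:
        raise ValueError("empty identity")
    label, sep, name = identity.partition(":")
    if not sep:                       # no label at all: apply the default
        return Fqn(default, identity)
    if label not in labels:
        raise ValueError(f"unknown security label {label!r}")
    if not name:
        raise ValueError("missing user/role name after label")
    return Fqn(label, name)


def user_manager_for(fqn: Fqn, labels=CONFIGURED_LABELS) -> str:
    """Return the user manager type that owns this FQN's label."""
    return labels[fqn.label]


def is_valid_fqn(identity: str) -> bool:
    """True when the identity resolves to a configured label."""
    try:
        resolve_fqn(identity)
        return True
    except ValueError:
        return False
```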

Available User Managers

Active Directory (Default): Requires access to an Active Directory domain at functional level Windows 2003 or higher to provide authentication and roles. Active Directory (AD) must be installed and available at installation time to configure the AD user manager.

Azure Active Directory: Requires access to an AAD environment to provide authentication and roles. The AAD user manager can be configured as a non-default user manager; this configuration is performed automatically when registering the K2 for SharePoint app with SharePoint Online.

Active Directory Federated Services: Requires access to an ADFS environment to provide authentication and roles. An ADFS user manager can be configured as a non-default user manager.

SQLUM: Requires access to the SQL user manager database, K2SQLUM by default, to provide authentication and roles. The SQL user manager can be configured as a non-default user manager or as the default user manager either during or post installation.

LDAP: Requires access to an LDAP-compatible system supporting LDAP protocol version 3 or higher to provide authentication and roles. An LDAP user manager can be configured as a non-default user manager.

Custom: Requires access to the custom identity store to provide authentication and optionally role resolution. A custom user manager can be configured as a non-default user manager or as the default user manager post-installation, and must be developed and registered manually with the K2 server.

User Managers

Capability                                          | AD  | AAD   | ADFS   | SQLUM | LDAP   | Custom
----------------------------------------------------+-----+-------+--------+-------+--------+---------
Security Label – Default Value                      | K2  | K2AAD | K2ADFS | K2SQL | K2LDAP | {Custom}
Can be configured as default during installation?   | Yes | No    | No     | Yes   | No     | No
Can be configured as default post installation?     | No  | Yes*  | No     | Yes*  | No     | Yes*
Can be configured as non-default post installation? | No  | No    | Yes    | Yes   | Yes    | Yes
Can be configured with multiple security labels?    | No  | No    | No     | Yes   | Yes+   | Yes+

* For more information, please refer to Changing the Default User Manager in the Configure section.
+ The LDAP User Manager implements two IHostableSecurityProvider .NET types, SourceCode.Security.Providers.LdapProvider.Forms.Ldap and SourceCode.Security.Providers.LdapProvider.Trusted.Ldap, each of which can be configured for only a single security label. Likewise, each custom user manager .NET type that implements IHostableSecurityProvider can be configured for only a single security label.

All Users Selections in an Identity Store

K2 does not support a concept of All Users for assigning tasks, interacting with tasks, or assigning permissions. Built-in or configured groups for the appropriate K2 user manager, for example Domain Users for Active Directory, should be used instead.