Supported Technologies and Terminology
OAuth
K2 supports OAuth 2.0 for the authorization flow between SharePoint, K2, Azure AD and other OAuth 2.0-compatible systems. OAuth resource types can be registered with K2, and resources are then set up as instances of those types. The following resource types are registered automatically when K2 blackpearl is installed:
- Azure Active Directory
- SharePoint
- SharePoint High-Trust Certificate, Server to Server
An on-premises SharePoint site registers a SharePoint high-trust resource, which is used to interact with the SharePoint site via a self-signed certificate, while a SharePoint Online site registers an Azure Active Directory resource instance and a SharePoint resource instance.
SAML
K2 supports SAML (Security Assertion Markup Language) versions 1.1 and 2.0. SAML tokens are XML representations of claims, which are what many Microsoft products use for authentication and authorization. The K2 platform includes STSs (Security Token Services) that crack and package claims into SAML tokens so that K2 can communicate with other claims-aware applications and line-of-business systems.
Terminology
| Term | Definition |
|---|---|
| Claim | A statement that one subject makes about itself or another subject. For example, the statement can be about a name, identity, key, group, privilege, or capability. Claims have a provider that issues them, and they are given one or more values. This data about users is sent inside security tokens (for example, SAML tokens). |
| Claim rule | A rule, written in the claim rule language of the provider, that defines how to generate, transform, pass through, or filter claims. |
| Security Assertion Markup Language (SAML) | A protocol that specifies how to use HTTP Web browser redirects to exchange assertion data. SAML tokens are XML representations of claims. |
| Identity Provider (IdP) | A Web service that handles requests for trusted identity claims and issues SAML tokens. An identity provider uses a database called an identity store to store and manage identities and their associated attributes. |
| Relying Party (RP) | An application that consumes claims to make authentication and authorization decisions. For example, the K2 server receives claims that determine whether the user can access K2 data. |
| Claims-aware application | A relying party software application that uses claims to manage identity and access for users. |
| Security Token Service (STS) | A Web service that issues security tokens. SharePoint implements an STS to authorize activities within the application from multiple authentication providers. |
| Secure Sockets Layer (SSL) | A protocol that improves the security of data communication by using a combination of data encryption, digital certificates, and public key cryptography. SSL enables authentication and increases data integrity and privacy over networks. SSL does not provide authorization or non-repudiation. |
| Active Directory Federation Services (AD FS) | A component of Windows Server that supports identity federation and web single sign-on (SSO) for Web browser-based applications. |
| Federation server | A computer running Windows Server that has been configured using the AD FS Federation Server Configuration Wizard to act in the federation server role. A federation server issues tokens and serves as part of a Federation Service. |
| Federation Service | A logical instance of a security token service such as AD FS. |
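The SAML section above says that SAML tokens are XML representations of claims, and the terminology table defines a Relying Party as the application that consumes those claims to make authentication and authorization decisions. The following is an added example, not K2 code, that shows what that relying-party step looks like in practice: it parses a constructed SAML 2.0 assertion, extracts the issuer, subject and attribute claims, checks the assertion's validity window and audience restriction, and then makes a role-based authorization decision. The issuer, audience and role values are constructed sample values; the claim type URIs are the standard WS-Federation/AD FS ones. XML signature verification is deliberately left out (it needs an XML-DSig library) and must be performed before any of these values are trusted.

```python
"""Extract claims from a SAML 2.0 assertion and apply relying-party checks.

Added example, not K2 code. Models the relying party described in the
terminology table: read the claims carried by a SAML token, check the
assertion's Conditions, and make an authorization decision.
Assumption: the assertion's XML signature has already been verified.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Standard claim type identifiers used by AD FS / WS-Federation.
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# Constructed sample assertion; hostnames and values are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.test</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://k2.example.test/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>Approvers</saml:AttributeValue>
      <saml:AttributeValue>Finance</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>Jane Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_time(value):
    """Parse the UTC 'YYYY-MM-DDTHH:MM:SSZ' form used in SAML timestamps."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(assertion_xml):
    """Return the issuer, subject, conditions and claims carried by the token."""
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", NS)
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        # Each Attribute is one claim type; it may carry several values.
        claims[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "name_id": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "not_before": _parse_time(conditions.get("NotBefore") if conditions is not None else None),
        "not_on_or_after": _parse_time(conditions.get("NotOnOrAfter") if conditions is not None else None),
        "audiences": [a.text for a in root.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        "claims": claims,
    }


def check_conditions(token, expected_audience, now):
    """Return a list of reasons the assertion must be rejected (empty if acceptable)."""
    problems = []
    if token["not_before"] is not None and now < token["not_before"]:
        problems.append("not yet valid")
    if token["not_on_or_after"] is not None and now >= token["not_on_or_after"]:
        problems.append("expired")
    # A token issued for another relying party must not be accepted here.
    if expected_audience not in token["audiences"]:
        problems.append("audience mismatch")
    return problems


def authorize(token, expected_audience, required_role, now):
    """Relying-party decision: conditions must hold and the role claim must be present."""
    if check_conditions(token, expected_audience, now):
        return False
    return required_role in token["claims"].get(ROLE_CLAIM, [])


if __name__ == "__main__":
    tok = parse_assertion(SAMPLE_ASSERTION)
    at = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    print(tok["name_id"], tok["claims"].get(ROLE_CLAIM))
    print("approver:", authorize(tok, "https://k2.example.test/", "Approvers", at))
```

The audience and time-window checks are the part most often skipped in home-grown relying parties; without them, a valid token minted for a different application, or a stale one, is accepted as if it were issued for this service.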