Introduction to User Managers
K2 works with various identity providers (IdPs, also known as identity stores) through User Managers (UMs) unique to each IdP. Some UMs are available for configuration during installation, such as Active Directory (AD) and SQL, while you must configure others after installation, such as LDAP, AAD, and custom user managers.
Definitions
The following key terms are used throughout this section:
User Manager | All configuration necessary to associate K2 with an identity store, such as the security label, security provider, authentication provider, and role provider. |
Security Label | The token string prefixed to the user’s identity. For example, the Active Directory User Manager is represented by the K2 label, and AD users appear in K2 as K2:[Domain\Username] which is a Fully Qualified Name (FQN). The label's context does not extend beyond the K2 platform. The security label must be unique and identifies specific instances of the identity provider. |
Security Provider | A collection of interfaces for interacting with an identity store and authenticating users in that store. |
Authentication Provider | The mechanism to confirm the identity of a user when they log in or interact with services and data sources. Authentication can be integrated or require the use of a prompt or a web-based form. |
Role Provider | The mechanism that resolves users and groups in K2 from the identity store. |
Fully Qualified Name (FQN) | The FQN is the user or role value in [Security Label]:[User/Role Name] and is the format used by K2 for authorization, such as assigning tasks, interacting with tasks, and assigning permissions. The FQN must be unique across the K2 platform. |
Available User Managers
Active Directory (Default): Requires access to an Active Directory domain with a functional level of Windows 2003 or higher to provide authentication and roles. Active Directory (AD) must be present and available at the time of installation to configure the AD user manager.
Azure Active Directory: Requires access to an AAD environment to provide authentication and roles. You can configure the AAD user manager as a non-default user manager. This takes place automatically when registering the K2 for SharePoint app with SharePoint Online.
Active Directory Federated Services: Requires access to an ADFS environment to provide authentication and roles. You can configure ADFS user manager as a non-default user manager.
SQLUM: Requires access to the SQL user manager database, K2SQLUM by default, to provide authentication and roles. You can configure the SQL user manager as the default user manager during installation, or as a non-default user manager after installation.
LDAP: Requires access to a LDAP-compatible system with protocol version 3 or higher to provide authentication and roles. You can configure an LDAP user manager as a non-default user manager.
Custom: Requires access to the custom identity store to provide authentication and optionally role resolution. You can configure a custom user manager as a non-default user manager post-installation. You must develop and register a custom user manager manually with the K2 server.
User Managers |
||||||
---|---|---|---|---|---|---|
AD |
AAD | ADFS |
SQLUM |
LDAP |
Custom |
|
Security Label – Default Value |
K2 |
K2AAD | K2ADFS |
K2SQL |
K2LDAP |
{Custom} |
Can be configured as default during installation? |
Yes |
No | No |
Yes |
No |
No |
Can be configured as non-default post installation? |
No |
Yes | Yes |
Yes |
Yes |
Yes |
Can be configured with multiple security labels? |
No |
No | No |
Yes |
Yes+ |
Yes+ |
+ The LDAP User Manager implements two IHostableSecurityProviders .NET types - SourceCode.Security.Providers.LdapProvider.Forms.Ldap and SourceCode.Security.Providers.LdapProvider.Trusted.Ldap - each can only be configured for a single security label. Each custom user manager .NET type that implements IHostableSecurityProvider can only be configured for a single security label. |