Configuring KeyCloak SCIM integration for Nintex Automation K2

1. Create a new realm (optional) in KeyCloak. If you don’t want to use the default master realm, you can create a new realm for your app:
   1. In the admin console of KeyCloak, click on the Master drop down in the top left and select Add Realm.
   2. Give it a name and click Create.
      
2. On the current realm go to the Clients section and click the Create client button
   
3. Create a new KeyCloak client
   
4. Configure the redirect URLs
   
5. Ensure public access is not enabled and set the Authentication flow to Implicit flow
   
6. In the General settings for your client, you can not set your Client ID
   
7. In the Credentials section, you will find your Client Secret. This value must be saved for later.
   

You can now use these details to setup KeyCloak in Nintex Automation K2 with the OIDC preview tool.

• Clientid – ID for you client app
• Authority – Domain for you IDP
• Client Secret - GUID generated by your client

Follow the steps below to configure OIDC for your environment

1. Extract OIDC preview from {K2 install location}\Setup\Features\ K2OIDC Preview.zip

2. Run ConfigureOIDC.exe as administrator
   

3. Provide the K2 database connection string and press Enter. The default option will connect to localhost SQL instance database, named K2.

   Copy

   K2 Database connection string example

   Data Source=Localhost;Initial Catalog=K2;Integrated Security=True;Pooling=True;Encrypt=True;TrustServerCertificate=True

4. Provide the K2 host server connection string and press Enter. We recommend using the integrated authentication to localhost, as this will work correctly if the current user has rights to execute SmartObjects.

   Copy

   Host server connection string example

   Integrated=True;IsPrimaryLogin=True;Authenticate=True;EncryptedPassword=False;Host=Localhost;Port=5555 

5. Run step 1 to install the OpenID assemblies. Once completed, you will be returned to the main menu.
   

6. Run step 2 and provide the following values:
   

   1. Client ID – the client Id from the OIDC application created.

   2. Authority – the issuer base url eg https://trial-5190475.okta.com (to check locate the OIDC metadata endpoint eg https://providerurl/.well-known/openid-configuration).

   3. ClientSecret – the client secret configured for the OIDC application.

   4. Claim issuer/security label name: K2OIDC.
      

7. Run step 3 to reconfigure your web configurations.
   

8. Run step 4 to enable SCIM. This option will enable Sync Engine and the K2 SCIM endpoint.

Prerequisites

Download the latest version of the SCIM provider here: keycloak-scim

Copy it to: keycloak\providers\

Restart KeyCloak

In the K2 database run:

DECLARE @TypeID int = (SELECT Top 1 ID FROM [SyncEngine].[ProviderType] WHERE [Type] = 'SCIM')
                        DECLARE @ProviderID int = (SELECT Top 1 ID FROM [SyncEngine].[Provider] WHERE [ProviderTypeID] = @TypeID)
                    SELECT * FROM [SyncEngine].[ProviderInstance] WHERE [ProviderID] = @ProviderID

1. In KeyCloak go to Console > Events > Event Configs (or in Real settings > Events), and add scim in Event listeners.
   

2. Go to User Federation and click on Add Scim providers.
   

3. Add the following information for the SCIM provider.
   

   1. UI display name: K2Scim
   2. SCIM 2.0 endpoint: https://nintex.k2test.net/api/scim/v2/{ProvInstID}/
   3. AuthMode: BASIC_AUTH
   4. Auth username: K2SQL:scim_user / Service Account
   5. Auth password: K2pass!
   6. Import action: (This field must be blank)
   7. Log SCIM requests and responses: ON
4. To Create a user in KeyCloack, select the Users and select Create user. From here enter the user's details and assigned groups.