Manually Configure K2 for Azure Active Directory (AAD)

Microsoft Azure Active Directory is now Microsoft Entra ID

The product integrates with Microsoft Azure Active Directory (AAD) which allows AAD users to log in to K2 web sites and allows you to assign AAD users workflow tasks and get user details using the AAD SmartObjects.

For more information about AAD integration see Azure Active Directory in the K2 User Guide.

This article shows you how to manually set up AAD as an authentication option for the product. For information on inbound OAuth, see the KB article Configure AAD and Services for Inbound OAuth.

  • If you have integrated the product with SharePoint using the Nintex K2 for SharePoint app, in particular with a SharePoint Online tenancy or one that uses Azure Active Directory, you DO NOT need to do the configuration described here as it is done automatically during app installation and registration. This topic is specifically for environments that do not need SharePoint integration but need to integrate with AAD.
  • Make sure you use the administration account when doing this configuration and that you perform these steps on the server.

If you use the Sync Service to manage identity synchronization and caching in the product, and manually configure K2 for AAD, you must run the initial sync and then configure a schedule for future syncs. If you do not do this, the identities in the AAD store will not be available in the product. For further information see the Sync Service topic in the User Guide.

Prerequisites

You need the following items in your environment to configure K2 for AAD:

  • SSL-enabled K2 sites
  • An Azure Active Directory subscription

High Level Configuration Steps

If you're familiar with configuring claims integration, these high-level steps summarize what you need to do. For a detailed guide, see the Detailed Steps section below.

General Configuration

  1. SSL-enable the web site that hosts the K2 virtual directories.

AAD Configuration

  1. Create an App in AAD for your K2 site and gather information for configuring K2.
    1. Export the K2 OAuth High Trust certificate of your K2 server and upload it to the app in your AAD tenant.

Product Configuration

  1. Register an OAuth resource in K2 for AAD.
  2. Add the AAD Security Label.
  3. Optionally configure the AAD Service Instance and generate SmartObjects.
  4. Configure Claims.
  5. Test your AAD login.

During the configuration you need the following information from your AAD app and subscription. Write these values down as you go.

Item | Example Values | Your Values
--- | --- | ---
Application ID / Client ID | 304e7ece-9380-43ac-a35c-a4645d5bba5e |
Key / Client Secret | sO7Uu2gC84Gdx/Vb7jcaGqek7KrPAfGfcsjlMS5m6AE= |
Tenant ID / Directory ID | 0bb385a0-6343-4ba1-8aa3-a4371a9c458c |
Federation Metadata Document URL | https://login.microsoftonline.com/0bb385a0-6343-4ba1-8aa3-a4371a9c458c/federationmetadata/2007-06/federationmetadata.xml |
OAuth 2.0 Token Endpoint | https://login.microsoftonline.com/0bb385a0-6343-4ba1-8aa3-a4371a9c458c/oauth2/token |
OAuth 2.0 Authorization Endpoint | https://login.microsoftonline.com/0bb385a0-6343-4ba1-8aa3-a4371a9c458c/oauth2/authorize |
Certificate Thumbprint | 1528a6b4d1f2w680b4b095c69afdadf9cd65c7837 |
Identity Claim Type | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Identity Provider Claim Type | http://schemas.microsoft.com/identity/claims/tenantid/ |
Login URL | https://login.microsoftonline.com/0bb385a0-6343-4ba1-8aa3-a4371a9c458c/wsfed |
Issuer | Azure Active Directory |
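Several of the values in this table (Login URL, Certificate Thumbprint, the claim types and the tenant-scoped endpoints) can be cross-checked against the tenant's own federation metadata document before you type them into K2, which catches a copied-from-the-wrong-tenant URL or a stale thumbprint early. The script below is an added example, not code from the original article or from Nintex: it parses a constructed, trimmed-down metadata document in the shape Azure AD publishes at the Federation Metadata Document URL, derives the tenant ID, WS-Federation login URL, signing-certificate thumbprints and offered claim types from it, and reports where a recorded worksheet disagrees. The function names, the sample XML and the placeholder certificate bytes are assumptions made for the example; in practice you would fetch the real document from the URL in the table and feed its text to `check_recorded_values`.

```python
"""Cross-check K2/AAD claims worksheet values against federation metadata.

SAMPLE_METADATA is a constructed, trimmed sample in the layout Azure AD serves
at /federationmetadata/2007-06/federationmetadata.xml. The certificate body is
placeholder bytes, not a real certificate, so its thumbprint is illustrative.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "auth": "http://docs.oasis-open.org/wsfed/authorization/200706",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsa": "http://www.w3.org/2005/08/addressing",
}

TENANT_ID = "0bb385a0-6343-4ba1-8aa3-a4371a9c458c"  # example tenant from the table
# Constructed placeholder standing in for the DER-encoded signing certificate.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder certificate bytes").decode()

SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="https://sts.windows.net/{TENANT_ID}/">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <fed:ClaimTypesOffered xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="true"/>
      <auth:ClaimType Uri="http://schemas.microsoft.com/identity/claims/tenantid" Optional="true"/>
    </fed:ClaimTypesOffered>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://login.microsoftonline.com/{TENANT_ID}/wsfed</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>"""


def parse_metadata(xml_text: str) -> dict:
    """Pull the values K2 needs out of a WS-Federation metadata document."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "")
    sts = root.find("md:RoleDescriptor", NS)
    thumbprints = []
    for cert in sts.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS
    ):
        der = base64.b64decode(cert.text.strip())
        # A Windows certificate thumbprint is the SHA-1 digest of the DER bytes.
        thumbprints.append(hashlib.sha1(der).hexdigest().upper())
    claim_types = [c.get("Uri") for c in sts.findall("fed:ClaimTypesOffered/auth:ClaimType", NS)]
    login_url = sts.findtext(
        "fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", namespaces=NS
    )
    return {
        "issuer": entity_id,
        # entityID has the form https://sts.windows.net/<tenant id>/
        "tenant_id": entity_id.rstrip("/").rsplit("/", 1)[-1],
        "signing_thumbprints": thumbprints,
        "claim_types": claim_types,
        "login_url": login_url,
    }


def normalise_thumbprint(value: str) -> str:
    """Strip the spaces and colons that portal copy/paste often leaves behind."""
    return "".join(ch for ch in value if ch.isalnum()).upper()


def check_recorded_values(xml_text: str, recorded: dict) -> list:
    """Return a list of problems; an empty list means the worksheet agrees with the metadata."""
    meta = parse_metadata(xml_text)
    problems = []
    tenant = recorded["Tenant ID"]
    if meta["tenant_id"] != tenant:
        problems.append(f"tenant mismatch: metadata issuer {meta['issuer']} vs recorded {tenant}")
    for item in ("Federation Metadata Document URL", "OAuth 2.0 Token Endpoint",
                 "OAuth 2.0 Authorization Endpoint", "Login URL"):
        if tenant not in recorded[item]:
            problems.append(f"{item} does not contain the recorded Tenant ID")
    if recorded["Login URL"] != meta["login_url"]:
        problems.append(f"Login URL should be the passive requestor endpoint {meta['login_url']}")
    if normalise_thumbprint(recorded["Certificate Thumbprint"]) not in meta["signing_thumbprints"]:
        problems.append("Certificate Thumbprint is not one of the published signing certificates")
    for item in ("Identity Claim Type", "Identity Provider Claim Type"):
        if recorded[item] not in meta["claim_types"]:
            problems.append(f"{item} {recorded[item]} is not offered by the tenant")
    return problems


def example_worksheet() -> dict:
    """Constructed worksheet following the example column of the table above."""
    base = f"https://login.microsoftonline.com/{TENANT_ID}"
    return {
        "Tenant ID": TENANT_ID,
        "Federation Metadata Document URL": f"{base}/federationmetadata/2007-06/federationmetadata.xml",
        "OAuth 2.0 Token Endpoint": f"{base}/oauth2/token",
        "OAuth 2.0 Authorization Endpoint": f"{base}/oauth2/authorize",
        "Login URL": f"{base}/wsfed",
        "Certificate Thumbprint": parse_metadata(SAMPLE_METADATA)["signing_thumbprints"][0],
        "Identity Claim Type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
        "Identity Provider Claim Type": "http://schemas.microsoft.com/identity/claims/tenantid",
    }


if __name__ == "__main__":
    good = example_worksheet()
    print("clean worksheet:", check_recorded_values(SAMPLE_METADATA, good) or "no problems")
    # Simulate a login URL copied from the common endpoint and a stale thumbprint.
    bad = dict(good, **{"Login URL": "https://login.microsoftonline.com/common/wsfed",
                        "Certificate Thumbprint": "00" * 20})
    for problem in check_recorded_values(SAMPLE_METADATA, bad):
        print("problem:", problem)
```

The comparisons are exact on purpose: a trailing-slash or case difference in a claim type URI is reported rather than silently tolerated, so that you decide deliberately whether it matters for your K2 claims mapping. Keep in mind that Azure AD rolls its token-signing certificates over time, so a thumbprint that checks out today can stop matching later; rerunning this check against the live metadata document is a cheap way to spot that before logins start failing.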

Detailed Steps