Introduction to User Managers

Microsoft Azure Active Directory is now Microsoft Entra ID

The product works with various identity providers (IdPs, also known as identity stores) through User Managers (UMs) unique to each IdP. Some UMs, such as Active Directory (AD) and SQL, are available for configuration during installation. Others, such as LDAP, Azure Active Directory (AAD), and custom user managers, must be configured after installation.

Definitions

The following key terms are used throughout this section:

User Manager: All configuration necessary to associate the product with an identity store, such as the security label, security provider, authentication provider, and role provider.
Security Label: The token string prefixed to the user's identity. For example, the Active Directory User Manager is represented by the Nintex label, and AD users appear in the product as Nintex:[Domain\Username], which is a Fully Qualified Name (FQN). The label's context does not extend beyond the product's platform. Each security label must be unique and identifies a specific instance of the identity provider.
Security Provider: A collection of interfaces for interacting with an identity store and authenticating users in that store.
Authentication Provider: The mechanism to confirm the identity of a user when they log in or interact with services and data sources. Authentication can be integrated or require the use of a prompt or a web-based form.
Role Provider: The mechanism that resolves users and groups in the product from the identity store.
Fully Qualified Name (FQN): The user or role value in the form [Security Label]:[User/Role Name]. This is the format the product uses for authorization, such as assigning tasks, interacting with tasks, and assigning permissions. The FQN must be unique across the platform.
When an authentication request arrives without a security label, the system prefixes the security label of the default user manager.

Available User Managers

Active Directory (Default): Requires access to an Active Directory domain with a functional level of Windows 2003 or higher to provide authentication and roles. Active Directory (AD) must be present and available at the time of installation to configure the AD user manager.

Azure Active Directory: Requires access to an AAD environment to provide authentication and roles. You can configure the AAD user manager as a non-default user manager. This takes place automatically when registering the Nintex K2 for SharePoint app with SharePoint Online.

Active Directory Federation Services: Requires access to an ADFS environment to provide authentication and roles. You can configure the ADFS user manager as a non-default user manager.

SQLUM: Requires access to the SQL user manager database, K2SQLUM by default, to provide authentication and roles. You can configure the SQL user manager as the default user manager during installation, or as a non-default user manager after installation.

LDAP: Requires access to an LDAP-compatible system with protocol version 3 or higher to provide authentication and roles. You can configure an LDAP user manager as a non-default user manager.

Custom: Requires access to the custom identity store to provide authentication and optionally role resolution. You can configure a custom user manager as a non-default user manager post-installation. You must develop and register a custom user manager manually with the server.

| User Managers | AD | AAD | ADFS | SQLUM | LDAP | Custom |
| --- | --- | --- | --- | --- | --- | --- |
| Security Label – Default Value | K2 | K2AAD | K2ADFS | K2SQL | K2LDAP | {Custom} |
| Can be configured as default during installation? | Yes | No | No | Yes | No | No |
| Can be configured as non-default post installation? | No | Yes | Yes | Yes | Yes | Yes |
| Can be configured with multiple security labels? | No | No | No | Yes | Yes+ | Yes+ |

+ The LDAP User Manager implements two IHostableSecurityProvider .NET types, SourceCode.Security.Providers.LdapProvider.Forms.Ldap and SourceCode.Security.Providers.LdapProvider.Trusted.Ldap, each of which can only be configured for a single security label. Likewise, each custom user manager .NET type that implements IHostableSecurityProvider can only be configured for a single security label.
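
The FQN format and the default-label rule from the Definitions can be applied when reviewing an exported list of permission assignments. The following is an added example, not product code. It assumes the default labels from the table are the registered set, that K2 is the default user manager, and that an identity is split at its first colon; the function names and sample data are hypothetical.

```python
# Added example: normalize identities to FQNs and flag ones that need review.
# Assumptions (not product behaviour): the table's default labels are the
# registered set, K2 is the default user manager, split at the first colon.

REGISTERED_LABELS = {"K2", "K2AAD", "K2ADFS", "K2SQL", "K2LDAP"}
DEFAULT_LABEL = "K2"


def to_fqn(identity, default_label=DEFAULT_LABEL, labels=REGISTERED_LABELS):
    """Return (fqn, issue); issue is None when the identity needs no review."""
    identity = identity.strip()
    label, sep, name = identity.partition(":")
    if not sep:
        # No label supplied: the default user manager's label is prefixed.
        return f"{default_label}:{identity}", "defaulted"
    if not name:
        return None, "empty name"
    if label not in labels:
        # Unknown prefix: do not guess which identity store was meant.
        return None, "unknown label"
    return f"{label}:{name}", None


def audit(assignments):
    """Group (identity, permission) pairs by FQN and collect findings."""
    by_fqn, findings = {}, []
    for identity, permission in assignments:
        fqn, issue = to_fqn(identity)
        if issue:
            findings.append((identity, issue))
        if fqn:
            by_fqn.setdefault(fqn, set()).add(permission)
    return by_fqn, findings


# Constructed sample data, not taken from a real environment.
SAMPLE = [
    ("K2:EXAMPLE\\bob", "Start"),
    ("EXAMPLE\\bob", "Admin"),   # no label: resolves to the default (K2)
    ("K2SQL:bob", "View"),       # different store, so a different principal
    ("K2LDPA:bob", "Admin"),     # mistyped label: flagged, never granted
]

if __name__ == "__main__":
    grants, findings = audit(SAMPLE)
    for fqn, perms in sorted(grants.items()):
        print(fqn, sorted(perms))
    for identity, issue in findings:
        print("REVIEW", identity, issue)
```

The unlabeled entry merges into K2:EXAMPLE\bob, so that principal holds both Start and Admin, while K2SQL:bob remains a separate principal with its own permissions.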