Hello guys,

I've been working with claims authentication and ADFS 2.0 lately, and I would like some confirmation on my environment configuration.


Version 4.6.2, soon to be upgraded to 4.6.7, but it shouldn't affect the fundamental problems I'm facing.

ADFS Custom provider to retrieve claims for users, built using a custom model.

SharePoint connected to ADFS as the only source of Authentication/Authorization provider. Windows authentication is disabled.

I've configured my K2 Blackpearl accordingly to http://help.k2.com/helppages/k2blackpearlGettingStarted4.6.4/Claims_Authentication_Configuration.html

Now, as far as I understand, K2 uses a Security provider to retrieve the Groups/Users in its own environment. Authentication is done using the Claims token retrieved from SharePoint Token Service, but the authorization is done by the relevant Security Provider (AD/LDAP/SQL/Custom) contacting the source directly. This means that a custom security provider must be developed to do the authorization with whatever custom provider is plugged in ADFS.

Could someone confirm this?

My initial expectation was that K2 could be plugged into ADFS's relying parties and receive all the Authentication and Authorization through ADFS, ignoring completely the source, even if using SharePoint Token Service to retrieve them (which doesn't really make sense either, because K2 is dependent on SharePoint for authorization and this couples both platforms).

According to the claims flow in http://help.k2.com/helppages/k2blackpearlGettingStarted4.6.4/Claims_User_Identity_Flow.html, the identity is retrieved from STS, but the groups/claims need a custom security provider to contact the source (AD/LDAP/etc).

Thanks to anyone who has already gone through this pain :)

Kind regards,

Roberto

Hi Roberto,

Please see below a link to the updated "Getting Started" for K2 BlackPearl 4.6.7 which discusses claims based authentication and ADFS.

http://help.k2.com/helppages/k2blackpearlgettingstarted4.6.7/webframe.html#claims_authentication_configuration.html

Regards,

Yannick

Roberto,


Your conclusions are pretty close to the truth.


For SharePoint claims, we only use the "user" portion of the claim. In essence, we accept the incoming claim from SharePoint, and do not re-authenticate the user. But we don't use the claim to indicate group/role membership.


This is where the custom security provider comes into play. In order to see what groups a user belongs to, it is still necessary for K2 to connect back to ADFS to resolve these things directly.

As an aside, I will mention that K2 does actually require Windows authentication on claims-enabled SharePoint sites. That is the only way that the K2 service can connect back in to SharePoint to update list items, etc.

Hope this helps,


Gail

