K2 Blackpearl and SharePoint Claims based Authentication


Badge +2

Good morning guys,


I'm integrating K2 with a SharePoint solution that works with Claims Based Authentication.


We're using only Integrated Windows Authentication, and then custom Claims Providers for Role definitions against a complex Security Schema.


However, I can't get K2 to recognize my Claims Roles from SharePoint. The user allocation works fine, but I can't allocate any security roles/activity to a SharePoint claim. I even tried to wrap each Claim with a default SharePoint Group, but K2 still can't figure out which users belong to that Claim. Everything works fine in SharePoint.


I've wondered if I had to implement my own Security Provider for K2; however, it's still a SharePoint provider and this should be available through the OOTB SharePoint Provider. Or even just a GroupProvider in order to read the Claims from SharePoint and resolve the list of users for each one.


If anyone has some insight that would help to use OOTB components, that would be awesome.


Thanks in advance for any help.


PS - We don't use Forms Authentication at all. Almost all of the examples I found using Claims, assume that the FBA is just there.
PS1 - K2 blackpearl version 4.6.5


5 replies

Badge +10

Have you modified the k2hostserver.config file with the claimtypemappings? Once you do that, you can run your server in console mode and it'll show it authenticating with claims, for example when a user refreshes their K2 Worklist webpart on the SharePoint site.


Here are the instructions about how to add the entries to the K2HostServer.config file:


http://help.k2.com/en/K2blackpearlGettingStarted4.6.5.aspx?page=claims_authentication_configuration.html

Badge +2

Hi timkn,


Thank you for your reply.


Yes, I did everything from the K2 guide for my scenario (Windows Claims authentication), and it works just fine if I use the users, and the Claims WebPart shows the user in the right place. However, the Claim Value that comes from my SharePoint Claim Provider doesn't have any K2 Claim Type Mapping. I tried adding it in the RoleClaim node of the ClaimTypeMappings section as follows:


<claimTypeMappings>
  <!--K2 Security/Role Provider for Windows Authentication-->
  <claimTypeMapping securityLabel="K2">
    <!-- Claim that represents the system issuing the identity and role claims to be mapped to the K2 security label-->
    <identityProviderClaim originalIssuer="SecurityTokenService" claimType="http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider" claimValue="windows" />
    <!-- Claim that represents the user for the K2 security label-->
    <identityClaim originalIssuer="Windows" claimType="http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname" />
    <!-- Claim that represents the groups for the K2 security label-->
    <roleClaim originalIssuer="ClaimProvider:SDMProvider" claimType="http://schema.sdm.local/roles" />
  </claimTypeMapping>
</claimTypeMappings>


No luck though. I changed the RoleClaim to what I've seen in the Claims WebPart, in the hope that it would pick up the Groups. The generated configuration from the provided script has the same effect (none at all).


I can't get the Claims themselves to be resolved from the K2 side as Groups or Roles; that's what I was expecting from the Claim Type Mappings.


I know that this is quite confusing, so I'll just try to give a simple example.


The SharePoint claims provider has a list of Claims/Groups predefined. For simplicity, let's say that we have Users and Approvers. In SharePoint, what happens is that this provider figures out at runtime which group the current user belongs to and applies the security set for that particular claim. For instance, the Users only have Read permission on the site collection. The People Picker works as expected, and so does the rest of SharePoint.


What I was expecting from K2 was that I could set the Destination group of a Client Activity to Users, for instance, and K2, through the SharePoint user manager, would get the appropriate users for that Claim and show them the task in the Worklist Task Webpart.


No luck. I can't even see the Claims listed in K2 Studio/Workspace.


I hope someone has some insight about this, or can at least give me the final answer: "Not possible without a custom security provider".


Thanks again to anyone who bothers to help ;)
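As an added illustration (not K2's code and not from this thread), the following parses the claimTypeMappings block posted above and applies it to a constructed token. It assumes the natural reading of the attribute names: a mapping only applies when a claim matching the identityProviderClaim's originalIssuer, claimType and claimValue is present, the identityClaim yields the user, and only role claims whose originalIssuer and claimType both match the roleClaim rule become roles; claims from any other issuer are ignored. Whether K2 itself evaluates the mappings exactly this way is an assumption.

```python
import xml.etree.ElementTree as ET

# The claimTypeMappings block from the post above, embedded for the example.
CONFIG_XML = """<claimTypeMappings>
  <claimTypeMapping securityLabel="K2">
    <identityProviderClaim originalIssuer="SecurityTokenService"
      claimType="http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider"
      claimValue="windows" />
    <identityClaim originalIssuer="Windows"
      claimType="http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname" />
    <roleClaim originalIssuer="ClaimProvider:SDMProvider" claimType="http://schema.sdm.local/roles" />
  </claimTypeMapping>
</claimTypeMappings>"""

# Constructed sample token: (originalIssuer, claimType, value) triples. The user
# name and the "ClaimProvider:Other" issuer are made up for this example.
SAMPLE_CLAIMS = [
    ("SecurityTokenService", "http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider", "windows"),
    ("Windows", "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname", "DEV\\rfelix"),
    ("ClaimProvider:SDMProvider", "http://schema.sdm.local/roles", "Users"),
    ("ClaimProvider:SDMProvider", "http://schema.sdm.local/roles", "Approvers"),
    ("ClaimProvider:Other", "http://schema.sdm.local/roles", "Admins"),  # wrong issuer: must be ignored
]


def _matches(rule, issuer, ctype):
    """A rule element matches a claim when both originalIssuer and claimType agree."""
    return rule.get("originalIssuer") == issuer and rule.get("claimType") == ctype


def resolve(config_xml, claims):
    """Return {securityLabel: {"user": ..., "roles": [...]}} for each mapping whose
    identityProviderClaim rule (issuer, type AND value) is satisfied by the token."""
    root = ET.fromstring(config_xml)
    result = {}
    for mapping in root.findall("claimTypeMapping"):
        label = mapping.get("securityLabel")
        idp = mapping.find("identityProviderClaim")
        if not any(_matches(idp, i, t) and v == idp.get("claimValue") for i, t, v in claims):
            continue  # token was not issued by the provider this label trusts
        ident = mapping.find("identityClaim")
        users = [v for i, t, v in claims if _matches(ident, i, t)]
        role_rule = mapping.find("roleClaim")
        roles = [v for i, t, v in claims if role_rule is not None and _matches(role_rule, i, t)]
        result[label] = {"user": users[0] if users else None, "roles": roles}
    return result
```

Dropping the identityprovider claim from the token makes the whole mapping inapplicable, which is the first thing to check when a label silently resolves nothing.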

Badge +2

Just a small update on what I'm doing here.


I gave up on the idea of using the OOTB Groups provider. I started building my own Groups Provider in order to resolve Claims and ClaimMembers into K2. I'm using a SharePoint service that returns the information needed back to my Groups Provider, and it looks good.


My problem right now is actually configuring K2 to use my Groups Provider and K2 Auth Security Provider (which is using claims correctly). I added the following line into the K2 Database, HostServer.GroupProvider table:


8915a718-19b7-477b-a197-c6494a71cf2c fa4e4278-bfb1-4391-aa3e-18702b3c8fbd 6eb380c5-1835-4fc3-9de7-ae2afc4af9f0 SDM <init><server name="http://k2.dev.local/" label="SP" /></init>


where the GUIDs match SecurityLabelID and my newly created Provider (added into the SecurityProvider table as well), respectively.


My Provider never runs, and I'm not sure what I'm doing wrong, since there's little or no information about Custom Group Providers. Any help would be, as always, very welcome.



Badge +6

I never heard of custom group providers, only custom security providers. I don't think your setup will work. Refer to these links on how to register your claims provider as the new security provider within K2.


http://help.k2.com/helppages/k2blackpearlDevRef4.6.5/webframe.html?creating_a_custom_user_manager.html


http://help.k2.com/en/kb000186.aspx


http://help.k2.com/en/displaycontent.aspx?id=1668

Badge +2

Just in case anyone is following this thread, or anyone will find this in the future.


With the help of a K2 Consultant (thanks _cyclops_), we solved this issue by developing a custom Role Provider and a Group Provider. Both of them query the Claim Service to get the claims as groups and to resolve each claim into its members.


We registered a new label with the Role Provider associated with it (much like the OOTB SharePoint Role Provider), and added the Group Provider into the HostServer.GroupProvider table.


From what we could find, the Role Provider gets the claims and is called whenever a security permission is set within the K2 environment, and the Group Provider resolves the user's claims (when a worklist is opened, for instance).


My main error before was to assume only one of them would be enough to do the job, and I was not sure that K2 could read the Claims from the SharePoint provider (it doesn't; even K2 Support didn't answer me on this).


Some of these assumptions may not be completely right, but the behavior is exactly what was expected.


Thanks to anyone that tried to help.


Best regards,
Roberto Felix
