Question:
Are there known issues or licensing concerns with upgrading K2 for SharePoint from SharePoint 2013 (Active Directory-AD) to SharePoint 2016 (Active Directory Federation Services-ADFS)?
Are the users treated the same or are they distinct and not linkable (as the same user)?
Answer:
The answer is explained in 2 parts.
Part 1:
An AD user and an ADFS user, even though they might be considered "the same thing", will appear as 2 different users or entities from a K2 perspective, because they use 2 different labels.
1. An AD user will use the K2 security label.
2. And an ADFS user is going to use the ADFS label
An AD user might look something like this in the "identity.identity table":
K2:DenallixBob, and
might be something like ADFS:Bob for the ADFS equivalent.
Because we are querying 2 different "user stores", and we authenticate using 2 different security labels, we will store 2 different entries in the "[Identity].[Identity]" table.
Those 2 "entities" should have 2 different entries in the "identity.identity" table.
For example;
If you get a work item, and it is assigned to "K2:K2WorkflowBob", the ADFS entity is not going to be able to "see" that work item, because that user will be something like "ADFS:K2WorkflowBob".
Part 2:
Even though "Active Directory User Manager" (ADUM) and "Active Directory Federation Services" (ADFS) points to the same "Active Directory", the security label makes these 2 "entities" unique.
I have attached a Word document to this discussion post for your reference, that explains how to use ADFS with the K2 security label and the steps to remap the ADFS issuer to the K2 security label.
The ADFS identity claim should be in the format of "[domain][username]". Another thing to note is that in a multi-domain environment if the domain is not included in the identity claim, the user might not resolve properly in the AD user manager.
For example:
If certain artifacts (Like Views and Forms.) has been checked out to "K2ADFS:username", and we make this switch to point to the K2 label, that the "K2ADFS:username" user will not be able to access those artifacts anymore. The same goes for process rights, existing workflow instances etc.
However, as per the attached Word document we could 'theoretically speaking', point an ADFS label to the K2 label, and if the claims are set to return [Domain][Username], then this should be do-able.
