K2 smartforms Security and Authenticationcommunity.k2.com/pfxaw45692/attachments/pfxaw45692... ·...

1 Authentication

SmartForms AuthenticationDesign Time/Runtime Permissions

SmartForms uses the K2 blackpearl security mechanisms which are the following:

Windows Authentication - Uses standard Windows authentication to automatically log in on K2 Host Server as the current user.The K2 label will be used.Forms Authentication - A specific Security Provider label has to be provided. The user will be required to provide a username andpassword as well as the label to log on. Forms Authentication uses the forms login screen and creates an encrypted authenticationticket using ASP.NET Forms Authentication for a successful login. The ticket details of the user are subsequently used for allconnections to the K2 Host Server.

The type of authentication is automatically set by the K2 smartforms installer according to the User Manager that is used on the specificenvironment. If Active Directory is used on the environment, the authentication mode will default to Windows. If any other User Manageris used, the authentication mode will default to Forms. The authentication mode is applicable on a site level, so authentication is appliedon the K2 site in Internet Information Services (IIS) in the case of SmartForms if the default site was used in the installer.

Should the need arise to change the type of authentication, it can be done by changing the web.config file of the IIS site whereSmartForms resides. Follow the steps below to change the security mechanism:

1. Open Internet Information Services (IIS)2. Open the site where SmartForms has been installed3. Click on Explore in the Actions panel on the right4. Scroll down to the bottom until you find the web.config file

5. Right-click the file and select Open With > Notepad6. Search for the following "<authentication mode"7. Change the type to the required mode either Windows or Forms

K2 smartforms Security and Authentication | 1

COPYRIGHT © 2008-2013. SOURCECODE TECHNOLOGY HOLDINGS, INC. SEE THE K2 smartforms Copyright andTrademark Statement

help file version 1.0.5(4.12165.1605.0)

8. Save the file9. If Forms Authentication is selected, the following step is also required:In the web.config file search for “windowsAuthentication enabled”. Change the windowsAuthentication enabled from “true” to“false”




If this change is not done when using Forms Authentication, the following error will appear:

The login screen will be activated every time the user logs into the site.

Tick the Remember Me option in order to avoid the login screen being activated every time the user logs into the site

User Name The identity can be specified in one of the following formats:

“user name” Authenticates with and without the current domain against all security labels.




“K2 label:user name” Authenticates with and without the current domain against thespecified security label.

“domain\user name” Authenticates with the specified domain against all specified securitylabels.

“K2 label:domain\user name” Authenticates with the specified domain against thespecified security label.

Password Can include upper and lower case letters, numbers and symbols.

Design Time/Runtime Permissions

No extra permissions are required for SmartForms to work. SmartForms uses K2 blackpearl permissions and rights with regards toSmartObjects and Workflows.

However, rights can be set in IIS on the design time site level or on the runtime site level. The design time site and runtime site havedifferent web.config files and each site can be set up to use its own type of security mechanism. This enables administrators to allowcertain people to design SmartForms and other people to use SmartForms in runtime.

Follow the method mentioned above to set rights on the SmartForms sites. Alternatively, set the rights in the web.config files that can belocated in the following locations:

Designer: C:\Program Files (x86)\K2 blackpearl\K2 smartforms Designer\Web.config

Runtime: C:\Program Files (x86)\K2 blackpearl\K2 smartforms Runtime\Web.config




1.1 Anonymous Access

Anonymous AccessIf public users, who don't belong to a company's Active Directory or other User Manager groups, are required to openSmartForms, Anonymous Access rights can be assigned to these people.

Anonymous Access is granted on a specific Internet Information Services (IIS) web site, application or virtual directory.SmartForms supports Anonymous Access by using the Application Pool Account user to log into K2 HostServer on the site that iscreated for these users. Either all access to K2 on this site is Anonymous from an IIS perspective or Windows or FormsAuthentication is applied.

Should the need arise to grant certain users Anonymous Access rights and other users Windows or Forms Authenticationrights, two runtime sites can be installed where one is configured for Anonymous Access and the other for Authenticated Access.

To enable Anonymous Access, perform the following steps:

1. Set IIS Authentication to ONLY anonymous authentication 2. Set appSetting ConnectAsAppPool to "true". This setting can be found in the web.config file of the runtime virtual directoryin the IIS site of SmartForms. The location is by default:C:\Program Files (x86)\K2 blackpearl\K2 smartforms Runtime

3. Comment out the <deny users="?" /> under the main <authorization> node (not those under the <location> nodes)4. Uncomment the <allow users="*" /> tag

To set Authentication access:

1. Set IIS Authentication to allow anonymous access AND either Windows or Forms authentication2. Set appSetting ConnectAsAppPool to "false"3. Uncomment the <deny users="?" /> under the main <authorization> node (not those under the <location> nodes)4. Comment out the <allow users="*" /> tag

Important Consideration

When the K2 for SharePoint feature activation is executed the virtual directories for WebDesigner and EventWeb is created under_layouts/WebDesigner/EventWeb. If Anonymous Authentication is allowed on the site level, the WebDesigner and EventWebdirectories will inherit these permissions. If the site is a Claims-based Authentication site, having Anonymous Authenticationenabled will cause issues when connecting to the K2 server. Anonymous Authentication should be set to disabled forWebDesigner and EventWeb directories in this case.




1.2 Claims-based Authentication




1.2.1 Overview

OverviewClaims-based authentication is built on Windows Identity Foundation (WIF), a framework for building claims-awareapplications that is standards-based and interoperable. Interoperability is provided through reliance on industrystandard protocols such as WS-Federation, WS-Trust, and Security Assertion Markup Language 1.1 (SAML).

In claims-based authentication, an identity provider, or security token service, responds to authentication requestsand issues SAML security tokens that include any number of claims about a user, such as a user name and groupsthe user belongs to. A relying party application receives the SAML token and uses the claims inside to decide whetherto grant the client access to the requested resource. Claims-based authentication can be used to authenticate yourorganization's internal users, external users, and users from partner organizations.

K2 relies on the configuration of a K2 user manager to provide authentication and user and group resolution foridentity stores such as Active Directory, SQL, LDAP or Custom. For more information see the User Managers topic inthe K2 blackpearl Getting Started Guide:

Getting Started - Installation and Configuration > Prerequisites > Environment Configuration > User Authenticationand Security > Introduction to User Managers K2 provides the ability for incoming claims-based authenticationthrough configuration of mappings between claims-based identity providers and K2 user managers.

Full details on Claims based authentication can be found in the K2 GettingStarted Guide online athttp://help.k2.com/en/k2blackpearlgettingstarted.aspx Installation and Configuration > Installation > IntegrationConfiguration > SharePoint > Claims-based Authentication

Claims-based authentication is supported by K2 smartforms and is combined with Claims-based authenticationconfigured on K2 blackpearl.

Claims-based Authentication need to be configured and working on the K2 blackpearl server before starting the claims configuration for K2smartforms sites

Supported

Claims-based Authentication for federated claims identities such as ADFS, Azure AD, etcThe use of a Windows Identity Foundation utility (FedUtil) to configure a SmartForms runtime site to supportfederated claims-based usersWhen the abovementioned runtime site is used in the K2 smartforms Viewer Web Part on a SharePoint 2010 site,flow-through of the claims users’ identities is managed for providers in SharePoint that are ‘trusted’. However,there is a one-to-one mapping between the identity provider and the SmartForms runtime siteWindows-based users (wrapped in claims or not) with a standard Windows authentication runtime site

Unsupported

Multiple identity providers on the same runtime siteMultiple ‘trusted’ providers configured or using a Windows or Forms-based user login where the runtime site isused in the K2 smartforms Viewer Web Part on a SharePoint 2010 siteForms-based users wrapped in claims

The following matrix explains the possible combinations for Claims between K2 blackpearl and K2 smartforms:

Supported

K2 blackpearl + Claims K2 smartforms + No Claims

K2 blackpearl + No Claims K2 smartforms + No Claims

K2 blackpearl + Claims K2 smartforms + Claims

Not Supported

K2 blackpearl + No Claims K2 smartforms + Claims




1.2.2 Configuration




1.2.2.1 Prerequisites

PrerequisitesClaims-based Authentication configured on K2 blackpearlMicrosoft .NET Framework 4.5Windows Identity Framework 3.5: Runtime:http://www.microsoft.com/en-za/download/details.aspx?id=17331ORSDK:http://www.microsoft.com/en-za/download/details.aspx?id=4451Obtain a token signing certificate from your Identity ProviderThe K2 smartforms web site must be SSL enabled (Example: https://dlx.denallix.com/runtime/)

Information Required

The following information is required before beginning the claims configuration of K2 smartforms sites. The steps thatfollow direct you on how to configure claims, but you should be aware before you begin that this information isnecessary to complete the configuration.

Identity Provider – this is the application that will be providing claims-based user authentication to K2smartforms, for example AD FS.Relying Party – the K2 Host Server is configured as the relying party for the identity provider, for example ADFS.

Identity Provider

STS WS-Federation metadata document location – this is where the identity provider posts its metadatadocument.Signing Certificate – this is the certificate used by the identity provider to sign user claims.

Relying Party

K2 smartforms Site – this is the site that will become claims-enabled. K2 smartforms configures three sites bydefault – Designer, Runtime and Workflow. Each site must be individually configured for claims-basedauthentication if desired.Application configuration location – this is the path to the K2 smartforms site web.config.Application URI – this is the URI to the K2 smartforms site that will become claims-based authenticationenabled.Federation metadata file location – this is where the K2 smartforms site will store its federation metadatadocument.




http://www.microsoft.com/en-za/download/details.aspx?id=17331

http://www.microsoft.com/en-za/download/details.aspx?id=4451

https://dlx.denallix.com/runtime/

1.2.2.2 High-level Steps

Claims-based Authentication - High-level StepsThese high-level steps are provided for those familiar with configuring claims integration. For a detailed guide, seethe Step-by-Step topic.

1. Install the Windows Identity Framework SDK 3.5 (WIF) on the K2 smartforms server2. SSL-enable the web site that hosts the K2 smartforms virtual directories3. Obtain and install the Identity Provider Certificate on the K2 server4. Configure each K2 smartforms site that needs to be claims-enabled– do this for each K2 smartforms site(Designer, Workflow, Runtime)

a. Run FedUtilb. Update Web.config for bootstrap tokens and cookie handlingc. Configure App Pools to load the user profile

5. Update K2 Host Server.exe.config -- Create claims section for each Identity Provider6. Configure K2 as Relying Party Trust for each Identity Provider - do this for each K2 smartforms site (Designer,Workflow, Runtime) that is claims-enabled




1.2.2.3 Step-by-Step




1.2.2.3.1 Step 1 - Install Windows Identity Framework SDK 3.5

Step 1 - Install the Windows Identity Framework SDK 3.5Download and install the Windows Identity Framework SDK 3.5 and Windows Identity Framework 4.5 from thefollowing link:

http://www.microsoft.com/en-us/download/details.aspx?id=4451




1.2.2.3.2 Step 2 - Create an SSL-enabled site for SmartForms

Step 2 - Create an SSL-enabled site for SmartFormsConsiderations

An existing SmartForms site (not virtual directory) can be updated to be Claims-enabled or a new SmartForms site can be created forClaims-based Authentication. Note that one site can't use both Windows Authentication and Claims Authentication.

1. Open Internet Information Services (IIS) Manager2. In this example the K2 smartforms site is used. Right click the K2 smartforms site and select Edit bindings

3. Click Add4. Select https from the Type drop down list and type a new number in the Port field.5. Select the certificate used for your site. In this example it is the *.denallix.com Certificate, which is also used for the IdentityProvider, but these two certificates do not have to be the same (and in most cases will not be the same).




1.2.2.3.3 Step 3 - Obtain and install the Identity Provider Certificate

Step 3 - Obtain and install the Identity Provider CertificateThe certificate or certificates from the identity provider must be installed in the Trusted Root Certification Authorities location on the K2server. To do this, follow these steps.

1. Export the certificate from the identity provider. For the purpose of this topic, the certificate is the Token Signing Certificate fromAD FS. To find this certificate, expand the Service node and select the Certificates sub-node. Right-click the certificate and selectView Certificate from the AD FS 2.0 Management console.

2. Select the Details tab and click the Copy to File button.




3. Walk through the Certificate Export Wizard, creating a DER encoded binary X.509 certificate file.4. Copy the .CER file to the K2 server5. Double-click the .CER file on the K2 server

6. Click the Install Certificate button on the General tab.




7. Select the Place all certificates in the following store option on the Certificate Import Wizard and choose the Trusted RootCertificate Authorities store.

8. Click OK, Next and then Finish to complete the wizard. Your identity provider signing certificate is now installed for the K2 serverto trust.




1.2.2.3.4 Step 4 - Configure each SmartForms site

Step 4 - Configure each SmartForms siteEach SmartForms site must be configured using the following steps:

A - Use the FedUtil utility to generate the metadataB - Modify the web.config files for bootstrap tokens and cookie handlingC - Modify the App Pool to load the user profile

A - Using FedUtil

1. Run the FedUtil.exe which can be found in the following location:C:\Program Files (x86)\Windows Identity Foundation SDK\v3.5\FedUtil.exe

2. On the Welcome page, configure the following items:a. Application configuration location - Browse to the required SmartForms design time installation path. Open the web.configb. Application URI - Should contain the SmartForms website URL. (Example: https://dlx.denallix.com:449/Designer/) Notethat you’ll have to do this for each SmartForms site that needs to be claims-enabled.

3. Click Next.4. Select the Use an existing STS option.5. Provide a location for example: ADFS - https://adfs.denallix.com/6. Click Test location - This will automatically generate the FederationMetadata/2007-06/FederationMetadata.xml




https://dlx.denallix.com:449/Designer/

7. Click Next.8. Configure applicable options for your environment.

9. Click Next.10. Review the available claims.




11. Click Next.12. Review the summary information and click Finish.

13. Click OK.




Repeat Step 1-13 for the following URLS if Claims-Authentication is required on the Runtime and Workflow sites of K2 smartforms:

Runtime - Example: https://dlx.denallix.com:449/Runtime/Workflow - Example: https://dlx.denallix.com:449/Workflow/

NOTE: The application configuration location paths to the web.config will differ

B - Modify the web.config files for bootstrap tokens and cookie handling

1. Update the following web.config files:a. Designer - Example: C:\Program Files (x86)\K2 blackpearl\K2 smartforms Designer\b. Workflow - Example: C:\Program Files (x86)\K2 blackpearl\K2 smartforms Designer\Workflow\c. Runtime - Example: C:\Program Files (x86)\K2 blackpearl\K2 smartforms Runtime\

2. Locate the microsoft.identityModel tag3. Replace the service tag with the following:

Copy Code

… <microsoft.identityModel> <service saveBootstrapTokens="true"> …

4. Locate the federatedAuthentication tag. Add path="/" to the cookieHandler requireSsl node. Example is shown below:

Copy Code

… <cookieHandler requireSsl="false" path="/" /> …

Consideration

If you only want certain security labels' users to return in search results, the following can be added to the Workflow site's web.config filein appsettings.

Copy Code

… <add key="DestinationSearchLabels" value="K2ADFS" /> …

This should only be used to override the default that the K2HostServer has configured. This is not a required step.

C - Modify the Application Pool to load the user profile

1. In Internet Information Service(IIS) Manager, open the Advanced Settings of the Application Pool as shown below:




https://dlx.denallix.com:449/Runtime/

https://dlx.denallix.com:449/Workflow/

2. Change the setting next to Load User Profile to True. Click OK.

Repeat this step if the SmartForms sites are configured with different Application Pools.




1.2.2.3.5 Step 5 - Update K2HostServer.exe.config

Step 5 - Update K2HostServer.exe.config - Create a claims section for each identity providerThe K2HostServer.exe.config file must contain a claim section for each identity provider. Before you can configure this, you must get thethumbprint for each from the web.config files of each virtual directory configured above (Designer, Workflow, Runtime). To do this, followthese steps:

1. Open each web.config file for each SmartForms site and copy the GUID from the following location:

Copy Code

… <issuerNameRegistrytype="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry,Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral,PublicKeyToken=31bf3856ad364e35"><trustedIssuers><add thumbprint="4AE0C3A788A2B40EA90E254ACD1C8E6DC48E20C9"name="http://adfs.denallix.com/adfs/services/trust" /></trustedIssuers></issuerNameRegistry> …

2. Edit the K2HostServer.exe.config and add claims sectiona. Open the K2HostServer.exe.config file from :\Program Files (x86)\K2 blackpearl\Host Server\Binb. Copy the configuration section below and add it to the config file in the configuration section.

ExampleThe following example configuration section is for the fictitious Denallix.com claims based site on a single server with usermappings configured for Windows (Active Directory), Forms (LDAP) and a Trusted Provider (AD FS for LDAP).

Copy Code

… <sourcecode.security.claims> <issuers> <issuer name="http://adfs.denallix.com/adfs/services/trust"thumbprint="E2F26FEEF7550CE36D875A76E6748979AEFCDF40 "/> </issuers> <claimTypeMappings> <claimTypeMapping securityLabel="K2ADFS"> <identityProviderClaim originalIssuer="http://adfs.denallix.com/adfs/services/trust"claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"claimValue="http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows"/> <identityClaim originalIssuer="http://adfs.denallix.com/adfs/services/trust"claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"/> <roleClaim originalIssuer="http://adfs.denallix.com/adfs/services/trust"claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"/> </claimTypeMapping> </claimTypeMappings> </sourcecode.security.claims> …

c. Replace the GUID obtained from Step 1 in the configuration section. d. Replace all values as per your environment in the configuration section. The configuration section should resemble the details ofyour environment. The details of your environment can be found in the following location: C:\Program Files (x86)\K2blackpearl\K2 smartforms Designer\ and as shown below:




http://adfs.denallix.com/adfs/services/trust



http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod

http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows%22/


http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name%22/


http://schemas.microsoft.com/ws/2008/06/identity/claims/role%22/

3. Create a new security label pointing to the trusted LDAP provider. Follow the steps as provided in the K2 blackpearl documentation:Getting Started - Installation and Configuration > Installation > Integration Configuration > SharePoint > Claims-based Authentication> Claims Authentication Configuration. The specific configuration is available under the Claim Type Mappings section of this topic.

Consideration

If you have configured the K2 Host Server to use claims for SharePoint, your K2HostServer.exe.config as per Step 2.2 above should look likethis:

Copy Code

… <sourcecode.security.claims> <issuers> <issuer name="SharePoint Security Token Service"thumbprint="F7207335CEECFC8B70B384BA4606082CA8837091" /> <issuer name="SharePoint Security Token Service Encryption"thumbprint="E0C95B0DCC11F3C88C7F6E9C62421980BEC3991C" /> <issuer name="http://sav-pd-appsrv.pointdistro.local/adfs/services/trust"thumbprint="EFB1E5519C8E5C3EFF2ECA1EC7EC1A4C45844D35" /> </issuers> <claimTypeMappings> <claimTypeMapping securityLabel="K2FORMS"> <identityProviderClaim originalIssuer="SecurityTokenService"claimType="http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider"claimValue="forms:LdapMembership" /> <identityClaim originalIssuer="Forms:LdapMembership"claimType="http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname" /> <roleClaim originalIssuer="Forms:LdapRoleProvider"claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" /> </claimTypeMapping> <claimTypeMapping securityLabel="K2ADFS"> <identityProviderClaim originalIssuer="http://sav-pd-appsrv.pointdistro.local/adfs/services/trust"claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"claimValue="http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password"/> <identityClaim originalIssuer="http://sav-pd-appsrv.pointdistro.local/adfs/services/trust"claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" /> <roleClaim originalIssuer="http://sav-pd-appsrv.pointdistro.local/adfs/services/trust"




http://sav-pd-appsrv.pointdistro.local/adfs/services/trust

http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider

http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname

http://schemas.microsoft.com/ws/2008/06/identity/claims/role



http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod

http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password



http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name



claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" /> </claimTypeMapping> <claimTypeMapping securityLabel="K2ADFS"> <identityProviderClaim originalIssuer="SecurityTokenService"claimType="http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider"claimValue="trusted:ADFS" /> <identityClaim originalIssuer="TrustedProvider:ADFS"claimType="http://schemas.k2.com/identity/claims/name" /> <roleClaim originalIssuer="TrustedProvider:ADFS"claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" /> </claimTypeMapping> <claimTypeMapping securityLabel="K2"> <identityProviderClaim originalIssuer="SecurityTokenService"claimType="http://schemas.microsoft.com/sharepoint/2009/08/claims/identityprovider"claimValue="windows" /> <identityClaim originalIssuer="Windows"claimType="http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname" /> <roleClaim originalIssuer="Windows"claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" /> </claimTypeMapping> </claimTypeMappings> </sourcecode.security.claims> …

Note that there are two K2ADFS sections in the above configuration section.

Yellow - The claim type mapping in the highlighted yellow section represents SmartForms

Blue - The claim type mapping in the highlighted blue section represents SharePoint

If both setups use the same users, the green and pink highlighted claim types should be the same.







http://schemas.k2.com/identity/claims/name



http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname

http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid

1.2.2.3.6 Step 6 - Configure K2 as a Relying Party Trust for each Identity Provider generated byFedUtil

Step 6 - Configure K2 as a Relying Party Trust for each Identity Provider generated by FedUtilThe following steps are required to add a relying party to the token issuer. This must be done on each site that was configured above.

This example uses AD FS but the steps are similar for other token issuers.

1. Launch the AD FS 2.0 Management console (Start > Administrative Tools > AD FS 2.0 Management )2. Add a new Relying Party Trust

3. Click Start




4. Select Import data about the relying party from a file and click on Browse. The Federation metadata file location – this is the3 site locations as per the examples previously given: C:\Program Files (x86)\K2 blackpearl\K2 smartforms Designer\FederationMetadata\2007-06\FederationMetadata.xmlC:\Program Files (x86)\K2 blackpearl\K2 smartforms Designer\Workflow\FederationMetadata\2007-06\FederationMetadata.xmlC:\Program Files (x86)\K2 blackpearl\K2 smartforms Runtime\FederationMetadata\2007-06\FederationMetadata.xml




5. Click Next.6. Enter a display name and description.




7. Click Next.8. Select the desired option.




9. Click Next.10. Review information in tabs especially the Accepted Claims and Endpoints.




11. Click Next.12. Click Close.




13. On the Issuance Transform Rules tab, click Add Rule…




14. Select Send LDAP Attributes as Claims.




15. Click Next.16. Supply a name for the rule. Configure the required and optional claim mappings.




17. Click Finish.18. Click OK.19. Restart the K2 Host Server and open the new web site




1.2.3 Claims User Identity Flow

Claims User Identity FlowThis section explains how a claims-based user identity flows in a specific environment with the following systems configured in aparticular manner as described throughout the Claims-based Authentication topics:

SharePoint 2010 Web application using Trusted Provider claims-based authenticationK2 smartforms web application using Trusted Provider claims-based authenticationAD FS 2.0 using the LDAP attribute storeK2 blackpearl with trusted Issuer, Identity Provider, Identity and Role claim mappings

For more information on configuration, see Claims-based Authentication with K2 smartforms

Logical Flow

User requests for content and data from SmartForms and K2 will follow this flow.

1. The client sends a request to access the SmartForms site.2. IIS refuses the connection and redirects the user to the trusted claims provider for SmartForms – AD FS 2.0.3. The client sends a request for a token from AD FS 2.0.4. AD FS 2.0 returns a logon page to the client prompting users for credentials.

If the client already has a valid Kerberos ticket on the network, and AD FS 2.0 is setup for Integrated Windows Authentication, then this ticket ispresented to AD FS 2.0 in the first request, skipping steps 4-7.

5. The user provides their credentials.6. AD FS 2.0 validates the credentials with the identity store, in this case Active Directory.7. Active Directory validates the client.8. AD FS 2.0 provides a claim for access to SmartForms data.9. The client presents the claim from AD FS 2.0 to the SmartForms services.10. The SmartForms services decrypts and validates the claim, then encrypts the claim with additional SmartForms claims and

provides the claims for access to K2 data.11. The K2 server validates the claim is from a trusted issuer (the SmartForms STS) and decrypts the claim.12. The K2 server matches the identity provider in the claim to one registered in K2 configuration.13. The K2 server retrieves the K2 user manager security label and the identity claim value to construct the K2 fully qualified

name user.14. The K2 server switches the context to the K2 FQN user.15. (Optional) The K2 server accesses LOB system data via Kerberos or Pass-through Authentication using the context of the

K2 FQN user.16. (Optional) The LOB system requested data is returned to the K2 server.17. The K2 data is returned to the SmartForms services.18. The SmartForms services present the K2 FQN user with the requested information.

K2 does not implement an STS and therefore does not retain or pass-on to external LOB systems any of the claims provided with the user fromSmartForms. K2 utilizes the configured claim mappings to determine the appropriate K2 fully qualified name user. Once the K2 fully qualified username context has been determined, all processing in K2 occurs using that same user context just as it does for non-claims-based users.




1.2.4 Troubleshooting Claims Authentication Configuration

Troubleshooting Claims Authentication ConfigurationThe following errors may be encountered:

Error 1:

Problem:

You are navigating to the http site. This site has now been configured for claims.

Solution:

You need to navigate to the https site created for Claims-Authentication.

Error 2:

Problem:

This indicates that you have not imported the certificate for the Issuing Party into the certificate store for the machine your site ison. The following link might be useful:

https://confluence.atlassian.com/display/CONFKB/SharePoint+Unable+to+Connect+to+SSL-secured+Confluence

Workaround:

To bypass the certificate validation, the following entry can be added to the web.config file of the specific site.

Copy Code

… <certificateValidation certificateValidationMode="None"/> …

Example:




Error 3:

Once certificates are properly configured, the following error may appear

Problem:

This indicates that the thumbprint is likely incorrect.

Solution:

Verify the thumbprint matches in the web.config and in the K2HostServer.exe.config claims configuration section. NOTE: Restartthe K2 Host Server after these changes.

Error 4:




Problem:

This indicates that there is no Name in the relying party trust

Solution:

Map the SAM-Account-Name attribute to the Name Outgoing Claim Type as per the instructions in the Step 6.16

Error 5:

The following Java script error may be encountered in the HostServer log of a Claims-based Authentication environment:

“ProcessPacket Error, Authentication With Server Failed : ID4223: The SamlSecurityToken is rejected because theSamlAssertion.NotOnOrAfter condition is not satisfied. NotOnOrAfter”

Solution:




Resync the system time of the machine as per the following article:

http://www.richardawilson.com/2012/02/adfs-20-id4332-samlsecuritytoken-is.html

Error 6:

Problem:

There is an issue with connection pooling between K2 smartforms and K2 HostServer that produces the error displayed above.This usually happens when the session and/or token expires.

Solution:

Disable connection pooling by adding <add key="Forms.UseConnectionPooling" value="false"/> to the configSections sectionof the web.config of the Designer, Runtime and Workflow sites.

or

Extend the token lifetime of the bootstrap token to 9 hours (540 minutes) for example, which will cover a typical workingday.Execute the following commands in die Windows Powershell on the environment hosting the AD FS service to affect this:Add-PSSnapin Microsoft.Adfs.PowerShellSet-ADFSRelyingPartyTrust -Targetname "Designer" -TokenLifetime 540Set-ADFSRelyingPartyTrust -Targetname "Workflow" -TokenLifetime 540Set-ADFSRelyingPartyTrust -Targetname "Runtime" -TokenLifetime 540

Error 7:

Problem:

The Claims Authentication SAML token has expired since the last interval check. This usually happens when the session and/ortoken expires. If the page is not refreshed on a regular basis the claim expiration will expire and a message will appear.

Solution:

One way to avoid the issue is to extend the lifetime of the tokens. It is recommended to change it to 9 hours as it closely matchesa typical working day. To change the lifetime of the tokens, follow the instructions here: http://technet.microsoft.com/en-us/library/gg188586.aspx




http://www.richardawilson.com/2012/02/adfs-20-id4332-samlsecuritytoken-is.html

2 K2 smartforms Copyright and Trademark Statement

© 2008-2013 SOURCECODE TECHNOLOGY HOLDINGS, INC. ALL RIGHTS RESERVED.SOURCECODE SOFTWARE PRODUCTS ARE PROTECTED BY ONE OR MORE U.S.PATENTS. OTHER PATENTS PENDING. SOURCECODE, K2, K2 BLACKPEARL, K2BLACKPOINT AND K2 SMARTFORMS ARE REGISTERED TRADEMARKS ORTRADEMARKS OF SOURCECODE TECHNOLOGY HOLDINGS, INC. IN THE UNITEDSTATES AND/OR OTHER COUNTRIES. THE NAMES OF ACTUAL COMPANIES ANDPRODUCTS MENTIONED HEREIN MAY BE THE TRADEMARKS OF THEIR RESPECTIVEOWNERS.




K2 smartforms Security and Authenticationcommunity.k2.com/pfxaw45692/attachments/pfxaw45692... ·...

Documents

Transcript of K2 smartforms Security and Authenticationcommunity.k2.com/pfxaw45692/attachments/pfxaw45692... ·...