
Configure K2 SmartForms to work with AD FS – highlights

First of all, I would like to draw your attention to the fact that this article reflects purely my own experience and is not an official guide on how everything must be configured.

Before reading this article, please read carefully the section Configure SmartForms for Active Directory Federation Services (AD FS) in the K2 SmartForms Installation and Configuration Guide. These are advanced tasks which should be carried out by administrators only!
Working with the guide all the time, I noticed that some points are not highlighted or not mentioned there at all. So let's try to make them clear.
Most of the steps of the K2 SmartForms Installation and Configuration Guide are quite clear and I do not see any problems with them. But in Step 5 – Configure the Claim Mappings in K2, most people do not know what to enter and where. Even when you enter correct values, it can work in one browser and give errors in the others.

Identity Provider:
  • Identity Provider Claim Type: The claim type proposed by the Guide is not good enough, especially if several browsers are used in the company and their authentication methods differ. For example, IE can use Windows Integrated authentication, whereas Mozilla Firefox will redirect you to the AD FS authentication page. The values of the proposed claim will differ in these two cases, so K2 will not recognise the issuer consistently. For the Identity Provider claim I would recommend creating a claim rule with a static value on the AD FS side. This is an additional rule to Step 7 – Configure K2 as a Relying Party Trust in AD FS, and it has to be added for each K2 smartforms site. For example:

  • Identity Provider Claim Value: Use the static value of the Identity Provider claim configured in AD FS. In our example it is “ADFS”.

Then your Identity Provider section should look like this:

Identity:
  • Identity Claim Type: Your identity claim type is something you can find out from your AD FS administrator. Basically, this is the claim which identifies the user. In some companies you will use the Name claim type (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name), in others the UPN claim type (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn). Whichever claim you use here, the AD FS relying party trust for the K2 site must contain an issuance rule for that claim type, otherwise K2 receives a token without an identity claim and cannot resolve the user. Below is an example of rules configured for both the Name and the UPN claims:
  • Identity Claim Value: Since the identity claim identifies the user, its value is different for every user, which means you need to leave the Identity Claim Value textbox empty.
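As an added example (not part of the original article or of the K2 guide), here are the two AD FS issuance transform rules discussed above, a static Identity Provider claim and the Name/UPN identity claims, written in the AD FS claim rule language and applied to the K2 relying party trust with the ADFS PowerShell module. Everything not stated in the article is an assumption: the trust is assumed to be named "K2 smartforms", the claim type "urn:k2:identityprovider" is hypothetical (use whatever claim type you enter as Identity Provider Claim Type in K2), and the Name claim is assumed to be sourced from sAMAccountName.

```powershell
# Added example, not from the article or the K2 guide. Run on an AD FS server as an AD FS administrator.
# Assumptions (not from the article): trust name, hypothetical claim type 'urn:k2:identityprovider',
# and sAMAccountName as the AD attribute behind the Name claim.
Import-Module ADFS

$rpName        = 'K2 smartforms'            # assumed display name of the relying party trust created in Step 7
$idpClaimType  = 'urn:k2:identityprovider'  # hypothetical claim type; enter it as K2 "Identity Provider Claim Type"
$idpClaimValue = 'ADFS'                     # static value; enter it as K2 "Identity Provider Claim Value"

# Rule 1: static Identity Provider claim. It has no input condition, so every user gets the same value
# regardless of whether the browser used Windows Integrated authentication or the AD FS sign-in page.
$staticIdpRule = @"
@RuleName = "K2 identity provider (static value)"
=> issue(Type = "$idpClaimType", Value = "$idpClaimValue");
"@

# Rule 2: identity claims. Issues both Name and UPN from Active Directory, so either one can be
# selected as the K2 "Identity Claim Type" in Step 5. The attribute behind the Name claim
# (sAMAccountName here) is an assumption; it must match how K2 labels the user.
$identityRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "K2 identity claims (Name and UPN)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";sAMAccountName,userPrincipalName;{0}", param = c.Value);
'@

# Apply both rules. Note: -IssuanceTransformRules replaces ALL existing transform rules on the trust,
# so merge with any rules you already configured in Step 7 before running this.
$rules = $staticIdpRule + "`r`n" + $identityRule
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Check: show the rules AD FS now holds for the trust and fail loudly if the static rule is missing.
$applied = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
$applied
if ($applied -notmatch [regex]::Escape("Value = `"$idpClaimValue`"")) {
    throw "Static identity provider rule was not applied to '$rpName'."
}
```

Repeat the call once per K2 smartforms site (each site is its own relying party trust), keeping the same static value only if all those sites are meant to map to the same K2 issuer. After applying, sign in from both browser types and confirm that the Identity Provider claim value in the token is identical in both cases.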

SharePoint integration:

If you want to use the AD FS issuer in K2 together with SharePoint, then you need to fill in some more fields which are left empty in the guide, namely Identity Issuer, User Token Identifier and Group Token Identifier. SharePoint 2013 and SharePoint 2010 display identity claims with the following encoding format:
<IdentityClaim>:0<ClaimType><ClaimValueType><AuthMode>|<OriginalIssuer (optional)>|<ClaimValue>
  • Identity Issuer: This information can be obtained from your SharePoint administrator. The Identity Issuer can have one of the following values, depending on the authentication used by the SharePoint web application:
    • Windows Authentication: urn:office:idp:activedirectory 
    • FBA: urn:office:idp:forms:membershipprovidername 
    • Trusted Identity Provider: trusted:samlprovidername

Here is an example of the section for Windows authentication:
And here is an example of the section for a Trusted Identity Provider, in my case its name is adfs:
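As an added example (not from the original article), the script below decodes the SharePoint encoded login name format quoted above and derives from it the Identity Issuer value K2 expects, using the three value patterns listed in the article. The login names it parses are constructed samples; the provider names "ldapmember" and "adfs" are assumptions, and the meaning of the auth-mode characters (w = Windows, f = forms, t = trusted identity provider) is taken from how SharePoint encodes these names in practice, so verify it against a real login name from your own farm (for example the LoginName shown by Get-SPUser).

```powershell
# Added example, not from the article. Decodes SharePoint's encoded claim login names and maps the
# authentication mode to the K2 "Identity Issuer" value. Sample login names are constructed;
# provider names 'ldapmember' and 'adfs' are assumptions.
function ConvertFrom-SPEncodedClaim {
    param([Parameter(Mandatory)][string]$EncodedClaim)

    # Layout: <i|c>:0<ClaimTypeChar><ValueTypeChar><AuthModeChar>|[<OriginalIssuer>|]<ClaimValue>
    if (-not ($EncodedClaim -match '^(?<kind>[ic]):0(?<type>.)(?<vtype>.)(?<mode>.)\|(?<rest>.*)$')) {
        throw "Not a SharePoint encoded claim: '$EncodedClaim'"
    }
    $kind  = $Matches['kind']
    $type  = $Matches['type']
    $vtype = $Matches['vtype']
    $mode  = $Matches['mode']
    $rest  = $Matches['rest']

    # Windows logins have no original-issuer segment (a single '|'); other modes carry '<issuer>|<value>'.
    $issuer = $null
    $value  = $rest
    $sep = $rest.IndexOf('|')
    if ($sep -ge 0) {
        $issuer = $rest.Substring(0, $sep)
        $value  = $rest.Substring($sep + 1)
    }

    # Map the auth-mode character to the K2 Identity Issuer patterns given in the article.
    $k2Issuer = switch ($mode) {
        'w'     { 'urn:office:idp:activedirectory' }
        'f'     { "urn:office:idp:forms:$issuer" }
        't'     { "trusted:$issuer" }
        default { $null }   # other modes (e.g. claims issued by SharePoint's own STS) are not K2 identity issuers
    }

    [pscustomobject]@{
        IsIdentityClaim  = ($kind -eq 'i')   # 'i' = identity claim, 'c' = any other claim
        ClaimTypeChar    = $type             # e.g. '#' for the logon name
        ValueTypeChar    = $vtype            # '.' = string
        AuthModeChar     = $mode             # 'w' Windows, 'f' forms, 't' trusted provider
        OriginalIssuer   = $issuer
        ClaimValue       = $value
        K2IdentityIssuer = $k2Issuer
    }
}

# Constructed sample login names, one per Identity Issuer type listed in the article.
@(
    'i:0#.w|contoso\jdoe',            # Windows authentication
    'i:0#.f|ldapmember|jdoe',         # FBA, membership provider named 'ldapmember' (assumed)
    'i:05.t|adfs|jdoe@contoso.com'    # trusted identity provider named 'adfs' (assumed)
) | ForEach-Object { ConvertFrom-SPEncodedClaim $_ } | Format-Table -AutoSize
```

The decoder deliberately keeps the original-issuer segment separate from the value, because for FBA and trusted providers that segment is exactly the provider name the K2 Identity Issuer pattern needs, while for Windows logins it is absent and the fixed value urn:office:idp:activedirectory applies.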

PS. This article may be updated after further research or new experience. If you find any mistake, please let me know so that I can update the article as soon as possible and better understand how it all works!
  1. Hi, thanks for this. Was very helpful, especially with the K2 for SharePoint integration bits.
    Now I'm getting an error "Operation is not valid due to the current state of the object.", I get this error when I try to use any SharePoint SmartObject from SMO Tester, SmartForms, etc.
    Any ideas? Thanks.
