
Using K2 for Sharepoint with Trusted Claims Provider Authentication

K2 for SharePoint only works properly when the User Profile Application (UPA) is fully populated. In SharePoint 2013 the user profile system plays a critical role in the OAuth infrastructure, which is what allows certain trusted application scenarios to succeed by letting one application act on behalf of a user. For an application to "know" what a user is allowed to do, it has to retrieve that user's list of attributes so that the proper security-trimming rules can be applied.
As you probably also know, a SharePoint web application can authenticate users in several ways:

  • Windows;
  • Forms;
  • Trusted Claims Provider.
None of the K2 for SharePoint Installation and Configuration Guides explains the correct configuration of the User Profile Service Application when SharePoint uses several authentication methods for one and the same web application (e.g. ADFS and Windows).
When you want to use accounts from different authentication providers with the K2 app, a synchronization connection must be configured in the User Profile Service Application for each authentication provider.
Example of a Synchronization Connection Configuration for ADFS:
Even though these providers may synchronize from one and the same Active Directory, SharePoint treats their users as two separate sets of profiles, each with its own property values. When some of those properties are not populated, you may see the following exceptions:
  • System.Net.WebException 401 with message: Access denied. You do not have permission to perform this action or access this resource.
  • Microsoft.SharePoint.ClientServerUnAuthorizedAccessException with message: Access denied. You do not have permission to perform this action or access this resource.
The first indication that the UPA is not configured properly is seeing the user's account name or user principal name instead of the user's display name in the upper-right corner of SharePoint 2013.
To determine whether the UPA is populated correctly, simply log in to SharePoint as the user in question and navigate to the following URL:
https://<siteurl>/_api/SP.UserProfiles.PeopleManager/GetMyProperties
This returns all of the UPA properties for that user. Ensure that the following UPA properties are populated:
  • SPS-ClaimID
  • SPS-ClaimProviderID
  • SPS-ClaimProviderType
  • SPS-UserPrincipalName
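Checking those four properties by eye in the browser is fine for one user, but when several claims users report the 401, it helps to run the check over the saved responses. The script below is an added example, not code from the post or from K2; it assumes the GetMyProperties JSON body is either the odata=verbose shape (a "d" wrapper with UserProfileProperties.results as a list of Key/Value objects) or the nometadata shape (a flat UserProfileProperties list), and the embedded sample response is constructed for the demonstration. It reports which of the required properties are absent or present but empty, and also flags an empty DisplayName, since that is the first symptom the post describes.

```python
import json

# The four UPA properties the post says must be populated for a claims user.
REQUIRED_PROPERTIES = (
    "SPS-ClaimID",
    "SPS-ClaimProviderID",
    "SPS-ClaimProviderType",
    "SPS-UserPrincipalName",
)

# Constructed sample of a GetMyProperties response in the odata=verbose shape.
# The account name is a made-up trusted-provider claims identity; two of the
# required properties are deliberately unpopulated (one empty, one absent).
SAMPLE_RESPONSE = json.dumps({
    "d": {
        "AccountName": "i:05.t|adfs|jane.doe@contoso.example",
        "DisplayName": "",
        "UserProfileProperties": {
            "results": [
                {"Key": "SPS-ClaimID", "Value": "jane.doe@contoso.example"},
                {"Key": "SPS-ClaimProviderID", "Value": "adfs"},
                {"Key": "SPS-ClaimProviderType", "Value": ""},
                {"Key": "PreferredName", "Value": ""},
            ]
        },
    }
})


def parse_profile(response_text):
    """Return (account_name, display_name, {key: value}) from a GetMyProperties
    JSON body. Accepts both the odata=verbose shape ("d" wrapper, "results"
    list) and the nometadata shape (flat list) -- an assumption about the
    endpoint's output, not something the post states."""
    body = json.loads(response_text)
    profile = body.get("d", body)
    props = profile.get("UserProfileProperties", [])
    if isinstance(props, dict):          # verbose shape wraps the list in "results"
        props = props.get("results", [])
    values = {p.get("Key"): p.get("Value") for p in props}
    return profile.get("AccountName"), profile.get("DisplayName"), values


def find_unpopulated(response_text):
    """Return the required properties that are absent or empty, in the order
    the post lists them, followed by "DisplayName" if that is empty too.
    An empty list means the UPA looks correctly populated for this user."""
    _, display_name, values = parse_profile(response_text)
    missing = [k for k in REQUIRED_PROPERTIES
               if not (values.get(k) or "").strip()]
    if not (display_name or "").strip():
        missing.append("DisplayName")
    return missing


def report(response_text):
    """One-line summary suitable for pasting into a ticket."""
    account, _, _ = parse_profile(response_text)
    missing = find_unpopulated(response_text)
    if not missing:
        return f"{account}: all required UPA properties populated"
    return f"{account}: unpopulated -> {', '.join(missing)}"


if __name__ == "__main__":
    import sys
    # Pass the path of a saved GetMyProperties response, or run with no
    # arguments to check the constructed sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_RESPONSE
    print(report(text))
```

Save the browser's JSON response (request it with an Accept header of application/json) to a file per user and run the script against each; a property that is present in the list but has an empty Value counts as unpopulated, which is exactly the case that produces the access-denied exceptions above.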
More details can be found in KB001627 – Known Issue when using OAuth with On-Premises SharePoint Farms. The article is quite old, but it still contains the relevant information.
The article Mapping User Profiles for SAML Users with an AD Import in SharePoint 2013 gives a good example of how to configure a synchronization connection in SharePoint for a Trusted Claims Provider.
