Authentication Modes
This topic describes the different Authentication Modes that are available when configuring Service Instances in K2. When you configure a Service Instance of a Service Type, The Authentication Mode setting determines what credentials K2 will pass to the target system (during the initial "discovery" phase to discover the available Service Objects in the target system, as well as at runtime when SmartObjects communicate with the target system).
- Not all Authentication Modes are supported for all Service Types. Refer to the Service Type documentation for the particular Service Type you wish to configure to see what known Authentication Mode restrictions may exist.
- When a SmartObject is called by a workflow and the Service Instance is configured to use "Impersonate", "OAuth" or "SSO", K2 will use the context of the K2 Service Account to determine the credentials to pass to the target system. It is possible to override this behavior by specifying alternate credentials for the step of the workflow that executes the SmartObject method.
Impersonate
The Impersonate Authentication Mode “impersonates” the currently-connected user when K2 interacts with the provider. Effectively, this “impersonation” mechanism passes-through the credentials of the user that is currently connected to K2, to the provider. This option is most often used when the provider implements user authorization and the data must be protected against unauthorized access. To use this option, the provider must support the same user authentication mechanism as the user credentials used to connect to K2. In other words, if user connect to K2 using Active Directory credentials, the target system should also support Active Directory credentials.
| Field | Expected value Type | Description | Example |
|---|---|---|---|
| Security Provider | Selection Field | (not applicable for this authentication mode) | |
| OAuth Resource Name | Selection Field | (not applicable for this authentication mode) | |
| OAuth Resource Audience | Text | (not applicable for this authentication mode) | |
| User Name | Text | (not applicable for this authentication mode) | |
| Password | Text | (not applicable for this authentication mode) | |
| Extra | Text | This field is used for additional authentication information and is usually specific to the Service Type being registered. Unless otherwise noted, this value is not required nor used. | |
| Enforce Impersonation | Check Field | This is a Pass-through Authentication option and is only applicable for the Impersonate and OAuth Authentication Modes. If Enforce Impersonation is not checked and Pass-through Authentication fails for the impersonated user, the service will revert to the K2 Service Account and retry the operation. If Enforce Impersonation is checked, the service will not revert to the Service Account if it fails with the impersonated user. |
OAuth
The OAuth Authentication Mode is used to pass Claims-Based Authentication users’ identity to providers that support OAuth tokens. OAuth essentially allows K2 to interact with a target system using the currently-connected user’s credentials, but without having to store the user's credentials.
In order to use the OAuth authentication mode, you must configure OAuth settings for the target system first. See the K2 knowledge base article KB 001702: How to configure OAuth for use with the OAuth Service Instance authentication mode and the topic OAuth for more information on configuring OAuth in K2. Once the OAuth resource is configured, you can select the OAuth authentication mode and then select the OAuth resource to use when connecting to the target system.
| Field | Expected value Type | Description | Example |
|---|---|---|---|
| Security Provider | Selection Field | (not applicable for this authentication mode) | |
| OAuth Resource Name | Selection Field | Select the OAuth Resource Name use for OAuth authentication. This setting is only applicable when using the OAuth Authentication Mode and refers to a pre-defined OAuth Resource. The Resource is defined using the Authentication section of the K2 management tools. | |
| OAuth Resource Audience | Text | Enter the OAuth Resource Audience URI to use for OAuth Authentication. This setting is only applicable when using the OAuth Authentication Mode and refers to the URI used to access a realm. | https://graph.windows.net |
| User Name | Text | (not applicable for this authentication mode) | |
| Password | Text | (not applicable for this authentication mode) | |
| Extra | Text | (not applicable for this authentication mode) | |
| Enforce Impersonation | Check Field | This is a Pass-through Authentication option and is only applicable for the Impersonate and OAuth Authentication Modes. If Enforce Impersonation is not checked and Pass-through Authentication fails for the impersonated user, the service will revert to the K2 Service Account and retry the operation. If Enforce Impersonation is checked, the service will not revert to the Service Account if it fails with the impersonated user. |
ServiceAccount
The ServiceAccount Authentication Mode uses the K2 service account’s Windows credentials when interacting with the provider. This is the simplest option when Active Directory authentication is used by the provider and when any interaction with the provider can occur in the context of the same AD user account, regardless of the user that is currently connected to K2.
When using this authentication mode, any interaction with the provider will use the K2 service account’s credentials. If the provider implements auditing, all audit entries will appear as the K2 service account, not the user who may have been interacting with the data on a user interface. If the provider implements authorization or security, ensure that the K2 service account has sufficient rights in the target system to perform the required operations.
| Field | Expected value Type | Description | Example |
|---|---|---|---|
| Security Provider | Selection Field | (not applicable for this authentication mode) | |
| OAuth Resource Name | Selection Field | (not applicable for this authentication mode) | |
| OAuth Resource Audience | Text | (not applicable for this authentication mode) | |
| User Name | Text | (not applicable for this authentication mode) | |
| Password | Text | (not applicable for this authentication mode) | |
| Extra | Text | This field is used for additional authentication information and is usually specific to the Service Type being registered. Unless otherwise noted, this value is not required nor used. | |
| Enforce Impersonation | Check Field | (not applicable for this authentication mode) |
SSO (Single Sign-on)
The SSO Authentication Mode uses a Single Sign On credential caching mechanism to pass stored user credentials to a provider. This option is typically used when the provider uses a different authentication mechanism than the authentication mechanism used by K2, but you still need to pass the currently-connected user’s credentials through to the target system. You can think of SSO as a “mapping” that stores alternate credentials per user, and K2 uses these stored alternate credentials to connect to the target system at runtime. Users will cache their credentials for the provider in the K2 SSO store, and K2 will then use these stored credentials to connect to the provider. Should the credentials not be found int he store or have expired, the user will be prompted to enter new credentials for the target system.
| Field | Expected value Type | Description | Example |
|---|---|---|---|
| Security Provider | Selection Field | Select the K2 Security Provider that will be used for mapping of Single Sign-On credentials. This setting is only applicable when using the SSO (Single Sign On) authentication mode and refers to the K2 Security Provider that is used to map incoming user credentials to the outgoing credentials. Select the incoming credentials security provider. | AAD/ K2 / SP |
| OAuth Resource Name | Selection Field | (not applicable for this authentication mode) | |
| OAuth Resource Audience | Text | (not applicable for this authentication mode) | |
| User Name | Text |
This is required when using either Static or SSO authentication mode. If Static is selected, this field stores the username that will be used when registering and refreshing this ServiceInstance against the backend service. It is also the identity that will be passed to the backend service when SmartObjects based upon this ServiceInstance are executed. If SSO is selected, this field stores the username that will be used when registering this ServiceInstance. When SmartObjects based upon this ServiceInstance executed, the individual users cached credentials will passed to the backend service. |
|
| Password | Text |
This is required when using either Static or SSO authentication mode. If Static is selected, this field stores the password that will be used when registering and refreshing this ServiceInstance against the backend service. It is also the password that will be passed to the backend service when SmartObjects based upon this ServiceInstance are executed. If SSO is selected, this field stores the password that will be used when registering this ServiceInstance. When SmartObjects based upon this ServiceInstance executed, the individual users cached credentials will passed to the backend service. |
|
| Extra | Text | This field is used for additional authentication information and is usually specific to the Service Type being registered. Unless otherwise noted, this value is not required nor used. | |
| Enforce Impersonation | Check Field | (not applicable for this authentication mode) |
Static
The Static Authentication Mode uses a static username and password combination to connect to the provider. This option is most often used when the provider does not support Active Directory authentication and when any interaction with the provider can occur as a specific user account.
| Field |
Applicable (Disabled if not) |
Expected value Type | Description | Example |
|---|---|---|---|---|
| Security Provider | No | Selection Field | (not applicable for this authentication mode) | |
| OAuth Resource Name | No | Selection Field | (not applicable for this authentication mode) | |
| OAuth Resource Audience | No | Text | (not applicable for this authentication mode) | |
| User Name | Yes | Text | This is required when using either Static or SSO authentication mode. If Static is selected, this field stores the username that will be used when registering and refreshing this ServiceInstance against the backend service. It is also the identity that will be passed to the backend service when SmartObjects based upon this ServiceInstance are executed. If SSO is selected, this field stores the username that will be used when registering this ServiceInstance. When SmartObjects based upon this ServiceInstance executed, the individual users cached credentials will passed to the backend service. |
|
| Password | Yes | Text |
This is required when using either Static or SSO authentication mode. If Static is selected, this field stores the password that will be used when registering and refreshing this ServiceInstance against the backend service. It is also the password that will be passed to the backend service when SmartObjects based upon this ServiceInstance are executed. If SSO is selected, this field stores the password that will be used when registering this ServiceInstance. When SmartObjects based upon this ServiceInstance executed, the individual users cached credentials will passed to the backend service. |
|
| Extra | Yes | Text | This field is used for additional authentication information and is usually specific to the Service Type being registered. Unless otherwise noted, this value is not required nor used. | |
| Enforce Impersonation | No | Check Field | (not applicable for this authentication mode) |