This article explains the configuration steps required to allow SharePoint Workflow 2013 requests to be processed successfully with the Single Sign On (formerly SiteMinder) Agent for SharePoint 2010/2013 and SharePoint Claims Authentication.
The SharePoint 2013 Workflow framework introduces the Workflow Manager Client 1.0 as the workflow execution host. It is external to SharePoint and communicates with SharePoint over the Microsoft Azure Service Bus, with OAuth providing authentication for server-to-server communication.
The Workflow Manager makes requests of SharePoint on behalf of the user using JavaScript Object Notation (JSON). These JSON requests do not understand the Single Sign On authentication challenges, so care must be taken to allow them to reach SharePoint and complete the authentication/authorization process so that the Workflow requests succeed.
SharePoint also requires that the User Profiles in SharePoint include the UPN and the email address of the user for Workflow requests to be successful.
1.) Ensure the SharePoint 2013 User Profiles have UPN and Email attributes at a minimum. Please refer to the Microsoft Documentation on the SharePoint Profile Synchronization Service for instructions on properly synchronizing the User Profiles from the Single Sign On User Directory.
2.) If you have configured Single Sign On Policies to protect all SharePoint requests, you will need to create Un-Protected Realms for the Workflow resources so that the JSON requests are proxied to SharePoint without being challenged for Single Sign On credentials. If you have only protected "/redirectjsp/redirect.jsp" with CA Single Sign On Policies, then you do not need to create these Un-Protected Realms. If you are unfamiliar with creating Un-Protected Realms, please refer to the CA Single Sign On Policy Server Configuration Guide for instructions.
3.) By default, the CA Single Sign On Agent for SharePoint blocks the "WWW-Authenticate" header that the back-end SharePoint server sets in its 401 response to the Workflow Manager Client 1.0. This prevents the Workflow Manager Client 1.0 from completing the authentication/authorization process, so a 401 error is encountered and the request fails. To allow the back-end SharePoint server's WWW-Authenticate header to be delivered back to the Workflow Manager Client 1.0, you need to: add the "connection-pool" section to the <Service name="forward"> section of Server.conf (required for versions prior to R12.52 SP1 CR-05); modify the opening "nete:forward" tag in your ProxyRules.xml file to include the connection-auth="Yes" parameter; and add the "jkEnvVar REMOTE_PORT" setting to the httpd.conf file after the 'jkMountCopy all' entry.
The following is from the R12.52 SP1 Agent for SharePoint 2010 and 2013 Guide:
Configure Web Applications That Use NTLM Authentication
If the web server uses a connection-oriented authentication scheme, configure a connection-oriented connection pool for secure forward request processing.
Important! We highly recommend that you do not configure a connection-oriented connection pool.
Follow these steps:
1. Verify that the value for the JK environment variable REMOTE_PORT is set in the httpd.conf file.
2. Open server.conf and add the following lines in <Service name="forward"> section:
# Pool configuration for connection oriented authentication backend
# connections, e.g. NTLM.
<connection-pool name="connection oriented authentication">
    connection-timeout="connection_timeout_value"
    max-size="maximum_connections"
    enabled="yes|no"
</connection-pool>
connection_timeout_value
Defines the time, in seconds, after which the connection times out. We recommend that you set a lower value.
Default: 5
maximum_connections
Defines the number of connections in the connection pool.
Default: 50
yes|no
Specifies the status of the connection-oriented connection pools. Set the value to yes to enable the connection-oriented connection pools.
Default: yes
3. Open proxyrules.xml and add the connection-auth attribute to the forward rule.
Example: <nete:forward connection-auth="yes">hostname:port$1</nete:forward>
This will allow the Workflow Manager Client 1.0 to receive the WWW-Authenticate header and respond with the required token so that the request succeeds.
For Agent for SharePoint versions R12.52 SP1 CR-05 or higher, only steps #1 and #3 need to be completed, since the 'connection-pool' settings are present in the Server.conf file by default. If you have upgraded to R12.52 SP1 CR-05, then you will need to complete all three steps. You can also tune the default settings to meet your needs.
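As an added check that is not part of the CA article or the agent's own tooling, the following POSIX shell script verifies that the three settings described above (JkEnvVar REMOTE_PORT in httpd.conf, an enabled connection-pool in the forward service of Server.conf, and connection-auth="yes" on the nete:forward rule) are present; the file paths are assumed, and the sample files it writes are constructed for illustration only.

```shell
#!/bin/sh
# Added example, not from the CA article: verify that the three settings the
# article describes are present in the Agent for SharePoint configuration.
# Returns 0 when all three are found, 1 otherwise, printing one line per check.
check_workflow_config() {
  httpd_conf="$1"; server_conf="$2"; proxyrules="$3"; rc=0

  # Step 1: JkEnvVar REMOTE_PORT in httpd.conf (Apache directives are case-insensitive).
  if grep -Eiq '^[[:space:]]*JkEnvVar[[:space:]]+REMOTE_PORT' "$httpd_conf"; then
    echo "httpd.conf: JkEnvVar REMOTE_PORT present"
  else
    echo "httpd.conf: JkEnvVar REMOTE_PORT missing"; rc=1
  fi

  # Step 2: an enabled connection-pool inside the <Service name="forward"> section only.
  forward=$(awk '/<Service name="forward">/{f=1} f{print} /<\/Service>/{f=0}' "$server_conf")
  if printf '%s\n' "$forward" | grep -q '<connection-pool' &&
     printf '%s\n' "$forward" | grep -iq 'enabled="yes"'; then
    echo "server.conf: enabled connection-pool found in forward service"
  else
    echo "server.conf: enabled connection-pool missing from forward service"; rc=1
  fi

  # Step 3: connection-auth="yes" on the nete:forward rule in proxyrules.xml.
  if grep -Eiq '<nete:forward[^>]*connection-auth="yes"' "$proxyrules"; then
    echo "proxyrules.xml: connection-auth=\"yes\" set on nete:forward"
  else
    echo "proxyrules.xml: connection-auth missing on nete:forward"; rc=1
  fi
  return "$rc"
}

# Constructed sample files (values are illustrative, not CA defaults) so the
# check can be exercised offline; "hostname:port" is the article's placeholder.
write_sample_config() {
  dir="$1"; mkdir -p "$dir"
  printf 'JkMountCopy all\nJkEnvVar REMOTE_PORT\n' > "$dir/httpd.conf"
  cat > "$dir/server.conf" <<'EOF'
<Service name="forward">
    <connection-pool name="connection oriented authentication">
        connection-timeout="5"
        max-size="50"
        enabled="yes"
    </connection-pool>
</Service>
EOF
  printf '<nete:forward connection-auth="yes">hostname:port$1</nete:forward>\n' > "$dir/proxyrules.xml"
}
```

To try it, run `write_sample_config ./sample` and then `check_workflow_config ./sample/httpd.conf ./sample/server.conf ./sample/proxyrules.xml`; against a real installation, point the three arguments at the agent's own files instead.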