Symptoms
We are facing a problem, that users with differing passwords in the windows domain and the SAP backend system can't open a SmartForm which uses K2 connect SmartObjects. If the passwords are the same in both systems, the form opens without a problem.
Diagnoses
Pre-caching SAP SSO credentials - see here: http://help.k2.com/kb000360
Resolution
First Suggestion:
-----------------------
This seems like a case where you will have to pre-cache all the SSO credentials for your SAP system in K2.
Please have a look at this KB article, it explains a bit more about K2 using primary and secondary identities and includes a script that should help you to automatically cache credentials for K2 connect for SAP Security Labels:
http://help.k2.com/kb000360
--------------------------
Second Suggestion:
--------------------------
In 4.6.9 (when it releases), a popup will open to enter SSO credentials if the smartForm uses a SmartObject configured with SSO.
The popup will only open if no credentials for the current user exist for the label required on the SmartObject.
This functionality won’t really allow you to manage all SSO credentials (remove, edit etc), but at least a user won’t need to open workspace to cache his credentials if a SmartObject requires it.
Keep in mind that this is not SAP / K2 Connect specific, it's intended for all SmartObjects that require SSO credentials. Also note that this popup will only appear if K2 cannot find the user's credentials for the label required on the SmartObject.
-------------------------
Third Suggestion:
-------------------------
We suggest you build a custom service broker and a custom form with parameters that will route you back to the previous URL, this new form will ask for SSO credentials only when the passwords differ. What the email that was sent contained:
- Custom Service Broker
- KSPX file with custom Form
- In your SmartForms – make rules something like this:
FormIntialise:
If CheckSSOCredentials != true{
redirect to a smartform/popup that calls Add SSO Credentials, then redirect back to original page. Make sure to call Check SSO Credentials after adding them because even if AddSSOCredentials returns true, it doesn’t mean they are valid!
}
- When the Add SSO Credentials button is clicked, the new service object saves the SSO credentials and redirects back to the original form.
DISCLAIMER:
If SmartObject Logging gets enabled on the K2 Server – SAP password will be written in CLEAR TEXT to the log.
We consider this a temporary solution/POC.
------------------------
In conclusion:
This was solved by using custom code.
Please note that since this is custom code, this would unfortunately be out of the scope of support, although we can put you in touch with the necessary consultants and obviously try to help you resolve this if something critical occurs.
