K2 Cloud and External Users with Azure B2B
KB002501
Introduction
As you move workloads into the cloud, you may need to invite external users to participate in and use K2 apps. This is possible using the external user invitation capabilities of Microsoft Azure AD B2B.
Azure AD B2B enables you, as a K2 Cloud customer, to invite users from outside your primary AAD tenant to safely and securely collaborate and use assets secured by AAD. AAD B2B can work with users that exist in a separate AAD tenant (such as a trading partner) or with external users that only have an email address (such as Gmail or Hotmail).
Microsoft Azure offers a separate service called Azure AD B2C which allows external users to use a company’s mobile or web apps. However, K2 Cloud cannot authenticate AAD B2C users, so AAD B2C should not be used with K2 Cloud. Find more information about the differences between AAD B2B and AAD B2C at Compare B2B collaboration and B2C in Azure Active Directory (Microsoft).
Once you invite external users, K2 recognizes these users and you can assign and share tasks with them, allow them access to K2 Workspace and K2 Designer, and generally treat them as a standard user.
Prior to inviting users, you must be aware of the licensing implications of using AAD B2B, which you can read more about at Azure Active Directory B2B collaboration licensing guidance (Microsoft). Additionally, once a user accesses a K2 site (Designer, Workspace, Management, or via the K2 mobile apps), they use a license within your K2 Cloud subscription.
- You must complete the SharePoint Registration Wizard before following the steps in this article to add AAD B2B users.
- If you do not integrate with SharePoint Online and need to add AAD B2B users, open a new support ticket.
Getting Started
Use the following information to enable external users to access K2 Cloud artifacts and functionality.
This article assumes you have K2 Cloud Update 4 or later and that you have AAD tenant administration access to invite external users. If you integrate with SharePoint Online, this article assumes that you have SharePoint Online tenant admin access to update external sharing settings in SharePoint Online.
Azure AD B2B
To allow external users to access assets or participate in apps built in K2 Cloud, you must first invite these users into your primary AAD tenant. The steps to do this are available at Add Azure Active Directory B2B collaboration users in the Azure portal (Microsoft). Once an external user has accepted the B2B invitation, they appear in your AAD tenant with the user type Guest.
Following the scheduled sync of identities from your AAD tenant into your K2 Cloud subscription, external users become available within K2 Cloud.
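The Microsoft article linked above walks through the portal. The following script is an added example (not part of this K2 article, and not K2 or Microsoft sample code) that performs the same invitation with the Microsoft Graph PowerShell SDK and then checks that the resulting directory object really is a Guest before you grant it K2 rights. It assumes the Microsoft.Graph module is installed, that the signed-in account is allowed to invite guests, and that the e-mail address and redirect URL placeholders are replaced with your own values.

```powershell
# Added example: invite an external user as an Azure AD B2B guest and verify the object.
# Assumptions: Microsoft.Graph module installed; the caller may invite guests;
# $GuestEmail and $RedirectUrl are placeholders you replace.
param(
    [Parameter(Mandatory)] [string] $GuestEmail,                 # e.g. partner.user@example.com (placeholder)
    [string] $RedirectUrl = 'https://myapps.microsoft.com'       # landing page after redemption (assumed)
)

# Request only the scopes this task needs: User.Invite.All to create the invitation,
# User.Read.All to read the guest object back.
Connect-MgGraph -Scopes 'User.Invite.All', 'User.Read.All'

$invite = New-MgInvitation `
    -InvitedUserEmailAddress $GuestEmail `
    -InviteRedirectUrl $RedirectUrl `
    -SendInvitationMessage

"Invitation status: $($invite.Status) for $($invite.InvitedUserEmailAddress)"

# The guest object is created immediately (status PendingAcceptance), but the user cannot
# sign in until the invitation is redeemed. Confirm it is a Guest, not a Member, because
# Guests are not in the K2 Everyone group and need explicit rights in K2 Management.
$guest = Get-MgUser -UserId $invite.InvitedUser.Id -Property Id, UserPrincipalName, UserType, ExternalUserState
if ($guest.UserType -ne 'Guest') {
    throw "Expected a Guest object for $GuestEmail but found UserType=$($guest.UserType)"
}
$guest | Format-List Id, UserPrincipalName, UserType, ExternalUserState

# Optional audit: list every guest currently in the tenant so you can compare against the
# users that appear in K2 after the scheduled identity sync.
Get-MgUser -Filter "userType eq 'Guest'" -All -Property UserPrincipalName, ExternalUserState |
    Select-Object UserPrincipalName, ExternalUserState
```

ExternalUserState stays at PendingAcceptance until the guest redeems the invitation; a guest that never redeems will not be able to sign in to K2 even though the directory object exists and may be synced.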
K2 Cloud for SharePoint
When you want to use SharePoint and especially K2 Cloud for SharePoint artifacts, you must enable external sharing in the App Catalog. See Turn external sharing on or off for SharePoint Online (Microsoft) for more information on doing this.
If you do not enable external sharing, external users see the following error trying to access K2 artifacts:
That didn't work
External sharing is disabled for…
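The following script is an added example (not part of this K2 article) that checks the external sharing setting on the App Catalog site with the SharePoint Online Management Shell and raises it only if it is disabled. It assumes the Microsoft.Online.SharePoint.PowerShell module is installed, that the account is a SharePoint administrator, and that the tenant name and App Catalog URL placeholders are replaced with yours.

```powershell
# Added example: enable external sharing on the SharePoint Online App Catalog for B2B guests.
# Assumptions: SharePoint Online Management Shell installed; caller is a SharePoint admin;
# $TenantName and $AppCatalogUrl are placeholders you replace.
param(
    [Parameter(Mandatory)] [string] $TenantName,      # e.g. contoso (placeholder)
    [Parameter(Mandatory)] [string] $AppCatalogUrl    # e.g. https://contoso.sharepoint.com/sites/apps (placeholder)
)

Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

# A site can never be more permissive than the tenant-level setting, so check the tenant first.
$tenant = Get-SPOTenant
if ($tenant.SharingCapability -eq 'Disabled') {
    throw 'Tenant-level external sharing is Disabled; raise it before changing the App Catalog site.'
}

$site = Get-SPOSite -Identity $AppCatalogUrl
"App Catalog sharing before: $($site.SharingCapability)"

if ($site.SharingCapability -eq 'Disabled') {
    # ExistingExternalUserSharingOnly is the narrowest setting that still admits invited B2B
    # guests: it allows users already present in the directory (your redeemed invitations)
    # without enabling new ad-hoc or anonymous sharing from this site.
    Set-SPOSite -Identity $AppCatalogUrl -SharingCapability ExistingExternalUserSharingOnly
}

"App Catalog sharing after: $((Get-SPOSite -Identity $AppCatalogUrl).SharingCapability)"
```

If the tenant setting is ExistingExternalUserSharingOnly, the App Catalog cannot be set higher than that, which is sufficient for this scenario because the B2B users were already invited into the directory.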
K2 Sites - Workspace, Designer, Management
External users can open K2 sites, such as K2 Workspace, K2 Designer, and K2 Management, and perform the tasks for which they have been given permissions.
- In K2 Workspace, external users can access their Inbox, view forms and reports, set out of office, and set a default Workspace. They can also create and deploy Apps.
- In K2 Designer, they are able to browse categories and build SmartObjects, views, forms, and workflows.
- In K2 Management, provided they are members of the K2 Administrators role, they are able to work with all aspects of configuration, including accessing the K2 Swagger (OpenAPI) definition of the Workflow REST service.
K2 Mobile
External users who need the K2 Mobile app on their device can log in and use the app to action tasks and to open and submit application forms.
K2 SmartActions & Task Notifications
External users, when they are assigned a task, can use SmartActions to action, share, and sleep tasks. They can also click on the task link in notifications to open tasks and action them.
Package and Deployment
External users can create and deploy packages using K2 Package and Deployment as long as they are part of the Package and Deployment role. For more information about downloading the tool and creating and deploying packages, see Download the Package and Deployment Tool.
Follow these additional steps when using K2 Package and Deployment with Azure B2B:
- Consent to run the app on behalf of your organization:
  - Run the Package and Deployment remote app and log in with the Global Admin account of your guest tenant.
  - Check the Consent on behalf of your organization check box, and click the Accept button.
  - The Package and Deployment window opens, but the environment drop-down is empty.
  - Close the Package and Deployment remote app.
- Connect the Package and Deployment remote app using your external user credentials:
  - To find your AAD Resource ID, get the JSON from the Landlord API using the original owner account. Use the following example link, but change admin@YOURTENANT to your local owner account:
    https://landlord.onk2.com/web/api/environments/list/v2.0/o365?username=admin@YOURTENANT.onmicrosoft.com
    This returns the information you need to run the Package and Deployment remote app.
  - Now run the Package and Deployment remote app using the following command line options, and log in with your external user credentials:
    <K2DeploymentUtility.VERSIONnnn.exe> <KUID>;<VanityFQDN>;<HS PORT>;<AAD ResourceID>
Tasks Tested
The following tasks were tested and noted to function as expected. See notes for additional information, workarounds, or additional configuration that you must do in order to allow external AAD B2B users to use K2.
Area | Task | Notes |
SharePoint | Open K2 worklist in SharePoint Online | Enable external sharing on app catalog |
SharePoint | Access SmartForm in SharePoint Online | Enable external sharing on app catalog |
SharePoint | Add item to SharePoint list using K2 form (K2-integrated list with forms and workflow) | Grant Workflow Start rights to B2B user using K2 Management as they are not included in the Everyone group. |
SharePoint | Add item to SharePoint library using K2 form (K2-integrated library with forms and workflow) | Grant Workflow Start rights to B2B user using K2 Management as they are not included in the Everyone group. |
SharePoint | Open View Flow from K2-integrated list or library | Grant Workflow View rights to B2B user using K2 Management as they are not included in the Everyone group. |
SharePoint | Open and complete (action) a K2 task form from K2-integrated list or library workflow | Use task notification email link or the worklist in K2 Workspace if you cannot access the K2 Worklist in SharePoint Online. |
SharePoint | Open and complete (action) a K2 task from email notification | |
SharePoint | Create or modify K2 application in SharePoint Online | Enable external sharing on app catalog |
SharePoint | Access K2 Cloud for SharePoint settings page | Enable external sharing on app catalog |
K2 Sites - Workspace | Access the Inbox, view forms and reports, set out of office, set a default Workspace, create and deploy Apps | |
K2 Sites - Designer | Browse categories and build SmartObjects, views, forms, and workflows | |
K2 Sites - Management | All nodes and configuration including Workflow REST API | The B2B user must be a member of the K2 Administrators role |
Other | Create and deploy packages using K2 Package and Deployment | The B2B user must be a member of the Package and Deployment role |
Mobile | Log in to the K2 Mobile app, action tasks, open and submit application forms | |
SmartActions | Open and reply with action to task notification | |
Considerations
- You must have K2 Cloud Update 5 or later
- Every user who interacts with K2 uses a license, whether they are a primary AAD user or an external user added using the invitation process
List of Resources
- What is Azure AD B2B collaboration? (Microsoft)
- Compare B2B collaboration and B2C in Azure Active Directory (Microsoft)
- Azure Active Directory B2B collaboration licensing guidance (Microsoft)
- Turn external sharing on or off for SharePoint Online (Microsoft)
- Add Azure Active Directory B2B collaboration users in the Azure portal (Microsoft)
- Authentication and Authorization in K2 (KB002026)