
Known Issue: K2 SmartForms do not open when embedded in an iFrame in SharePoint sites.

 


Issue

When a K2 SmartForm is embedded in an iFrame in a SharePoint site, the SmartForm does not open if the user isn't already signed in to K2. The error shown depends on the browser in use, the way the SmartForm is embedded, and how many users have active sessions within the same browser.

Errors

  1. OpenIDConnectProtocolException.
    The message contains an error: 'interaction required', error description: 'AADSTS1600': Either multiple user identities are available for the current request or the selected account is not supported for the scenario.
    This error appears when users make use of Microsoft Edge and have multiple accounts configured in Windows.
  2. Login.microsoftonline.com refused to connect
    This typically occurs when making use of the K2 Worklist or K2 SmartForms Viewer web parts in a SharePoint site when there are multiple Azure Active Directory (AAD) user sessions logged in from different domains in the same browser.

Explanation

These errors occur when the request to K2 does not carry enough information to select which user to sign in automatically, based on the user that is already signed in to SharePoint or any other AAD authenticated site. The authentication flow then prompts the user for interaction. This interaction is not allowed to occur in an iFrame due to Microsoft's login page configuration, which K2 has no control over.

Resolution

The recommended and most supported way to embed a K2 SmartForm into SharePoint, or any other site that makes use of AAD, where the user is automatically logged in based on the active session, is to create an iframe where the source attribute has the providerKey and _arid parameters configured as in the example below:

Solution 1

<iframe width="800" height="800" src="https://example.onk2.com/Runtime/Runtime/Form/contacts/?providerKey=aad@c28812fb-37b0-4792-bca0-dc50abac8f0b&amp;_arid=1"></iframe>

 

_arid must always be set to 1. This tells K2 to start a Silent Authentication or SSO type of authentication flow.

 

providerKey is composed of two parts: [provider claim]@[K2 Tenant ID]

 

[Provider Claim] - In most K2 Cloud environments, only one AAD domain is configured, so the value would normally be "aad". However, if multiple AAD domains are registered on the same K2 Cloud tenant, the provider claim should be set to the claim of the AAD domain linked to the site where the K2 SmartForm is being embedded. It will be one of aad, aad1, aad2, aad3 or aad4. This value must be requested from support by supplying the AAD domain in use on the SharePoint site where the SmartForm will be embedded.

 

[K2 Tenant ID] - The simplest way to find the K2 Tenant ID is to open the K2 Management site and navigate to Authentication -> OAuth -> Resources. Click on the IdToken resource and click Edit. The tenant ID is the GUID value in the metadata endpoint field.

Solution 2

If multiple users from the same AAD domain are configured as accounts in Windows, then the only option is to make use of scripting to add the loginName parameter to the URL in the iframe as in the example below:

 

The providerKey and _arid parameters must be configured in the same way as in solution 1.

 

<iframe width="800" height="800" src="https://example.onk2.com/Runtime/Runtime/Form/contacts/?providerKey=aad@c28812fb-37b0-4792-bca0-dc50abac8f0b&amp;loginName=admin@m365x481201.onmicrosoft.com&amp;_arid=1"></iframe>

 

The following sample JavaScript code determines which user is signed in to SharePoint, constructs the appropriate URL for the iFrame, and creates the iFrame element:

This code is supplied as is for demonstration purposes only and should be adjusted to suit your needs.
<script type="text/javascript">
// Look up the signed-in SharePoint user, then build the iframe URL with loginName.
var userId = _spPageContextInfo.userId;
getCurrentUser();

function getCurrentUser() {
    var requestUri = _spPageContextInfo.webAbsoluteUrl + "/_api/web/getuserbyid(" + userId + ")";
    var xmlhttp = new XMLHttpRequest();

    xmlhttp.onreadystatechange = function () {
        if (xmlhttp.readyState === XMLHttpRequest.DONE) {   // XMLHttpRequest.DONE == 4
            if (xmlhttp.status === 200) {
                onSuccess(JSON.parse(xmlhttp.responseText));
            } else if (xmlhttp.status === 400) {
                alert('There was an error 400');
            } else {
                alert('something else other than 200 was returned');
            }
        }
    };
    xmlhttp.open("GET", requestUri, true);
    // odata=verbose wraps the user object in a "d" property
    xmlhttp.setRequestHeader("accept", "application/json;odata=verbose");
    xmlhttp.setRequestHeader("Content-Type", "application/json;odata=verbose");
    xmlhttp.send();
}

function onSuccess(data) {
    // URL-encode the UPN so it cannot break out of the query string or the src attribute
    var loginName = encodeURIComponent(data.d.UserPrincipalName);
    // Create the iframe as a DOM element instead of concatenating an HTML string
    var frame = document.createElement("iframe");
    frame.width = "800";
    frame.height = "400";
    frame.src = "https://example.onk2.com/Runtime/Runtime/Form/contacts/?providerKey=aad%40c28812fb-37b0-4792-bca0-dc50abac8f0b&_arid=1&loginName=" + loginName;
    document.getElementById("iFrame").appendChild(frame);
}
</script>
<div id="iFrame"></div>
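
The parameter rules from Solution 1 and Solution 2 can be checked before an embed goes live. The following is an added example, not K2 or SharePoint code: checkK2EmbedUrl and its requireLoginName option are hypothetical names, and the user@domain shape test for loginName is an assumption based on the sample value above.

```javascript
// Added example: audit a K2 SmartForm iframe src against the rules in this article.
// checkK2EmbedUrl and requireLoginName are hypothetical names, not a K2 API.
const PROVIDER_CLAIMS = ["aad", "aad1", "aad2", "aad3", "aad4"];
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function checkK2EmbedUrl(src, opts = {}) {
  const problems = [];
  let url;
  try {
    // A src copied out of HTML source carries &amp; where the URL itself has &
    url = new URL(src.replace(/&amp;/g, "&"));
  } catch (e) {
    return ["src is not an absolute URL"];
  }

  // providerKey must be [provider claim]@[K2 Tenant ID]
  const providerKey = url.searchParams.get("providerKey");
  if (providerKey === null) {
    problems.push("providerKey is missing");
  } else {
    const parts = providerKey.split("@");
    if (parts.length !== 2) {
      problems.push("providerKey is not [provider claim]@[K2 Tenant ID]");
    } else {
      if (!PROVIDER_CLAIMS.includes(parts[0])) problems.push("unknown provider claim: " + parts[0]);
      if (!GUID_RE.test(parts[1])) problems.push("tenant ID is not a GUID");
    }
  }

  // _arid=1 is what starts the silent (SSO) authentication flow
  if (url.searchParams.get("_arid") !== "1") problems.push("_arid must be 1");

  // loginName is only needed for Solution 2; the shape test is an assumption
  const loginName = url.searchParams.get("loginName");
  if (opts.requireLoginName && !loginName) problems.push("loginName is missing");
  if (loginName && !/^[^@\s]+@[^@\s]+$/.test(loginName)) problems.push("loginName is not a user@domain value");
  return problems;
}

// Constructed sample inputs, reusing the tenant GUID from this article's examples
const base = "https://example.onk2.com/Runtime/Runtime/Form/contacts/";
const good = base + "?providerKey=aad@c28812fb-37b0-4792-bca0-dc50abac8f0b&amp;_arid=1";
const bad = base + "?providerKey=aad5@not-a-guid&_arid=0";
console.log(checkK2EmbedUrl(good));
console.log(checkK2EmbedUrl(bad, { requireLoginName: true }));
```

An empty array means the src satisfies every rule checked; each string otherwise names one parameter to correct.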

Additional Information

For SharePoint Modern template sites (not Classic), one would need to install a custom application from the SharePoint store that will provide scripting abilities to the site.

 

The use of the K2 Worklist or K2 SmartForm viewer web part is no longer recommended. To display the K2 Worklist in SharePoint it is recommended to build a SmartForm that makes use of the Worklist control and then use the above guidance to embed an iFrame into the site pointing to the form that contains the worklist.

Last update:
‎07-07-2021 05:11 AM