When a K2 SmartForm is embedded in an iFrame in a SharePoint site, the SmartForm does not open if the user isn't already signed in to K2. Different errors are shown depending on the browser in use, the way the SmartForm is embedded, and how many users have active sessions within the same browser.
These errors occur when a request to K2 does not carry enough information to select which user to sign in automatically, based on the user that is already signed in to SharePoint or any other AAD authenticated site. The authentication flow then prompts the user for interaction. This interaction is not allowed to occur in an iFrame due to Microsoft's login page configuration, which K2 has no control over.
The recommended and most supported way to embed a K2 SmartForm into SharePoint, or any other site that makes use of AAD, where the user is automatically logged in based on the active session, is to create an iframe where the source attribute has the providerKey and _arid parameters configured as in the example below:
<iframe width="800" height="800" src="https://example.onk2.com/Runtime/Runtime/Form/contacts/?providerKey=aad@c28812fb-37b0-4792-bca0-dc50abac8f0b&_arid=1"></iframe>
_arid must always be set to 1. This tells K2 to start a Silent Authentication or SSO type of authentication flow.
The providerKey is composed of two parts: [provider claim]@[K2 Tenant ID]
[Provider Claim] - In most K2 Cloud environments, only one AAD domain is configured, so the value would normally be "aad". However, if multiple AAD domains are registered on the same K2 Cloud tenant, the provider claim should be set to the corresponding AAD domain's claim linked to the site where the K2 SmartForm is being embedded. It will be one of aad, aad1, aad2, aad3 or aad4. This value must be requested from support by supplying which AAD domain is in use on the SharePoint site where the SmartForm will be embedded.
[K2 Tenant ID] - The simplest way to find the K2 Tenant ID is to open the K2 Management site and navigate to Authentication -> OAuth -> Resources. Click on the IdToken resource and click Edit. The tenant ID is the GUID value in the metadata endpoint field.
If multiple users from the same AAD domain are configured as an account in Windows, then the only option is to make use of scripting to add the loginName parameter to the URL in the iframe as in the example below:
The providerKey and _arid parameters must be configured in the same way as in solution 1.
<iframe width="800" height="800" src="https://example.onk2.com/Runtime/Runtime/Form/contacts/?providerKey=aad@c28812fb-37b0-4792-bca0-dc50abac8f0b&loginName=email@example.com&_arid=1"></iframe>
For SharePoint Modern template sites (not Classic), one would need to install a custom application from the SharePoint store that will provide scripting abilities to the site.
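One way to script the loginName parameter described above, shown as an added example that is not K2's own code. The function name buildSmartFormSrc, the strict login pattern and the element id in the closing comment are assumptions made for illustration; the hosting page is assumed to supply the signed-in user's login name.

```javascript
// Added example: builds the iframe src in the form shown in the examples above.
// Provider claims the article lists as possible values.
const PROVIDER_CLAIMS = new Set(["aad", "aad1", "aad2", "aad3", "aad4"]);
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
// Assumption: a login is a plain user@domain value. The pattern rejects
// whitespace and URL delimiters so a crafted value cannot append or
// override query parameters such as providerKey or _arid.
const LOGIN_RE = /^[^\s@&=#?%<>"']+@[^\s@&=#?%<>"']+$/;

function buildSmartFormSrc(formUrl, providerClaim, tenantId, loginName) {
  const url = new URL(formUrl); // throws on a malformed URL
  if (url.protocol !== "https:") throw new Error("form URL must use https");
  if (url.search || url.hash) {
    throw new Error("form URL must not carry its own query or fragment");
  }
  if (!PROVIDER_CLAIMS.has(providerClaim)) {
    throw new Error("provider claim must be one of aad, aad1..aad4");
  }
  if (!GUID_RE.test(tenantId)) throw new Error("tenant ID must be a GUID");

  const parts = [`providerKey=${providerClaim}@${tenantId}`];
  if (loginName !== undefined) {
    if (!LOGIN_RE.test(loginName)) {
      throw new Error("loginName is not a plain user@domain value");
    }
    // Percent-encode, but keep "@" literal to match the article's URL form.
    const encoded = encodeURIComponent(loginName).replace(/%40/g, "@");
    parts.push(`loginName=${encoded}`);
  }
  parts.push("_arid=1"); // must always be 1 (silent authentication / SSO flow)
  return `${url.origin}${url.pathname}?${parts.join("&")}`;
}

// In the page script (hypothetical element id):
//   document.getElementById("k2form").src = buildSmartFormSrc(
//     "https://example.onk2.com/Runtime/Runtime/Form/contacts/",
//     "aad", "c28812fb-37b0-4792-bca0-dc50abac8f0b", currentUserLogin);
```

Validating loginName before it reaches the URL keeps a value taken from the page from changing providerKey or _arid.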
The use of the K2 Worklist or K2 SmartForm viewer web part is no longer recommended. To display the K2 Worklist in SharePoint it is recommended to build a SmartForm that makes use of the Worklist control and then use the above guidance to embed an iFrame into the site pointing to the form that contains the worklist.