As you move workloads into the cloud, you may need to invite external users to participate in and use K2 apps. This is possible using the external user invitation capabilities of Microsoft Azure AD B2B.
Azure AD B2B enables you, as a K2 Cloud customer, to invite users from outside your primary AAD tenant to safely and securely collaborate and use assets secured by AAD. AAD B2B can work with users that exist in a separate AAD tenant (such as a trading partner) or with external users that only have an email address (such as Gmail or Hotmail).
Microsoft Azure offers a separate service called Azure AD B2C which allows external users to use a company’s mobile or web apps. However, K2 Cloud cannot authenticate AAD B2C users, so AAD B2C should not be used with K2 Cloud. Find more information about the differences between AAD B2B and AAD B2C at Compare B2B collaboration and B2C in Azure Active Directory (Microsoft).
Once you invite external users, K2 recognizes these users and you can assign and share tasks with them, allow them access to K2 Workspace and K2 Designer, and generally treat them as a standard user.
Prior to inviting users, you must be aware of the licensing implications of using AAD B2B, which you can read more about at Azure Active Directory B2B collaboration licensing guidance (Microsoft). Additionally, once a user accesses a K2 site (Designer, Workspace, Management, or via K2 mobile apps), they use a license within your K2 Cloud subscription.
Use the following information to enable external users to access K2 Cloud artifacts and functionality.
This article assumes you have K2 Cloud Update 4 or later and that you have AAD tenant administration access to invite external users. If you integrate with SharePoint Online, this article assumes that you have SharePoint Online tenant admin access to update external sharing settings in SharePoint Online.
To allow external users to access assets or participate in apps built in K2 Cloud, you must first invite these users into your primary AAD tenant. The steps to do this are available at Add Azure Active Directory B2B collaboration users in the Azure portal (Microsoft). Once an external user has accepted the B2B invitation, they appear in your AAD tenant and are marked as a Guest as in the following image:
Following the scheduled sync of identities from your AAD tenant into your K2 Cloud subscription, external users are available within K2 Cloud:
When you want to use SharePoint and especially K2 Cloud for SharePoint artifacts, you must enable external sharing in the App Catalog. See Turn external sharing on or off for SharePoint Online (Microsoft) for more information on doing this.
If you do not enable external sharing, external users see the following error when trying to access K2 artifacts:
That didn't work
External sharing is disabled for…
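To review the two prerequisites described above (guest accounts in the AAD tenant and external sharing on the App Catalog), an administrator can run a check like the following. This is an added example, not K2 or Microsoft sample code; it assumes the Microsoft Graph PowerShell SDK and the SharePoint Online Management Shell are installed, and the two URLs and the 30-day review threshold are placeholders.

```powershell
# Added example: audit B2B guests and App Catalog sharing before relying on them in K2 Cloud.
# Placeholder values: replace with your own tenant's URLs.
$AdminUrl      = 'https://contoso-admin.sharepoint.com'             # placeholder
$AppCatalogUrl = 'https://contoso.sharepoint.com/sites/appcatalog'  # placeholder
$StaleDays     = 30   # assumption: review invitations still pending after this many days

# 1. List guest accounts and their invitation state.
Connect-MgGraph -Scopes 'User.Read.All'
$props  = 'displayName','mail','userPrincipalName','userType','accountEnabled',
          'externalUserState','externalUserStateChangeDateTime','createdDateTime'
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All -Property $props

$cutoff = (Get-Date).AddDays(-$StaleDays)
$report = foreach ($g in $guests) {
    $state = if ($g.ExternalUserState) { $g.ExternalUserState } else { 'Unknown' }
    [pscustomobject]@{
        User        = $g.UserPrincipalName
        Mail        = $g.Mail
        Enabled     = $g.AccountEnabled
        State       = $state          # 'Accepted' or 'PendingAcceptance'
        StateChange = $g.ExternalUserStateChangeDateTime
        # Flag invitations that were never redeemed so they can be reviewed or removed.
        Review      = [bool]($state -eq 'PendingAcceptance' -and
                             $g.CreatedDateTime -and $g.CreatedDateTime -lt $cutoff)
    }
}
$report | Sort-Object State, User | Format-Table -AutoSize

# 2. Check external sharing at tenant level and on the App Catalog site.
Connect-SPOService -Url $AdminUrl
$tenantSharing  = (Get-SPOTenant).SharingCapability
$catalogSharing = (Get-SPOSite -Identity $AppCatalogUrl).SharingCapability

if ($tenantSharing -eq 'Disabled' -or $catalogSharing -eq 'Disabled') {
    Write-Warning ("External sharing is disabled (tenant: $tenantSharing, " +
                   "App Catalog: $catalogSharing); guests cannot open K2 artifacts in SharePoint.")
} else {
    Write-Output "External sharing: tenant = $tenantSharing, App Catalog = $catalogSharing"
}
```

Each guest listed as Accepted consumes a K2 Cloud license once they access a K2 site, so the report also serves as a list of accounts to review periodically.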
External users are able to open K2 sites, such as K2 Workspace, K2 Designer, and K2 Management, and perform tasks for which they are given permissions.
External users, if they need to use the K2 Mobile app on their device, can log in and use the app to action tasks, and open and submit application forms.
External users, when they are assigned a task, can use SmartActions to action, share, and sleep tasks. They can also click on the task link in notifications to open tasks and action them.
External users can create and deploy packages using K2 Package and Deployment as long as they are part of the Package and Deployment role. For more information about downloading the tool and creating and deploying packages, see Download the Package and Deployment Tool.
Follow these additional steps when using K2 Package and Deployment with Azure B2B:
The following tasks were tested and noted to function as expected. See notes for additional information, workarounds, or additional configuration that you must do in order to allow external AAD B2B users to use K2.
|Area|Task|Notes|
|---|---|---|
|SharePoint|Open K2 worklist in SharePoint Online|Enable external sharing on app catalog|
|SharePoint|Access SmartForm in SharePoint Online|Enable external sharing on app catalog|
|SharePoint|Add item to SharePoint list using K2 form (K2-integrated list with forms and workflow)|Grant Workflow Start rights to B2B user using K2 Management as they are not included in the Everyone group.|
|SharePoint|Add item to SharePoint library using K2 form (K2-integrated library with forms and workflow)|Grant Workflow Start rights to B2B user using K2 Management as they are not included in the Everyone group.|
|SharePoint|Open View Flow from K2-integrated list or library|Grant Workflow View rights to B2B user using K2 Management as they are not included in the Everyone group.|
|SharePoint|Open and complete (action) a K2 task form from K2-integrated list or library workflow|Use task notification email link or the worklist in K2 Workspace if you cannot access the K2 Worklist in SharePoint Online.|
|SharePoint|Open and complete (action) a K2 task from email notification| |
|SharePoint|Create or modify K2 application in SharePoint Online|Enable external sharing on app catalog|
|SharePoint|Access K2 Cloud for SharePoint settings page|Enable external sharing on app catalog|
|K2 Sites - Workspace| | |
|K2 Sites - Designer| | |
|K2 Sites - Management|All nodes and configuration including Workflow REST API|The B2B user must be a member of the K2 Administrators role|
| | |The B2B user must be a member of the Package and Deployment role|
|SmartActions|Open and reply with action to task notification| |