Skip to content

Latest commit

 

History

History
 
 
page_type description products languages extensions urlFragment
sample
This sample code demonstrates how to get enable SSO authentication for your Adaptive Cards
office-teams
office
office-365
nodejs
contentType createdDate
samples
21/01/2023 12:54:21 PM
officedev-microsoft-teams-samples-bot-sso-adaptivecard-nodejs

SSO for your Adaptive Cards

This sample code demonstrates how to get enable SSO authentication for your Adaptive Cards.

Included Features

  • Teams SSO (bots)
  • Adaptive Cards

Interaction with app

Preview

Try it yourself - experience the App in your Microsoft Teams client

Please find below demo manifest which is deployed on Microsoft Azure and you can try it yourself by uploading the app package (.zip file link below) to your teams and/or as a personal app. (Sideloading must be enabled for your tenant, see steps here).

Implement SSO authentication for your Adaptive Cards: Manifest

Prerequisites

Run the app (Using Teams Toolkit for Visual Studio Code)

The simplest way to run this sample in Teams is to use Teams Toolkit for Visual Studio Code.

  1. Ensure you have downloaded and installed Visual Studio Code
  2. Install the Teams Toolkit extension
  3. Select File > Open Folder in VS Code and choose this samples directory from the repo
  4. Using the extension, sign in with your Microsoft 365 account where you have permissions to upload custom apps
  5. Select Debug > Start Debugging or F5 to run the app in a Teams web client.
  6. In the browser that launches, select the Add button to install the app to Teams.

If you do not have permission to upload custom apps (sideloading), Teams Toolkit will recommend creating and using a Microsoft 365 Developer Program account - a free program to get your own dev environment sandbox that includes Teams.

Setup

1. Setup for Bot SSO

  • Setup for Bot SSO Refer to Bot SSO Setup document.

  • Ensure that you've enabled the Teams Channel

  • While registering the bot, use https://<your_tunnel_domain>/api/messages as the messaging endpoint.

    NOTE: When you create your bot you will create an App ID and App password - make sure you keep these for later.

2. Setup NGROK

  1. Run ngrok - point to port 3978

    ngrok http 3978 --host-header="localhost:3978"

    Alternatively, you can also use the dev tunnels. Please follow Create and host a dev tunnel and host the tunnel with anonymous user access command as shown below:

    devtunnel host -p 3978 --allow-anonymous

3. Setup for code

  • Clone the repository

    git clone https://github.com/OfficeDev/Microsoft-Teams-Samples.git
  • In a terminal, navigate to samples/bot-sso-adaptivecard/nodejs

  • Update the .env configuration for the bot to use the MicrosoftAppId <>, MicrosoftAppPassword <> and <> replace with (OAuth Connection Name).

  • Install modules

    npm install
  1. Navigate to samples\bot-sso-adaptivecard\nodejs\Resources\adaptiveCardResponseJson.json and replace this <<YOUR-MICROSOFT-APP-ID>> with your MicrosoftAppId.
  2. Navigate to samples\bot-sso-adaptivecard\nodejs\Resources\AdaptiveCardWithSSOInRefresh.json
    • Update everywhere you see the place holder string <<YOUR-MICROSOFT-APP-ID>> and Update On line 12, replace <<YOUR-CONNECTION-NAME>>.
  3. Navigate to samples\bot-sso-adaptivecard\nodejs\Resources\options.json and replace <<YOUR-MICROSOFT-APP-ID>>.
  4. Navigate to samples\bot-sso-adaptivecard\nodejs\index.js file uncomment the code at line number 46 for local debugging.
  • Run your bot at the command line:

    npm start

Bot Configuration:

BotConfg

Bot OAuth Connection:

Bot Connections

4. Register your Teams Auth SSO with Azure AD

  1. Register a new application in the Microsoft Entra ID – App Registrations portal.

  2. Select New Registration and on the register an application page, set following values:

    • Set name to your app name.
    • Choose the supported account types (any account type will work)
    • Leave Redirect URI empty.
    • Choose Register.
  3. On the overview page, copy and save the Application (client) ID, Directory (tenant) ID. You’ll need those later when updating your Teams application manifest and in the appsettings.json.

  4. Under Manage, select Expose an API.

  5. Select the Set link to generate the Application ID URI in the form of api://{AppID}. Insert your fully qualified domain name (with a forward slash "/" appended to the end) between the double forward slashes and the GUID. The entire ID should have the form of: api://fully-qualified-domain-name/botid-{AppID}

    • ex: api://botid-00000000-0000-0000-0000-000000000000.
  6. Select the Add a scope button. In the panel that opens, enter access_as_user as the Scope name.

  7. Set Who can consent? to Admins and users

  8. Fill in the fields for configuring the admin and user consent prompts with values that are appropriate for the access_as_user scope:

    • Admin consent title: Teams can access the user’s profile.
    • Admin consent description: Allows Teams to call the app’s web APIs as the current user.
    • User consent title: Teams can access the user profile and make requests on the user's behalf.
    • User consent description: Enable Teams to call this app’s APIs with the same rights as the user.
  9. Ensure that State is set to Enabled

  10. Select Add scope

    • The domain part of the Scope name displayed just below the text field should automatically match the Application ID URI set in the previous step, with /access_as_user appended to the end:
      • `api://botid-00000000-0000-0000-0000-000000000000/access_as_user.
  11. In the Authorized client applications section, identify the applications that you want to authorize for your app’s web application. Each of the following IDs needs to be entered:

    • 1fec8e78-bce4-4aaf-ab1b-5451cc387264 (Teams mobile/desktop application)
    • 5e3ce6c0-2b1f-4285-8d4b-75ee78787346 (Teams web application) Authentication
  12. Add any necessary API permissions for downstream calls

    • Navigate to "API permissions" blade on the left hand side Authentication
  13. Navigate to Authentication If an app hasn't been granted IT admin consent, users will have to provide consent the first time they use an app. Set a redirect URI:

    • Select Add a platform.
    • Select web.
    • Enter the redirect URI for the app in the following format:
    1. https://token.botframework.com/.auth/web/redirect

    Enable implicit grant by checking the following boxes:
    ✔ ID Token
    ✔ Access Token
    Authentication

  14. Navigate to the Certificates & secrets. In the Client secrets section, click on "+ New client secret". Add a description(Name of the secret) for the secret and select “Never” for Expires. Click "Add". Once the client secret is created, copy its value, it need to be placed in the appsettings.json.

5. Setup Manifest for Teams

This step is specific to Teams.

  • Edit the manifest.json contained in the appManifest folder to replace your Microsoft App Id (that was created when you registered your bot earlier) everywhere you see the place holder string <<YOUR-MICROSOFT-APP-ID>> (depending on the scenario the Microsoft App Id may occur multiple times in the manifest.json)
  • Edit the manifest.json for validDomains replace {{domain-name}} with base Url domain. E.g. if you are using ngrok it would be https://1234.ngrok-free.app then your domain-name will be 1234.ngrok-free.app and if you are using dev tunnels then your domain will be like: 12345.devtunnels.ms.
  • Zip up the contents of the appManifest folder to create a manifest.zip folder into a manifest.zip.(Make sure that zip file does not contains any subfolder otherwise you will get error while uploading your .zip package)
  • Upload the manifest.zip to Teams (In Teams Apps/Manage your apps click "Upload an app to your org's app catalog'". Browse to and Open the .zip file. At the next dialog, click the Add button.)

Note: This manifest.json specified that the bot will be installed in a "personal" scope only. Please refer to Teams documentation for more details.

Running the sample

Install App:

InstallApp

Welcome UI:

Welcome

Sign-In UI:

SignButton

Welcome Universal Card:

InstallApp

Deploy the bot to Azure

To learn more about deploying a bot to Azure, see Deploy your bot to Azure for a complete list of deployment instructions.

Further reading