| page_type | description | products | languages | extensions | urlFragment | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
sample |
This sample code demonstrates how to get enable SSO authentication for your Adaptive Cards |
|
|
|
officedev-microsoft-teams-samples-bot-sso-adaptivecard-nodejs |
This sample code demonstrates how to get enable SSO authentication for your Adaptive Cards.
- Teams SSO (bots)
- Adaptive Cards
Please find below demo manifest which is deployed on Microsoft Azure and you can try it yourself by uploading the app package (.zip file link below) to your teams and/or as a personal app. (Sideloading must be enabled for your tenant, see steps here).
Implement SSO authentication for your Adaptive Cards: Manifest
- Microsoft Teams is installed and you have an account
- .NET SDK version 6.0
- dev tunnel or ngrok latest version or equivalent tunnelling solution
- Teams Toolkit for VS Code or TeamsFx CLI
The simplest way to run this sample in Teams is to use Teams Toolkit for Visual Studio Code.
- Ensure you have downloaded and installed Visual Studio Code
- Install the Teams Toolkit extension
- Select File > Open Folder in VS Code and choose this samples directory from the repo
- Using the extension, sign in with your Microsoft 365 account where you have permissions to upload custom apps
- Select Debug > Start Debugging or F5 to run the app in a Teams web client.
- In the browser that launches, select the Add button to install the app to Teams.
If you do not have permission to upload custom apps (sideloading), Teams Toolkit will recommend creating and using a Microsoft 365 Developer Program account - a free program to get your own dev environment sandbox that includes Teams.
-
Setup for Bot SSO Refer to Bot SSO Setup document.
-
Ensure that you've enabled the Teams Channel
-
While registering the bot, use
https://<your_tunnel_domain>/api/messagesas the messaging endpoint.NOTE: When you create your bot you will create an App ID and App password - make sure you keep these for later.
-
Run ngrok - point to port 3978
ngrok http 3978 --host-header="localhost:3978"Alternatively, you can also use the
dev tunnels. Please follow Create and host a dev tunnel and host the tunnel with anonymous user access command as shown below:devtunnel host -p 3978 --allow-anonymous
-
Clone the repository
git clone https://github.com/OfficeDev/Microsoft-Teams-Samples.git
-
In a terminal, navigate to
samples/bot-sso-adaptivecard/nodejs -
Update the
.envconfiguration for the bot to use the MicrosoftAppId <>, MicrosoftAppPassword <> and <> replace with (OAuth Connection Name). -
Install modules
npm install
- Navigate to samples\bot-sso-adaptivecard\nodejs\Resources\adaptiveCardResponseJson.json and replace this
<<YOUR-MICROSOFT-APP-ID>>with your MicrosoftAppId. - Navigate to samples\bot-sso-adaptivecard\nodejs\Resources\AdaptiveCardWithSSOInRefresh.json
- Update everywhere you see the place holder string
<<YOUR-MICROSOFT-APP-ID>>and Update On line 12, replace<<YOUR-CONNECTION-NAME>>.
- Update everywhere you see the place holder string
- Navigate to samples\bot-sso-adaptivecard\nodejs\Resources\options.json and replace
<<YOUR-MICROSOFT-APP-ID>>. - Navigate to samples\bot-sso-adaptivecard\nodejs\index.js file uncomment the code at line number 46 for local debugging.
-
Run your bot at the command line:
npm start
Bot Configuration:
Bot OAuth Connection:
-
Register a new application in the Microsoft Entra ID – App Registrations portal.
-
Select New Registration and on the register an application page, set following values:
- Set name to your app name.
- Choose the supported account types (any account type will work)
- Leave Redirect URI empty.
- Choose Register.
-
On the overview page, copy and save the Application (client) ID, Directory (tenant) ID. You’ll need those later when updating your Teams application manifest and in the appsettings.json.
-
Under Manage, select Expose an API.
-
Select the Set link to generate the Application ID URI in the form of
api://{AppID}. Insert your fully qualified domain name (with a forward slash "/" appended to the end) between the double forward slashes and the GUID. The entire ID should have the form of:api://fully-qualified-domain-name/botid-{AppID}- ex:
api://botid-00000000-0000-0000-0000-000000000000.
- ex:
-
Select the Add a scope button. In the panel that opens, enter
access_as_useras the Scope name. -
Set Who can consent? to
Admins and users -
Fill in the fields for configuring the admin and user consent prompts with values that are appropriate for the
access_as_userscope:- Admin consent title: Teams can access the user’s profile.
- Admin consent description: Allows Teams to call the app’s web APIs as the current user.
- User consent title: Teams can access the user profile and make requests on the user's behalf.
- User consent description: Enable Teams to call this app’s APIs with the same rights as the user.
-
Ensure that State is set to Enabled
-
Select Add scope
- The domain part of the Scope name displayed just below the text field should automatically match the Application ID URI set in the previous step, with
/access_as_userappended to the end:- `api://botid-00000000-0000-0000-0000-000000000000/access_as_user.
- The domain part of the Scope name displayed just below the text field should automatically match the Application ID URI set in the previous step, with
-
In the Authorized client applications section, identify the applications that you want to authorize for your app’s web application. Each of the following IDs needs to be entered:
1fec8e78-bce4-4aaf-ab1b-5451cc387264(Teams mobile/desktop application)5e3ce6c0-2b1f-4285-8d4b-75ee78787346(Teams web application)
-
Add any necessary API permissions for downstream calls
- Navigate to "API permissions" blade on the left hand side
- Navigate to "API permissions" blade on the left hand side
-
Navigate to Authentication If an app hasn't been granted IT admin consent, users will have to provide consent the first time they use an app. Set a redirect URI:
- Select Add a platform.
- Select web.
- Enter the redirect URI for the app in the following format:
Enable implicit grant by checking the following boxes:
✔ ID Token
✔ Access Token
-
Navigate to the Certificates & secrets. In the Client secrets section, click on "+ New client secret". Add a description(Name of the secret) for the secret and select “Never” for Expires. Click "Add". Once the client secret is created, copy its value, it need to be placed in the appsettings.json.
This step is specific to Teams.
- Edit the
manifest.jsoncontained in theappManifestfolder to replace your Microsoft App Id (that was created when you registered your bot earlier) everywhere you see the place holder string<<YOUR-MICROSOFT-APP-ID>>(depending on the scenario the Microsoft App Id may occur multiple times in themanifest.json) - Edit the
manifest.jsonforvalidDomainsreplace{{domain-name}}with base Url domain. E.g. if you are using ngrok it would behttps://1234.ngrok-free.appthen your domain-name will be1234.ngrok-free.appand if you are using dev tunnels then your domain will be like:12345.devtunnels.ms. - Zip up the contents of the
appManifestfolder to create amanifest.zipfolder into amanifest.zip.(Make sure that zip file does not contains any subfolder otherwise you will get error while uploading your .zip package) - Upload the
manifest.zipto Teams (In Teams Apps/Manage your apps click "Upload an app to your org's app catalog'". Browse to and Open the .zip file. At the next dialog, click the Add button.)
Note: This
manifest.jsonspecified that the bot will be installed in a "personal" scope only. Please refer to Teams documentation for more details.
Install App:
Welcome UI:
Sign-In UI:
Welcome Universal Card:
To learn more about deploying a bot to Azure, see Deploy your bot to Azure for a complete list of deployment instructions.