Cannot get SSO to work in bot framework

Eugene De Villiers 30 Reputation points
2024-05-16T02:05:51.3333333+00:00

I'm adding SSO for a multi-purpose bot.

I followed the SSO example from microsoft to setup an initial POC.

In my development environment I managed to make all SSO work and get the user token like this:

`var userTokenClient = turnContext.TurnState.Get

Microsoft Teams
Microsoft Teams
A Microsoft customizable chat-based workspace.
10,309 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,106 questions
Azure Startups
Azure Startups
Azure: A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters.Startups: Companies that are in their initial stages of business and typically developing a business model and seeking financing.
381 questions
{count} vote

Accepted answer
  1. Akshay-MSFT 17,871 Reputation points Microsoft Employee
    2024-05-24T06:43:40.4+00:00

    @Eugene De Villiers

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer.

    Issue: SSO is not working in Teams bot and responding with Received HTTP response headers after 270.8012ms - 404

    Cause: Developer bot was working up to a point is because there was a token cached for it but not in production environment.

    Solution:

    I was able to test this in my lab but found no issues, later on I tried approaching the service engineering team but have not heard of any such emerging/known issues and was suggested to collect and inspect HTTPS traffic by using a proxying tool like Fiddler.

    Based upon your research I was able to find the following info:

    If there's a cached token, the bot uses the same token. If there's no token available, the Adaptive Card sends an invoke response to the bot service, which sends an OAuth card with the following values that includes a tokenExchangeResource to designate an SSO operation

    The SSO fails when the Teams client ignores thetokenExchangeResourcevalue for any reason, including invalid values, errors retrieving exchangeable tokens, or if Microsoft Entra ID doesn't support the value. Then the Teams client triggers the nominal sign-in or OAuth flow.

    Suggestion: It's recommended that you provide a sign-in URL

    If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    Thanks,

    Akshay Kaushik

    0 comments No comments

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.